diff options
Diffstat (limited to 'core/src/main/java/org/bouncycastle/crypto')
511 files changed, 0 insertions, 80173 deletions
diff --git a/core/src/main/java/org/bouncycastle/crypto/AsymmetricBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/AsymmetricBlockCipher.java deleted file mode 100644 index 565effcc..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/AsymmetricBlockCipher.java +++ /dev/null @@ -1,45 +0,0 @@ -package org.bouncycastle.crypto; - - -/** - * base interface that a public/private key block cipher needs - * to conform to. - */ -public interface AsymmetricBlockCipher -{ - /** - * initialise the cipher. - * - * @param forEncryption if true the cipher is initialised for - * encryption, if false for decryption. - * @param param the key and other data required by the cipher. - */ - public void init(boolean forEncryption, CipherParameters param); - - /** - * returns the largest size an input block can be. - * - * @return maximum size for an input block. - */ - public int getInputBlockSize(); - - /** - * returns the maximum size of the block produced by this cipher. - * - * @return maximum size of the output block produced by the cipher. - */ - public int getOutputBlockSize(); - - /** - * process the block of len bytes stored in in from offset inOff. - * - * @param in the input data - * @param inOff offset into the in array where the data starts - * @param len the length of the block to be processed. - * @return the resulting byte array of the encryption/decryption process. - * @exception InvalidCipherTextException data decrypts improperly. - * @exception DataLengthException the input data is too large for the cipher. - */ - public byte[] processBlock(byte[] in, int inOff, int len) - throws InvalidCipherTextException; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/AsymmetricCipherKeyPair.java b/core/src/main/java/org/bouncycastle/crypto/AsymmetricCipherKeyPair.java deleted file mode 100644 index ddee7019..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/AsymmetricCipherKeyPair.java +++ /dev/null @@ -1,61 +0,0 @@ -package org.bouncycastle.crypto; - -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; - -/** - * a holding class for public/private parameter pairs. - */ -public class AsymmetricCipherKeyPair -{ - private AsymmetricKeyParameter publicParam; - private AsymmetricKeyParameter privateParam; - - /** - * basic constructor. - * - * @param publicParam a public key parameters object. - * @param privateParam the corresponding private key parameters. - */ - public AsymmetricCipherKeyPair( - AsymmetricKeyParameter publicParam, - AsymmetricKeyParameter privateParam) - { - this.publicParam = publicParam; - this.privateParam = privateParam; - } - - /** - * basic constructor. - * - * @param publicParam a public key parameters object. - * @param privateParam the corresponding private key parameters. - * @deprecated use AsymmetricKeyParameter - */ - public AsymmetricCipherKeyPair( - CipherParameters publicParam, - CipherParameters privateParam) - { - this.publicParam = (AsymmetricKeyParameter)publicParam; - this.privateParam = (AsymmetricKeyParameter)privateParam; - } - - /** - * return the public key parameters. - * - * @return the public key parameters. - */ - public AsymmetricKeyParameter getPublic() - { - return publicParam; - } - - /** - * return the private key parameters. - * - * @return the private key parameters. - */ - public AsymmetricKeyParameter getPrivate() - { - return privateParam; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/AsymmetricCipherKeyPairGenerator.java b/core/src/main/java/org/bouncycastle/crypto/AsymmetricCipherKeyPairGenerator.java deleted file mode 100644 index 919db199..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/AsymmetricCipherKeyPairGenerator.java +++ /dev/null @@ -1,22 +0,0 @@ -package org.bouncycastle.crypto; - -/** - * interface that a public/private key pair generator should conform to. - */ -public interface AsymmetricCipherKeyPairGenerator -{ - /** - * intialise the key pair generator. - * - * @param param the parameters the key pair is to be initialised with. - */ - public void init(KeyGenerationParameters param); - - /** - * return an AsymmetricCipherKeyPair containing the generated keys. - * - * @return an AsymmetricCipherKeyPair containing the generated keys. - */ - public AsymmetricCipherKeyPair generateKeyPair(); -} - diff --git a/core/src/main/java/org/bouncycastle/crypto/BasicAgreement.java b/core/src/main/java/org/bouncycastle/crypto/BasicAgreement.java deleted file mode 100644 index 8e5ff0da..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/BasicAgreement.java +++ /dev/null @@ -1,26 +0,0 @@ -package org.bouncycastle.crypto; - -import java.math.BigInteger; - -/** - * The basic interface that basic Diffie-Hellman implementations - * conforms to. - */ -public interface BasicAgreement -{ - /** - * initialise the agreement engine. - */ - void init(CipherParameters param); - - /** - * return the field size for the agreement algorithm in bytes. - */ - int getFieldSize(); - - /** - * given a public key from a given party calculate the next - * message in the agreement sequence. - */ - BigInteger calculateAgreement(CipherParameters pubKey); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/BlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/BlockCipher.java deleted file mode 100644 index 3cfa25a0..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/BlockCipher.java +++ /dev/null @@ -1,56 +0,0 @@ -package org.bouncycastle.crypto; - - -/** - * Block cipher engines are expected to conform to this interface. - */ -public interface BlockCipher -{ - /** - * Initialise the cipher. - * - * @param forEncryption if true the cipher is initialised for - * encryption, if false for decryption. - * @param params the key and other data required by the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init(boolean forEncryption, CipherParameters params) - throws IllegalArgumentException; - - /** - * Return the name of the algorithm the cipher implements. - * - * @return the name of the algorithm the cipher implements. - */ - public String getAlgorithmName(); - - /** - * Return the block size for this cipher (in bytes). - * - * @return the block size for this cipher in bytes. - */ - public int getBlockSize(); - - /** - * Process one block of input from the array in and write it to - * the out array. - * - * @param in the array containing the input data. - * @param inOff offset into the in array the data starts at. - * @param out the array the output data will be copied into. - * @param outOff the offset into the out array the output will start at. - * @exception DataLengthException if there isn't enough data in in, or - * space in out. - * @exception IllegalStateException if the cipher isn't initialised. - * @return the number of bytes processed and produced. - */ - public int processBlock(byte[] in, int inOff, byte[] out, int outOff) - throws DataLengthException, IllegalStateException; - - /** - * Reset the cipher. After resetting the cipher is in the same state - * as it was after the last init (if there was one). - */ - public void reset(); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/BufferedAsymmetricBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/BufferedAsymmetricBlockCipher.java deleted file mode 100644 index 1bf7ce3e..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/BufferedAsymmetricBlockCipher.java +++ /dev/null @@ -1,171 +0,0 @@ -package org.bouncycastle.crypto; - -/** - * a buffer wrapper for an asymmetric block cipher, allowing input - * to be accumulated in a piecemeal fashion until final processing. - */ -public class BufferedAsymmetricBlockCipher -{ - protected byte[] buf; - protected int bufOff; - - private final AsymmetricBlockCipher cipher; - - /** - * base constructor. - * - * @param cipher the cipher this buffering object wraps. - */ - public BufferedAsymmetricBlockCipher( - AsymmetricBlockCipher cipher) - { - this.cipher = cipher; - } - - /** - * return the underlying cipher for the buffer. - * - * @return the underlying cipher for the buffer. - */ - public AsymmetricBlockCipher getUnderlyingCipher() - { - return cipher; - } - - /** - * return the amount of data sitting in the buffer. - * - * @return the amount of data sitting in the buffer. - */ - public int getBufferPosition() - { - return bufOff; - } - - /** - * initialise the buffer and the underlying cipher. - * - * @param forEncryption if true the cipher is initialised for - * encryption, if false for decryption. - * @param params the key and other data required by the cipher. - */ - public void init( - boolean forEncryption, - CipherParameters params) - { - reset(); - - cipher.init(forEncryption, params); - - // - // we allow for an extra byte where people are using their own padding - // mechanisms on a raw cipher. - // - buf = new byte[cipher.getInputBlockSize() + (forEncryption ? 1 : 0)]; - bufOff = 0; - } - - /** - * returns the largest size an input block can be. - * - * @return maximum size for an input block. - */ - public int getInputBlockSize() - { - return cipher.getInputBlockSize(); - } - - /** - * returns the maximum size of the block produced by this cipher. - * - * @return maximum size of the output block produced by the cipher. - */ - public int getOutputBlockSize() - { - return cipher.getOutputBlockSize(); - } - - /** - * add another byte for processing. - * - * @param in the input byte. - */ - public void processByte( - byte in) - { - if (bufOff >= buf.length) - { - throw new DataLengthException("attempt to process message too long for cipher"); - } - - buf[bufOff++] = in; - } - - /** - * add len bytes to the buffer for processing. - * - * @param in the input data - * @param inOff offset into the in array where the data starts - * @param len the length of the block to be processed. - */ - public void processBytes( - byte[] in, - int inOff, - int len) - { - if (len == 0) - { - return; - } - - if (len < 0) - { - throw new IllegalArgumentException("Can't have a negative input length!"); - } - - if (bufOff + len > buf.length) - { - throw new DataLengthException("attempt to process message too long for cipher"); - } - - System.arraycopy(in, inOff, buf, bufOff, len); - bufOff += len; - } - - /** - * process the contents of the buffer using the underlying - * cipher. - * - * @return the result of the encryption/decryption process on the - * buffer. - * @exception InvalidCipherTextException if we are given a garbage block. - */ - public byte[] doFinal() - throws InvalidCipherTextException - { - byte[] out = cipher.processBlock(buf, 0, bufOff); - - reset(); - - return out; - } - - /** - * Reset the buffer and the underlying cipher. - */ - public void reset() - { - /* - * clean the buffer. - */ - if (buf != null) - { - for (int i = 0; i < buf.length; i++) - { - buf[i] = 0; - } - } - - bufOff = 0; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/BufferedBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/BufferedBlockCipher.java deleted file mode 100644 index 8e41e492..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/BufferedBlockCipher.java +++ /dev/null @@ -1,313 +0,0 @@ -package org.bouncycastle.crypto; - - -/** - * A wrapper class that allows block ciphers to be used to process data in - * a piecemeal fashion. The BufferedBlockCipher outputs a block only when the - * buffer is full and more data is being added, or on a doFinal. - * <p> - * Note: in the case where the underlying cipher is either a CFB cipher or an - * OFB one the last block may not be a multiple of the block size. - */ -public class BufferedBlockCipher -{ - protected byte[] buf; - protected int bufOff; - - protected boolean forEncryption; - protected BlockCipher cipher; - - protected boolean partialBlockOkay; - protected boolean pgpCFB; - - /** - * constructor for subclasses - */ - protected BufferedBlockCipher() - { - } - - /** - * Create a buffered block cipher without padding. - * - * @param cipher the underlying block cipher this buffering object wraps. - */ - public BufferedBlockCipher( - BlockCipher cipher) - { - this.cipher = cipher; - - buf = new byte[cipher.getBlockSize()]; - bufOff = 0; - - // - // check if we can handle partial blocks on doFinal. - // - String name = cipher.getAlgorithmName(); - int idx = name.indexOf('/') + 1; - - pgpCFB = (idx > 0 && name.startsWith("PGP", idx)); - - if (pgpCFB || cipher instanceof StreamCipher) - { - partialBlockOkay = true; - } - else - { - partialBlockOkay = (idx > 0 && (name.startsWith("OpenPGP", idx))); - } - } - - /** - * return the cipher this object wraps. - * - * @return the cipher this object wraps. - */ - public BlockCipher getUnderlyingCipher() - { - return cipher; - } - - /** - * initialise the cipher. - * - * @param forEncryption if true the cipher is initialised for - * encryption, if false for decryption. - * @param params the key and other data required by the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean forEncryption, - CipherParameters params) - throws IllegalArgumentException - { - this.forEncryption = forEncryption; - - reset(); - - cipher.init(forEncryption, params); - } - - /** - * return the blocksize for the underlying cipher. - * - * @return the blocksize for the underlying cipher. - */ - public int getBlockSize() - { - return cipher.getBlockSize(); - } - - /** - * return the size of the output buffer required for an update - * an input of len bytes. - * - * @param len the length of the input. - * @return the space required to accommodate a call to update - * with len bytes of input. - */ - public int getUpdateOutputSize( - int len) - { - int total = len + bufOff; - int leftOver; - - if (pgpCFB) - { - leftOver = total % buf.length - (cipher.getBlockSize() + 2); - } - else - { - leftOver = total % buf.length; - } - - return total - leftOver; - } - - /** - * return the size of the output buffer required for an update plus a - * doFinal with an input of 'length' bytes. - * - * @param length the length of the input. - * @return the space required to accommodate a call to update and doFinal - * with 'length' bytes of input. - */ - public int getOutputSize( - int length) - { - // Note: Can assume partialBlockOkay is true for purposes of this calculation - return length + bufOff; - } - - /** - * process a single byte, producing an output block if neccessary. - * - * @param in the input byte. - * @param out the space for any output that might be produced. - * @param outOff the offset from which the output will be copied. - * @return the number of output bytes copied to out. - * @exception DataLengthException if there isn't enough space in out. - * @exception IllegalStateException if the cipher isn't initialised. - */ - public int processByte( - byte in, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - int resultLen = 0; - - buf[bufOff++] = in; - - if (bufOff == buf.length) - { - resultLen = cipher.processBlock(buf, 0, out, outOff); - bufOff = 0; - } - - return resultLen; - } - - /** - * process an array of bytes, producing output if necessary. - * - * @param in the input byte array. - * @param inOff the offset at which the input data starts. - * @param len the number of bytes to be copied out of the input array. - * @param out the space for any output that might be produced. - * @param outOff the offset from which the output will be copied. - * @return the number of output bytes copied to out. - * @exception DataLengthException if there isn't enough space in out. - * @exception IllegalStateException if the cipher isn't initialised. - */ - public int processBytes( - byte[] in, - int inOff, - int len, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - if (len < 0) - { - throw new IllegalArgumentException("Can't have a negative input length!"); - } - - int blockSize = getBlockSize(); - int length = getUpdateOutputSize(len); - - if (length > 0) - { - if ((outOff + length) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - } - - int resultLen = 0; - int gapLen = buf.length - bufOff; - - if (len > gapLen) - { - System.arraycopy(in, inOff, buf, bufOff, gapLen); - - resultLen += cipher.processBlock(buf, 0, out, outOff); - - bufOff = 0; - len -= gapLen; - inOff += gapLen; - - while (len > buf.length) - { - resultLen += cipher.processBlock(in, inOff, out, outOff + resultLen); - - len -= blockSize; - inOff += blockSize; - } - } - - System.arraycopy(in, inOff, buf, bufOff, len); - - bufOff += len; - - if (bufOff == buf.length) - { - resultLen += cipher.processBlock(buf, 0, out, outOff + resultLen); - bufOff = 0; - } - - return resultLen; - } - - /** - * Process the last block in the buffer. - * - * @param out the array the block currently being held is copied into. - * @param outOff the offset at which the copying starts. - * @return the number of output bytes copied to out. - * @exception DataLengthException if there is insufficient space in out for - * the output, or the input is not block size aligned and should be. - * @exception IllegalStateException if the underlying cipher is not - * initialised. - * @exception InvalidCipherTextException if padding is expected and not found. - * @exception DataLengthException if the input is not block size - * aligned. - */ - public int doFinal( - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException, InvalidCipherTextException - { - try - { - int resultLen = 0; - - if (outOff + bufOff > out.length) - { - throw new OutputLengthException("output buffer too short for doFinal()"); - } - - if (bufOff != 0) - { - if (!partialBlockOkay) - { - throw new DataLengthException("data not block size aligned"); - } - - cipher.processBlock(buf, 0, buf, 0); - resultLen = bufOff; - bufOff = 0; - System.arraycopy(buf, 0, out, outOff, resultLen); - } - - return resultLen; - } - finally - { - reset(); - } - } - - /** - * Reset the buffer and cipher. After resetting the object is in the same - * state as it was after the last init (if there was one). - */ - public void reset() - { - // - // clean the buffer. - // - for (int i = 0; i < buf.length; i++) - { - buf[i] = 0; - } - - bufOff = 0; - - // - // reset the underlying cipher. - // - cipher.reset(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/CipherKeyGenerator.java b/core/src/main/java/org/bouncycastle/crypto/CipherKeyGenerator.java deleted file mode 100644 index 451f8e8f..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/CipherKeyGenerator.java +++ /dev/null @@ -1,38 +0,0 @@ -package org.bouncycastle.crypto; - -import java.security.SecureRandom; - -/** - * The base class for symmetric, or secret, cipher key generators. - */ -public class CipherKeyGenerator -{ - protected SecureRandom random; - protected int strength; - - /** - * initialise the key generator. - * - * @param param the parameters to be used for key generation - */ - public void init( - KeyGenerationParameters param) - { - this.random = param.getRandom(); - this.strength = (param.getStrength() + 7) / 8; - } - - /** - * generate a secret key. - * - * @return a byte array containing the key value. - */ - public byte[] generateKey() - { - byte[] key = new byte[strength]; - - random.nextBytes(key); - - return key; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/CipherParameters.java b/core/src/main/java/org/bouncycastle/crypto/CipherParameters.java deleted file mode 100644 index 5be87304..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/CipherParameters.java +++ /dev/null @@ -1,8 +0,0 @@ -package org.bouncycastle.crypto; - -/** - * all parameter classes implement this. - */ -public interface CipherParameters -{ -} diff --git a/core/src/main/java/org/bouncycastle/crypto/Commitment.java b/core/src/main/java/org/bouncycastle/crypto/Commitment.java deleted file mode 100644 index f1dc05a3..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/Commitment.java +++ /dev/null @@ -1,42 +0,0 @@ -package org.bouncycastle.crypto; - -/** - * General holding class for a commitment. - */ -public class Commitment -{ - private final byte[] secret; - private final byte[] commitment; - - /** - * Base constructor. - * - * @param secret an encoding of the secret required to reveal the commitment. - * @param commitment an encoding of the sealed commitment. - */ - public Commitment(byte[] secret, byte[] commitment) - { - this.secret = secret; - this.commitment = commitment; - } - - /** - * The secret required to reveal the commitment. - * - * @return an encoding of the secret associated with the commitment. - */ - public byte[] getSecret() - { - return secret; - } - - /** - * The sealed commitment. - * - * @return an encoding of the sealed commitment. - */ - public byte[] getCommitment() - { - return commitment; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/Committer.java b/core/src/main/java/org/bouncycastle/crypto/Committer.java deleted file mode 100644 index 5c93e5d1..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/Committer.java +++ /dev/null @@ -1,24 +0,0 @@ -package org.bouncycastle.crypto; - -/** - * General interface fdr classes that produce and validate commitments. - */ -public interface Committer -{ - /** - * Generate a commitment for the passed in message. - * - * @param message the message to be committed to, - * @return a Commitment - */ - Commitment commit(byte[] message); - - /** - * Return true if the passed in commitment represents a commitment to the passed in maessage. - * - * @param commitment a commitment previously generated. - * @param message the message that was expected to have been committed to. - * @return true if commitment matches message, false otherwise. - */ - boolean isRevealed(Commitment commitment, byte[] message); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/CryptoException.java b/core/src/main/java/org/bouncycastle/crypto/CryptoException.java deleted file mode 100644 index 352c5569..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/CryptoException.java +++ /dev/null @@ -1,48 +0,0 @@ -package org.bouncycastle.crypto; - -/** - * the foundation class for the hard exceptions thrown by the crypto packages. - */ -public class CryptoException - extends Exception -{ - private Throwable cause; - - /** - * base constructor. - */ - public CryptoException() - { - } - - /** - * create a CryptoException with the given message. - * - * @param message the message to be carried with the exception. - */ - public CryptoException( - String message) - { - super(message); - } - - /** - * Create a CryptoException with the given message and underlying cause. - * - * @param message message describing exception. - * @param cause the throwable that was the underlying cause. - */ - public CryptoException( - String message, - Throwable cause) - { - super(message); - - this.cause = cause; - } - - public Throwable getCause() - { - return cause; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/DSA.java b/core/src/main/java/org/bouncycastle/crypto/DSA.java deleted file mode 100644 index 1f584762..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/DSA.java +++ /dev/null @@ -1,36 +0,0 @@ -package org.bouncycastle.crypto; - -import java.math.BigInteger; - -/** - * interface for classes implementing algorithms modeled similar to the Digital Signature Alorithm. - */ -public interface DSA -{ - /** - * initialise the signer for signature generation or signature - * verification. - * - * @param forSigning true if we are generating a signature, false - * otherwise. - * @param param key parameters for signature generation. - */ - public void init(boolean forSigning, CipherParameters param); - - /** - * sign the passed in message (usually the output of a hash function). - * - * @param message the message to be signed. - * @return two big integers representing the r and s values respectively. - */ - public BigInteger[] generateSignature(byte[] message); - - /** - * verify the message message against the signature values r and s. - * - * @param message the message that was supposed to have been signed. - * @param r the r signature value. - * @param s the s signature value. - */ - public boolean verifySignature(byte[] message, BigInteger r, BigInteger s); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/DataLengthException.java b/core/src/main/java/org/bouncycastle/crypto/DataLengthException.java deleted file mode 100644 index fbf047cf..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/DataLengthException.java +++ /dev/null @@ -1,29 +0,0 @@ -package org.bouncycastle.crypto; - -/** - * this exception is thrown if a buffer that is meant to have output - * copied into it turns out to be too short, or if we've been given - * insufficient input. In general this exception will get thrown rather - * than an ArrayOutOfBounds exception. - */ -public class DataLengthException - extends RuntimeCryptoException -{ - /** - * base constructor. - */ - public DataLengthException() - { - } - - /** - * create a DataLengthException with the given message. - * - * @param message the message to be carried with the exception. - */ - public DataLengthException( - String message) - { - super(message); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/DerivationFunction.java b/core/src/main/java/org/bouncycastle/crypto/DerivationFunction.java deleted file mode 100644 index 0e2b4b06..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/DerivationFunction.java +++ /dev/null @@ -1,12 +0,0 @@ -package org.bouncycastle.crypto; - -/** - * base interface for general purpose byte derivation functions. - */ -public interface DerivationFunction -{ - public void init(DerivationParameters param); - - public int generateBytes(byte[] out, int outOff, int len) - throws DataLengthException, IllegalArgumentException; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/DerivationParameters.java b/core/src/main/java/org/bouncycastle/crypto/DerivationParameters.java deleted file mode 100644 index e11eb867..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/DerivationParameters.java +++ /dev/null @@ -1,8 +0,0 @@ -package org.bouncycastle.crypto; - -/** - * Parameters for key/byte stream derivation classes - */ -public interface DerivationParameters -{ -} diff --git a/core/src/main/java/org/bouncycastle/crypto/Digest.java b/core/src/main/java/org/bouncycastle/crypto/Digest.java deleted file mode 100644 index f44fad0d..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/Digest.java +++ /dev/null @@ -1,51 +0,0 @@ -package org.bouncycastle.crypto; - -/** - * interface that a message digest conforms to. - */ -public interface Digest -{ - /** - * return the algorithm name - * - * @return the algorithm name - */ - public String getAlgorithmName(); - - /** - * return the size, in bytes, of the digest produced by this message digest. - * - * @return the size, in bytes, of the digest produced by this message digest. - */ - public int getDigestSize(); - - /** - * update the message digest with a single byte. - * - * @param in the input byte to be entered. - */ - public void update(byte in); - - /** - * update the message digest with a block of bytes. - * - * @param in the byte array containing the data. - * @param inOff the offset into the byte array where the data starts. - * @param len the length of the data. - */ - public void update(byte[] in, int inOff, int len); - - /** - * close the digest, producing the final digest value. The doFinal - * call leaves the digest reset. - * - * @param out the array the digest is to be copied into. - * @param outOff the offset into the out array the digest is to start at. - */ - public int doFinal(byte[] out, int outOff); - - /** - * reset the digest back to it's initial state. - */ - public void reset(); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/DigestDerivationFunction.java b/core/src/main/java/org/bouncycastle/crypto/DigestDerivationFunction.java deleted file mode 100644 index 180382d2..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/DigestDerivationFunction.java +++ /dev/null @@ -1,13 +0,0 @@ -package org.bouncycastle.crypto; - -/** - * base interface for general purpose Digest based byte derivation functions. - */ -public interface DigestDerivationFunction - extends DerivationFunction -{ - /** - * return the message digest used as the basis for the function - */ - public Digest getDigest(); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/EphemeralKeyPair.java b/core/src/main/java/org/bouncycastle/crypto/EphemeralKeyPair.java deleted file mode 100644 index f16812f9..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/EphemeralKeyPair.java +++ /dev/null @@ -1,23 +0,0 @@ -package org.bouncycastle.crypto; - -public class EphemeralKeyPair -{ - private AsymmetricCipherKeyPair keyPair; - private KeyEncoder publicKeyEncoder; - - public EphemeralKeyPair(AsymmetricCipherKeyPair keyPair, KeyEncoder publicKeyEncoder) - { - this.keyPair = keyPair; - this.publicKeyEncoder = publicKeyEncoder; - } - - public AsymmetricCipherKeyPair getKeyPair() - { - return keyPair; - } - - public byte[] getEncodedPublicKey() - { - return publicKeyEncoder.getEncoded(keyPair.getPublic()); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/ExtendedDigest.java b/core/src/main/java/org/bouncycastle/crypto/ExtendedDigest.java deleted file mode 100644 index c5e9e8b0..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/ExtendedDigest.java +++ /dev/null @@ -1,13 +0,0 @@ -package org.bouncycastle.crypto; - -public interface ExtendedDigest - extends Digest -{ - /** - * Return the size in bytes of the internal buffer the digest applies it's compression - * function to. - * - * @return byte length of the digests internal buffer. - */ - public int getByteLength(); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/InvalidCipherTextException.java b/core/src/main/java/org/bouncycastle/crypto/InvalidCipherTextException.java deleted file mode 100644 index 21c150d9..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/InvalidCipherTextException.java +++ /dev/null @@ -1,40 +0,0 @@ -package org.bouncycastle.crypto; - -/** - * this exception is thrown whenever we find something we don't expect in a - * message. - */ -public class InvalidCipherTextException - extends CryptoException -{ - /** - * base constructor. - */ - public InvalidCipherTextException() - { - } - - /** - * create a InvalidCipherTextException with the given message. - * - * @param message the message to be carried with the exception. - */ - public InvalidCipherTextException( - String message) - { - super(message); - } - - /** - * create a InvalidCipherTextException with the given message. - * - * @param message the message to be carried with the exception. - * @param cause the root cause of the exception. - */ - public InvalidCipherTextException( - String message, - Throwable cause) - { - super(message, cause); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/KeyEncapsulation.java b/core/src/main/java/org/bouncycastle/crypto/KeyEncapsulation.java deleted file mode 100755 index 16744573..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/KeyEncapsulation.java +++ /dev/null @@ -1,22 +0,0 @@ -package org.bouncycastle.crypto; - -/** - * The basic interface for key encapsulation mechanisms. - */ -public interface KeyEncapsulation -{ - /** - * Initialise the key encapsulation mechanism. - */ - public void init(CipherParameters param); - - /** - * Encapsulate a randomly generated session key. - */ - public CipherParameters encrypt(byte[] out, int outOff, int keyLen); - - /** - * Decapsulate an encapsulated session key. - */ - public CipherParameters decrypt(byte[] in, int inOff, int inLen, int keyLen); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/KeyEncoder.java b/core/src/main/java/org/bouncycastle/crypto/KeyEncoder.java deleted file mode 100644 index 92ded9cd..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/KeyEncoder.java +++ /dev/null @@ -1,8 +0,0 @@ -package org.bouncycastle.crypto; - -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; - -public interface KeyEncoder -{ - byte[] getEncoded(AsymmetricKeyParameter keyParameter); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/KeyGenerationParameters.java b/core/src/main/java/org/bouncycastle/crypto/KeyGenerationParameters.java deleted file mode 100644 index 9a63522f..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/KeyGenerationParameters.java +++ /dev/null @@ -1,48 +0,0 @@ -package org.bouncycastle.crypto; - -import java.security.SecureRandom; - -/** - * The base class for parameters to key generators. - */ -public class KeyGenerationParameters -{ - private SecureRandom random; - private int strength; - - /** - * initialise the generator with a source of randomness - * and a strength (in bits). - * - * @param random the random byte source. - * @param strength the size, in bits, of the keys we want to produce. - */ - public KeyGenerationParameters( - SecureRandom random, - int strength) - { - this.random = random; - this.strength = strength; - } - - /** - * return the random source associated with this - * generator. - * - * @return the generators random source. - */ - public SecureRandom getRandom() - { - return random; - } - - /** - * return the bit strength for keys produced by this generator, - * - * @return the strength of the keys this generator produces (in bits). - */ - public int getStrength() - { - return strength; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/KeyParser.java b/core/src/main/java/org/bouncycastle/crypto/KeyParser.java deleted file mode 100644 index 60ce29de..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/KeyParser.java +++ /dev/null @@ -1,12 +0,0 @@ -package org.bouncycastle.crypto; - -import java.io.IOException; -import java.io.InputStream; - -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; - -public interface KeyParser -{ - AsymmetricKeyParameter readKey(InputStream stream) - throws IOException; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/Mac.java b/core/src/main/java/org/bouncycastle/crypto/Mac.java deleted file mode 100644 index c00cd58c..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/Mac.java +++ /dev/null @@ -1,71 +0,0 @@ -package org.bouncycastle.crypto; - - -/** - * The base interface for implementations of message authentication codes (MACs). - */ -public interface Mac -{ - /** - * Initialise the MAC. - * - * @param params the key and other data required by the MAC. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init(CipherParameters params) - throws IllegalArgumentException; - - /** - * Return the name of the algorithm the MAC implements. - * - * @return the name of the algorithm the MAC implements. - */ - public String getAlgorithmName(); - - /** - * Return the block size for this MAC (in bytes). - * - * @return the block size for this MAC in bytes. - */ - public int getMacSize(); - - /** - * add a single byte to the mac for processing. - * - * @param in the byte to be processed. - * @exception IllegalStateException if the MAC is not initialised. - */ - public void update(byte in) - throws IllegalStateException; - - /** - * @param in the array containing the input. - * @param inOff the index in the array the data begins at. - * @param len the length of the input starting at inOff. - * @exception IllegalStateException if the MAC is not initialised. - * @exception DataLengthException if there isn't enough data in in. - */ - public void update(byte[] in, int inOff, int len) - throws DataLengthException, IllegalStateException; - - /** - * Compute the final stage of the MAC writing the output to the out - * parameter. - * <p> - * doFinal leaves the MAC in the same state it was after the last init. - * - * @param out the array the MAC is to be output to. - * @param outOff the offset into the out buffer the output is to start at. - * @exception DataLengthException if there isn't enough space in out. - * @exception IllegalStateException if the MAC is not initialised. - */ - public int doFinal(byte[] out, int outOff) - throws DataLengthException, IllegalStateException; - - /** - * Reset the MAC. At the end of resetting the MAC should be in the - * in the same state it was after the last init (if there was one). - */ - public void reset(); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/MacDerivationFunction.java b/core/src/main/java/org/bouncycastle/crypto/MacDerivationFunction.java deleted file mode 100644 index 16198bab..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/MacDerivationFunction.java +++ /dev/null @@ -1,13 +0,0 @@ -package org.bouncycastle.crypto; - -/** - * base interface for general purpose Mac based byte derivation functions. - */ -public interface MacDerivationFunction - extends DerivationFunction -{ - /** - * return the MAC used as the basis for the function - */ - public Mac getMac(); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/MaxBytesExceededException.java b/core/src/main/java/org/bouncycastle/crypto/MaxBytesExceededException.java deleted file mode 100644 index bfa15442..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/MaxBytesExceededException.java +++ /dev/null @@ -1,27 +0,0 @@ -package org.bouncycastle.crypto; - -/** - * this exception is thrown whenever a cipher requires a change of key, iv - * or similar after x amount of bytes enciphered - */ -public class MaxBytesExceededException - extends RuntimeCryptoException -{ - /** - * base constructor. - */ - public MaxBytesExceededException() - { - } - - /** - * create an with the given message. - * - * @param message the message to be carried with the exception. - */ - public MaxBytesExceededException( - String message) - { - super(message); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/OutputLengthException.java b/core/src/main/java/org/bouncycastle/crypto/OutputLengthException.java deleted file mode 100644 index 62811a2b..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/OutputLengthException.java +++ /dev/null @@ -1,10 +0,0 @@ -package org.bouncycastle.crypto; - -public class OutputLengthException - extends DataLengthException -{ - public OutputLengthException(String msg) - { - super(msg); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/PBEParametersGenerator.java b/core/src/main/java/org/bouncycastle/crypto/PBEParametersGenerator.java deleted file mode 100644 index 18cc648a..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/PBEParametersGenerator.java +++ /dev/null @@ -1,171 +0,0 @@ -package org.bouncycastle.crypto; - -import org.bouncycastle.util.Strings; - -/** - * super class for all Password Based Encryption (PBE) parameter generator classes. - */ -public abstract class PBEParametersGenerator -{ - protected byte[] password; - protected byte[] salt; - protected int iterationCount; - - /** - * base constructor. - */ - protected PBEParametersGenerator() - { - } - - /** - * initialise the PBE generator. - * - * @param password the password converted into bytes (see below). - * @param salt the salt to be mixed with the password. - * @param iterationCount the number of iterations the "mixing" function - * is to be applied for. - */ - public void init( - byte[] password, - byte[] salt, - int iterationCount) - { - this.password = password; - this.salt = salt; - this.iterationCount = iterationCount; - } - - /** - * return the password byte array. - * - * @return the password byte array. - */ - public byte[] getPassword() - { - return password; - } - - /** - * return the salt byte array. - * - * @return the salt byte array. - */ - public byte[] getSalt() - { - return salt; - } - - /** - * return the iteration count. - * - * @return the iteration count. - */ - public int getIterationCount() - { - return iterationCount; - } - - /** - * generate derived parameters for a key of length keySize. - * - * @param keySize the length, in bits, of the key required. - * @return a parameters object representing a key. - */ - public abstract CipherParameters generateDerivedParameters(int keySize); - - /** - * generate derived parameters for a key of length keySize, and - * an initialisation vector (IV) of length ivSize. - * - * @param keySize the length, in bits, of the key required. - * @param ivSize the length, in bits, of the iv required. - * @return a parameters object representing a key and an IV. - */ - public abstract CipherParameters generateDerivedParameters(int keySize, int ivSize); - - /** - * generate derived parameters for a key of length keySize, specifically - * for use with a MAC. - * - * @param keySize the length, in bits, of the key required. - * @return a parameters object representing a key. - */ - public abstract CipherParameters generateDerivedMacParameters(int keySize); - - /** - * converts a password to a byte array according to the scheme in - * PKCS5 (ascii, no padding) - * - * @param password a character array representing the password. - * @return a byte array representing the password. - */ - public static byte[] PKCS5PasswordToBytes( - char[] password) - { - if (password != null) - { - byte[] bytes = new byte[password.length]; - - for (int i = 0; i != bytes.length; i++) - { - bytes[i] = (byte)password[i]; - } - - return bytes; - } - else - { - return new byte[0]; - } - } - - /** - * converts a password to a byte array according to the scheme in - * PKCS5 (UTF-8, no padding) - * - * @param password a character array representing the password. - * @return a byte array representing the password. - */ - public static byte[] PKCS5PasswordToUTF8Bytes( - char[] password) - { - if (password != null) - { - return Strings.toUTF8ByteArray(password); - } - else - { - return new byte[0]; - } - } - - /** - * converts a password to a byte array according to the scheme in - * PKCS12 (unicode, big endian, 2 zero pad bytes at the end). - * - * @param password a character array representing the password. - * @return a byte array representing the password. - */ - public static byte[] PKCS12PasswordToBytes( - char[] password) - { - if (password != null && password.length > 0) - { - // +1 for extra 2 pad bytes. - byte[] bytes = new byte[(password.length + 1) * 2]; - - for (int i = 0; i != password.length; i ++) - { - bytes[i * 2] = (byte)(password[i] >>> 8); - bytes[i * 2 + 1] = (byte)password[i]; - } - - return bytes; - } - else - { - return new byte[0]; - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/RuntimeCryptoException.java b/core/src/main/java/org/bouncycastle/crypto/RuntimeCryptoException.java deleted file mode 100644 index c1572020..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/RuntimeCryptoException.java +++ /dev/null @@ -1,26 +0,0 @@ -package org.bouncycastle.crypto; - -/** - * the foundation class for the exceptions thrown by the crypto packages. - */ -public class RuntimeCryptoException - extends RuntimeException -{ - /** - * base constructor. - */ - public RuntimeCryptoException() - { - } - - /** - * create a RuntimeCryptoException with the given message. - * - * @param message the message to be carried with the exception. - */ - public RuntimeCryptoException( - String message) - { - super(message); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/Signer.java b/core/src/main/java/org/bouncycastle/crypto/Signer.java deleted file mode 100644 index 357b0da4..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/Signer.java +++ /dev/null @@ -1,43 +0,0 @@ -package org.bouncycastle.crypto; - -/** - * Generic signer interface for hash based and message recovery signers. - */ -public interface Signer -{ - /** - * Initialise the signer for signing or verification. - * - * @param forSigning true if for signing, false otherwise - * @param param necessary parameters. - */ - public void init(boolean forSigning, CipherParameters param); - - /** - * update the internal digest with the byte b - */ - public void update(byte b); - - /** - * update the internal digest with the byte array in - */ - public void update(byte[] in, int off, int len); - - /** - * generate a signature for the message we've been loaded with using - * the key we were initialised with. - */ - public byte[] generateSignature() - throws CryptoException, DataLengthException; - - /** - * return true if the internal state represents the signature described - * in the passed in array. - */ - public boolean verifySignature(byte[] signature); - - /** - * reset the internal state - */ - public void reset(); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/SignerWithRecovery.java b/core/src/main/java/org/bouncycastle/crypto/SignerWithRecovery.java deleted file mode 100644 index 452b367f..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/SignerWithRecovery.java +++ /dev/null @@ -1,34 +0,0 @@ -package org.bouncycastle.crypto; - -/** - * Signer with message recovery. - */ -public interface SignerWithRecovery - extends Signer -{ - /** - * Returns true if the signer has recovered the full message as - * part of signature verification. - * - * @return true if full message recovered. - */ - public boolean hasFullMessage(); - - /** - * Returns a reference to what message was recovered (if any). - * - * @return full/partial message, null if nothing. - */ - public byte[] getRecoveredMessage(); - - /** - * Perform an update with the recovered message before adding any other data. This must - * be the first update method called, and calling it will result in the signer assuming - * that further calls to update will include message content past what is recoverable. - * - * @param signature the signature that we are in the process of verifying. - * @throws IllegalStateException - */ - public void updateWithRecoveredMessage(byte[] signature) - throws InvalidCipherTextException; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/SkippingCipher.java b/core/src/main/java/org/bouncycastle/crypto/SkippingCipher.java deleted file mode 100644 index f8cc648e..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/SkippingCipher.java +++ /dev/null @@ -1,31 +0,0 @@ -package org.bouncycastle.crypto; - -/** - * Ciphers producing a key stream which can be reset to particular points in the stream implement this. - */ -public interface SkippingCipher -{ - /** - * Skip numberOfBytes forwards, or backwards. - * - * @param numberOfBytes the number of bytes to skip (positive forward, negative backwards). - * @return the number of bytes actually skipped. - * @throws java.lang.IllegalArgumentException if numberOfBytes is an invalid value. - */ - long skip(long numberOfBytes); - - /** - * Reset the cipher and then skip forward to a given position. - * - * @param position the number of bytes in to set the cipher state to. - * @return the byte position moved to. - */ - long seekTo(long position); - - /** - * Return the current "position" of the cipher - * - * @return the current byte position. - */ - long getPosition(); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/SkippingStreamCipher.java b/core/src/main/java/org/bouncycastle/crypto/SkippingStreamCipher.java deleted file mode 100644 index a707a810..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/SkippingStreamCipher.java +++ /dev/null @@ -1,9 +0,0 @@ -package org.bouncycastle.crypto; - -/** - * General interface for a stream cipher that supports skipping. - */ -public interface SkippingStreamCipher - extends StreamCipher, SkippingCipher -{ -} diff --git a/core/src/main/java/org/bouncycastle/crypto/StreamBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/StreamBlockCipher.java deleted file mode 100644 index 09aadfbf..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/StreamBlockCipher.java +++ /dev/null @@ -1,58 +0,0 @@ -package org.bouncycastle.crypto; - -/** - * A parent class for block cipher modes that do not require block aligned data to be processed, but can function in - * a streaming mode. - */ -public abstract class StreamBlockCipher - implements BlockCipher, StreamCipher -{ - private final BlockCipher cipher; - - protected StreamBlockCipher(BlockCipher cipher) - { - this.cipher = cipher; - } - - /** - * return the underlying block cipher that we are wrapping. - * - * @return the underlying block cipher that we are wrapping. - */ - public BlockCipher getUnderlyingCipher() - { - return cipher; - } - - public final byte returnByte(byte in) - { - return calculateByte(in); - } - - public int processBytes(byte[] in, int inOff, int len, byte[] out, int outOff) - throws DataLengthException - { - if (outOff + len > out.length) - { - throw new DataLengthException("output buffer too short"); - } - - if (inOff + len > in.length) - { - throw new DataLengthException("input buffer too small"); - } - - int inStart = inOff; - int inEnd = inOff + len; - int outStart = outOff; - - while (inStart < inEnd) - { - out[outStart++] = calculateByte(in[inStart++]); - } - - return len; - } - - protected abstract byte calculateByte(byte b); -}
\ No newline at end of file diff --git a/core/src/main/java/org/bouncycastle/crypto/StreamCipher.java b/core/src/main/java/org/bouncycastle/crypto/StreamCipher.java deleted file mode 100644 index c1255e94..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/StreamCipher.java +++ /dev/null @@ -1,54 +0,0 @@ -package org.bouncycastle.crypto; - -/** - * the interface stream ciphers conform to. - */ -public interface StreamCipher -{ - /** - * Initialise the cipher. - * - * @param forEncryption if true the cipher is initialised for - * encryption, if false for decryption. - * @param params the key and other data required by the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init(boolean forEncryption, CipherParameters params) - throws IllegalArgumentException; - - /** - * Return the name of the algorithm the cipher implements. - * - * @return the name of the algorithm the cipher implements. - */ - public String getAlgorithmName(); - - /** - * encrypt/decrypt a single byte returning the result. - * - * @param in the byte to be processed. - * @return the result of processing the input byte. - */ - public byte returnByte(byte in); - - /** - * process a block of bytes from in putting the result into out. - * - * @param in the input byte array. - * @param inOff the offset into the in array where the data to be processed starts. - * @param len the number of bytes to be processed. - * @param out the output buffer the processed bytes go into. - * @param outOff the offset into the output byte array the processed data starts at. - * @return the number of bytes produced - should always be len. - * @exception DataLengthException if the output buffer is too small. - */ - public int processBytes(byte[] in, int inOff, int len, byte[] out, int outOff) - throws DataLengthException; - - /** - * reset the cipher. This leaves it in the same state - * it was at after the last init (if there was one). - */ - public void reset(); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/Wrapper.java b/core/src/main/java/org/bouncycastle/crypto/Wrapper.java deleted file mode 100644 index 3956a6fc..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/Wrapper.java +++ /dev/null @@ -1,18 +0,0 @@ -package org.bouncycastle.crypto; - -public interface Wrapper -{ - public void init(boolean forWrapping, CipherParameters param); - - /** - * Return the name of the algorithm the wrapper implements. - * - * @return the name of the algorithm the wrapper implements. - */ - public String getAlgorithmName(); - - public byte[] wrap(byte[] in, int inOff, int inLen); - - public byte[] unwrap(byte[] in, int inOff, int inLen) - throws InvalidCipherTextException; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/agreement/DHAgreement.java b/core/src/main/java/org/bouncycastle/crypto/agreement/DHAgreement.java deleted file mode 100644 index 021a7153..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/agreement/DHAgreement.java +++ /dev/null @@ -1,94 +0,0 @@ -package org.bouncycastle.crypto.agreement; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.AsymmetricCipherKeyPair; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.generators.DHKeyPairGenerator; -import org.bouncycastle.crypto.params.DHKeyGenerationParameters; -import org.bouncycastle.crypto.params.DHParameters; -import org.bouncycastle.crypto.params.DHPublicKeyParameters; -import org.bouncycastle.crypto.params.DHPrivateKeyParameters; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.params.ParametersWithRandom; - -/** - * a Diffie-Hellman key exchange engine. - * <p> - * note: This uses MTI/A0 key agreement in order to make the key agreement - * secure against passive attacks. If you're doing Diffie-Hellman and both - * parties have long term public keys you should look at using this. For - * further information have a look at RFC 2631. - * <p> - * It's possible to extend this to more than two parties as well, for the moment - * that is left as an exercise for the reader. - */ -public class DHAgreement -{ - private DHPrivateKeyParameters key; - private DHParameters dhParams; - private BigInteger privateValue; - private SecureRandom random; - - public void init( - CipherParameters param) - { - AsymmetricKeyParameter kParam; - - if (param instanceof ParametersWithRandom) - { - ParametersWithRandom rParam = (ParametersWithRandom)param; - - this.random = rParam.getRandom(); - kParam = (AsymmetricKeyParameter)rParam.getParameters(); - } - else - { - this.random = new SecureRandom(); - kParam = (AsymmetricKeyParameter)param; - } - - - if (!(kParam instanceof DHPrivateKeyParameters)) - { - throw new IllegalArgumentException("DHEngine expects DHPrivateKeyParameters"); - } - - this.key = (DHPrivateKeyParameters)kParam; - this.dhParams = key.getParameters(); - } - - /** - * calculate our initial message. - */ - public BigInteger calculateMessage() - { - DHKeyPairGenerator dhGen = new DHKeyPairGenerator(); - dhGen.init(new DHKeyGenerationParameters(random, dhParams)); - AsymmetricCipherKeyPair dhPair = dhGen.generateKeyPair(); - - this.privateValue = ((DHPrivateKeyParameters)dhPair.getPrivate()).getX(); - - return ((DHPublicKeyParameters)dhPair.getPublic()).getY(); - } - - /** - * given a message from a given party and the corresponding public key, - * calculate the next message in the agreement sequence. In this case - * this will represent the shared secret. - */ - public BigInteger calculateAgreement( - DHPublicKeyParameters pub, - BigInteger message) - { - if (!pub.getParameters().equals(dhParams)) - { - throw new IllegalArgumentException("Diffie-Hellman public key has wrong parameters."); - } - - BigInteger p = dhParams.getP(); - - return message.modPow(key.getX(), p).multiply(pub.getY().modPow(privateValue, p)).mod(p); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/agreement/DHBasicAgreement.java b/core/src/main/java/org/bouncycastle/crypto/agreement/DHBasicAgreement.java deleted file mode 100644 index d2e2a09f..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/agreement/DHBasicAgreement.java +++ /dev/null @@ -1,71 +0,0 @@ -package org.bouncycastle.crypto.agreement; - -import java.math.BigInteger; - -import org.bouncycastle.crypto.BasicAgreement; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.params.DHParameters; -import org.bouncycastle.crypto.params.DHPrivateKeyParameters; -import org.bouncycastle.crypto.params.DHPublicKeyParameters; -import org.bouncycastle.crypto.params.ParametersWithRandom; - -/** - * a Diffie-Hellman key agreement class. - * <p> - * note: This is only the basic algorithm, it doesn't take advantage of - * long term public keys if they are available. See the DHAgreement class - * for a "better" implementation. - */ -public class DHBasicAgreement - implements BasicAgreement -{ - private DHPrivateKeyParameters key; - private DHParameters dhParams; - - public void init( - CipherParameters param) - { - AsymmetricKeyParameter kParam; - - if (param instanceof ParametersWithRandom) - { - ParametersWithRandom rParam = (ParametersWithRandom)param; - kParam = (AsymmetricKeyParameter)rParam.getParameters(); - } - else - { - kParam = (AsymmetricKeyParameter)param; - } - - if (!(kParam instanceof DHPrivateKeyParameters)) - { - throw new IllegalArgumentException("DHEngine expects DHPrivateKeyParameters"); - } - - this.key = (DHPrivateKeyParameters)kParam; - this.dhParams = key.getParameters(); - } - - public int getFieldSize() - { - return (key.getParameters().getP().bitLength() + 7) / 8; - } - - /** - * given a short term public key from a given party calculate the next - * message in the agreement sequence. - */ - public BigInteger calculateAgreement( - CipherParameters pubKey) - { - DHPublicKeyParameters pub = (DHPublicKeyParameters)pubKey; - - if (!pub.getParameters().equals(dhParams)) - { - throw new IllegalArgumentException("Diffie-Hellman public key has wrong parameters."); - } - - return pub.getY().modPow(key.getX(), dhParams.getP()); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/agreement/DHStandardGroups.java b/core/src/main/java/org/bouncycastle/crypto/agreement/DHStandardGroups.java deleted file mode 100644 index 638bcb13..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/agreement/DHStandardGroups.java +++ /dev/null @@ -1,206 +0,0 @@ -package org.bouncycastle.crypto.agreement; - -import java.math.BigInteger; - -import org.bouncycastle.crypto.params.DHParameters; -import org.bouncycastle.util.encoders.Hex; - -/** - * Standard Diffie-Hellman groups from various IETF specifications. - */ -public class DHStandardGroups -{ - - private static DHParameters fromPG(String hexP, String hexG) - { - BigInteger p = new BigInteger(1, Hex.decode(hexP)); - BigInteger g = new BigInteger(1, Hex.decode(hexG)); - return new DHParameters(p, g); - } - - private static DHParameters fromPGQ(String hexP, String hexG, String hexQ) - { - BigInteger p = new BigInteger(1, Hex.decode(hexP)); - BigInteger g = new BigInteger(1, Hex.decode(hexG)); - BigInteger q = new BigInteger(1, Hex.decode(hexQ)); - return new DHParameters(p, g, q); - } - - /* - * RFC 2409 - */ - private static final String rfc2409_768_p = "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - + "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF"; - private static final String rfc2409_768_g = "02"; - public static final DHParameters rfc2409_768 = fromPG(rfc2409_768_p, rfc2409_768_g); - - private static final String rfc2409_1024_p = "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - + "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381" - + "FFFFFFFFFFFFFFFF"; - private static final String rfc2409_1024_g = "02"; - public static final DHParameters rfc2409_1024 = fromPG(rfc2409_1024_p, rfc2409_1024_g); - - /* - * RFC 3526 - */ - private static final String rfc3526_1536_p = "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - + "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" - + "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" + "83655D23DCA3AD961C62F356208552BB9ED529077096966D" - + "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"; - private static final String rfc3526_1536_g = "02"; - public static final DHParameters rfc3526_1536 = fromPG(rfc3526_1536_p, rfc3526_1536_g); - - private static final String rfc3526_2048_p = "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - + "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" - + "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" + "83655D23DCA3AD961C62F356208552BB9ED529077096966D" - + "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" + "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" - + "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" + "15728E5A8AACAA68FFFFFFFFFFFFFFFF"; - private static final String rfc3526_2048_g = "02"; - public static final DHParameters rfc3526_2048 = fromPG(rfc3526_2048_p, rfc3526_2048_g); - - private static final String rfc3526_3072_p = "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - + "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" - + "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" + "83655D23DCA3AD961C62F356208552BB9ED529077096966D" - + "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" + "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" - + "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" + "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" - + "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" + "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" - + "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" + "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" - + "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF"; - private static final String rfc3526_3072_g = "02"; - public static final DHParameters rfc3526_3072 = fromPG(rfc3526_3072_p, rfc3526_3072_g); - - private static final String rfc3526_4096_p = "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - + "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" - + "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" + "83655D23DCA3AD961C62F356208552BB9ED529077096966D" - + "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" + "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" - + "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" + "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" - + "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" + "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" - + "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" + "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" - + "43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7" + "88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA" - + "2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6" + "287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED" - + "1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9" + "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199" - + "FFFFFFFFFFFFFFFF"; - private static final String rfc3526_4096_g = "02"; - public static final DHParameters rfc3526_4096 = fromPG(rfc3526_4096_p, rfc3526_4096_g); - - private static final String rfc3526_6144_p = "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08" - + "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B" - + "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9" - + "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6" - + "49286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8" - + "FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D" - + "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C" - + "180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718" - + "3995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D" - + "04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7D" - + "B3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D226" - + "1AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200C" - + "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFC" - + "E0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B26" - + "99C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB" - + "04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2" - + "233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127" - + "D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934028492" - + "36C3FAB4D27C7026C1D4DCB2602646DEC9751E763DBA37BDF8FF9406" - + "AD9E530EE5DB382F413001AEB06A53ED9027D831179727B0865A8918" - + "DA3EDBEBCF9B14ED44CE6CBACED4BB1BDB7F1447E6CC254B33205151" - + "2BD7AF426FB8F401378CD2BF5983CA01C64B92ECF032EA15D1721D03" - + "F482D7CE6E74FEF6D55E702F46980C82B5A84031900B1C9E59E7C97F" - + "BEC7E8F323A97A7E36CC88BE0F1D45B7FF585AC54BD407B22B4154AA" - + "CC8F6D7EBF48E1D814CC5ED20F8037E0A79715EEF29BE32806A1D58B" - + "B7C5DA76F550AA3D8A1FBFF0EB19CCB1A313D55CDA56C9EC2EF29632" - + "387FE8D76E3C0468043E8F663F4860EE12BF2D5B0B7474D6E694F91E" + "6DCC4024FFFFFFFFFFFFFFFF"; - private static final String rfc3526_6144_g = "02"; - public static final DHParameters rfc3526_6144 = fromPG(rfc3526_6144_p, rfc3526_6144_g); - - private static final String rfc3526_8192_p = "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - + "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" - + "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" + "83655D23DCA3AD961C62F356208552BB9ED529077096966D" - + "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" + "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" - + "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" + "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" - + "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" + "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" - + "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" + "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" - + "43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7" + "88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA" - + "2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6" + "287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED" - + "1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9" + "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934028492" - + "36C3FAB4D27C7026C1D4DCB2602646DEC9751E763DBA37BD" + "F8FF9406AD9E530EE5DB382F413001AEB06A53ED9027D831" - + "179727B0865A8918DA3EDBEBCF9B14ED44CE6CBACED4BB1B" + "DB7F1447E6CC254B332051512BD7AF426FB8F401378CD2BF" - + "5983CA01C64B92ECF032EA15D1721D03F482D7CE6E74FEF6" + "D55E702F46980C82B5A84031900B1C9E59E7C97FBEC7E8F3" - + "23A97A7E36CC88BE0F1D45B7FF585AC54BD407B22B4154AA" + "CC8F6D7EBF48E1D814CC5ED20F8037E0A79715EEF29BE328" - + "06A1D58BB7C5DA76F550AA3D8A1FBFF0EB19CCB1A313D55C" + "DA56C9EC2EF29632387FE8D76E3C0468043E8F663F4860EE" - + "12BF2D5B0B7474D6E694F91E6DBE115974A3926F12FEE5E4" + "38777CB6A932DF8CD8BEC4D073B931BA3BC832B68D9DD300" - + "741FA7BF8AFC47ED2576F6936BA424663AAB639C5AE4F568" + "3423B4742BF1C978238F16CBE39D652DE3FDB8BEFC848AD9" - + "22222E04A4037C0713EB57A81A23F0C73473FC646CEA306B" + "4BCBC8862F8385DDFA9D4B7FA2C087E879683303ED5BDD3A" - + "062B3CF5B3A278A66D2A13F83F44F82DDF310EE074AB6A36" + "4597E899A0255DC164F31CC50846851DF9AB48195DED7EA1" - + "B1D510BD7EE74D73FAF36BC31ECFA268359046F4EB879F92" + "4009438B481C6CD7889A002ED5EE382BC9190DA6FC026E47" - + "9558E4475677E9AA9E3050E2765694DFC81F56E880B96E71" + "60C980DD98EDD3DFFFFFFFFFFFFFFFFF"; - private static final String rfc3526_8192_g = "02"; - public static final DHParameters rfc3526_8192 = fromPG(rfc3526_8192_p, rfc3526_8192_g); - - /* - * RFC 4306 - */ - public static final DHParameters rfc4306_768 = rfc2409_768; - public static final DHParameters rfc4306_1024 = rfc2409_1024; - - /* - * RFC 5114 - */ - private static final String rfc5114_1024_160_p = "B10B8F96A080E01DDE92DE5EAE5D54EC52C99FBCFB06A3C6" - + "9A6A9DCA52D23B616073E28675A23D189838EF1E2EE652C0" + "13ECB4AEA906112324975C3CD49B83BFACCBDD7D90C4BD70" - + "98488E9C219A73724EFFD6FAE5644738FAA31A4FF55BCCC0" + "A151AF5F0DC8B4BD45BF37DF365C1A65E68CFDA76D4DA708" - + "DF1FB2BC2E4A4371"; - private static final String rfc5114_1024_160_g = "A4D1CBD5C3FD34126765A442EFB99905F8104DD258AC507F" - + "D6406CFF14266D31266FEA1E5C41564B777E690F5504F213" + "160217B4B01B886A5E91547F9E2749F4D7FBD7D3B9A92EE1" - + "909D0D2263F80A76A6A24C087A091F531DBF0A0169B6A28A" + "D662A4D18E73AFA32D779D5918D08BC8858F4DCEF97C2A24" - + "855E6EEB22B3B2E5"; - private static final String rfc5114_1024_160_q = "F518AA8781A8DF278ABA4E7D64B7CB9D49462353"; - public static final DHParameters rfc5114_1024_160 = fromPGQ(rfc5114_1024_160_p, rfc5114_1024_160_g, - rfc5114_1024_160_q); - - private static final String rfc5114_2048_224_p = "AD107E1E9123A9D0D660FAA79559C51FA20D64E5683B9FD1" - + "B54B1597B61D0A75E6FA141DF95A56DBAF9A3C407BA1DF15" + "EB3D688A309C180E1DE6B85A1274A0A66D3F8152AD6AC212" - + "9037C9EDEFDA4DF8D91E8FEF55B7394B7AD5B7D0B6C12207" + "C9F98D11ED34DBF6C6BA0B2C8BBC27BE6A00E0A0B9C49708" - + "B3BF8A317091883681286130BC8985DB1602E714415D9330" + "278273C7DE31EFDC7310F7121FD5A07415987D9ADC0A486D" - + "CDF93ACC44328387315D75E198C641A480CD86A1B9E587E8" + "BE60E69CC928B2B9C52172E413042E9B23F10B0E16E79763" - + "C9B53DCF4BA80A29E3FB73C16B8E75B97EF363E2FFA31F71" + "CF9DE5384E71B81C0AC4DFFE0C10E64F"; - private static final String rfc5114_2048_224_g = "AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF" - + "74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFA" + "AB739D7700C29F52C57DB17C620A8652BE5E9001A8D66AD7" - + "C17669101999024AF4D027275AC1348BB8A762D0521BC98A" + "E247150422EA1ED409939D54DA7460CDB5F6C6B250717CBE" - + "F180EB34118E98D119529A45D6F834566E3025E316A330EF" + "BB77A86F0C1AB15B051AE3D428C8F8ACB70A8137150B8EEB" - + "10E183EDD19963DDD9E263E4770589EF6AA21E7F5F2FF381" + "B539CCE3409D13CD566AFBB48D6C019181E1BCFE94B30269" - + "EDFE72FE9B6AA4BD7B5A0F1C71CFFF4C19C418E1F6EC0179" + "81BC087F2A7065B384B890D3191F2BFA"; - private static final String rfc5114_2048_224_q = "801C0D34C58D93FE997177101F80535A4738CEBCBF389A99B36371EB"; - public static final DHParameters rfc5114_2048_224 = fromPGQ(rfc5114_2048_224_p, rfc5114_2048_224_g, - rfc5114_2048_224_q); - - private static final String rfc5114_2048_256_p = "87A8E61DB4B6663CFFBBD19C651959998CEEF608660DD0F2" - + "5D2CEED4435E3B00E00DF8F1D61957D4FAF7DF4561B2AA30" + "16C3D91134096FAA3BF4296D830E9A7C209E0C6497517ABD" - + "5A8A9D306BCF67ED91F9E6725B4758C022E0B1EF4275BF7B" + "6C5BFC11D45F9088B941F54EB1E59BB8BC39A0BF12307F5C" - + "4FDB70C581B23F76B63ACAE1CAA6B7902D52526735488A0E" + "F13C6D9A51BFA4AB3AD8347796524D8EF6A167B5A41825D9" - + "67E144E5140564251CCACB83E6B486F6B3CA3F7971506026" + "C0B857F689962856DED4010ABD0BE621C3A3960A54E710C3" - + "75F26375D7014103A4B54330C198AF126116D2276E11715F" + "693877FAD7EF09CADB094AE91E1A1597"; - private static final String rfc5114_2048_256_g = "3FB32C9B73134D0B2E77506660EDBD484CA7B18F21EF2054" - + "07F4793A1A0BA12510DBC15077BE463FFF4FED4AAC0BB555" + "BE3A6C1B0C6B47B1BC3773BF7E8C6F62901228F8C28CBB18" - + "A55AE31341000A650196F931C77A57F2DDF463E5E9EC144B" + "777DE62AAAB8A8628AC376D282D6ED3864E67982428EBC83" - + "1D14348F6F2F9193B5045AF2767164E1DFC967C1FB3F2E55" + "A4BD1BFFE83B9C80D052B985D182EA0ADB2A3B7313D3FE14" - + "C8484B1E052588B9B7D2BBD2DF016199ECD06E1557CD0915" + "B3353BBB64E0EC377FD028370DF92B52C7891428CDC67EB6" - + "184B523D1DB246C32F63078490F00EF8D647D148D4795451" + "5E2327CFEF98C582664B4C0F6CC41659"; - private static final String rfc5114_2048_256_q = "8CF83642A709A097B447997640129DA299B1A47D1EB3750B" - + "A308B0FE64F5FBD3"; - public static final DHParameters rfc5114_2048_256 = fromPGQ(rfc5114_2048_256_p, rfc5114_2048_256_g, - rfc5114_2048_256_q); - - /* - * RFC 5996 - */ - public static final DHParameters rfc5996_768 = rfc4306_768; - public static final DHParameters rfc5996_1024 = rfc4306_1024; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/agreement/ECDHBasicAgreement.java b/core/src/main/java/org/bouncycastle/crypto/agreement/ECDHBasicAgreement.java deleted file mode 100644 index a491b9df..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/agreement/ECDHBasicAgreement.java +++ /dev/null @@ -1,54 +0,0 @@ -package org.bouncycastle.crypto.agreement; - -import java.math.BigInteger; - -import org.bouncycastle.crypto.BasicAgreement; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.params.ECPrivateKeyParameters; -import org.bouncycastle.crypto.params.ECPublicKeyParameters; -import org.bouncycastle.math.ec.ECPoint; - -/** - * P1363 7.2.1 ECSVDP-DH - * - * ECSVDP-DH is Elliptic Curve Secret Value Derivation Primitive, - * Diffie-Hellman version. It is based on the work of [DH76], [Mil86], - * and [Kob87]. This primitive derives a shared secret value from one - * party's private key and another party's public key, where both have - * the same set of EC domain parameters. If two parties correctly - * execute this primitive, they will produce the same output. This - * primitive can be invoked by a scheme to derive a shared secret key; - * specifically, it may be used with the schemes ECKAS-DH1 and - * DL/ECKAS-DH2. It assumes that the input keys are valid (see also - * Section 7.2.2). - */ -public class ECDHBasicAgreement - implements BasicAgreement -{ - private ECPrivateKeyParameters key; - - public void init( - CipherParameters key) - { - this.key = (ECPrivateKeyParameters)key; - } - - public int getFieldSize() - { - return (key.getParameters().getCurve().getFieldSize() + 7) / 8; - } - - public BigInteger calculateAgreement( - CipherParameters pubKey) - { - ECPublicKeyParameters pub = (ECPublicKeyParameters)pubKey; - ECPoint P = pub.getQ().multiply(key.getD()).normalize(); - - if (P.isInfinity()) - { - throw new IllegalStateException("Infinity is not a valid agreement value for ECDH"); - } - - return P.getAffineXCoord().toBigInteger(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/agreement/ECDHCBasicAgreement.java b/core/src/main/java/org/bouncycastle/crypto/agreement/ECDHCBasicAgreement.java deleted file mode 100644 index 28140df7..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/agreement/ECDHCBasicAgreement.java +++ /dev/null @@ -1,64 +0,0 @@ -package org.bouncycastle.crypto.agreement; - -import java.math.BigInteger; - -import org.bouncycastle.crypto.BasicAgreement; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.params.ECDomainParameters; -import org.bouncycastle.crypto.params.ECPrivateKeyParameters; -import org.bouncycastle.crypto.params.ECPublicKeyParameters; -import org.bouncycastle.math.ec.ECPoint; - -/** - * P1363 7.2.2 ECSVDP-DHC - * - * ECSVDP-DHC is Elliptic Curve Secret Value Derivation Primitive, - * Diffie-Hellman version with cofactor multiplication. It is based on - * the work of [DH76], [Mil86], [Kob87], [LMQ98] and [Kal98a]. This - * primitive derives a shared secret value from one party's private key - * and another party's public key, where both have the same set of EC - * domain parameters. If two parties correctly execute this primitive, - * they will produce the same output. This primitive can be invoked by a - * scheme to derive a shared secret key; specifically, it may be used - * with the schemes ECKAS-DH1 and DL/ECKAS-DH2. It does not assume the - * validity of the input public key (see also Section 7.2.1). - * <p> - * Note: As stated P1363 compatibility mode with ECDH can be preset, and - * in this case the implementation doesn't have a ECDH compatibility mode - * (if you want that just use ECDHBasicAgreement and note they both implement - * BasicAgreement!). - */ -public class ECDHCBasicAgreement - implements BasicAgreement -{ - ECPrivateKeyParameters key; - - public void init( - CipherParameters key) - { - this.key = (ECPrivateKeyParameters)key; - } - - public int getFieldSize() - { - return (key.getParameters().getCurve().getFieldSize() + 7) / 8; - } - - public BigInteger calculateAgreement( - CipherParameters pubKey) - { - ECPublicKeyParameters pub = (ECPublicKeyParameters)pubKey; - ECDomainParameters params = pub.getParameters(); - - BigInteger hd = params.getH().multiply(key.getD()).mod(params.getN()); - - ECPoint P = pub.getQ().multiply(hd).normalize(); - - if (P.isInfinity()) - { - throw new IllegalStateException("Infinity is not a valid agreement value for ECDHC"); - } - - return P.getAffineXCoord().toBigInteger(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/agreement/ECMQVBasicAgreement.java b/core/src/main/java/org/bouncycastle/crypto/agreement/ECMQVBasicAgreement.java deleted file mode 100644 index 794f555b..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/agreement/ECMQVBasicAgreement.java +++ /dev/null @@ -1,91 +0,0 @@ -package org.bouncycastle.crypto.agreement; - -import java.math.BigInteger; - -import org.bouncycastle.crypto.BasicAgreement; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.params.ECDomainParameters; -import org.bouncycastle.crypto.params.ECPrivateKeyParameters; -import org.bouncycastle.crypto.params.ECPublicKeyParameters; -import org.bouncycastle.crypto.params.MQVPrivateParameters; -import org.bouncycastle.crypto.params.MQVPublicParameters; -import org.bouncycastle.math.ec.ECAlgorithms; -import org.bouncycastle.math.ec.ECConstants; -import org.bouncycastle.math.ec.ECCurve; -import org.bouncycastle.math.ec.ECPoint; - -public class ECMQVBasicAgreement - implements BasicAgreement -{ - MQVPrivateParameters privParams; - - public void init( - CipherParameters key) - { - this.privParams = (MQVPrivateParameters)key; - } - - public int getFieldSize() - { - return (privParams.getStaticPrivateKey().getParameters().getCurve().getFieldSize() + 7) / 8; - } - - public BigInteger calculateAgreement(CipherParameters pubKey) - { - MQVPublicParameters pubParams = (MQVPublicParameters)pubKey; - - ECPrivateKeyParameters staticPrivateKey = privParams.getStaticPrivateKey(); - - ECPoint agreement = calculateMqvAgreement(staticPrivateKey.getParameters(), staticPrivateKey, - privParams.getEphemeralPrivateKey(), privParams.getEphemeralPublicKey(), - pubParams.getStaticPublicKey(), pubParams.getEphemeralPublicKey()).normalize(); - - if (agreement.isInfinity()) - { - throw new IllegalStateException("Infinity is not a valid agreement value for MQV"); - } - - return agreement.getAffineXCoord().toBigInteger(); - } - - // The ECMQV Primitive as described in SEC-1, 3.4 - private ECPoint calculateMqvAgreement( - ECDomainParameters parameters, - ECPrivateKeyParameters d1U, - ECPrivateKeyParameters d2U, - ECPublicKeyParameters Q2U, - ECPublicKeyParameters Q1V, - ECPublicKeyParameters Q2V) - { - BigInteger n = parameters.getN(); - int e = (n.bitLength() + 1) / 2; - BigInteger powE = ECConstants.ONE.shiftLeft(e); - - ECCurve curve = parameters.getCurve(); - - ECPoint[] points = new ECPoint[]{ - // The Q2U public key is optional - ECAlgorithms.importPoint(curve, Q2U == null ? parameters.getG().multiply(d2U.getD()) : Q2U.getQ()), - ECAlgorithms.importPoint(curve, Q1V.getQ()), - ECAlgorithms.importPoint(curve, Q2V.getQ()) - }; - - curve.normalizeAll(points); - - ECPoint q2u = points[0], q1v = points[1], q2v = points[2]; - - BigInteger x = q2u.getAffineXCoord().toBigInteger(); - BigInteger xBar = x.mod(powE); - BigInteger Q2UBar = xBar.setBit(e); - BigInteger s = d1U.getD().multiply(Q2UBar).add(d2U.getD()).mod(n); - - BigInteger xPrime = q2v.getAffineXCoord().toBigInteger(); - BigInteger xPrimeBar = xPrime.mod(powE); - BigInteger Q2VBar = xPrimeBar.setBit(e); - - BigInteger hs = parameters.getH().multiply(s).mod(n); - - return ECAlgorithms.sumOfTwoMultiplies( - q1v, Q2VBar.multiply(hs).mod(n), q2v, hs); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/agreement/jpake/JPAKEParticipant.java b/core/src/main/java/org/bouncycastle/crypto/agreement/jpake/JPAKEParticipant.java deleted file mode 100644 index 605b88ed..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/agreement/jpake/JPAKEParticipant.java +++ /dev/null @@ -1,546 +0,0 @@ -package org.bouncycastle.crypto.agreement.jpake; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.CryptoException; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.digests.SHA256Digest; -import org.bouncycastle.util.Arrays; - -/** - * A participant in a Password Authenticated Key Exchange by Juggling (J-PAKE) exchange. - * <p> - * The J-PAKE exchange is defined by Feng Hao and Peter Ryan in the paper - * <a href="http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf"> - * "Password Authenticated Key Exchange by Juggling, 2008."</a> - * <p> - * The J-PAKE protocol is symmetric. - * There is no notion of a <i>client</i> or <i>server</i>, but rather just two <i>participants</i>. - * An instance of {@link JPAKEParticipant} represents one participant, and - * is the primary interface for executing the exchange. - * <p> - * To execute an exchange, construct a {@link JPAKEParticipant} on each end, - * and call the following 7 methods - * (once and only once, in the given order, for each participant, sending messages between them as described): - * <ol> - * <li>{@link #createRound1PayloadToSend()} - and send the payload to the other participant</li> - * <li>{@link #validateRound1PayloadReceived(JPAKERound1Payload)} - use the payload received from the other participant</li> - * <li>{@link #createRound2PayloadToSend()} - and send the payload to the other participant</li> - * <li>{@link #validateRound2PayloadReceived(JPAKERound2Payload)} - use the payload received from the other participant</li> - * <li>{@link #calculateKeyingMaterial()}</li> - * <li>{@link #createRound3PayloadToSend(BigInteger)} - and send the payload to the other participant</li> - * <li>{@link #validateRound3PayloadReceived(JPAKERound3Payload, BigInteger)} - use the payload received from the other participant</li> - * </ol> - * <p> - * Each side should derive a session key from the keying material returned by {@link #calculateKeyingMaterial()}. - * The caller is responsible for deriving the session key using a secure key derivation function (KDF). - * <p> - * Round 3 is an optional key confirmation process. - * If you do not execute round 3, then there is no assurance that both participants are using the same key. - * (i.e. if the participants used different passwords, then their session keys will differ.) - * <p> - * If the round 3 validation succeeds, then the keys are guaranteed to be the same on both sides. - * <p> - * The symmetric design can easily support the asymmetric cases when one party initiates the communication. - * e.g. Sometimes the round1 payload and round2 payload may be sent in one pass. - * Also, in some cases, the key confirmation payload can be sent together with the round2 payload. - * These are the trivial techniques to optimize the communication. - * <p> - * The key confirmation process is implemented as specified in - * <a href="http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf">NIST SP 800-56A Revision 1</a>, - * Section 8.2 Unilateral Key Confirmation for Key Agreement Schemes. - * <p> - * This class is stateful and NOT threadsafe. - * Each instance should only be used for ONE complete J-PAKE exchange - * (i.e. a new {@link JPAKEParticipant} should be constructed for each new J-PAKE exchange). - * <p> - * See {@link JPAKEExample} for example usage. - */ -public class JPAKEParticipant -{ - /* - * Possible internal states. Used for state checking. - */ - - public static final int STATE_INITIALIZED = 0; - public static final int STATE_ROUND_1_CREATED = 10; - public static final int STATE_ROUND_1_VALIDATED = 20; - public static final int STATE_ROUND_2_CREATED = 30; - public static final int STATE_ROUND_2_VALIDATED = 40; - public static final int STATE_KEY_CALCULATED = 50; - public static final int STATE_ROUND_3_CREATED = 60; - public static final int STATE_ROUND_3_VALIDATED = 70; - - /** - * Unique identifier of this participant. - * The two participants in the exchange must NOT share the same id. - */ - private final String participantId; - - /** - * Shared secret. This only contains the secret between construction - * and the call to {@link #calculateKeyingMaterial()}. - * <p/> - * i.e. When {@link #calculateKeyingMaterial()} is called, this buffer overwritten with 0's, - * and the field is set to null. - */ - private char[] password; - - /** - * Digest to use during calculations. - */ - private final Digest digest; - - /** - * Source of secure random data. - */ - private final SecureRandom random; - - private final BigInteger p; - private final BigInteger q; - private final BigInteger g; - - /** - * The participantId of the other participant in this exchange. - */ - private String partnerParticipantId; - - /** - * Alice's x1 or Bob's x3. - */ - private BigInteger x1; - /** - * Alice's x2 or Bob's x4. - */ - private BigInteger x2; - /** - * Alice's g^x1 or Bob's g^x3. - */ - private BigInteger gx1; - /** - * Alice's g^x2 or Bob's g^x4. - */ - private BigInteger gx2; - /** - * Alice's g^x3 or Bob's g^x1. - */ - private BigInteger gx3; - /** - * Alice's g^x4 or Bob's g^x2. - */ - private BigInteger gx4; - /** - * Alice's B or Bob's A. - */ - private BigInteger b; - - /** - * The current state. - * See the <tt>STATE_*</tt> constants for possible values. - */ - private int state; - - /** - * Convenience constructor for a new {@link JPAKEParticipant} that uses - * the {@link JPAKEPrimeOrderGroups#NIST_3072} prime order group, - * a SHA-256 digest, and a default {@link SecureRandom} implementation. - * <p> - * After construction, the {@link #getState() state} will be {@link #STATE_INITIALIZED}. - * - * @param participantId unique identifier of this participant. - * The two participants in the exchange must NOT share the same id. - * @param password shared secret. - * A defensive copy of this array is made (and cleared once {@link #calculateKeyingMaterial()} is called). - * Caller should clear the input password as soon as possible. - * @throws NullPointerException if any argument is null - * @throws IllegalArgumentException if password is empty - */ - public JPAKEParticipant( - String participantId, - char[] password) - { - this( - participantId, - password, - JPAKEPrimeOrderGroups.NIST_3072); - } - - - /** - * Convenience constructor for a new {@link JPAKEParticipant} that uses - * a SHA-256 digest and a default {@link SecureRandom} implementation. - * <p> - * After construction, the {@link #getState() state} will be {@link #STATE_INITIALIZED}. - * - * @param participantId unique identifier of this participant. - * The two participants in the exchange must NOT share the same id. - * @param password shared secret. - * A defensive copy of this array is made (and cleared once {@link #calculateKeyingMaterial()} is called). - * Caller should clear the input password as soon as possible. - * @param group prime order group. - * See {@link JPAKEPrimeOrderGroups} for standard groups - * @throws NullPointerException if any argument is null - * @throws IllegalArgumentException if password is empty - */ - public JPAKEParticipant( - String participantId, - char[] password, - JPAKEPrimeOrderGroup group) - { - this( - participantId, - password, - group, - new SHA256Digest(), - new SecureRandom()); - } - - - /** - * Construct a new {@link JPAKEParticipant}. - * <p> - * After construction, the {@link #getState() state} will be {@link #STATE_INITIALIZED}. - * - * @param participantId unique identifier of this participant. - * The two participants in the exchange must NOT share the same id. - * @param password shared secret. - * A defensive copy of this array is made (and cleared once {@link #calculateKeyingMaterial()} is called). - * Caller should clear the input password as soon as possible. - * @param group prime order group. - * See {@link JPAKEPrimeOrderGroups} for standard groups - * @param digest digest to use during zero knowledge proofs and key confirmation (SHA-256 or stronger preferred) - * @param random source of secure random data for x1 and x2, and for the zero knowledge proofs - * @throws NullPointerException if any argument is null - * @throws IllegalArgumentException if password is empty - */ - public JPAKEParticipant( - String participantId, - char[] password, - JPAKEPrimeOrderGroup group, - Digest digest, - SecureRandom random) - { - JPAKEUtil.validateNotNull(participantId, "participantId"); - JPAKEUtil.validateNotNull(password, "password"); - JPAKEUtil.validateNotNull(group, "p"); - JPAKEUtil.validateNotNull(digest, "digest"); - JPAKEUtil.validateNotNull(random, "random"); - if (password.length == 0) - { - throw new IllegalArgumentException("Password must not be empty."); - } - - this.participantId = participantId; - - /* - * Create a defensive copy so as to fully encapsulate the password. - * - * This array will contain the password for the lifetime of this - * participant BEFORE {@link #calculateKeyingMaterial()} is called. - * - * i.e. When {@link #calculateKeyingMaterial()} is called, the array will be cleared - * in order to remove the password from memory. - * - * The caller is responsible for clearing the original password array - * given as input to this constructor. - */ - this.password = Arrays.copyOf(password, password.length); - - this.p = group.getP(); - this.q = group.getQ(); - this.g = group.getG(); - - this.digest = digest; - this.random = random; - - this.state = STATE_INITIALIZED; - } - - /** - * Gets the current state of this participant. - * See the <tt>STATE_*</tt> constants for possible values. - */ - public int getState() - { - return this.state; - } - - /** - * Creates and returns the payload to send to the other participant during round 1. - * <p> - * After execution, the {@link #getState() state} will be {@link #STATE_ROUND_1_CREATED}. - */ - public JPAKERound1Payload createRound1PayloadToSend() - { - if (this.state >= STATE_ROUND_1_CREATED) - { - throw new IllegalStateException("Round1 payload already created for " + participantId); - } - - this.x1 = JPAKEUtil.generateX1(q, random); - this.x2 = JPAKEUtil.generateX2(q, random); - - this.gx1 = JPAKEUtil.calculateGx(p, g, x1); - this.gx2 = JPAKEUtil.calculateGx(p, g, x2); - BigInteger[] knowledgeProofForX1 = JPAKEUtil.calculateZeroKnowledgeProof(p, q, g, gx1, x1, participantId, digest, random); - BigInteger[] knowledgeProofForX2 = JPAKEUtil.calculateZeroKnowledgeProof(p, q, g, gx2, x2, participantId, digest, random); - - this.state = STATE_ROUND_1_CREATED; - - return new JPAKERound1Payload(participantId, gx1, gx2, knowledgeProofForX1, knowledgeProofForX2); - } - - /** - * Validates the payload received from the other participant during round 1. - * <p> - * Must be called prior to {@link #createRound2PayloadToSend()}. - * <p> - * After execution, the {@link #getState() state} will be {@link #STATE_ROUND_1_VALIDATED}. - * - * @throws CryptoException if validation fails. - * @throws IllegalStateException if called multiple times. - */ - public void validateRound1PayloadReceived(JPAKERound1Payload round1PayloadReceived) - throws CryptoException - { - if (this.state >= STATE_ROUND_1_VALIDATED) - { - throw new IllegalStateException("Validation already attempted for round1 payload for" + participantId); - } - this.partnerParticipantId = round1PayloadReceived.getParticipantId(); - this.gx3 = round1PayloadReceived.getGx1(); - this.gx4 = round1PayloadReceived.getGx2(); - - BigInteger[] knowledgeProofForX3 = round1PayloadReceived.getKnowledgeProofForX1(); - BigInteger[] knowledgeProofForX4 = round1PayloadReceived.getKnowledgeProofForX2(); - - JPAKEUtil.validateParticipantIdsDiffer(participantId, round1PayloadReceived.getParticipantId()); - JPAKEUtil.validateGx4(gx4); - JPAKEUtil.validateZeroKnowledgeProof(p, q, g, gx3, knowledgeProofForX3, round1PayloadReceived.getParticipantId(), digest); - JPAKEUtil.validateZeroKnowledgeProof(p, q, g, gx4, knowledgeProofForX4, round1PayloadReceived.getParticipantId(), digest); - - this.state = STATE_ROUND_1_VALIDATED; - } - - /** - * Creates and returns the payload to send to the other participant during round 2. - * <p> - * {@link #validateRound1PayloadReceived(JPAKERound1Payload)} must be called prior to this method. - * <p> - * After execution, the {@link #getState() state} will be {@link #STATE_ROUND_2_CREATED}. - * - * @throws IllegalStateException if called prior to {@link #validateRound1PayloadReceived(JPAKERound1Payload)}, or multiple times - */ - public JPAKERound2Payload createRound2PayloadToSend() - { - if (this.state >= STATE_ROUND_2_CREATED) - { - throw new IllegalStateException("Round2 payload already created for " + this.participantId); - } - if (this.state < STATE_ROUND_1_VALIDATED) - { - throw new IllegalStateException("Round1 payload must be validated prior to creating Round2 payload for " + this.participantId); - } - BigInteger gA = JPAKEUtil.calculateGA(p, gx1, gx3, gx4); - BigInteger s = JPAKEUtil.calculateS(password); - BigInteger x2s = JPAKEUtil.calculateX2s(q, x2, s); - BigInteger A = JPAKEUtil.calculateA(p, q, gA, x2s); - BigInteger[] knowledgeProofForX2s = JPAKEUtil.calculateZeroKnowledgeProof(p, q, gA, A, x2s, participantId, digest, random); - - this.state = STATE_ROUND_2_CREATED; - - return new JPAKERound2Payload(participantId, A, knowledgeProofForX2s); - } - - /** - * Validates the payload received from the other participant during round 2. - * <p> - * Note that this DOES NOT detect a non-common password. - * The only indication of a non-common password is through derivation - * of different keys (which can be detected explicitly by executing round 3 and round 4) - * <p> - * Must be called prior to {@link #calculateKeyingMaterial()}. - * <p> - * After execution, the {@link #getState() state} will be {@link #STATE_ROUND_2_VALIDATED}. - * - * @throws CryptoException if validation fails. - * @throws IllegalStateException if called prior to {@link #validateRound1PayloadReceived(JPAKERound1Payload)}, or multiple times - */ - public void validateRound2PayloadReceived(JPAKERound2Payload round2PayloadReceived) - throws CryptoException - { - if (this.state >= STATE_ROUND_2_VALIDATED) - { - throw new IllegalStateException("Validation already attempted for round2 payload for" + participantId); - } - if (this.state < STATE_ROUND_1_VALIDATED) - { - throw new IllegalStateException("Round1 payload must be validated prior to validating Round2 payload for " + this.participantId); - } - BigInteger gB = JPAKEUtil.calculateGA(p, gx3, gx1, gx2); - this.b = round2PayloadReceived.getA(); - BigInteger[] knowledgeProofForX4s = round2PayloadReceived.getKnowledgeProofForX2s(); - - JPAKEUtil.validateParticipantIdsDiffer(participantId, round2PayloadReceived.getParticipantId()); - JPAKEUtil.validateParticipantIdsEqual(this.partnerParticipantId, round2PayloadReceived.getParticipantId()); - JPAKEUtil.validateGa(gB); - JPAKEUtil.validateZeroKnowledgeProof(p, q, gB, b, knowledgeProofForX4s, round2PayloadReceived.getParticipantId(), digest); - - this.state = STATE_ROUND_2_VALIDATED; - } - - /** - * Calculates and returns the key material. - * A session key must be derived from this key material using a secure key derivation function (KDF). - * The KDF used to derive the key is handled externally (i.e. not by {@link JPAKEParticipant}). - * <p> - * The keying material will be identical for each participant if and only if - * each participant's password is the same. i.e. If the participants do not - * share the same password, then each participant will derive a different key. - * Therefore, if you immediately start using a key derived from - * the keying material, then you must handle detection of incorrect keys. - * If you want to handle this detection explicitly, you can optionally perform - * rounds 3 and 4. See {@link JPAKEParticipant} for details on how to execute - * rounds 3 and 4. - * <p> - * The keying material will be in the range <tt>[0, p-1]</tt>. - * <p> - * {@link #validateRound2PayloadReceived(JPAKERound2Payload)} must be called prior to this method. - * <p> - * As a side effect, the internal {@link #password} array is cleared, since it is no longer needed. - * <p> - * After execution, the {@link #getState() state} will be {@link #STATE_KEY_CALCULATED}. - * - * @throws IllegalStateException if called prior to {@link #validateRound2PayloadReceived(JPAKERound2Payload)}, - * or if called multiple times. - */ - public BigInteger calculateKeyingMaterial() - { - if (this.state >= STATE_KEY_CALCULATED) - { - throw new IllegalStateException("Key already calculated for " + participantId); - } - if (this.state < STATE_ROUND_2_VALIDATED) - { - throw new IllegalStateException("Round2 payload must be validated prior to creating key for " + participantId); - } - BigInteger s = JPAKEUtil.calculateS(password); - - /* - * Clear the password array from memory, since we don't need it anymore. - * - * Also set the field to null as a flag to indicate that the key has already been calculated. - */ - Arrays.fill(password, (char)0); - this.password = null; - - BigInteger keyingMaterial = JPAKEUtil.calculateKeyingMaterial(p, q, gx4, x2, s, b); - - /* - * Clear the ephemeral private key fields as well. - * Note that we're relying on the garbage collector to do its job to clean these up. - * The old objects will hang around in memory until the garbage collector destroys them. - * - * If the ephemeral private keys x1 and x2 are leaked, - * the attacker might be able to brute-force the password. - */ - this.x1 = null; - this.x2 = null; - this.b = null; - - /* - * Do not clear gx* yet, since those are needed by round 3. - */ - - this.state = STATE_KEY_CALCULATED; - - return keyingMaterial; - } - - - /** - * Creates and returns the payload to send to the other participant during round 3. - * <p> - * See {@link JPAKEParticipant} for more details on round 3. - * <p> - * After execution, the {@link #getState() state} will be {@link #STATE_ROUND_3_CREATED}. - * - * @param keyingMaterial The keying material as returned from {@link #calculateKeyingMaterial()}. - * @throws IllegalStateException if called prior to {@link #calculateKeyingMaterial()}, or multiple times - */ - public JPAKERound3Payload createRound3PayloadToSend(BigInteger keyingMaterial) - { - if (this.state >= STATE_ROUND_3_CREATED) - { - throw new IllegalStateException("Round3 payload already created for " + this.participantId); - } - if (this.state < STATE_KEY_CALCULATED) - { - throw new IllegalStateException("Keying material must be calculated prior to creating Round3 payload for " + this.participantId); - } - - BigInteger macTag = JPAKEUtil.calculateMacTag( - this.participantId, - this.partnerParticipantId, - this.gx1, - this.gx2, - this.gx3, - this.gx4, - keyingMaterial, - this.digest); - - this.state = STATE_ROUND_3_CREATED; - - return new JPAKERound3Payload(participantId, macTag); - } - - /** - * Validates the payload received from the other participant during round 3. - * <p> - * See {@link JPAKEParticipant} for more details on round 3. - * <p> - * After execution, the {@link #getState() state} will be {@link #STATE_ROUND_3_VALIDATED}. - * - * @param keyingMaterial The keying material as returned from {@link #calculateKeyingMaterial()}. - * @throws CryptoException if validation fails. - * @throws IllegalStateException if called prior to {@link #calculateKeyingMaterial()}, or multiple times - */ - public void validateRound3PayloadReceived(JPAKERound3Payload round3PayloadReceived, BigInteger keyingMaterial) - throws CryptoException - { - if (this.state >= STATE_ROUND_3_VALIDATED) - { - throw new IllegalStateException("Validation already attempted for round3 payload for" + participantId); - } - if (this.state < STATE_KEY_CALCULATED) - { - throw new IllegalStateException("Keying material must be calculated validated prior to validating Round3 payload for " + this.participantId); - } - JPAKEUtil.validateParticipantIdsDiffer(participantId, round3PayloadReceived.getParticipantId()); - JPAKEUtil.validateParticipantIdsEqual(this.partnerParticipantId, round3PayloadReceived.getParticipantId()); - - JPAKEUtil.validateMacTag( - this.participantId, - this.partnerParticipantId, - this.gx1, - this.gx2, - this.gx3, - this.gx4, - keyingMaterial, - this.digest, - round3PayloadReceived.getMacTag()); - - - /* - * Clear the rest of the fields. - */ - this.gx1 = null; - this.gx2 = null; - this.gx3 = null; - this.gx4 = null; - - this.state = STATE_ROUND_3_VALIDATED; - } - -} diff --git a/core/src/main/java/org/bouncycastle/crypto/agreement/jpake/JPAKEPrimeOrderGroup.java b/core/src/main/java/org/bouncycastle/crypto/agreement/jpake/JPAKEPrimeOrderGroup.java deleted file mode 100644 index ad2c6aea..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/agreement/jpake/JPAKEPrimeOrderGroup.java +++ /dev/null @@ -1,115 +0,0 @@ -package org.bouncycastle.crypto.agreement.jpake; - -import java.math.BigInteger; - -/** - * A pre-computed prime order group for use during a J-PAKE exchange. - * <p> - * Typically a Schnorr group is used. In general, J-PAKE can use any prime order group - * that is suitable for public key cryptography, including elliptic curve cryptography. - * <p> - * See {@link JPAKEPrimeOrderGroups} for convenient standard groups. - * <p> - * NIST <a href="http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/DSA2_All.pdf">publishes</a> - * many groups that can be used for the desired level of security. - */ -public class JPAKEPrimeOrderGroup -{ - private final BigInteger p; - private final BigInteger q; - private final BigInteger g; - - /** - * Constructs a new {@link JPAKEPrimeOrderGroup}. - * <p> - * In general, you should use one of the pre-approved groups from - * {@link JPAKEPrimeOrderGroups}, rather than manually constructing one. - * <p> - * The following basic checks are performed: - * <ul> - * <li>p-1 must be evenly divisible by q</li> - * <li>g must be in [2, p-1]</li> - * <li>g^q mod p must equal 1</li> - * <li>p must be prime (within reasonably certainty)</li> - * <li>q must be prime (within reasonably certainty)</li> - * </ul> - * <p> - * The prime checks are performed using {@link BigInteger#isProbablePrime(int)}, - * and are therefore subject to the same probability guarantees. - * <p> - * These checks prevent trivial mistakes. - * However, due to the small uncertainties if p and q are not prime, - * advanced attacks are not prevented. - * Use it at your own risk. - * - * @throws NullPointerException if any argument is null - * @throws IllegalArgumentException if any of the above validations fail - */ - public JPAKEPrimeOrderGroup(BigInteger p, BigInteger q, BigInteger g) - { - /* - * Don't skip the checks on user-specified groups. - */ - this(p, q, g, false); - } - - /** - * Internal package-private constructor used by the pre-approved - * groups in {@link JPAKEPrimeOrderGroups}. - * These pre-approved groups can avoid the expensive checks. - */ - JPAKEPrimeOrderGroup(BigInteger p, BigInteger q, BigInteger g, boolean skipChecks) - { - JPAKEUtil.validateNotNull(p, "p"); - JPAKEUtil.validateNotNull(q, "q"); - JPAKEUtil.validateNotNull(g, "g"); - - if (!skipChecks) - { - if (!p.subtract(JPAKEUtil.ONE).mod(q).equals(JPAKEUtil.ZERO)) - { - throw new IllegalArgumentException("p-1 must be evenly divisible by q"); - } - if (g.compareTo(BigInteger.valueOf(2)) == -1 || g.compareTo(p.subtract(JPAKEUtil.ONE)) == 1) - { - throw new IllegalArgumentException("g must be in [2, p-1]"); - } - if (!g.modPow(q, p).equals(JPAKEUtil.ONE)) - { - throw new IllegalArgumentException("g^q mod p must equal 1"); - } - /* - * Note that these checks do not guarantee that p and q are prime. - * We just have reasonable certainty that they are prime. - */ - if (!p.isProbablePrime(20)) - { - throw new IllegalArgumentException("p must be prime"); - } - if (!q.isProbablePrime(20)) - { - throw new IllegalArgumentException("q must be prime"); - } - } - - this.p = p; - this.q = q; - this.g = g; - } - - public BigInteger getP() - { - return p; - } - - public BigInteger getQ() - { - return q; - } - - public BigInteger getG() - { - return g; - } - -} diff --git a/core/src/main/java/org/bouncycastle/crypto/agreement/jpake/JPAKEPrimeOrderGroups.java b/core/src/main/java/org/bouncycastle/crypto/agreement/jpake/JPAKEPrimeOrderGroups.java deleted file mode 100644 index 2fb18613..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/agreement/jpake/JPAKEPrimeOrderGroups.java +++ /dev/null @@ -1,111 +0,0 @@ -package org.bouncycastle.crypto.agreement.jpake; - -import java.math.BigInteger; - -/** - * Standard pre-computed prime order groups for use by J-PAKE. - * (J-PAKE can use pre-computed prime order groups, same as DSA and Diffie-Hellman.) - * <p> - * This class contains some convenient constants for use as input for - * constructing {@link JPAKEParticipant}s. - * <p> - * The prime order groups below are taken from Sun's JDK JavaDoc (docs/guide/security/CryptoSpec.html#AppB), - * and from the prime order groups - * <a href="http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/DSA2_All.pdf">published by NIST</a>. - */ -public class JPAKEPrimeOrderGroups -{ - /** - * From Sun's JDK JavaDoc (docs/guide/security/CryptoSpec.html#AppB) - * 1024-bit p, 160-bit q and 1024-bit g for 80-bit security. - */ - public static final JPAKEPrimeOrderGroup SUN_JCE_1024 = new JPAKEPrimeOrderGroup( - // p - new BigInteger( - "fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b6512669" + - "455d402251fb593d8d58fabfc5f5ba30f6cb9b556cd7813b801d346ff26660b7" + - "6b9950a5a49f9fe8047b1022c24fbba9d7feb7c61bf83b57e7c6a8a6150f04fb" + - "83f6d3c51ec3023554135a169132f675f3ae2b61d72aeff22203199dd14801c7", 16), - // q - new BigInteger( - "9760508f15230bccb292b982a2eb840bf0581cf5", 16), - // g - new BigInteger( - "f7e1a085d69b3ddecbbcab5c36b857b97994afbbfa3aea82f9574c0b3d078267" + - "5159578ebad4594fe67107108180b449167123e84c281613b7cf09328cc8a6e1" + - "3c167a8b547c8d28e0a3ae1e2bb3a675916ea37f0bfa213562f1fb627a01243b" + - "cca4f1bea8519089a883dfe15ae59f06928b665e807b552564014c3bfecf492a", 16), - true - ); - - /** - * From NIST. - * 2048-bit p, 224-bit q and 2048-bit g for 112-bit security. - */ - public static final JPAKEPrimeOrderGroup NIST_2048 = new JPAKEPrimeOrderGroup( - // p - new BigInteger( - "C196BA05AC29E1F9C3C72D56DFFC6154A033F1477AC88EC37F09BE6C5BB95F51" + - "C296DD20D1A28A067CCC4D4316A4BD1DCA55ED1066D438C35AEBAABF57E7DAE4" + - "28782A95ECA1C143DB701FD48533A3C18F0FE23557EA7AE619ECACC7E0B51652" + - "A8776D02A425567DED36EABD90CA33A1E8D988F0BBB92D02D1D20290113BB562" + - "CE1FC856EEB7CDD92D33EEA6F410859B179E7E789A8F75F645FAE2E136D252BF" + - "FAFF89528945C1ABE705A38DBC2D364AADE99BE0D0AAD82E5320121496DC65B3" + - "930E38047294FF877831A16D5228418DE8AB275D7D75651CEFED65F78AFC3EA7" + - "FE4D79B35F62A0402A1117599ADAC7B269A59F353CF450E6982D3B1702D9CA83", 16), - // q - new BigInteger( - "90EAF4D1AF0708B1B612FF35E0A2997EB9E9D263C9CE659528945C0D", 16), - // g - new BigInteger( - "A59A749A11242C58C894E9E5A91804E8FA0AC64B56288F8D47D51B1EDC4D6544" + - "4FECA0111D78F35FC9FDD4CB1F1B79A3BA9CBEE83A3F811012503C8117F98E50" + - "48B089E387AF6949BF8784EBD9EF45876F2E6A5A495BE64B6E770409494B7FEE" + - "1DBB1E4B2BC2A53D4F893D418B7159592E4FFFDF6969E91D770DAEBD0B5CB14C" + - "00AD68EC7DC1E5745EA55C706C4A1C5C88964E34D09DEB753AD418C1AD0F4FDF" + - "D049A955E5D78491C0B7A2F1575A008CCD727AB376DB6E695515B05BD412F5B8" + - "C2F4C77EE10DA48ABD53F5DD498927EE7B692BBBCDA2FB23A516C5B4533D7398" + - "0B2A3B60E384ED200AE21B40D273651AD6060C13D97FD69AA13C5611A51B9085", 16), - true - ); - - /** - * From NIST. - * 3072-bit p, 256-bit q and 3072-bit g for 128-bit security. - */ - public static final JPAKEPrimeOrderGroup NIST_3072 = new JPAKEPrimeOrderGroup( - // p - new BigInteger( - "90066455B5CFC38F9CAA4A48B4281F292C260FEEF01FD61037E56258A7795A1C" + - "7AD46076982CE6BB956936C6AB4DCFE05E6784586940CA544B9B2140E1EB523F" + - "009D20A7E7880E4E5BFA690F1B9004A27811CD9904AF70420EEFD6EA11EF7DA1" + - "29F58835FF56B89FAA637BC9AC2EFAAB903402229F491D8D3485261CD068699B" + - "6BA58A1DDBBEF6DB51E8FE34E8A78E542D7BA351C21EA8D8F1D29F5D5D159394" + - "87E27F4416B0CA632C59EFD1B1EB66511A5A0FBF615B766C5862D0BD8A3FE7A0" + - "E0DA0FB2FE1FCB19E8F9996A8EA0FCCDE538175238FC8B0EE6F29AF7F642773E" + - "BE8CD5402415A01451A840476B2FCEB0E388D30D4B376C37FE401C2A2C2F941D" + - "AD179C540C1C8CE030D460C4D983BE9AB0B20F69144C1AE13F9383EA1C08504F" + - "B0BF321503EFE43488310DD8DC77EC5B8349B8BFE97C2C560EA878DE87C11E3D" + - "597F1FEA742D73EEC7F37BE43949EF1A0D15C3F3E3FC0A8335617055AC91328E" + - "C22B50FC15B941D3D1624CD88BC25F3E941FDDC6200689581BFEC416B4B2CB73", 16), - // q - new BigInteger( - "CFA0478A54717B08CE64805B76E5B14249A77A4838469DF7F7DC987EFCCFB11D", 16), - // g - new BigInteger( - "5E5CBA992E0A680D885EB903AEA78E4A45A469103D448EDE3B7ACCC54D521E37" + - "F84A4BDD5B06B0970CC2D2BBB715F7B82846F9A0C393914C792E6A923E2117AB" + - "805276A975AADB5261D91673EA9AAFFEECBFA6183DFCB5D3B7332AA19275AFA1" + - "F8EC0B60FB6F66CC23AE4870791D5982AAD1AA9485FD8F4A60126FEB2CF05DB8" + - "A7F0F09B3397F3937F2E90B9E5B9C9B6EFEF642BC48351C46FB171B9BFA9EF17" + - "A961CE96C7E7A7CC3D3D03DFAD1078BA21DA425198F07D2481622BCE45969D9C" + - "4D6063D72AB7A0F08B2F49A7CC6AF335E08C4720E31476B67299E231F8BD90B3" + - "9AC3AE3BE0C6B6CACEF8289A2E2873D58E51E029CAFBD55E6841489AB66B5B4B" + - "9BA6E2F784660896AFF387D92844CCB8B69475496DE19DA2E58259B090489AC8" + - "E62363CDF82CFD8EF2A427ABCD65750B506F56DDE3B988567A88126B914D7828" + - "E2B63A6D7ED0747EC59E0E0A23CE7D8A74C1D2C2A7AFB6A29799620F00E11C33" + - "787F7DED3B30E1A22D09F1FBDA1ABBBFBF25CAE05A13F812E34563F99410E73B", 16), - true - ); - -} diff --git a/core/src/main/java/org/bouncycastle/crypto/agreement/jpake/JPAKERound1Payload.java b/core/src/main/java/org/bouncycastle/crypto/agreement/jpake/JPAKERound1Payload.java deleted file mode 100644 index 086196dd..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/agreement/jpake/JPAKERound1Payload.java +++ /dev/null @@ -1,96 +0,0 @@ -package org.bouncycastle.crypto.agreement.jpake; - -import java.math.BigInteger; - -import org.bouncycastle.util.Arrays; - -/** - * The payload sent/received during the first round of a J-PAKE exchange. - * <p> - * Each {@link JPAKEParticipant} creates and sends an instance - * of this payload to the other {@link JPAKEParticipant}. - * The payload to send should be created via - * {@link JPAKEParticipant#createRound1PayloadToSend()}. - * <p> - * Each {@link JPAKEParticipant} must also validate the payload - * received from the other {@link JPAKEParticipant}. - * The received payload should be validated via - * {@link JPAKEParticipant#validateRound1PayloadReceived(JPAKERound1Payload)}. - */ -public class JPAKERound1Payload -{ - /** - * The id of the {@link JPAKEParticipant} who created/sent this payload. - */ - private final String participantId; - - /** - * The value of g^x1 - */ - private final BigInteger gx1; - - /** - * The value of g^x2 - */ - private final BigInteger gx2; - - /** - * The zero knowledge proof for x1. - * <p/> - * This is a two element array, containing {g^v, r} for x1. - */ - private final BigInteger[] knowledgeProofForX1; - - /** - * The zero knowledge proof for x2. - * <p/> - * This is a two element array, containing {g^v, r} for x2. - */ - private final BigInteger[] knowledgeProofForX2; - - public JPAKERound1Payload( - String participantId, - BigInteger gx1, - BigInteger gx2, - BigInteger[] knowledgeProofForX1, - BigInteger[] knowledgeProofForX2) - { - JPAKEUtil.validateNotNull(participantId, "participantId"); - JPAKEUtil.validateNotNull(gx1, "gx1"); - JPAKEUtil.validateNotNull(gx2, "gx2"); - JPAKEUtil.validateNotNull(knowledgeProofForX1, "knowledgeProofForX1"); - JPAKEUtil.validateNotNull(knowledgeProofForX2, "knowledgeProofForX2"); - - this.participantId = participantId; - this.gx1 = gx1; - this.gx2 = gx2; - this.knowledgeProofForX1 = Arrays.copyOf(knowledgeProofForX1, knowledgeProofForX1.length); - this.knowledgeProofForX2 = Arrays.copyOf(knowledgeProofForX2, knowledgeProofForX2.length); - } - - public String getParticipantId() - { - return participantId; - } - - public BigInteger getGx1() - { - return gx1; - } - - public BigInteger getGx2() - { - return gx2; - } - - public BigInteger[] getKnowledgeProofForX1() - { - return Arrays.copyOf(knowledgeProofForX1, knowledgeProofForX1.length); - } - - public BigInteger[] getKnowledgeProofForX2() - { - return Arrays.copyOf(knowledgeProofForX2, knowledgeProofForX2.length); - } - -} diff --git a/core/src/main/java/org/bouncycastle/crypto/agreement/jpake/JPAKERound2Payload.java b/core/src/main/java/org/bouncycastle/crypto/agreement/jpake/JPAKERound2Payload.java deleted file mode 100644 index e047443e..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/agreement/jpake/JPAKERound2Payload.java +++ /dev/null @@ -1,68 +0,0 @@ -package org.bouncycastle.crypto.agreement.jpake; - -import java.math.BigInteger; - -import org.bouncycastle.util.Arrays; - -/** - * The payload sent/received during the second round of a J-PAKE exchange. - * <p> - * Each {@link JPAKEParticipant} creates and sends an instance - * of this payload to the other {@link JPAKEParticipant}. - * The payload to send should be created via - * {@link JPAKEParticipant#createRound2PayloadToSend()} - * <p> - * Each {@link JPAKEParticipant} must also validate the payload - * received from the other {@link JPAKEParticipant}. - * The received payload should be validated via - * {@link JPAKEParticipant#validateRound2PayloadReceived(JPAKERound2Payload)} - */ -public class JPAKERound2Payload -{ - /** - * The id of the {@link JPAKEParticipant} who created/sent this payload. - */ - private final String participantId; - - /** - * The value of A, as computed during round 2. - */ - private final BigInteger a; - - /** - * The zero knowledge proof for x2 * s. - * <p/> - * This is a two element array, containing {g^v, r} for x2 * s. - */ - private final BigInteger[] knowledgeProofForX2s; - - public JPAKERound2Payload( - String participantId, - BigInteger a, - BigInteger[] knowledgeProofForX2s) - { - JPAKEUtil.validateNotNull(participantId, "participantId"); - JPAKEUtil.validateNotNull(a, "a"); - JPAKEUtil.validateNotNull(knowledgeProofForX2s, "knowledgeProofForX2s"); - - this.participantId = participantId; - this.a = a; - this.knowledgeProofForX2s = Arrays.copyOf(knowledgeProofForX2s, knowledgeProofForX2s.length); - } - - public String getParticipantId() - { - return participantId; - } - - public BigInteger getA() - { - return a; - } - - public BigInteger[] getKnowledgeProofForX2s() - { - return Arrays.copyOf(knowledgeProofForX2s, knowledgeProofForX2s.length); - } - -} diff --git a/core/src/main/java/org/bouncycastle/crypto/agreement/jpake/JPAKERound3Payload.java b/core/src/main/java/org/bouncycastle/crypto/agreement/jpake/JPAKERound3Payload.java deleted file mode 100644 index 0fe1cba9..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/agreement/jpake/JPAKERound3Payload.java +++ /dev/null @@ -1,49 +0,0 @@ -package org.bouncycastle.crypto.agreement.jpake; - -import java.math.BigInteger; - -/** - * The payload sent/received during the optional third round of a J-PAKE exchange, - * which is for explicit key confirmation. - * <p> - * Each {@link JPAKEParticipant} creates and sends an instance - * of this payload to the other {@link JPAKEParticipant}. - * The payload to send should be created via - * {@link JPAKEParticipant#createRound3PayloadToSend(BigInteger)} - * <p> - * Each {@link JPAKEParticipant} must also validate the payload - * received from the other {@link JPAKEParticipant}. - * The received payload should be validated via - * {@link JPAKEParticipant#validateRound3PayloadReceived(JPAKERound3Payload, BigInteger)} - */ -public class JPAKERound3Payload -{ - /** - * The id of the {@link JPAKEParticipant} who created/sent this payload. - */ - private final String participantId; - - /** - * The value of MacTag, as computed by round 3. - * - * @see JPAKEUtil#calculateMacTag(String, String, BigInteger, BigInteger, BigInteger, BigInteger, BigInteger, org.bouncycastle.crypto.Digest) - */ - private final BigInteger macTag; - - public JPAKERound3Payload(String participantId, BigInteger magTag) - { - this.participantId = participantId; - this.macTag = magTag; - } - - public String getParticipantId() - { - return participantId; - } - - public BigInteger getMacTag() - { - return macTag; - } - -} diff --git a/core/src/main/java/org/bouncycastle/crypto/agreement/jpake/JPAKEUtil.java b/core/src/main/java/org/bouncycastle/crypto/agreement/jpake/JPAKEUtil.java deleted file mode 100644 index 0a6c5fe4..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/agreement/jpake/JPAKEUtil.java +++ /dev/null @@ -1,495 +0,0 @@ -package org.bouncycastle.crypto.agreement.jpake; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.CryptoException; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.Mac; -import org.bouncycastle.crypto.macs.HMac; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.util.Arrays; -import org.bouncycastle.util.BigIntegers; -import org.bouncycastle.util.Strings; - -/** - * Primitives needed for a J-PAKE exchange. - * <p> - * The recommended way to perform a J-PAKE exchange is by using - * two {@link JPAKEParticipant}s. Internally, those participants - * call these primitive operations in {@link JPAKEUtil}. - * <p> - * The primitives, however, can be used without a {@link JPAKEParticipant} - * if needed. - */ -public class JPAKEUtil -{ - static final BigInteger ZERO = BigInteger.valueOf(0); - static final BigInteger ONE = BigInteger.valueOf(1); - - /** - * Return a value that can be used as x1 or x3 during round 1. - * <p> - * The returned value is a random value in the range <tt>[0, q-1]</tt>. - */ - public static BigInteger generateX1( - BigInteger q, - SecureRandom random) - { - BigInteger min = ZERO; - BigInteger max = q.subtract(ONE); - return BigIntegers.createRandomInRange(min, max, random); - } - - /** - * Return a value that can be used as x2 or x4 during round 1. - * <p> - * The returned value is a random value in the range <tt>[1, q-1]</tt>. - */ - public static BigInteger generateX2( - BigInteger q, - SecureRandom random) - { - BigInteger min = ONE; - BigInteger max = q.subtract(ONE); - return BigIntegers.createRandomInRange(min, max, random); - } - - /** - * Converts the given password to a {@link BigInteger} - * for use in arithmetic calculations. - */ - public static BigInteger calculateS(char[] password) - { - return new BigInteger(Strings.toUTF8ByteArray(password)); - } - - /** - * Calculate g^x mod p as done in round 1. - */ - public static BigInteger calculateGx( - BigInteger p, - BigInteger g, - BigInteger x) - { - return g.modPow(x, p); - } - - - /** - * Calculate ga as done in round 2. - */ - public static BigInteger calculateGA( - BigInteger p, - BigInteger gx1, - BigInteger gx3, - BigInteger gx4) - { - // ga = g^(x1+x3+x4) = g^x1 * g^x3 * g^x4 - return gx1.multiply(gx3).multiply(gx4).mod(p); - } - - - /** - * Calculate x2 * s as done in round 2. - */ - public static BigInteger calculateX2s( - BigInteger q, - BigInteger x2, - BigInteger s) - { - return x2.multiply(s).mod(q); - } - - - /** - * Calculate A as done in round 2. - */ - public static BigInteger calculateA( - BigInteger p, - BigInteger q, - BigInteger gA, - BigInteger x2s) - { - // A = ga^(x*s) - return gA.modPow(x2s, p); - } - - /** - * Calculate a zero knowledge proof of x using Schnorr's signature. - * The returned array has two elements {g^v, r = v-x*h} for x. - */ - public static BigInteger[] calculateZeroKnowledgeProof( - BigInteger p, - BigInteger q, - BigInteger g, - BigInteger gx, - BigInteger x, - String participantId, - Digest digest, - SecureRandom random) - { - BigInteger[] zeroKnowledgeProof = new BigInteger[2]; - - /* Generate a random v, and compute g^v */ - BigInteger vMin = ZERO; - BigInteger vMax = q.subtract(ONE); - BigInteger v = BigIntegers.createRandomInRange(vMin, vMax, random); - - BigInteger gv = g.modPow(v, p); - BigInteger h = calculateHashForZeroKnowledgeProof(g, gv, gx, participantId, digest); // h - - zeroKnowledgeProof[0] = gv; - zeroKnowledgeProof[1] = v.subtract(x.multiply(h)).mod(q); // r = v-x*h - - return zeroKnowledgeProof; - } - - private static BigInteger calculateHashForZeroKnowledgeProof( - BigInteger g, - BigInteger gr, - BigInteger gx, - String participantId, - Digest digest) - { - digest.reset(); - - updateDigestIncludingSize(digest, g); - - updateDigestIncludingSize(digest, gr); - - updateDigestIncludingSize(digest, gx); - - updateDigestIncludingSize(digest, participantId); - - byte[] output = new byte[digest.getDigestSize()]; - digest.doFinal(output, 0); - - return new BigInteger(output); - } - - /** - * Validates that g^x4 is not 1. - * - * @throws CryptoException if g^x4 is 1 - */ - public static void validateGx4(BigInteger gx4) - throws CryptoException - { - if (gx4.equals(ONE)) - { - throw new CryptoException("g^x validation failed. g^x should not be 1."); - } - } - - /** - * Validates that ga is not 1. - * <p> - * As described by Feng Hao... - * <p> - * <blockquote> - * Alice could simply check ga != 1 to ensure it is a generator. - * In fact, as we will explain in Section 3, (x1 + x3 + x4 ) is random over Zq even in the face of active attacks. - * Hence, the probability for ga = 1 is extremely small - on the order of 2^160 for 160-bit q. - * </blockquote> - * - * @throws CryptoException if ga is 1 - */ - public static void validateGa(BigInteger ga) - throws CryptoException - { - if (ga.equals(ONE)) - { - throw new CryptoException("ga is equal to 1. It should not be. The chances of this happening are on the order of 2^160 for a 160-bit q. Try again."); - } - } - - /** - * Validates the zero knowledge proof (generated by - * {@link #calculateZeroKnowledgeProof(BigInteger, BigInteger, BigInteger, BigInteger, BigInteger, String, Digest, SecureRandom)}) - * is correct. - * - * @throws CryptoException if the zero knowledge proof is not correct - */ - public static void validateZeroKnowledgeProof( - BigInteger p, - BigInteger q, - BigInteger g, - BigInteger gx, - BigInteger[] zeroKnowledgeProof, - String participantId, - Digest digest) - throws CryptoException - { - - /* sig={g^v,r} */ - BigInteger gv = zeroKnowledgeProof[0]; - BigInteger r = zeroKnowledgeProof[1]; - - BigInteger h = calculateHashForZeroKnowledgeProof(g, gv, gx, participantId, digest); - if (!(gx.compareTo(ZERO) == 1 && // g^x > 0 - gx.compareTo(p) == -1 && // g^x < p - gx.modPow(q, p).compareTo(ONE) == 0 && // g^x^q mod q = 1 - /* - * Below, I took an straightforward way to compute g^r * g^x^h, - * which needs 2 exp. Using a simultaneous computation technique - * would only need 1 exp. - */ - g.modPow(r, p).multiply(gx.modPow(h, p)).mod(p).compareTo(gv) == 0)) // g^v=g^r * g^x^h - { - throw new CryptoException("Zero-knowledge proof validation failed"); - } - } - - /** - * Calculates the keying material, which can be done after round 2 has completed. - * A session key must be derived from this key material using a secure key derivation function (KDF). - * The KDF used to derive the key is handled externally (i.e. not by {@link JPAKEParticipant}). - * <pre> - * KeyingMaterial = (B/g^{x2*x4*s})^x2 - * </pre> - */ - public static BigInteger calculateKeyingMaterial( - BigInteger p, - BigInteger q, - BigInteger gx4, - BigInteger x2, - BigInteger s, - BigInteger B) - { - return gx4.modPow(x2.multiply(s).negate().mod(q), p).multiply(B).modPow(x2, p); - } - - /** - * Validates that the given participant ids are not equal. - * (For the J-PAKE exchange, each participant must use a unique id.) - * - * @throws CryptoException if the participantId strings are equal. - */ - public static void validateParticipantIdsDiffer(String participantId1, String participantId2) - throws CryptoException - { - if (participantId1.equals(participantId2)) - { - throw new CryptoException( - "Both participants are using the same participantId (" - + participantId1 - + "). This is not allowed. " - + "Each participant must use a unique participantId."); - } - } - - /** - * Validates that the given participant ids are equal. - * This is used to ensure that the payloads received from - * each round all come from the same participant. - * - * @throws CryptoException if the participantId strings are equal. - */ - public static void validateParticipantIdsEqual(String expectedParticipantId, String actualParticipantId) - throws CryptoException - { - if (!expectedParticipantId.equals(actualParticipantId)) - { - throw new CryptoException( - "Received payload from incorrect partner (" - + actualParticipantId - + "). Expected to receive payload from " - + expectedParticipantId - + "."); - } - } - - /** - * Validates that the given object is not null. - * - * @param object object in question - * @param description name of the object (to be used in exception message) - * @throws NullPointerException if the object is null. - */ - public static void validateNotNull(Object object, String description) - { - if (object == null) - { - throw new NullPointerException(description + " must not be null"); - } - } - - /** - * Calculates the MacTag (to be used for key confirmation), as defined by - * <a href="http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf">NIST SP 800-56A Revision 1</a>, - * Section 8.2 Unilateral Key Confirmation for Key Agreement Schemes. - * <pre> - * MacTag = HMAC(MacKey, MacLen, MacData) - * - * MacKey = H(K || "JPAKE_KC") - * - * MacData = "KC_1_U" || participantId || partnerParticipantId || gx1 || gx2 || gx3 || gx4 - * - * Note that both participants use "KC_1_U" because the sender of the round 3 message - * is always the initiator for key confirmation. - * - * HMAC = {@link HMac} used with the given {@link Digest} - * H = The given {@link Digest} - * MacLen = length of MacTag - * </pre> - */ - public static BigInteger calculateMacTag( - String participantId, - String partnerParticipantId, - BigInteger gx1, - BigInteger gx2, - BigInteger gx3, - BigInteger gx4, - BigInteger keyingMaterial, - Digest digest) - { - byte[] macKey = calculateMacKey( - keyingMaterial, - digest); - - HMac mac = new HMac(digest); - byte[] macOutput = new byte[mac.getMacSize()]; - mac.init(new KeyParameter(macKey)); - - /* - * MacData = "KC_1_U" || participantId_Alice || participantId_Bob || gx1 || gx2 || gx3 || gx4. - */ - updateMac(mac, "KC_1_U"); - updateMac(mac, participantId); - updateMac(mac, partnerParticipantId); - updateMac(mac, gx1); - updateMac(mac, gx2); - updateMac(mac, gx3); - updateMac(mac, gx4); - - mac.doFinal(macOutput, 0); - - Arrays.fill(macKey, (byte)0); - - return new BigInteger(macOutput); - - } - - /** - * Calculates the MacKey (i.e. the key to use when calculating the MagTag for key confirmation). - * <pre> - * MacKey = H(K || "JPAKE_KC") - * </pre> - */ - private static byte[] calculateMacKey(BigInteger keyingMaterial, Digest digest) - { - digest.reset(); - - updateDigest(digest, keyingMaterial); - /* - * This constant is used to ensure that the macKey is NOT the same as the derived key. - */ - updateDigest(digest, "JPAKE_KC"); - - byte[] output = new byte[digest.getDigestSize()]; - digest.doFinal(output, 0); - - return output; - } - - /** - * Validates the MacTag received from the partner participant. - * - * @param partnerMacTag the MacTag received from the partner. - * @throws CryptoException if the participantId strings are equal. - */ - public static void validateMacTag( - String participantId, - String partnerParticipantId, - BigInteger gx1, - BigInteger gx2, - BigInteger gx3, - BigInteger gx4, - BigInteger keyingMaterial, - Digest digest, - BigInteger partnerMacTag) - throws CryptoException - { - /* - * Calculate the expected MacTag using the parameters as the partner - * would have used when the partner called calculateMacTag. - * - * i.e. basically all the parameters are reversed. - * participantId <-> partnerParticipantId - * x1 <-> x3 - * x2 <-> x4 - */ - BigInteger expectedMacTag = calculateMacTag( - partnerParticipantId, - participantId, - gx3, - gx4, - gx1, - gx2, - keyingMaterial, - digest); - - if (!expectedMacTag.equals(partnerMacTag)) - { - throw new CryptoException( - "Partner MacTag validation failed. " - + "Therefore, the password, MAC, or digest algorithm of each participant does not match."); - } - } - - private static void updateDigest(Digest digest, BigInteger bigInteger) - { - byte[] byteArray = BigIntegers.asUnsignedByteArray(bigInteger); - digest.update(byteArray, 0, byteArray.length); - Arrays.fill(byteArray, (byte)0); - } - - private static void updateDigestIncludingSize(Digest digest, BigInteger bigInteger) - { - byte[] byteArray = BigIntegers.asUnsignedByteArray(bigInteger); - digest.update(intToByteArray(byteArray.length), 0, 4); - digest.update(byteArray, 0, byteArray.length); - Arrays.fill(byteArray, (byte)0); - } - - private static void updateDigest(Digest digest, String string) - { - byte[] byteArray = Strings.toUTF8ByteArray(string); - digest.update(byteArray, 0, byteArray.length); - Arrays.fill(byteArray, (byte)0); - } - - private static void updateDigestIncludingSize(Digest digest, String string) - { - byte[] byteArray = Strings.toUTF8ByteArray(string); - digest.update(intToByteArray(byteArray.length), 0, 4); - digest.update(byteArray, 0, byteArray.length); - Arrays.fill(byteArray, (byte)0); - } - - private static void updateMac(Mac mac, BigInteger bigInteger) - { - byte[] byteArray = BigIntegers.asUnsignedByteArray(bigInteger); - mac.update(byteArray, 0, byteArray.length); - Arrays.fill(byteArray, (byte)0); - } - - private static void updateMac(Mac mac, String string) - { - byte[] byteArray = Strings.toUTF8ByteArray(string); - mac.update(byteArray, 0, byteArray.length); - Arrays.fill(byteArray, (byte)0); - } - - private static byte[] intToByteArray(int value) - { - return new byte[]{ - (byte)(value >>> 24), - (byte)(value >>> 16), - (byte)(value >>> 8), - (byte)value - }; - } - -} diff --git a/core/src/main/java/org/bouncycastle/crypto/agreement/kdf/DHKDFParameters.java b/core/src/main/java/org/bouncycastle/crypto/agreement/kdf/DHKDFParameters.java deleted file mode 100644 index 315c5486..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/agreement/kdf/DHKDFParameters.java +++ /dev/null @@ -1,53 +0,0 @@ -package org.bouncycastle.crypto.agreement.kdf; - -import org.bouncycastle.asn1.ASN1ObjectIdentifier; -import org.bouncycastle.crypto.DerivationParameters; - -public class DHKDFParameters - implements DerivationParameters -{ - private ASN1ObjectIdentifier algorithm; - private int keySize; - private byte[] z; - private byte[] extraInfo; - - public DHKDFParameters( - ASN1ObjectIdentifier algorithm, - int keySize, - byte[] z) - { - this(algorithm, keySize, z, null); - } - - public DHKDFParameters( - ASN1ObjectIdentifier algorithm, - int keySize, - byte[] z, - byte[] extraInfo) - { - this.algorithm = algorithm; - this.keySize = keySize; - this.z = z; - this.extraInfo = extraInfo; - } - - public ASN1ObjectIdentifier getAlgorithm() - { - return algorithm; - } - - public int getKeySize() - { - return keySize; - } - - public byte[] getZ() - { - return z; - } - - public byte[] getExtraInfo() - { - return extraInfo; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/agreement/kdf/DHKEKGenerator.java b/core/src/main/java/org/bouncycastle/crypto/agreement/kdf/DHKEKGenerator.java deleted file mode 100644 index 6feb5076..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/agreement/kdf/DHKEKGenerator.java +++ /dev/null @@ -1,131 +0,0 @@ -package org.bouncycastle.crypto.agreement.kdf; - -import java.io.IOException; - -import org.bouncycastle.asn1.ASN1EncodableVector; -import org.bouncycastle.asn1.ASN1Encoding; -import org.bouncycastle.asn1.ASN1ObjectIdentifier; -import org.bouncycastle.asn1.DEROctetString; -import org.bouncycastle.asn1.DERSequence; -import org.bouncycastle.asn1.DERTaggedObject; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.DerivationFunction; -import org.bouncycastle.crypto.DerivationParameters; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.util.Pack; - -/** - * RFC 2631 Diffie-hellman KEK derivation function. - */ -public class DHKEKGenerator - implements DerivationFunction -{ - private final Digest digest; - - private ASN1ObjectIdentifier algorithm; - private int keySize; - private byte[] z; - private byte[] partyAInfo; - - public DHKEKGenerator( - Digest digest) - { - this.digest = digest; - } - - public void init(DerivationParameters param) - { - DHKDFParameters params = (DHKDFParameters)param; - - this.algorithm = params.getAlgorithm(); - this.keySize = params.getKeySize(); - this.z = params.getZ(); - this.partyAInfo = params.getExtraInfo(); - } - - public Digest getDigest() - { - return digest; - } - - public int generateBytes(byte[] out, int outOff, int len) - throws DataLengthException, IllegalArgumentException - { - if ((out.length - len) < outOff) - { - throw new DataLengthException("output buffer too small"); - } - - long oBytes = len; - int outLen = digest.getDigestSize(); - - // - // this is at odds with the standard implementation, the - // maximum value should be hBits * (2^32 - 1) where hBits - // is the digest output size in bits. We can't have an - // array with a long index at the moment... - // - if (oBytes > ((2L << 32) - 1)) - { - throw new IllegalArgumentException("Output length too large"); - } - - int cThreshold = (int)((oBytes + outLen - 1) / outLen); - - byte[] dig = new byte[digest.getDigestSize()]; - - int counter = 1; - - for (int i = 0; i < cThreshold; i++) - { - digest.update(z, 0, z.length); - - // OtherInfo - ASN1EncodableVector v1 = new ASN1EncodableVector(); - // KeySpecificInfo - ASN1EncodableVector v2 = new ASN1EncodableVector(); - - v2.add(algorithm); - v2.add(new DEROctetString(Pack.intToBigEndian(counter))); - - v1.add(new DERSequence(v2)); - - if (partyAInfo != null) - { - v1.add(new DERTaggedObject(true, 0, new DEROctetString(partyAInfo))); - } - - v1.add(new DERTaggedObject(true, 2, new DEROctetString(Pack.intToBigEndian(keySize)))); - - try - { - byte[] other = new DERSequence(v1).getEncoded(ASN1Encoding.DER); - - digest.update(other, 0, other.length); - } - catch (IOException e) - { - throw new IllegalArgumentException("unable to encode parameter info: " + e.getMessage()); - } - - digest.doFinal(dig, 0); - - if (len > outLen) - { - System.arraycopy(dig, 0, out, outOff, outLen); - outOff += outLen; - len -= outLen; - } - else - { - System.arraycopy(dig, 0, out, outOff, len); - } - - counter++; - } - - digest.reset(); - - return (int)oBytes; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/agreement/kdf/ECDHKEKGenerator.java b/core/src/main/java/org/bouncycastle/crypto/agreement/kdf/ECDHKEKGenerator.java deleted file mode 100644 index 5d15b992..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/agreement/kdf/ECDHKEKGenerator.java +++ /dev/null @@ -1,74 +0,0 @@ -package org.bouncycastle.crypto.agreement.kdf; - -import java.io.IOException; - -import org.bouncycastle.asn1.ASN1EncodableVector; -import org.bouncycastle.asn1.ASN1Encoding; -import org.bouncycastle.asn1.ASN1ObjectIdentifier; -import org.bouncycastle.asn1.DERNull; -import org.bouncycastle.asn1.DEROctetString; -import org.bouncycastle.asn1.DERSequence; -import org.bouncycastle.asn1.DERTaggedObject; -import org.bouncycastle.asn1.x509.AlgorithmIdentifier; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.DerivationParameters; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.DigestDerivationFunction; -import org.bouncycastle.crypto.generators.KDF2BytesGenerator; -import org.bouncycastle.crypto.params.KDFParameters; -import org.bouncycastle.util.Pack; - -/** - * X9.63 based key derivation function for ECDH CMS. - */ -public class ECDHKEKGenerator - implements DigestDerivationFunction -{ - private DigestDerivationFunction kdf; - - private ASN1ObjectIdentifier algorithm; - private int keySize; - private byte[] z; - - public ECDHKEKGenerator( - Digest digest) - { - this.kdf = new KDF2BytesGenerator(digest); - } - - public void init(DerivationParameters param) - { - DHKDFParameters params = (DHKDFParameters)param; - - this.algorithm = params.getAlgorithm(); - this.keySize = params.getKeySize(); - this.z = params.getZ(); - } - - public Digest getDigest() - { - return kdf.getDigest(); - } - - public int generateBytes(byte[] out, int outOff, int len) - throws DataLengthException, IllegalArgumentException - { - // TODO Create an ASN.1 class for this (RFC3278) - // ECC-CMS-SharedInfo - ASN1EncodableVector v = new ASN1EncodableVector(); - - v.add(new AlgorithmIdentifier(algorithm, DERNull.INSTANCE)); - v.add(new DERTaggedObject(true, 2, new DEROctetString(Pack.intToBigEndian(keySize)))); - - try - { - kdf.init(new KDFParameters(z, new DERSequence(v).getEncoded(ASN1Encoding.DER))); - } - catch (IOException e) - { - throw new IllegalArgumentException("unable to initialise kdf: " + e.getMessage()); - } - - return kdf.generateBytes(out, outOff, len); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/agreement/srp/SRP6Client.java b/core/src/main/java/org/bouncycastle/crypto/agreement/srp/SRP6Client.java deleted file mode 100644 index 153e5a83..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/agreement/srp/SRP6Client.java +++ /dev/null @@ -1,150 +0,0 @@ -package org.bouncycastle.crypto.agreement.srp; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.CryptoException; -import org.bouncycastle.crypto.Digest; - -/** - * Implements the client side SRP-6a protocol. Note that this class is stateful, and therefore NOT threadsafe. - * This implementation of SRP is based on the optimized message sequence put forth by Thomas Wu in the paper - * "SRP-6: Improvements and Refinements to the Secure Remote Password Protocol, 2002" - */ -public class SRP6Client -{ - protected BigInteger N; - protected BigInteger g; - - protected BigInteger a; - protected BigInteger A; - - protected BigInteger B; - - protected BigInteger x; - protected BigInteger u; - protected BigInteger S; - - protected BigInteger M1; - protected BigInteger M2; - protected BigInteger Key; - - protected Digest digest; - protected SecureRandom random; - - public SRP6Client() - { - } - - /** - * Initialises the client to begin new authentication attempt - * @param N The safe prime associated with the client's verifier - * @param g The group parameter associated with the client's verifier - * @param digest The digest algorithm associated with the client's verifier - * @param random For key generation - */ - public void init(BigInteger N, BigInteger g, Digest digest, SecureRandom random) - { - this.N = N; - this.g = g; - this.digest = digest; - this.random = random; - } - - /** - * Generates client's credentials given the client's salt, identity and password - * @param salt The salt used in the client's verifier. - * @param identity The user's identity (eg. username) - * @param password The user's password - * @return Client's public value to send to server - */ - public BigInteger generateClientCredentials(byte[] salt, byte[] identity, byte[] password) - { - this.x = SRP6Util.calculateX(digest, N, salt, identity, password); - this.a = selectPrivateValue(); - this.A = g.modPow(a, N); - - return A; - } - - /** - * Generates the secret S given the server's credentials - * @param serverB The server's credentials - * @return Client's verification message for the server - * @throws CryptoException If server's credentials are invalid - */ - public BigInteger calculateSecret(BigInteger serverB) throws CryptoException - { - this.B = SRP6Util.validatePublicValue(N, serverB); - this.u = SRP6Util.calculateU(digest, N, A, B); - this.S = calculateS(); - - return S; - } - - protected BigInteger selectPrivateValue() - { - return SRP6Util.generatePrivateValue(digest, N, g, random); - } - - private BigInteger calculateS() - { - BigInteger k = SRP6Util.calculateK(digest, N, g); - BigInteger exp = u.multiply(x).add(a); - BigInteger tmp = g.modPow(x, N).multiply(k).mod(N); - return B.subtract(tmp).mod(N).modPow(exp, N); - } - - /** - * Computes the client evidence message M1 using the previously received values. - * To be called after calculating the secret S. - * @return M1: the client side generated evidence message - * @throws CryptoException - */ - public BigInteger calculateClientEvidenceMessage() throws CryptoException{ - // verify pre-requirements - if ((this.A==null)||(this.B==null)||(this.S==null)){ - throw new CryptoException("Impossible to compute M1: " + - "some data are missing from the previous operations (A,B,S)"); - } - // compute the client evidence message 'M1' - this.M1 = SRP6Util.calculateM1(digest, N, A, B, S); - return M1; - } - - /** Authenticates the server evidence message M2 received and saves it only if correct. - * @param M2: the server side generated evidence message - * @return A boolean indicating if the server message M2 was the expected one. - * @throws CryptoException - */ - public boolean verifyServerEvidenceMessage(BigInteger serverM2) throws CryptoException{ - //verify pre-requirements - if ((this.A==null)||(this.M1==null)||(this.S==null)){ - throw new CryptoException("Impossible to compute and verify M2: " + - "some data are missing from the previous operations (A,M1,S)"); - } - // Compute the own server evidence message 'M2' - BigInteger computedM2 = SRP6Util.calculateM2(digest, N, A, M1, S); - if (computedM2.equals(serverM2)){ - this.M2 = serverM2; - return true; - } - return false; - } - - /** - * Computes the final session key as a result of the SRP successful mutual authentication - * To be called after verifying the server evidence message M2. - * @return Key: the mutually authenticated symmetric session key - * @throws CryptoException - */ - public BigInteger calculateSessionKey() throws CryptoException{ - //verify pre-requirements (here we enforce a previous calculation of M1 and M2) - if ((this.S==null)||(this.M1==null)||(this.M2==null)){ - throw new CryptoException("Impossible to compute Key: " + - "some data are missing from the previous operations (S,M1,M2)"); - } - this.Key = SRP6Util.calculateKey(digest, N, S); - return Key; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/agreement/srp/SRP6Server.java b/core/src/main/java/org/bouncycastle/crypto/agreement/srp/SRP6Server.java deleted file mode 100644 index 5d703470..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/agreement/srp/SRP6Server.java +++ /dev/null @@ -1,148 +0,0 @@ -package org.bouncycastle.crypto.agreement.srp; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.CryptoException; -import org.bouncycastle.crypto.Digest; - -/** - * Implements the server side SRP-6a protocol. Note that this class is stateful, and therefore NOT threadsafe. - * This implementation of SRP is based on the optimized message sequence put forth by Thomas Wu in the paper - * "SRP-6: Improvements and Refinements to the Secure Remote Password Protocol, 2002" - */ -public class SRP6Server -{ - protected BigInteger N; - protected BigInteger g; - protected BigInteger v; - - protected SecureRandom random; - protected Digest digest; - - protected BigInteger A; - - protected BigInteger b; - protected BigInteger B; - - protected BigInteger u; - protected BigInteger S; - protected BigInteger M1; - protected BigInteger M2; - protected BigInteger Key; - - public SRP6Server() - { - } - - /** - * Initialises the server to accept a new client authentication attempt - * @param N The safe prime associated with the client's verifier - * @param g The group parameter associated with the client's verifier - * @param v The client's verifier - * @param digest The digest algorithm associated with the client's verifier - * @param random For key generation - */ - public void init(BigInteger N, BigInteger g, BigInteger v, Digest digest, SecureRandom random) - { - this.N = N; - this.g = g; - this.v = v; - - this.random = random; - this.digest = digest; - } - - /** - * Generates the server's credentials that are to be sent to the client. - * @return The server's public value to the client - */ - public BigInteger generateServerCredentials() - { - BigInteger k = SRP6Util.calculateK(digest, N, g); - this.b = selectPrivateValue(); - this.B = k.multiply(v).mod(N).add(g.modPow(b, N)).mod(N); - - return B; - } - - /** - * Processes the client's credentials. If valid the shared secret is generated and returned. - * @param clientA The client's credentials - * @return A shared secret BigInteger - * @throws CryptoException If client's credentials are invalid - */ - public BigInteger calculateSecret(BigInteger clientA) throws CryptoException - { - this.A = SRP6Util.validatePublicValue(N, clientA); - this.u = SRP6Util.calculateU(digest, N, A, B); - this.S = calculateS(); - - return S; - } - - protected BigInteger selectPrivateValue() - { - return SRP6Util.generatePrivateValue(digest, N, g, random); - } - - private BigInteger calculateS() - { - return v.modPow(u, N).multiply(A).mod(N).modPow(b, N); - } - - /** - * Authenticates the received client evidence message M1 and saves it only if correct. - * To be called after calculating the secret S. - * @param M1: the client side generated evidence message - * @return A boolean indicating if the client message M1 was the expected one. - * @throws CryptoException - */ - public boolean verifyClientEvidenceMessage(BigInteger clientM1) throws CryptoException{ - //verify pre-requirements - if ((this.A==null)||(this.B==null)||(this.S==null)){ - throw new CryptoException("Impossible to compute and verify M1: " + - "some data are missing from the previous operations (A,B,S)"); - } - // Compute the own client evidence message 'M1' - BigInteger computedM1 = SRP6Util.calculateM1(digest, N, A, B, S); - if (computedM1.equals(clientM1)){ - this.M1 = clientM1; - return true; - } - return false; - } - - /** - * Computes the server evidence message M2 using the previously verified values. - * To be called after successfully verifying the client evidence message M1. - * @return M2: the server side generated evidence message - * @throws CryptoException - */ - public BigInteger calculateServerEvidenceMessage() throws CryptoException{ - //verify pre-requirements - if ((this.A==null)||(this.M1==null)||(this.S==null)){ - throw new CryptoException("Impossible to compute M2: " + - "some data are missing from the previous operations (A,M1,S)"); - } - // Compute the server evidence message 'M2' - this.M2 = SRP6Util.calculateM2(digest, N, A, M1, S); - return M2; - } - - /** - * Computes the final session key as a result of the SRP successful mutual authentication - * To be called after calculating the server evidence message M2. - * @return Key: the mutual authenticated symmetric session key - * @throws CryptoException - */ - public BigInteger calculateSessionKey() throws CryptoException{ - //verify pre-requirements - if ((this.S==null)||(this.M1==null)||(this.M2==null)){ - throw new CryptoException("Impossible to compute Key: " + - "some data are missing from the previous operations (S,M1,M2)"); - } - this.Key = SRP6Util.calculateKey(digest, N, S); - return Key; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/agreement/srp/SRP6Util.java b/core/src/main/java/org/bouncycastle/crypto/agreement/srp/SRP6Util.java deleted file mode 100644 index 6bcf0183..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/agreement/srp/SRP6Util.java +++ /dev/null @@ -1,154 +0,0 @@ -package org.bouncycastle.crypto.agreement.srp; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.CryptoException; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.util.BigIntegers; - -public class SRP6Util -{ - private static BigInteger ZERO = BigInteger.valueOf(0); - private static BigInteger ONE = BigInteger.valueOf(1); - - public static BigInteger calculateK(Digest digest, BigInteger N, BigInteger g) - { - return hashPaddedPair(digest, N, N, g); - } - - public static BigInteger calculateU(Digest digest, BigInteger N, BigInteger A, BigInteger B) - { - return hashPaddedPair(digest, N, A, B); - } - - public static BigInteger calculateX(Digest digest, BigInteger N, byte[] salt, byte[] identity, byte[] password) - { - byte[] output = new byte[digest.getDigestSize()]; - - digest.update(identity, 0, identity.length); - digest.update((byte)':'); - digest.update(password, 0, password.length); - digest.doFinal(output, 0); - - digest.update(salt, 0, salt.length); - digest.update(output, 0, output.length); - digest.doFinal(output, 0); - - return new BigInteger(1, output); - } - - public static BigInteger generatePrivateValue(Digest digest, BigInteger N, BigInteger g, SecureRandom random) - { - int minBits = Math.min(256, N.bitLength() / 2); - BigInteger min = ONE.shiftLeft(minBits - 1); - BigInteger max = N.subtract(ONE); - - return BigIntegers.createRandomInRange(min, max, random); - } - - public static BigInteger validatePublicValue(BigInteger N, BigInteger val) - throws CryptoException - { - val = val.mod(N); - - // Check that val % N != 0 - if (val.equals(ZERO)) - { - throw new CryptoException("Invalid public value: 0"); - } - - return val; - } - /** - * Computes the client evidence message (M1) according to the standard routine: - * M1 = H( A | B | S ) - * @param digest The Digest used as the hashing function H - * @param N Modulus used to get the pad length - * @param A The public client value - * @param B The public server value - * @param S The secret calculated by both sides - * @return M1 The calculated client evidence message - */ - public static BigInteger calculateM1(Digest digest, BigInteger N, BigInteger A, BigInteger B, BigInteger S) { - BigInteger M1 = hashPaddedTriplet(digest,N,A,B,S); - return M1; - } - - /** - * Computes the server evidence message (M2) according to the standard routine: - * M2 = H( A | M1 | S ) - * @param digest The Digest used as the hashing function H - * @param N Modulus used to get the pad length - * @param A The public client value - * @param M1 The client evidence message - * @param S The secret calculated by both sides - * @return M2 The calculated server evidence message - */ - public static BigInteger calculateM2(Digest digest, BigInteger N, BigInteger A, BigInteger M1, BigInteger S){ - BigInteger M2 = hashPaddedTriplet(digest,N,A,M1,S); - return M2; - } - - /** - * Computes the final Key according to the standard routine: Key = H(S) - * @param digest The Digest used as the hashing function H - * @param N Modulus used to get the pad length - * @param S The secret calculated by both sides - * @return - */ - public static BigInteger calculateKey(Digest digest, BigInteger N, BigInteger S) { - int padLength = (N.bitLength() + 7) / 8; - byte[] _S = getPadded(S,padLength); - digest.update(_S, 0, _S.length); - - byte[] output = new byte[digest.getDigestSize()]; - digest.doFinal(output, 0); - return new BigInteger(1, output); - } - - private static BigInteger hashPaddedTriplet(Digest digest, BigInteger N, BigInteger n1, BigInteger n2, BigInteger n3){ - int padLength = (N.bitLength() + 7) / 8; - - byte[] n1_bytes = getPadded(n1, padLength); - byte[] n2_bytes = getPadded(n2, padLength); - byte[] n3_bytes = getPadded(n3, padLength); - - digest.update(n1_bytes, 0, n1_bytes.length); - digest.update(n2_bytes, 0, n2_bytes.length); - digest.update(n3_bytes, 0, n3_bytes.length); - - byte[] output = new byte[digest.getDigestSize()]; - digest.doFinal(output, 0); - - return new BigInteger(1, output); - } - - private static BigInteger hashPaddedPair(Digest digest, BigInteger N, BigInteger n1, BigInteger n2) - { - int padLength = (N.bitLength() + 7) / 8; - - byte[] n1_bytes = getPadded(n1, padLength); - byte[] n2_bytes = getPadded(n2, padLength); - - digest.update(n1_bytes, 0, n1_bytes.length); - digest.update(n2_bytes, 0, n2_bytes.length); - - byte[] output = new byte[digest.getDigestSize()]; - digest.doFinal(output, 0); - - return new BigInteger(1, output); - } - - private static byte[] getPadded(BigInteger n, int length) - { - byte[] bs = BigIntegers.asUnsignedByteArray(n); - if (bs.length < length) - { - byte[] tmp = new byte[length]; - System.arraycopy(bs, 0, tmp, length - bs.length, bs.length); - bs = tmp; - } - return bs; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/agreement/srp/SRP6VerifierGenerator.java b/core/src/main/java/org/bouncycastle/crypto/agreement/srp/SRP6VerifierGenerator.java deleted file mode 100644 index 631ecc6e..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/agreement/srp/SRP6VerifierGenerator.java +++ /dev/null @@ -1,47 +0,0 @@ -package org.bouncycastle.crypto.agreement.srp; - -import java.math.BigInteger; - -import org.bouncycastle.crypto.Digest; - -/** - * Generates new SRP verifier for user - */ -public class SRP6VerifierGenerator -{ - protected BigInteger N; - protected BigInteger g; - protected Digest digest; - - public SRP6VerifierGenerator() - { - } - - /** - * Initialises generator to create new verifiers - * @param N The safe prime to use (see DHParametersGenerator) - * @param g The group parameter to use (see DHParametersGenerator) - * @param digest The digest to use. The same digest type will need to be used later for the actual authentication - * attempt. Also note that the final session key size is dependent on the chosen digest. - */ - public void init(BigInteger N, BigInteger g, Digest digest) - { - this.N = N; - this.g = g; - this.digest = digest; - } - - /** - * Creates a new SRP verifier - * @param salt The salt to use, generally should be large and random - * @param identity The user's identifying information (eg. username) - * @param password The user's password - * @return A new verifier for use in future SRP authentication - */ - public BigInteger generateVerifier(byte[] salt, byte[] identity, byte[] password) - { - BigInteger x = SRP6Util.calculateX(digest, N, salt, identity, password); - - return g.modPow(x, N); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/commitments/GeneralHashCommitter.java b/core/src/main/java/org/bouncycastle/crypto/commitments/GeneralHashCommitter.java deleted file mode 100644 index 3969fe8a..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/commitments/GeneralHashCommitter.java +++ /dev/null @@ -1,93 +0,0 @@ -package org.bouncycastle.crypto.commitments; - -import java.security.SecureRandom; - -import org.bouncycastle.crypto.Commitment; -import org.bouncycastle.crypto.Committer; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.ExtendedDigest; -import org.bouncycastle.util.Arrays; - -/** - * A basic hash-committer based on the one described in "Making Mix Nets Robust for Electronic Voting by Randomized Partial Checking", - * by Jakobsson, Juels, and Rivest (11th Usenix Security Symposium, 2002). - * <p> - * The algorithm used by this class differs from the one given in that it includes the length of the message in the hash calculation. - * </p> - */ -public class GeneralHashCommitter - implements Committer -{ - private final Digest digest; - private final int byteLength; - private final SecureRandom random; - - /** - * Base Constructor. The maximum message length that can be committed to is half the length of the internal - * block size for the digest (ExtendedDigest.getBlockLength()). - * - * @param digest digest to use for creating commitments. - * @param random source of randomness for generating secrets. - */ - public GeneralHashCommitter(ExtendedDigest digest, SecureRandom random) - { - this.digest = digest; - this.byteLength = digest.getByteLength(); - this.random = random; - } - - /** - * Generate a commitment for the passed in message. - * - * @param message the message to be committed to, - * @return a Commitment - */ - public Commitment commit(byte[] message) - { - if (message.length > byteLength / 2) - { - throw new DataLengthException("Message to be committed to too large for digest."); - } - - byte[] w = new byte[byteLength - message.length]; - - random.nextBytes(w); - - return new Commitment(w, calculateCommitment(w, message)); - } - - /** - * Return true if the passed in commitment represents a commitment to the passed in message. - * - * @param commitment a commitment previously generated. - * @param message the message that was expected to have been committed to. - * @return true if commitment matches message, false otherwise. - */ - public boolean isRevealed(Commitment commitment, byte[] message) - { - if (message.length + commitment.getSecret().length != byteLength) - { - throw new DataLengthException("Message and witness secret lengths do not match."); - } - - byte[] calcCommitment = calculateCommitment(commitment.getSecret(), message); - - return Arrays.constantTimeAreEqual(commitment.getCommitment(), calcCommitment); - } - - private byte[] calculateCommitment(byte[] w, byte[] message) - { - byte[] commitment = new byte[digest.getDigestSize()]; - - digest.update(w, 0, w.length); - digest.update(message, 0, message.length); - - digest.update((byte)((message.length >>> 8))); - digest.update((byte)(message.length)); - - digest.doFinal(commitment, 0); - - return commitment; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/commitments/HashCommitter.java b/core/src/main/java/org/bouncycastle/crypto/commitments/HashCommitter.java deleted file mode 100644 index b5860b52..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/commitments/HashCommitter.java +++ /dev/null @@ -1,89 +0,0 @@ -package org.bouncycastle.crypto.commitments; - -import java.security.SecureRandom; - -import org.bouncycastle.crypto.Commitment; -import org.bouncycastle.crypto.Committer; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.ExtendedDigest; -import org.bouncycastle.util.Arrays; - -/** - * A basic hash-committer as described in "Making Mix Nets Robust for Electronic Voting by Randomized Partial Checking", - * by Jakobsson, Juels, and Rivest (11th Usenix Security Symposium, 2002). - * <p> - * Use this class if you can enforce fixed length for messages. If you need something more general, use the GeneralHashCommitter. - * </p> - */ -public class HashCommitter - implements Committer -{ - private final Digest digest; - private final int byteLength; - private final SecureRandom random; - - /** - * Base Constructor. The maximum message length that can be committed to is half the length of the internal - * block size for the digest (ExtendedDigest.getBlockLength()). - * - * @param digest digest to use for creating commitments. - * @param random source of randomness for generating secrets. - */ - public HashCommitter(ExtendedDigest digest, SecureRandom random) - { - this.digest = digest; - this.byteLength = digest.getByteLength(); - this.random = random; - } - - /** - * Generate a commitment for the passed in message. - * - * @param message the message to be committed to, - * @return a Commitment - */ - public Commitment commit(byte[] message) - { - if (message.length > byteLength / 2) - { - throw new DataLengthException("Message to be committed to too large for digest."); - } - - byte[] w = new byte[byteLength - message.length]; - - random.nextBytes(w); - - return new Commitment(w, calculateCommitment(w, message)); - } - - /** - * Return true if the passed in commitment represents a commitment to the passed in message. - * - * @param commitment a commitment previously generated. - * @param message the message that was expected to have been committed to. - * @return true if commitment matches message, false otherwise. - */ - public boolean isRevealed(Commitment commitment, byte[] message) - { - if (message.length + commitment.getSecret().length != byteLength) - { - throw new DataLengthException("Message and witness secret lengths do not match."); - } - - byte[] calcCommitment = calculateCommitment(commitment.getSecret(), message); - - return Arrays.constantTimeAreEqual(commitment.getCommitment(), calcCommitment); - } - - private byte[] calculateCommitment(byte[] w, byte[] message) - { - byte[] commitment = new byte[digest.getDigestSize()]; - - digest.update(w, 0, w.length); - digest.update(message, 0, message.length); - digest.doFinal(commitment, 0); - - return commitment; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/EncodableDigest.java b/core/src/main/java/org/bouncycastle/crypto/digests/EncodableDigest.java deleted file mode 100644 index d79fece8..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/digests/EncodableDigest.java +++ /dev/null @@ -1,17 +0,0 @@ -package org.bouncycastle.crypto.digests; - -/** - * Encodable digests allow you to download an encoded copy of their internal state. This is useful for the situation where - * you need to generate a signature on an external device and it allows for "sign with last round", so a copy of the - * internal state of the digest, plus the last few blocks of the message are all that needs to be sent, rather than the - * entire message. - */ -public interface EncodableDigest -{ - /** - * Return an encoded byte array for the digest's internal state - * - * @return an encoding of the digests internal state. - */ - byte[] getEncodedState(); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/GOST3411Digest.java b/core/src/main/java/org/bouncycastle/crypto/digests/GOST3411Digest.java deleted file mode 100644 index 2df2d51a..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/digests/GOST3411Digest.java +++ /dev/null @@ -1,362 +0,0 @@ -package org.bouncycastle.crypto.digests; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.ExtendedDigest; -import org.bouncycastle.crypto.engines.GOST28147Engine; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.ParametersWithSBox; -import org.bouncycastle.util.Arrays; -import org.bouncycastle.util.Memoable; -import org.bouncycastle.util.Pack; - -/** - * implementation of GOST R 34.11-94 - */ -public class GOST3411Digest - implements ExtendedDigest, Memoable -{ - private static final int DIGEST_LENGTH = 32; - - private byte[] H = new byte[32], L = new byte[32], - M = new byte[32], Sum = new byte[32]; - private byte[][] C = new byte[4][32]; - - private byte[] xBuf = new byte[32]; - private int xBufOff; - private long byteCount; - - private BlockCipher cipher = new GOST28147Engine(); - private byte[] sBox; - - /** - * Standard constructor - */ - public GOST3411Digest() - { - sBox = GOST28147Engine.getSBox("D-A"); - cipher.init(true, new ParametersWithSBox(null, sBox)); - - reset(); - } - - /** - * Constructor to allow use of a particular sbox with GOST28147 - * @see GOST28147Engine#getSBox(String) - */ - public GOST3411Digest(byte[] sBoxParam) - { - sBox = Arrays.clone(sBoxParam); - cipher.init(true, new ParametersWithSBox(null, sBox)); - - reset(); - } - - /** - * Copy constructor. This will copy the state of the provided - * message digest. - */ - public GOST3411Digest(GOST3411Digest t) - { - reset(t); - } - - public String getAlgorithmName() - { - return "GOST3411"; - } - - public int getDigestSize() - { - return DIGEST_LENGTH; - } - - public void update(byte in) - { - xBuf[xBufOff++] = in; - if (xBufOff == xBuf.length) - { - sumByteArray(xBuf); // calc sum M - processBlock(xBuf, 0); - xBufOff = 0; - } - byteCount++; - } - - public void update(byte[] in, int inOff, int len) - { - while ((xBufOff != 0) && (len > 0)) - { - update(in[inOff]); - inOff++; - len--; - } - - while (len > xBuf.length) - { - System.arraycopy(in, inOff, xBuf, 0, xBuf.length); - - sumByteArray(xBuf); // calc sum M - processBlock(xBuf, 0); - inOff += xBuf.length; - len -= xBuf.length; - byteCount += xBuf.length; - } - - // load in the remainder. - while (len > 0) - { - update(in[inOff]); - inOff++; - len--; - } - } - - // (i + 1 + 4(k - 1)) = 8i + k i = 0-3, k = 1-8 - private byte[] K = new byte[32]; - - private byte[] P(byte[] in) - { - for(int k = 0; k < 8; k++) - { - K[4*k] = in[k]; - K[1 + 4*k] = in[ 8 + k]; - K[2 + 4*k] = in[16 + k]; - K[3 + 4*k] = in[24 + k]; - } - - return K; - } - - //A (x) = (x0 ^ x1) || x3 || x2 || x1 - byte[] a = new byte[8]; - private byte[] A(byte[] in) - { - for(int j=0; j<8; j++) - { - a[j]=(byte)(in[j] ^ in[j+8]); - } - - System.arraycopy(in, 8, in, 0, 24); - System.arraycopy(a, 0, in, 24, 8); - - return in; - } - - //Encrypt function, ECB mode - private void E(byte[] key, byte[] s, int sOff, byte[] in, int inOff) - { - cipher.init(true, new KeyParameter(key)); - - cipher.processBlock(in, inOff, s, sOff); - } - - // (in:) n16||..||n1 ==> (out:) n1^n2^n3^n4^n13^n16||n16||..||n2 - short[] wS = new short[16], w_S = new short[16]; - - private void fw(byte[] in) - { - cpyBytesToShort(in, wS); - w_S[15] = (short)(wS[0] ^ wS[1] ^ wS[2] ^ wS[3] ^ wS[12] ^ wS[15]); - System.arraycopy(wS, 1, w_S, 0, 15); - cpyShortToBytes(w_S, in); - } - - // block processing - byte[] S = new byte[32]; - byte[] U = new byte[32], V = new byte[32], W = new byte[32]; - - protected void processBlock(byte[] in, int inOff) - { - System.arraycopy(in, inOff, M, 0, 32); - - //key step 1 - - // H = h3 || h2 || h1 || h0 - // S = s3 || s2 || s1 || s0 - System.arraycopy(H, 0, U, 0, 32); - System.arraycopy(M, 0, V, 0, 32); - for (int j=0; j<32; j++) - { - W[j] = (byte)(U[j]^V[j]); - } - // Encrypt gost28147-ECB - E(P(W), S, 0, H, 0); // s0 = EK0 [h0] - - //keys step 2,3,4 - for (int i=1; i<4; i++) - { - byte[] tmpA = A(U); - for (int j=0; j<32; j++) - { - U[j] = (byte)(tmpA[j] ^ C[i][j]); - } - V = A(A(V)); - for (int j=0; j<32; j++) - { - W[j] = (byte)(U[j]^V[j]); - } - // Encrypt gost28147-ECB - E(P(W), S, i * 8, H, i * 8); // si = EKi [hi] - } - - // x(M, H) = y61(H^y(M^y12(S))) - for(int n = 0; n < 12; n++) - { - fw(S); - } - for(int n = 0; n < 32; n++) - { - S[n] = (byte)(S[n] ^ M[n]); - } - - fw(S); - - for(int n = 0; n < 32; n++) - { - S[n] = (byte)(H[n] ^ S[n]); - } - for(int n = 0; n < 61; n++) - { - fw(S); - } - System.arraycopy(S, 0, H, 0, H.length); - } - - private void finish() - { - Pack.longToLittleEndian(byteCount * 8, L, 0); // get length into L (byteCount * 8 = bitCount) - - while (xBufOff != 0) - { - update((byte)0); - } - - processBlock(L, 0); - processBlock(Sum, 0); - } - - public int doFinal( - byte[] out, - int outOff) - { - finish(); - - System.arraycopy(H, 0, out, outOff, H.length); - - reset(); - - return DIGEST_LENGTH; - } - - /** - * reset the chaining variables to the IV values. - */ - private static final byte[] C2 = { - 0x00,(byte)0xFF,0x00,(byte)0xFF,0x00,(byte)0xFF,0x00,(byte)0xFF, - (byte)0xFF,0x00,(byte)0xFF,0x00,(byte)0xFF,0x00,(byte)0xFF,0x00, - 0x00,(byte)0xFF,(byte)0xFF,0x00,(byte)0xFF,0x00,0x00,(byte)0xFF, - (byte)0xFF,0x00,0x00,0x00,(byte)0xFF,(byte)0xFF,0x00,(byte)0xFF}; - - public void reset() - { - byteCount = 0; - xBufOff = 0; - - for(int i=0; i<H.length; i++) - { - H[i] = 0; // start vector H - } - for(int i=0; i<L.length; i++) - { - L[i] = 0; - } - for(int i=0; i<M.length; i++) - { - M[i] = 0; - } - for(int i=0; i<C[1].length; i++) - { - C[1][i] = 0; // real index C = +1 because index array with 0. - } - for(int i=0; i<C[3].length; i++) - { - C[3][i] = 0; - } - for(int i=0; i<Sum.length; i++) - { - Sum[i] = 0; - } - for(int i = 0; i < xBuf.length; i++) - { - xBuf[i] = 0; - } - - System.arraycopy(C2, 0, C[2], 0, C2.length); - } - - // 256 bitsblock modul -> (Sum + a mod (2^256)) - private void sumByteArray(byte[] in) - { - int carry = 0; - - for (int i = 0; i != Sum.length; i++) - { - int sum = (Sum[i] & 0xff) + (in[i] & 0xff) + carry; - - Sum[i] = (byte)sum; - - carry = sum >>> 8; - } - } - - private void cpyBytesToShort(byte[] S, short[] wS) - { - for(int i=0; i<S.length/2; i++) - { - wS[i] = (short)(((S[i*2+1]<<8)&0xFF00)|(S[i*2]&0xFF)); - } - } - - private void cpyShortToBytes(short[] wS, byte[] S) - { - for(int i=0; i<S.length/2; i++) - { - S[i*2 + 1] = (byte)(wS[i] >> 8); - S[i*2] = (byte)wS[i]; - } - } - - public int getByteLength() - { - return 32; - } - - public Memoable copy() - { - return new GOST3411Digest(this); - } - - public void reset(Memoable other) - { - GOST3411Digest t = (GOST3411Digest)other; - - this.sBox = t.sBox; - cipher.init(true, new ParametersWithSBox(null, sBox)); - - reset(); - - System.arraycopy(t.H, 0, this.H, 0, t.H.length); - System.arraycopy(t.L, 0, this.L, 0, t.L.length); - System.arraycopy(t.M, 0, this.M, 0, t.M.length); - System.arraycopy(t.Sum, 0, this.Sum, 0, t.Sum.length); - System.arraycopy(t.C[1], 0, this.C[1], 0, t.C[1].length); - System.arraycopy(t.C[2], 0, this.C[2], 0, t.C[2].length); - System.arraycopy(t.C[3], 0, this.C[3], 0, t.C[3].length); - System.arraycopy(t.xBuf, 0, this.xBuf, 0, t.xBuf.length); - - this.xBufOff = t.xBufOff; - this.byteCount = t.byteCount; - } -} - - diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/GeneralDigest.java b/core/src/main/java/org/bouncycastle/crypto/digests/GeneralDigest.java deleted file mode 100644 index 29692bad..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/digests/GeneralDigest.java +++ /dev/null @@ -1,155 +0,0 @@ -package org.bouncycastle.crypto.digests; - -import org.bouncycastle.crypto.ExtendedDigest; -import org.bouncycastle.util.Memoable; -import org.bouncycastle.util.Pack; - -/** - * base implementation of MD4 family style digest as outlined in - * "Handbook of Applied Cryptography", pages 344 - 347. - */ -public abstract class GeneralDigest - implements ExtendedDigest, Memoable -{ - private static final int BYTE_LENGTH = 64; - - private final byte[] xBuf = new byte[4]; - private int xBufOff; - - private long byteCount; - - /** - * Standard constructor - */ - protected GeneralDigest() - { - xBufOff = 0; - } - - /** - * Copy constructor. We are using copy constructors in place - * of the Object.clone() interface as this interface is not - * supported by J2ME. - */ - protected GeneralDigest(GeneralDigest t) - { - copyIn(t); - } - - protected GeneralDigest(byte[] encodedState) - { - System.arraycopy(encodedState, 0, xBuf, 0, xBuf.length); - xBufOff = Pack.bigEndianToInt(encodedState, 4); - byteCount = Pack.bigEndianToLong(encodedState, 8); - } - - protected void copyIn(GeneralDigest t) - { - System.arraycopy(t.xBuf, 0, xBuf, 0, t.xBuf.length); - - xBufOff = t.xBufOff; - byteCount = t.byteCount; - } - - public void update( - byte in) - { - xBuf[xBufOff++] = in; - - if (xBufOff == xBuf.length) - { - processWord(xBuf, 0); - xBufOff = 0; - } - - byteCount++; - } - - public void update( - byte[] in, - int inOff, - int len) - { - // - // fill the current word - // - while ((xBufOff != 0) && (len > 0)) - { - update(in[inOff]); - - inOff++; - len--; - } - - // - // process whole words. - // - while (len > xBuf.length) - { - processWord(in, inOff); - - inOff += xBuf.length; - len -= xBuf.length; - byteCount += xBuf.length; - } - - // - // load in the remainder. - // - while (len > 0) - { - update(in[inOff]); - - inOff++; - len--; - } - } - - public void finish() - { - long bitLength = (byteCount << 3); - - // - // add the pad bytes. - // - update((byte)128); - - while (xBufOff != 0) - { - update((byte)0); - } - - processLength(bitLength); - - processBlock(); - } - - public void reset() - { - byteCount = 0; - - xBufOff = 0; - for (int i = 0; i < xBuf.length; i++) - { - xBuf[i] = 0; - } - } - - protected void populateState(byte[] state) - { - System.arraycopy(xBuf, 0, state, 0, xBufOff); - Pack.intToBigEndian(xBufOff, state, 4); - Pack.longToBigEndian(byteCount, state, 8); - } - - public int getByteLength() - { - return BYTE_LENGTH; - } - - protected abstract void processWord(byte[] in, int inOff); - - protected abstract void processLength(long bitLength); - - protected abstract void processBlock(); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/LongDigest.java b/core/src/main/java/org/bouncycastle/crypto/digests/LongDigest.java deleted file mode 100644 index 8ea474b3..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/digests/LongDigest.java +++ /dev/null @@ -1,409 +0,0 @@ -package org.bouncycastle.crypto.digests; - -import org.bouncycastle.crypto.ExtendedDigest; -import org.bouncycastle.util.Memoable; -import org.bouncycastle.util.Pack; - -/** - * Base class for SHA-384 and SHA-512. - */ -public abstract class LongDigest - implements ExtendedDigest, Memoable, EncodableDigest -{ - private static final int BYTE_LENGTH = 128; - - private byte[] xBuf = new byte[8]; - private int xBufOff; - - private long byteCount1; - private long byteCount2; - - protected long H1, H2, H3, H4, H5, H6, H7, H8; - - private long[] W = new long[80]; - private int wOff; - - /** - * Constructor for variable length word - */ - protected LongDigest() - { - xBufOff = 0; - - reset(); - } - - /** - * Copy constructor. We are using copy constructors in place - * of the Object.clone() interface as this interface is not - * supported by J2ME. - */ - protected LongDigest(LongDigest t) - { - copyIn(t); - } - - protected void copyIn(LongDigest t) - { - System.arraycopy(t.xBuf, 0, xBuf, 0, t.xBuf.length); - - xBufOff = t.xBufOff; - byteCount1 = t.byteCount1; - byteCount2 = t.byteCount2; - - H1 = t.H1; - H2 = t.H2; - H3 = t.H3; - H4 = t.H4; - H5 = t.H5; - H6 = t.H6; - H7 = t.H7; - H8 = t.H8; - - System.arraycopy(t.W, 0, W, 0, t.W.length); - wOff = t.wOff; - } - - protected void populateState(byte[] state) - { - System.arraycopy(xBuf, 0, state, 0, xBufOff); - Pack.intToBigEndian(xBufOff, state, 8); - Pack.longToBigEndian(byteCount1, state, 12); - Pack.longToBigEndian(byteCount2, state, 20); - Pack.longToBigEndian(H1, state, 28); - Pack.longToBigEndian(H2, state, 36); - Pack.longToBigEndian(H3, state, 44); - Pack.longToBigEndian(H4, state, 52); - Pack.longToBigEndian(H5, state, 60); - Pack.longToBigEndian(H6, state, 68); - Pack.longToBigEndian(H7, state, 76); - Pack.longToBigEndian(H8, state, 84); - - Pack.intToBigEndian(wOff, state, 92); - for (int i = 0; i < wOff; i++) - { - Pack.longToBigEndian(W[i], state, 96 + (i * 8)); - } - } - - protected void restoreState(byte[] encodedState) - { - xBufOff = Pack.bigEndianToInt(encodedState, 8); - System.arraycopy(encodedState, 0, xBuf, 0, xBufOff); - byteCount1 = Pack.bigEndianToLong(encodedState, 12); - byteCount2 = Pack.bigEndianToLong(encodedState, 20); - - H1 = Pack.bigEndianToLong(encodedState, 28); - H2 = Pack.bigEndianToLong(encodedState, 36); - H3 = Pack.bigEndianToLong(encodedState, 44); - H4 = Pack.bigEndianToLong(encodedState, 52); - H5 = Pack.bigEndianToLong(encodedState, 60); - H6 = Pack.bigEndianToLong(encodedState, 68); - H7 = Pack.bigEndianToLong(encodedState, 76); - H8 = Pack.bigEndianToLong(encodedState, 84); - - wOff = Pack.bigEndianToInt(encodedState, 92); - for (int i = 0; i < wOff; i++) - { - W[i] = Pack.bigEndianToLong(encodedState, 96 + (i * 8)); - } - } - - protected int getEncodedStateSize() - { - return 96 + (wOff * 8); - } - - public void update( - byte in) - { - xBuf[xBufOff++] = in; - - if (xBufOff == xBuf.length) - { - processWord(xBuf, 0); - xBufOff = 0; - } - - byteCount1++; - } - - public void update( - byte[] in, - int inOff, - int len) - { - // - // fill the current word - // - while ((xBufOff != 0) && (len > 0)) - { - update(in[inOff]); - - inOff++; - len--; - } - - // - // process whole words. - // - while (len > xBuf.length) - { - processWord(in, inOff); - - inOff += xBuf.length; - len -= xBuf.length; - byteCount1 += xBuf.length; - } - - // - // load in the remainder. - // - while (len > 0) - { - update(in[inOff]); - - inOff++; - len--; - } - } - - public void finish() - { - adjustByteCounts(); - - long lowBitLength = byteCount1 << 3; - long hiBitLength = byteCount2; - - // - // add the pad bytes. - // - update((byte)128); - - while (xBufOff != 0) - { - update((byte)0); - } - - processLength(lowBitLength, hiBitLength); - - processBlock(); - } - - public void reset() - { - byteCount1 = 0; - byteCount2 = 0; - - xBufOff = 0; - for (int i = 0; i < xBuf.length; i++) - { - xBuf[i] = 0; - } - - wOff = 0; - for (int i = 0; i != W.length; i++) - { - W[i] = 0; - } - } - - public int getByteLength() - { - return BYTE_LENGTH; - } - - protected void processWord( - byte[] in, - int inOff) - { - W[wOff] = Pack.bigEndianToLong(in, inOff); - - if (++wOff == 16) - { - processBlock(); - } - } - - /** - * adjust the byte counts so that byteCount2 represents the - * upper long (less 3 bits) word of the byte count. - */ - private void adjustByteCounts() - { - if (byteCount1 > 0x1fffffffffffffffL) - { - byteCount2 += (byteCount1 >>> 61); - byteCount1 &= 0x1fffffffffffffffL; - } - } - - protected void processLength( - long lowW, - long hiW) - { - if (wOff > 14) - { - processBlock(); - } - - W[14] = hiW; - W[15] = lowW; - } - - protected void processBlock() - { - adjustByteCounts(); - - // - // expand 16 word block into 80 word blocks. - // - for (int t = 16; t <= 79; t++) - { - W[t] = Sigma1(W[t - 2]) + W[t - 7] + Sigma0(W[t - 15]) + W[t - 16]; - } - - // - // set up working variables. - // - long a = H1; - long b = H2; - long c = H3; - long d = H4; - long e = H5; - long f = H6; - long g = H7; - long h = H8; - - int t = 0; - for(int i = 0; i < 10; i ++) - { - // t = 8 * i - h += Sum1(e) + Ch(e, f, g) + K[t] + W[t++]; - d += h; - h += Sum0(a) + Maj(a, b, c); - - // t = 8 * i + 1 - g += Sum1(d) + Ch(d, e, f) + K[t] + W[t++]; - c += g; - g += Sum0(h) + Maj(h, a, b); - - // t = 8 * i + 2 - f += Sum1(c) + Ch(c, d, e) + K[t] + W[t++]; - b += f; - f += Sum0(g) + Maj(g, h, a); - - // t = 8 * i + 3 - e += Sum1(b) + Ch(b, c, d) + K[t] + W[t++]; - a += e; - e += Sum0(f) + Maj(f, g, h); - - // t = 8 * i + 4 - d += Sum1(a) + Ch(a, b, c) + K[t] + W[t++]; - h += d; - d += Sum0(e) + Maj(e, f, g); - - // t = 8 * i + 5 - c += Sum1(h) + Ch(h, a, b) + K[t] + W[t++]; - g += c; - c += Sum0(d) + Maj(d, e, f); - - // t = 8 * i + 6 - b += Sum1(g) + Ch(g, h, a) + K[t] + W[t++]; - f += b; - b += Sum0(c) + Maj(c, d, e); - - // t = 8 * i + 7 - a += Sum1(f) + Ch(f, g, h) + K[t] + W[t++]; - e += a; - a += Sum0(b) + Maj(b, c, d); - } - - H1 += a; - H2 += b; - H3 += c; - H4 += d; - H5 += e; - H6 += f; - H7 += g; - H8 += h; - - // - // reset the offset and clean out the word buffer. - // - wOff = 0; - for (int i = 0; i < 16; i++) - { - W[i] = 0; - } - } - - /* SHA-384 and SHA-512 functions (as for SHA-256 but for longs) */ - private long Ch( - long x, - long y, - long z) - { - return ((x & y) ^ ((~x) & z)); - } - - private long Maj( - long x, - long y, - long z) - { - return ((x & y) ^ (x & z) ^ (y & z)); - } - - private long Sum0( - long x) - { - return ((x << 36)|(x >>> 28)) ^ ((x << 30)|(x >>> 34)) ^ ((x << 25)|(x >>> 39)); - } - - private long Sum1( - long x) - { - return ((x << 50)|(x >>> 14)) ^ ((x << 46)|(x >>> 18)) ^ ((x << 23)|(x >>> 41)); - } - - private long Sigma0( - long x) - { - return ((x << 63)|(x >>> 1)) ^ ((x << 56)|(x >>> 8)) ^ (x >>> 7); - } - - private long Sigma1( - long x) - { - return ((x << 45)|(x >>> 19)) ^ ((x << 3)|(x >>> 61)) ^ (x >>> 6); - } - - /* SHA-384 and SHA-512 Constants - * (represent the first 64 bits of the fractional parts of the - * cube roots of the first sixty-four prime numbers) - */ - static final long K[] = { -0x428a2f98d728ae22L, 0x7137449123ef65cdL, 0xb5c0fbcfec4d3b2fL, 0xe9b5dba58189dbbcL, -0x3956c25bf348b538L, 0x59f111f1b605d019L, 0x923f82a4af194f9bL, 0xab1c5ed5da6d8118L, -0xd807aa98a3030242L, 0x12835b0145706fbeL, 0x243185be4ee4b28cL, 0x550c7dc3d5ffb4e2L, -0x72be5d74f27b896fL, 0x80deb1fe3b1696b1L, 0x9bdc06a725c71235L, 0xc19bf174cf692694L, -0xe49b69c19ef14ad2L, 0xefbe4786384f25e3L, 0x0fc19dc68b8cd5b5L, 0x240ca1cc77ac9c65L, -0x2de92c6f592b0275L, 0x4a7484aa6ea6e483L, 0x5cb0a9dcbd41fbd4L, 0x76f988da831153b5L, -0x983e5152ee66dfabL, 0xa831c66d2db43210L, 0xb00327c898fb213fL, 0xbf597fc7beef0ee4L, -0xc6e00bf33da88fc2L, 0xd5a79147930aa725L, 0x06ca6351e003826fL, 0x142929670a0e6e70L, -0x27b70a8546d22ffcL, 0x2e1b21385c26c926L, 0x4d2c6dfc5ac42aedL, 0x53380d139d95b3dfL, -0x650a73548baf63deL, 0x766a0abb3c77b2a8L, 0x81c2c92e47edaee6L, 0x92722c851482353bL, -0xa2bfe8a14cf10364L, 0xa81a664bbc423001L, 0xc24b8b70d0f89791L, 0xc76c51a30654be30L, -0xd192e819d6ef5218L, 0xd69906245565a910L, 0xf40e35855771202aL, 0x106aa07032bbd1b8L, -0x19a4c116b8d2d0c8L, 0x1e376c085141ab53L, 0x2748774cdf8eeb99L, 0x34b0bcb5e19b48a8L, -0x391c0cb3c5c95a63L, 0x4ed8aa4ae3418acbL, 0x5b9cca4f7763e373L, 0x682e6ff3d6b2b8a3L, -0x748f82ee5defb2fcL, 0x78a5636f43172f60L, 0x84c87814a1f0ab72L, 0x8cc702081a6439ecL, -0x90befffa23631e28L, 0xa4506cebde82bde9L, 0xbef9a3f7b2c67915L, 0xc67178f2e372532bL, -0xca273eceea26619cL, 0xd186b8c721c0c207L, 0xeada7dd6cde0eb1eL, 0xf57d4f7fee6ed178L, -0x06f067aa72176fbaL, 0x0a637dc5a2c898a6L, 0x113f9804bef90daeL, 0x1b710b35131c471bL, -0x28db77f523047d84L, 0x32caab7b40c72493L, 0x3c9ebe0a15c9bebcL, 0x431d67c49c100d4cL, -0x4cc5d4becb3e42b6L, 0x597f299cfc657e2aL, 0x5fcb6fab3ad6faecL, 0x6c44198c4a475817L - }; - -} diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/MD2Digest.java b/core/src/main/java/org/bouncycastle/crypto/digests/MD2Digest.java deleted file mode 100644 index f96b4a15..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/digests/MD2Digest.java +++ /dev/null @@ -1,258 +0,0 @@ -package org.bouncycastle.crypto.digests; - -import org.bouncycastle.crypto.*; -import org.bouncycastle.util.Memoable; - -/** - * implementation of MD2 - * as outlined in RFC1319 by B.Kaliski from RSA Laboratories April 1992 - */ -public class MD2Digest - implements ExtendedDigest, Memoable -{ - private static final int DIGEST_LENGTH = 16; - - /* X buffer */ - private byte[] X = new byte[48]; - private int xOff; - /* M buffer */ - private byte[] M = new byte[16]; - private int mOff; - /* check sum */ - private byte[] C = new byte[16]; - private int COff; - - public MD2Digest() - { - reset(); - } - - public MD2Digest(MD2Digest t) - { - copyIn(t); - } - - private void copyIn(MD2Digest t) - { - System.arraycopy(t.X, 0, X, 0, t.X.length); - xOff = t.xOff; - System.arraycopy(t.M, 0, M, 0, t.M.length); - mOff = t.mOff; - System.arraycopy(t.C, 0, C, 0, t.C.length); - COff = t.COff; - } - - /** - * return the algorithm name - * - * @return the algorithm name - */ - public String getAlgorithmName() - { - return "MD2"; - } - /** - * return the size, in bytes, of the digest produced by this message digest. - * - * @return the size, in bytes, of the digest produced by this message digest. - */ - public int getDigestSize() - { - return DIGEST_LENGTH; - } - /** - * close the digest, producing the final digest value. The doFinal - * call leaves the digest reset. - * - * @param out the array the digest is to be copied into. - * @param outOff the offset into the out array the digest is to start at. - */ - public int doFinal(byte[] out, int outOff) - { - // add padding - byte paddingByte = (byte)(M.length-mOff); - for (int i=mOff;i<M.length;i++) - { - M[i] = paddingByte; - } - //do final check sum - processCheckSum(M); - // do final block process - processBlock(M); - - processBlock(C); - - System.arraycopy(X,xOff,out,outOff,16); - - reset(); - - return DIGEST_LENGTH; - } - /** - * reset the digest back to it's initial state. - */ - public void reset() - { - xOff = 0; - for (int i = 0; i != X.length; i++) - { - X[i] = 0; - } - mOff = 0; - for (int i = 0; i != M.length; i++) - { - M[i] = 0; - } - COff = 0; - for (int i = 0; i != C.length; i++) - { - C[i] = 0; - } - } - /** - * update the message digest with a single byte. - * - * @param in the input byte to be entered. - */ - public void update(byte in) - { - M[mOff++] = in; - - if (mOff == 16) - { - processCheckSum(M); - processBlock(M); - mOff = 0; - } - } - - /** - * update the message digest with a block of bytes. - * - * @param in the byte array containing the data. - * @param inOff the offset into the byte array where the data starts. - * @param len the length of the data. - */ - public void update(byte[] in, int inOff, int len) - { - // - // fill the current word - // - while ((mOff != 0) && (len > 0)) - { - update(in[inOff]); - inOff++; - len--; - } - - // - // process whole words. - // - while (len > 16) - { - System.arraycopy(in,inOff,M,0,16); - processCheckSum(M); - processBlock(M); - len -= 16; - inOff += 16; - } - - // - // load in the remainder. - // - while (len > 0) - { - update(in[inOff]); - inOff++; - len--; - } - } - protected void processCheckSum(byte[] m) - { - int L = C[15]; - for (int i=0;i<16;i++) - { - C[i] ^= S[(m[i] ^ L) & 0xff]; - L = C[i]; - } - } - protected void processBlock(byte[] m) - { - for (int i=0;i<16;i++) - { - X[i+16] = m[i]; - X[i+32] = (byte)(m[i] ^ X[i]); - } - // encrypt block - int t = 0; - - for (int j=0;j<18;j++) - { - for (int k=0;k<48;k++) - { - t = X[k] ^= S[t]; - t = t & 0xff; - } - t = (t + j)%256; - } - } - // 256-byte random permutation constructed from the digits of PI - private static final byte[] S = { - (byte)41,(byte)46,(byte)67,(byte)201,(byte)162,(byte)216,(byte)124, - (byte)1,(byte)61,(byte)54,(byte)84,(byte)161,(byte)236,(byte)240, - (byte)6,(byte)19,(byte)98,(byte)167,(byte)5,(byte)243,(byte)192, - (byte)199,(byte)115,(byte)140,(byte)152,(byte)147,(byte)43,(byte)217, - (byte)188,(byte)76,(byte)130,(byte)202,(byte)30,(byte)155,(byte)87, - (byte)60,(byte)253,(byte)212,(byte)224,(byte)22,(byte)103,(byte)66, - (byte)111,(byte)24,(byte)138,(byte)23,(byte)229,(byte)18,(byte)190, - (byte)78,(byte)196,(byte)214,(byte)218,(byte)158,(byte)222,(byte)73, - (byte)160,(byte)251,(byte)245,(byte)142,(byte)187,(byte)47,(byte)238, - (byte)122,(byte)169,(byte)104,(byte)121,(byte)145,(byte)21,(byte)178, - (byte)7,(byte)63,(byte)148,(byte)194,(byte)16,(byte)137,(byte)11, - (byte)34,(byte)95,(byte)33,(byte)128,(byte)127,(byte)93,(byte)154, - (byte)90,(byte)144,(byte)50,(byte)39,(byte)53,(byte)62,(byte)204, - (byte)231,(byte)191,(byte)247,(byte)151,(byte)3,(byte)255,(byte)25, - (byte)48,(byte)179,(byte)72,(byte)165,(byte)181,(byte)209,(byte)215, - (byte)94,(byte)146,(byte)42,(byte)172,(byte)86,(byte)170,(byte)198, - (byte)79,(byte)184,(byte)56,(byte)210,(byte)150,(byte)164,(byte)125, - (byte)182,(byte)118,(byte)252,(byte)107,(byte)226,(byte)156,(byte)116, - (byte)4,(byte)241,(byte)69,(byte)157,(byte)112,(byte)89,(byte)100, - (byte)113,(byte)135,(byte)32,(byte)134,(byte)91,(byte)207,(byte)101, - (byte)230,(byte)45,(byte)168,(byte)2,(byte)27,(byte)96,(byte)37, - (byte)173,(byte)174,(byte)176,(byte)185,(byte)246,(byte)28,(byte)70, - (byte)97,(byte)105,(byte)52,(byte)64,(byte)126,(byte)15,(byte)85, - (byte)71,(byte)163,(byte)35,(byte)221,(byte)81,(byte)175,(byte)58, - (byte)195,(byte)92,(byte)249,(byte)206,(byte)186,(byte)197,(byte)234, - (byte)38,(byte)44,(byte)83,(byte)13,(byte)110,(byte)133,(byte)40, - (byte)132, 9,(byte)211,(byte)223,(byte)205,(byte)244,(byte)65, - (byte)129,(byte)77,(byte)82,(byte)106,(byte)220,(byte)55,(byte)200, - (byte)108,(byte)193,(byte)171,(byte)250,(byte)36,(byte)225,(byte)123, - (byte)8,(byte)12,(byte)189,(byte)177,(byte)74,(byte)120,(byte)136, - (byte)149,(byte)139,(byte)227,(byte)99,(byte)232,(byte)109,(byte)233, - (byte)203,(byte)213,(byte)254,(byte)59,(byte)0,(byte)29,(byte)57, - (byte)242,(byte)239,(byte)183,(byte)14,(byte)102,(byte)88,(byte)208, - (byte)228,(byte)166,(byte)119,(byte)114,(byte)248,(byte)235,(byte)117, - (byte)75,(byte)10,(byte)49,(byte)68,(byte)80,(byte)180,(byte)143, - (byte)237,(byte)31,(byte)26,(byte)219,(byte)153,(byte)141,(byte)51, - (byte)159,(byte)17,(byte)131,(byte)20 - }; - - public int getByteLength() - { - return 16; - } - - public Memoable copy() - { - return new MD2Digest(this); - } - - public void reset(Memoable other) - { - MD2Digest d = (MD2Digest)other; - - copyIn(d); - } -} - - diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/MD4Digest.java b/core/src/main/java/org/bouncycastle/crypto/digests/MD4Digest.java deleted file mode 100644 index 68532bd2..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/digests/MD4Digest.java +++ /dev/null @@ -1,291 +0,0 @@ -package org.bouncycastle.crypto.digests; - - -import org.bouncycastle.util.Memoable; - -/** - * implementation of MD4 as RFC 1320 by R. Rivest, MIT Laboratory for - * Computer Science and RSA Data Security, Inc. - * <p> - * <b>NOTE</b>: This algorithm is only included for backwards compatability - * with legacy applications, it's not secure, don't use it for anything new! - */ -public class MD4Digest - extends GeneralDigest -{ - private static final int DIGEST_LENGTH = 16; - - private int H1, H2, H3, H4; // IV's - - private int[] X = new int[16]; - private int xOff; - - /** - * Standard constructor - */ - public MD4Digest() - { - reset(); - } - - /** - * Copy constructor. This will copy the state of the provided - * message digest. - */ - public MD4Digest(MD4Digest t) - { - super(t); - - copyIn(t); - } - - private void copyIn(MD4Digest t) - { - super.copyIn(t); - - H1 = t.H1; - H2 = t.H2; - H3 = t.H3; - H4 = t.H4; - - System.arraycopy(t.X, 0, X, 0, t.X.length); - xOff = t.xOff; - } - - public String getAlgorithmName() - { - return "MD4"; - } - - public int getDigestSize() - { - return DIGEST_LENGTH; - } - - protected void processWord( - byte[] in, - int inOff) - { - X[xOff++] = (in[inOff] & 0xff) | ((in[inOff + 1] & 0xff) << 8) - | ((in[inOff + 2] & 0xff) << 16) | ((in[inOff + 3] & 0xff) << 24); - - if (xOff == 16) - { - processBlock(); - } - } - - protected void processLength( - long bitLength) - { - if (xOff > 14) - { - processBlock(); - } - - X[14] = (int)(bitLength & 0xffffffff); - X[15] = (int)(bitLength >>> 32); - } - - private void unpackWord( - int word, - byte[] out, - int outOff) - { - out[outOff] = (byte)word; - out[outOff + 1] = (byte)(word >>> 8); - out[outOff + 2] = (byte)(word >>> 16); - out[outOff + 3] = (byte)(word >>> 24); - } - - public int doFinal( - byte[] out, - int outOff) - { - finish(); - - unpackWord(H1, out, outOff); - unpackWord(H2, out, outOff + 4); - unpackWord(H3, out, outOff + 8); - unpackWord(H4, out, outOff + 12); - - reset(); - - return DIGEST_LENGTH; - } - - /** - * reset the chaining variables to the IV values. - */ - public void reset() - { - super.reset(); - - H1 = 0x67452301; - H2 = 0xefcdab89; - H3 = 0x98badcfe; - H4 = 0x10325476; - - xOff = 0; - - for (int i = 0; i != X.length; i++) - { - X[i] = 0; - } - } - - // - // round 1 left rotates - // - private static final int S11 = 3; - private static final int S12 = 7; - private static final int S13 = 11; - private static final int S14 = 19; - - // - // round 2 left rotates - // - private static final int S21 = 3; - private static final int S22 = 5; - private static final int S23 = 9; - private static final int S24 = 13; - - // - // round 3 left rotates - // - private static final int S31 = 3; - private static final int S32 = 9; - private static final int S33 = 11; - private static final int S34 = 15; - - /* - * rotate int x left n bits. - */ - private int rotateLeft( - int x, - int n) - { - return (x << n) | (x >>> (32 - n)); - } - - /* - * F, G, H and I are the basic MD4 functions. - */ - private int F( - int u, - int v, - int w) - { - return (u & v) | (~u & w); - } - - private int G( - int u, - int v, - int w) - { - return (u & v) | (u & w) | (v & w); - } - - private int H( - int u, - int v, - int w) - { - return u ^ v ^ w; - } - - protected void processBlock() - { - int a = H1; - int b = H2; - int c = H3; - int d = H4; - - // - // Round 1 - F cycle, 16 times. - // - a = rotateLeft(a + F(b, c, d) + X[ 0], S11); - d = rotateLeft(d + F(a, b, c) + X[ 1], S12); - c = rotateLeft(c + F(d, a, b) + X[ 2], S13); - b = rotateLeft(b + F(c, d, a) + X[ 3], S14); - a = rotateLeft(a + F(b, c, d) + X[ 4], S11); - d = rotateLeft(d + F(a, b, c) + X[ 5], S12); - c = rotateLeft(c + F(d, a, b) + X[ 6], S13); - b = rotateLeft(b + F(c, d, a) + X[ 7], S14); - a = rotateLeft(a + F(b, c, d) + X[ 8], S11); - d = rotateLeft(d + F(a, b, c) + X[ 9], S12); - c = rotateLeft(c + F(d, a, b) + X[10], S13); - b = rotateLeft(b + F(c, d, a) + X[11], S14); - a = rotateLeft(a + F(b, c, d) + X[12], S11); - d = rotateLeft(d + F(a, b, c) + X[13], S12); - c = rotateLeft(c + F(d, a, b) + X[14], S13); - b = rotateLeft(b + F(c, d, a) + X[15], S14); - - // - // Round 2 - G cycle, 16 times. - // - a = rotateLeft(a + G(b, c, d) + X[ 0] + 0x5a827999, S21); - d = rotateLeft(d + G(a, b, c) + X[ 4] + 0x5a827999, S22); - c = rotateLeft(c + G(d, a, b) + X[ 8] + 0x5a827999, S23); - b = rotateLeft(b + G(c, d, a) + X[12] + 0x5a827999, S24); - a = rotateLeft(a + G(b, c, d) + X[ 1] + 0x5a827999, S21); - d = rotateLeft(d + G(a, b, c) + X[ 5] + 0x5a827999, S22); - c = rotateLeft(c + G(d, a, b) + X[ 9] + 0x5a827999, S23); - b = rotateLeft(b + G(c, d, a) + X[13] + 0x5a827999, S24); - a = rotateLeft(a + G(b, c, d) + X[ 2] + 0x5a827999, S21); - d = rotateLeft(d + G(a, b, c) + X[ 6] + 0x5a827999, S22); - c = rotateLeft(c + G(d, a, b) + X[10] + 0x5a827999, S23); - b = rotateLeft(b + G(c, d, a) + X[14] + 0x5a827999, S24); - a = rotateLeft(a + G(b, c, d) + X[ 3] + 0x5a827999, S21); - d = rotateLeft(d + G(a, b, c) + X[ 7] + 0x5a827999, S22); - c = rotateLeft(c + G(d, a, b) + X[11] + 0x5a827999, S23); - b = rotateLeft(b + G(c, d, a) + X[15] + 0x5a827999, S24); - - // - // Round 3 - H cycle, 16 times. - // - a = rotateLeft(a + H(b, c, d) + X[ 0] + 0x6ed9eba1, S31); - d = rotateLeft(d + H(a, b, c) + X[ 8] + 0x6ed9eba1, S32); - c = rotateLeft(c + H(d, a, b) + X[ 4] + 0x6ed9eba1, S33); - b = rotateLeft(b + H(c, d, a) + X[12] + 0x6ed9eba1, S34); - a = rotateLeft(a + H(b, c, d) + X[ 2] + 0x6ed9eba1, S31); - d = rotateLeft(d + H(a, b, c) + X[10] + 0x6ed9eba1, S32); - c = rotateLeft(c + H(d, a, b) + X[ 6] + 0x6ed9eba1, S33); - b = rotateLeft(b + H(c, d, a) + X[14] + 0x6ed9eba1, S34); - a = rotateLeft(a + H(b, c, d) + X[ 1] + 0x6ed9eba1, S31); - d = rotateLeft(d + H(a, b, c) + X[ 9] + 0x6ed9eba1, S32); - c = rotateLeft(c + H(d, a, b) + X[ 5] + 0x6ed9eba1, S33); - b = rotateLeft(b + H(c, d, a) + X[13] + 0x6ed9eba1, S34); - a = rotateLeft(a + H(b, c, d) + X[ 3] + 0x6ed9eba1, S31); - d = rotateLeft(d + H(a, b, c) + X[11] + 0x6ed9eba1, S32); - c = rotateLeft(c + H(d, a, b) + X[ 7] + 0x6ed9eba1, S33); - b = rotateLeft(b + H(c, d, a) + X[15] + 0x6ed9eba1, S34); - - H1 += a; - H2 += b; - H3 += c; - H4 += d; - - // - // reset the offset and clean out the word buffer. - // - xOff = 0; - for (int i = 0; i != X.length; i++) - { - X[i] = 0; - } - } - - public Memoable copy() - { - return new MD4Digest(this); - } - - public void reset(Memoable other) - { - MD4Digest d = (MD4Digest)other; - - copyIn(d); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/MD5Digest.java b/core/src/main/java/org/bouncycastle/crypto/digests/MD5Digest.java deleted file mode 100644 index ff9cedf0..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/digests/MD5Digest.java +++ /dev/null @@ -1,323 +0,0 @@ -package org.bouncycastle.crypto.digests; - - -import org.bouncycastle.util.Memoable; - -/** - * implementation of MD5 as outlined in "Handbook of Applied Cryptography", pages 346 - 347. - */ -public class MD5Digest - extends GeneralDigest -{ - private static final int DIGEST_LENGTH = 16; - - private int H1, H2, H3, H4; // IV's - - private int[] X = new int[16]; - private int xOff; - - /** - * Standard constructor - */ - public MD5Digest() - { - reset(); - } - - /** - * Copy constructor. This will copy the state of the provided - * message digest. - */ - public MD5Digest(MD5Digest t) - { - super(t); - - copyIn(t); - } - - private void copyIn(MD5Digest t) - { - super.copyIn(t); - - H1 = t.H1; - H2 = t.H2; - H3 = t.H3; - H4 = t.H4; - - System.arraycopy(t.X, 0, X, 0, t.X.length); - xOff = t.xOff; - } - - public String getAlgorithmName() - { - return "MD5"; - } - - public int getDigestSize() - { - return DIGEST_LENGTH; - } - - protected void processWord( - byte[] in, - int inOff) - { - X[xOff++] = (in[inOff] & 0xff) | ((in[inOff + 1] & 0xff) << 8) - | ((in[inOff + 2] & 0xff) << 16) | ((in[inOff + 3] & 0xff) << 24); - - if (xOff == 16) - { - processBlock(); - } - } - - protected void processLength( - long bitLength) - { - if (xOff > 14) - { - processBlock(); - } - - X[14] = (int)(bitLength & 0xffffffff); - X[15] = (int)(bitLength >>> 32); - } - - private void unpackWord( - int word, - byte[] out, - int outOff) - { - out[outOff] = (byte)word; - out[outOff + 1] = (byte)(word >>> 8); - out[outOff + 2] = (byte)(word >>> 16); - out[outOff + 3] = (byte)(word >>> 24); - } - - public int doFinal( - byte[] out, - int outOff) - { - finish(); - - unpackWord(H1, out, outOff); - unpackWord(H2, out, outOff + 4); - unpackWord(H3, out, outOff + 8); - unpackWord(H4, out, outOff + 12); - - reset(); - - return DIGEST_LENGTH; - } - - /** - * reset the chaining variables to the IV values. - */ - public void reset() - { - super.reset(); - - H1 = 0x67452301; - H2 = 0xefcdab89; - H3 = 0x98badcfe; - H4 = 0x10325476; - - xOff = 0; - - for (int i = 0; i != X.length; i++) - { - X[i] = 0; - } - } - - // - // round 1 left rotates - // - private static final int S11 = 7; - private static final int S12 = 12; - private static final int S13 = 17; - private static final int S14 = 22; - - // - // round 2 left rotates - // - private static final int S21 = 5; - private static final int S22 = 9; - private static final int S23 = 14; - private static final int S24 = 20; - - // - // round 3 left rotates - // - private static final int S31 = 4; - private static final int S32 = 11; - private static final int S33 = 16; - private static final int S34 = 23; - - // - // round 4 left rotates - // - private static final int S41 = 6; - private static final int S42 = 10; - private static final int S43 = 15; - private static final int S44 = 21; - - /* - * rotate int x left n bits. - */ - private int rotateLeft( - int x, - int n) - { - return (x << n) | (x >>> (32 - n)); - } - - /* - * F, G, H and I are the basic MD5 functions. - */ - private int F( - int u, - int v, - int w) - { - return (u & v) | (~u & w); - } - - private int G( - int u, - int v, - int w) - { - return (u & w) | (v & ~w); - } - - private int H( - int u, - int v, - int w) - { - return u ^ v ^ w; - } - - private int K( - int u, - int v, - int w) - { - return v ^ (u | ~w); - } - - protected void processBlock() - { - int a = H1; - int b = H2; - int c = H3; - int d = H4; - - // - // Round 1 - F cycle, 16 times. - // - a = rotateLeft(a + F(b, c, d) + X[ 0] + 0xd76aa478, S11) + b; - d = rotateLeft(d + F(a, b, c) + X[ 1] + 0xe8c7b756, S12) + a; - c = rotateLeft(c + F(d, a, b) + X[ 2] + 0x242070db, S13) + d; - b = rotateLeft(b + F(c, d, a) + X[ 3] + 0xc1bdceee, S14) + c; - a = rotateLeft(a + F(b, c, d) + X[ 4] + 0xf57c0faf, S11) + b; - d = rotateLeft(d + F(a, b, c) + X[ 5] + 0x4787c62a, S12) + a; - c = rotateLeft(c + F(d, a, b) + X[ 6] + 0xa8304613, S13) + d; - b = rotateLeft(b + F(c, d, a) + X[ 7] + 0xfd469501, S14) + c; - a = rotateLeft(a + F(b, c, d) + X[ 8] + 0x698098d8, S11) + b; - d = rotateLeft(d + F(a, b, c) + X[ 9] + 0x8b44f7af, S12) + a; - c = rotateLeft(c + F(d, a, b) + X[10] + 0xffff5bb1, S13) + d; - b = rotateLeft(b + F(c, d, a) + X[11] + 0x895cd7be, S14) + c; - a = rotateLeft(a + F(b, c, d) + X[12] + 0x6b901122, S11) + b; - d = rotateLeft(d + F(a, b, c) + X[13] + 0xfd987193, S12) + a; - c = rotateLeft(c + F(d, a, b) + X[14] + 0xa679438e, S13) + d; - b = rotateLeft(b + F(c, d, a) + X[15] + 0x49b40821, S14) + c; - - // - // Round 2 - G cycle, 16 times. - // - a = rotateLeft(a + G(b, c, d) + X[ 1] + 0xf61e2562, S21) + b; - d = rotateLeft(d + G(a, b, c) + X[ 6] + 0xc040b340, S22) + a; - c = rotateLeft(c + G(d, a, b) + X[11] + 0x265e5a51, S23) + d; - b = rotateLeft(b + G(c, d, a) + X[ 0] + 0xe9b6c7aa, S24) + c; - a = rotateLeft(a + G(b, c, d) + X[ 5] + 0xd62f105d, S21) + b; - d = rotateLeft(d + G(a, b, c) + X[10] + 0x02441453, S22) + a; - c = rotateLeft(c + G(d, a, b) + X[15] + 0xd8a1e681, S23) + d; - b = rotateLeft(b + G(c, d, a) + X[ 4] + 0xe7d3fbc8, S24) + c; - a = rotateLeft(a + G(b, c, d) + X[ 9] + 0x21e1cde6, S21) + b; - d = rotateLeft(d + G(a, b, c) + X[14] + 0xc33707d6, S22) + a; - c = rotateLeft(c + G(d, a, b) + X[ 3] + 0xf4d50d87, S23) + d; - b = rotateLeft(b + G(c, d, a) + X[ 8] + 0x455a14ed, S24) + c; - a = rotateLeft(a + G(b, c, d) + X[13] + 0xa9e3e905, S21) + b; - d = rotateLeft(d + G(a, b, c) + X[ 2] + 0xfcefa3f8, S22) + a; - c = rotateLeft(c + G(d, a, b) + X[ 7] + 0x676f02d9, S23) + d; - b = rotateLeft(b + G(c, d, a) + X[12] + 0x8d2a4c8a, S24) + c; - - // - // Round 3 - H cycle, 16 times. - // - a = rotateLeft(a + H(b, c, d) + X[ 5] + 0xfffa3942, S31) + b; - d = rotateLeft(d + H(a, b, c) + X[ 8] + 0x8771f681, S32) + a; - c = rotateLeft(c + H(d, a, b) + X[11] + 0x6d9d6122, S33) + d; - b = rotateLeft(b + H(c, d, a) + X[14] + 0xfde5380c, S34) + c; - a = rotateLeft(a + H(b, c, d) + X[ 1] + 0xa4beea44, S31) + b; - d = rotateLeft(d + H(a, b, c) + X[ 4] + 0x4bdecfa9, S32) + a; - c = rotateLeft(c + H(d, a, b) + X[ 7] + 0xf6bb4b60, S33) + d; - b = rotateLeft(b + H(c, d, a) + X[10] + 0xbebfbc70, S34) + c; - a = rotateLeft(a + H(b, c, d) + X[13] + 0x289b7ec6, S31) + b; - d = rotateLeft(d + H(a, b, c) + X[ 0] + 0xeaa127fa, S32) + a; - c = rotateLeft(c + H(d, a, b) + X[ 3] + 0xd4ef3085, S33) + d; - b = rotateLeft(b + H(c, d, a) + X[ 6] + 0x04881d05, S34) + c; - a = rotateLeft(a + H(b, c, d) + X[ 9] + 0xd9d4d039, S31) + b; - d = rotateLeft(d + H(a, b, c) + X[12] + 0xe6db99e5, S32) + a; - c = rotateLeft(c + H(d, a, b) + X[15] + 0x1fa27cf8, S33) + d; - b = rotateLeft(b + H(c, d, a) + X[ 2] + 0xc4ac5665, S34) + c; - - // - // Round 4 - K cycle, 16 times. - // - a = rotateLeft(a + K(b, c, d) + X[ 0] + 0xf4292244, S41) + b; - d = rotateLeft(d + K(a, b, c) + X[ 7] + 0x432aff97, S42) + a; - c = rotateLeft(c + K(d, a, b) + X[14] + 0xab9423a7, S43) + d; - b = rotateLeft(b + K(c, d, a) + X[ 5] + 0xfc93a039, S44) + c; - a = rotateLeft(a + K(b, c, d) + X[12] + 0x655b59c3, S41) + b; - d = rotateLeft(d + K(a, b, c) + X[ 3] + 0x8f0ccc92, S42) + a; - c = rotateLeft(c + K(d, a, b) + X[10] + 0xffeff47d, S43) + d; - b = rotateLeft(b + K(c, d, a) + X[ 1] + 0x85845dd1, S44) + c; - a = rotateLeft(a + K(b, c, d) + X[ 8] + 0x6fa87e4f, S41) + b; - d = rotateLeft(d + K(a, b, c) + X[15] + 0xfe2ce6e0, S42) + a; - c = rotateLeft(c + K(d, a, b) + X[ 6] + 0xa3014314, S43) + d; - b = rotateLeft(b + K(c, d, a) + X[13] + 0x4e0811a1, S44) + c; - a = rotateLeft(a + K(b, c, d) + X[ 4] + 0xf7537e82, S41) + b; - d = rotateLeft(d + K(a, b, c) + X[11] + 0xbd3af235, S42) + a; - c = rotateLeft(c + K(d, a, b) + X[ 2] + 0x2ad7d2bb, S43) + d; - b = rotateLeft(b + K(c, d, a) + X[ 9] + 0xeb86d391, S44) + c; - - H1 += a; - H2 += b; - H3 += c; - H4 += d; - - // - // reset the offset and clean out the word buffer. - // - xOff = 0; - for (int i = 0; i != X.length; i++) - { - X[i] = 0; - } - } - - public Memoable copy() - { - return new MD5Digest(this); - } - - public void reset(Memoable other) - { - MD5Digest d = (MD5Digest)other; - - copyIn(d); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/NonMemoableDigest.java b/core/src/main/java/org/bouncycastle/crypto/digests/NonMemoableDigest.java deleted file mode 100644 index 87a4d249..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/digests/NonMemoableDigest.java +++ /dev/null @@ -1,64 +0,0 @@ -package org.bouncycastle.crypto.digests; - -import org.bouncycastle.crypto.ExtendedDigest; - -/** - * Wrapper removes exposure to the Memoable interface on an ExtendedDigest implementation. - */ -public class NonMemoableDigest - implements ExtendedDigest -{ - private ExtendedDigest baseDigest; - - /** - * Base constructor. - * - * @param baseDigest underlying digest to use. - * @exception IllegalArgumentException if baseDigest is null - */ - public NonMemoableDigest( - ExtendedDigest baseDigest) - { - if (baseDigest == null) - { - throw new IllegalArgumentException("baseDigest must not be null"); - } - - this.baseDigest = baseDigest; - } - - public String getAlgorithmName() - { - return baseDigest.getAlgorithmName(); - } - - public int getDigestSize() - { - return baseDigest.getDigestSize(); - } - - public void update(byte in) - { - baseDigest.update(in); - } - - public void update(byte[] in, int inOff, int len) - { - baseDigest.update(in, inOff, len); - } - - public int doFinal(byte[] out, int outOff) - { - return baseDigest.doFinal(out, outOff); - } - - public void reset() - { - baseDigest.reset(); - } - - public int getByteLength() - { - return baseDigest.getByteLength(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/NullDigest.java b/core/src/main/java/org/bouncycastle/crypto/digests/NullDigest.java deleted file mode 100644 index 6cb0d4ac..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/digests/NullDigest.java +++ /dev/null @@ -1,48 +0,0 @@ -package org.bouncycastle.crypto.digests; - -import java.io.ByteArrayOutputStream; - -import org.bouncycastle.crypto.Digest; - - -public class NullDigest - implements Digest -{ - private ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - public String getAlgorithmName() - { - return "NULL"; - } - - public int getDigestSize() - { - return bOut.size(); - } - - public void update(byte in) - { - bOut.write(in); - } - - public void update(byte[] in, int inOff, int len) - { - bOut.write(in, inOff, len); - } - - public int doFinal(byte[] out, int outOff) - { - byte[] res = bOut.toByteArray(); - - System.arraycopy(res, 0, out, outOff, res.length); - - reset(); - - return res.length; - } - - public void reset() - { - bOut.reset(); - } -}
\ No newline at end of file diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/RIPEMD128Digest.java b/core/src/main/java/org/bouncycastle/crypto/digests/RIPEMD128Digest.java deleted file mode 100644 index ec7fa859..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/digests/RIPEMD128Digest.java +++ /dev/null @@ -1,482 +0,0 @@ -package org.bouncycastle.crypto.digests; - - -import org.bouncycastle.util.Memoable; - -/** - * implementation of RIPEMD128 - */ -public class RIPEMD128Digest - extends GeneralDigest -{ - private static final int DIGEST_LENGTH = 16; - - private int H0, H1, H2, H3; // IV's - - private int[] X = new int[16]; - private int xOff; - - /** - * Standard constructor - */ - public RIPEMD128Digest() - { - reset(); - } - - /** - * Copy constructor. This will copy the state of the provided - * message digest. - */ - public RIPEMD128Digest(RIPEMD128Digest t) - { - super(t); - - copyIn(t); - } - - private void copyIn(RIPEMD128Digest t) - { - super.copyIn(t); - - H0 = t.H0; - H1 = t.H1; - H2 = t.H2; - H3 = t.H3; - - System.arraycopy(t.X, 0, X, 0, t.X.length); - xOff = t.xOff; - } - - public String getAlgorithmName() - { - return "RIPEMD128"; - } - - public int getDigestSize() - { - return DIGEST_LENGTH; - } - - protected void processWord( - byte[] in, - int inOff) - { - X[xOff++] = (in[inOff] & 0xff) | ((in[inOff + 1] & 0xff) << 8) - | ((in[inOff + 2] & 0xff) << 16) | ((in[inOff + 3] & 0xff) << 24); - - if (xOff == 16) - { - processBlock(); - } - } - - protected void processLength( - long bitLength) - { - if (xOff > 14) - { - processBlock(); - } - - X[14] = (int)(bitLength & 0xffffffff); - X[15] = (int)(bitLength >>> 32); - } - - private void unpackWord( - int word, - byte[] out, - int outOff) - { - out[outOff] = (byte)word; - out[outOff + 1] = (byte)(word >>> 8); - out[outOff + 2] = (byte)(word >>> 16); - out[outOff + 3] = (byte)(word >>> 24); - } - - public int doFinal( - byte[] out, - int outOff) - { - finish(); - - unpackWord(H0, out, outOff); - unpackWord(H1, out, outOff + 4); - unpackWord(H2, out, outOff + 8); - unpackWord(H3, out, outOff + 12); - - reset(); - - return DIGEST_LENGTH; - } - - /** - * reset the chaining variables to the IV values. - */ - public void reset() - { - super.reset(); - - H0 = 0x67452301; - H1 = 0xefcdab89; - H2 = 0x98badcfe; - H3 = 0x10325476; - - xOff = 0; - - for (int i = 0; i != X.length; i++) - { - X[i] = 0; - } - } - - /* - * rotate int x left n bits. - */ - private int RL( - int x, - int n) - { - return (x << n) | (x >>> (32 - n)); - } - - /* - * f1,f2,f3,f4 are the basic RIPEMD128 functions. - */ - - /* - * F - */ - private int f1( - int x, - int y, - int z) - { - return x ^ y ^ z; - } - - /* - * G - */ - private int f2( - int x, - int y, - int z) - { - return (x & y) | (~x & z); - } - - /* - * H - */ - private int f3( - int x, - int y, - int z) - { - return (x | ~y) ^ z; - } - - /* - * I - */ - private int f4( - int x, - int y, - int z) - { - return (x & z) | (y & ~z); - } - - private int F1( - int a, - int b, - int c, - int d, - int x, - int s) - { - return RL(a + f1(b, c, d) + x, s); - } - - private int F2( - int a, - int b, - int c, - int d, - int x, - int s) - { - return RL(a + f2(b, c, d) + x + 0x5a827999, s); - } - - private int F3( - int a, - int b, - int c, - int d, - int x, - int s) - { - return RL(a + f3(b, c, d) + x + 0x6ed9eba1, s); - } - - private int F4( - int a, - int b, - int c, - int d, - int x, - int s) - { - return RL(a + f4(b, c, d) + x + 0x8f1bbcdc, s); - } - - private int FF1( - int a, - int b, - int c, - int d, - int x, - int s) - { - return RL(a + f1(b, c, d) + x, s); - } - - private int FF2( - int a, - int b, - int c, - int d, - int x, - int s) - { - return RL(a + f2(b, c, d) + x + 0x6d703ef3, s); - } - - private int FF3( - int a, - int b, - int c, - int d, - int x, - int s) - { - return RL(a + f3(b, c, d) + x + 0x5c4dd124, s); - } - - private int FF4( - int a, - int b, - int c, - int d, - int x, - int s) - { - return RL(a + f4(b, c, d) + x + 0x50a28be6, s); - } - - protected void processBlock() - { - int a, aa; - int b, bb; - int c, cc; - int d, dd; - - a = aa = H0; - b = bb = H1; - c = cc = H2; - d = dd = H3; - - // - // Round 1 - // - a = F1(a, b, c, d, X[ 0], 11); - d = F1(d, a, b, c, X[ 1], 14); - c = F1(c, d, a, b, X[ 2], 15); - b = F1(b, c, d, a, X[ 3], 12); - a = F1(a, b, c, d, X[ 4], 5); - d = F1(d, a, b, c, X[ 5], 8); - c = F1(c, d, a, b, X[ 6], 7); - b = F1(b, c, d, a, X[ 7], 9); - a = F1(a, b, c, d, X[ 8], 11); - d = F1(d, a, b, c, X[ 9], 13); - c = F1(c, d, a, b, X[10], 14); - b = F1(b, c, d, a, X[11], 15); - a = F1(a, b, c, d, X[12], 6); - d = F1(d, a, b, c, X[13], 7); - c = F1(c, d, a, b, X[14], 9); - b = F1(b, c, d, a, X[15], 8); - - // - // Round 2 - // - a = F2(a, b, c, d, X[ 7], 7); - d = F2(d, a, b, c, X[ 4], 6); - c = F2(c, d, a, b, X[13], 8); - b = F2(b, c, d, a, X[ 1], 13); - a = F2(a, b, c, d, X[10], 11); - d = F2(d, a, b, c, X[ 6], 9); - c = F2(c, d, a, b, X[15], 7); - b = F2(b, c, d, a, X[ 3], 15); - a = F2(a, b, c, d, X[12], 7); - d = F2(d, a, b, c, X[ 0], 12); - c = F2(c, d, a, b, X[ 9], 15); - b = F2(b, c, d, a, X[ 5], 9); - a = F2(a, b, c, d, X[ 2], 11); - d = F2(d, a, b, c, X[14], 7); - c = F2(c, d, a, b, X[11], 13); - b = F2(b, c, d, a, X[ 8], 12); - - // - // Round 3 - // - a = F3(a, b, c, d, X[ 3], 11); - d = F3(d, a, b, c, X[10], 13); - c = F3(c, d, a, b, X[14], 6); - b = F3(b, c, d, a, X[ 4], 7); - a = F3(a, b, c, d, X[ 9], 14); - d = F3(d, a, b, c, X[15], 9); - c = F3(c, d, a, b, X[ 8], 13); - b = F3(b, c, d, a, X[ 1], 15); - a = F3(a, b, c, d, X[ 2], 14); - d = F3(d, a, b, c, X[ 7], 8); - c = F3(c, d, a, b, X[ 0], 13); - b = F3(b, c, d, a, X[ 6], 6); - a = F3(a, b, c, d, X[13], 5); - d = F3(d, a, b, c, X[11], 12); - c = F3(c, d, a, b, X[ 5], 7); - b = F3(b, c, d, a, X[12], 5); - - // - // Round 4 - // - a = F4(a, b, c, d, X[ 1], 11); - d = F4(d, a, b, c, X[ 9], 12); - c = F4(c, d, a, b, X[11], 14); - b = F4(b, c, d, a, X[10], 15); - a = F4(a, b, c, d, X[ 0], 14); - d = F4(d, a, b, c, X[ 8], 15); - c = F4(c, d, a, b, X[12], 9); - b = F4(b, c, d, a, X[ 4], 8); - a = F4(a, b, c, d, X[13], 9); - d = F4(d, a, b, c, X[ 3], 14); - c = F4(c, d, a, b, X[ 7], 5); - b = F4(b, c, d, a, X[15], 6); - a = F4(a, b, c, d, X[14], 8); - d = F4(d, a, b, c, X[ 5], 6); - c = F4(c, d, a, b, X[ 6], 5); - b = F4(b, c, d, a, X[ 2], 12); - - // - // Parallel round 1 - // - aa = FF4(aa, bb, cc, dd, X[ 5], 8); - dd = FF4(dd, aa, bb, cc, X[14], 9); - cc = FF4(cc, dd, aa, bb, X[ 7], 9); - bb = FF4(bb, cc, dd, aa, X[ 0], 11); - aa = FF4(aa, bb, cc, dd, X[ 9], 13); - dd = FF4(dd, aa, bb, cc, X[ 2], 15); - cc = FF4(cc, dd, aa, bb, X[11], 15); - bb = FF4(bb, cc, dd, aa, X[ 4], 5); - aa = FF4(aa, bb, cc, dd, X[13], 7); - dd = FF4(dd, aa, bb, cc, X[ 6], 7); - cc = FF4(cc, dd, aa, bb, X[15], 8); - bb = FF4(bb, cc, dd, aa, X[ 8], 11); - aa = FF4(aa, bb, cc, dd, X[ 1], 14); - dd = FF4(dd, aa, bb, cc, X[10], 14); - cc = FF4(cc, dd, aa, bb, X[ 3], 12); - bb = FF4(bb, cc, dd, aa, X[12], 6); - - // - // Parallel round 2 - // - aa = FF3(aa, bb, cc, dd, X[ 6], 9); - dd = FF3(dd, aa, bb, cc, X[11], 13); - cc = FF3(cc, dd, aa, bb, X[ 3], 15); - bb = FF3(bb, cc, dd, aa, X[ 7], 7); - aa = FF3(aa, bb, cc, dd, X[ 0], 12); - dd = FF3(dd, aa, bb, cc, X[13], 8); - cc = FF3(cc, dd, aa, bb, X[ 5], 9); - bb = FF3(bb, cc, dd, aa, X[10], 11); - aa = FF3(aa, bb, cc, dd, X[14], 7); - dd = FF3(dd, aa, bb, cc, X[15], 7); - cc = FF3(cc, dd, aa, bb, X[ 8], 12); - bb = FF3(bb, cc, dd, aa, X[12], 7); - aa = FF3(aa, bb, cc, dd, X[ 4], 6); - dd = FF3(dd, aa, bb, cc, X[ 9], 15); - cc = FF3(cc, dd, aa, bb, X[ 1], 13); - bb = FF3(bb, cc, dd, aa, X[ 2], 11); - - // - // Parallel round 3 - // - aa = FF2(aa, bb, cc, dd, X[15], 9); - dd = FF2(dd, aa, bb, cc, X[ 5], 7); - cc = FF2(cc, dd, aa, bb, X[ 1], 15); - bb = FF2(bb, cc, dd, aa, X[ 3], 11); - aa = FF2(aa, bb, cc, dd, X[ 7], 8); - dd = FF2(dd, aa, bb, cc, X[14], 6); - cc = FF2(cc, dd, aa, bb, X[ 6], 6); - bb = FF2(bb, cc, dd, aa, X[ 9], 14); - aa = FF2(aa, bb, cc, dd, X[11], 12); - dd = FF2(dd, aa, bb, cc, X[ 8], 13); - cc = FF2(cc, dd, aa, bb, X[12], 5); - bb = FF2(bb, cc, dd, aa, X[ 2], 14); - aa = FF2(aa, bb, cc, dd, X[10], 13); - dd = FF2(dd, aa, bb, cc, X[ 0], 13); - cc = FF2(cc, dd, aa, bb, X[ 4], 7); - bb = FF2(bb, cc, dd, aa, X[13], 5); - - // - // Parallel round 4 - // - aa = FF1(aa, bb, cc, dd, X[ 8], 15); - dd = FF1(dd, aa, bb, cc, X[ 6], 5); - cc = FF1(cc, dd, aa, bb, X[ 4], 8); - bb = FF1(bb, cc, dd, aa, X[ 1], 11); - aa = FF1(aa, bb, cc, dd, X[ 3], 14); - dd = FF1(dd, aa, bb, cc, X[11], 14); - cc = FF1(cc, dd, aa, bb, X[15], 6); - bb = FF1(bb, cc, dd, aa, X[ 0], 14); - aa = FF1(aa, bb, cc, dd, X[ 5], 6); - dd = FF1(dd, aa, bb, cc, X[12], 9); - cc = FF1(cc, dd, aa, bb, X[ 2], 12); - bb = FF1(bb, cc, dd, aa, X[13], 9); - aa = FF1(aa, bb, cc, dd, X[ 9], 12); - dd = FF1(dd, aa, bb, cc, X[ 7], 5); - cc = FF1(cc, dd, aa, bb, X[10], 15); - bb = FF1(bb, cc, dd, aa, X[14], 8); - - dd += c + H1; // final result for H0 - - // - // combine the results - // - H1 = H2 + d + aa; - H2 = H3 + a + bb; - H3 = H0 + b + cc; - H0 = dd; - - // - // reset the offset and clean out the word buffer. - // - xOff = 0; - for (int i = 0; i != X.length; i++) - { - X[i] = 0; - } - } - - public Memoable copy() - { - return new RIPEMD128Digest(this); - } - - public void reset(Memoable other) - { - RIPEMD128Digest d = (RIPEMD128Digest)other; - - copyIn(d); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/RIPEMD160Digest.java b/core/src/main/java/org/bouncycastle/crypto/digests/RIPEMD160Digest.java deleted file mode 100644 index 20c81e68..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/digests/RIPEMD160Digest.java +++ /dev/null @@ -1,443 +0,0 @@ -package org.bouncycastle.crypto.digests; - - -import org.bouncycastle.util.Memoable; - -/** - * implementation of RIPEMD see, - * http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html - */ -public class RIPEMD160Digest - extends GeneralDigest -{ - private static final int DIGEST_LENGTH = 20; - - private int H0, H1, H2, H3, H4; // IV's - - private int[] X = new int[16]; - private int xOff; - - /** - * Standard constructor - */ - public RIPEMD160Digest() - { - reset(); - } - - /** - * Copy constructor. This will copy the state of the provided - * message digest. - */ - public RIPEMD160Digest(RIPEMD160Digest t) - { - super(t); - - copyIn(t); - } - - private void copyIn(RIPEMD160Digest t) - { - super.copyIn(t); - - H0 = t.H0; - H1 = t.H1; - H2 = t.H2; - H3 = t.H3; - H4 = t.H4; - - System.arraycopy(t.X, 0, X, 0, t.X.length); - xOff = t.xOff; - } - - public String getAlgorithmName() - { - return "RIPEMD160"; - } - - public int getDigestSize() - { - return DIGEST_LENGTH; - } - - protected void processWord( - byte[] in, - int inOff) - { - X[xOff++] = (in[inOff] & 0xff) | ((in[inOff + 1] & 0xff) << 8) - | ((in[inOff + 2] & 0xff) << 16) | ((in[inOff + 3] & 0xff) << 24); - - if (xOff == 16) - { - processBlock(); - } - } - - protected void processLength( - long bitLength) - { - if (xOff > 14) - { - processBlock(); - } - - X[14] = (int)(bitLength & 0xffffffff); - X[15] = (int)(bitLength >>> 32); - } - - private void unpackWord( - int word, - byte[] out, - int outOff) - { - out[outOff] = (byte)word; - out[outOff + 1] = (byte)(word >>> 8); - out[outOff + 2] = (byte)(word >>> 16); - out[outOff + 3] = (byte)(word >>> 24); - } - - public int doFinal( - byte[] out, - int outOff) - { - finish(); - - unpackWord(H0, out, outOff); - unpackWord(H1, out, outOff + 4); - unpackWord(H2, out, outOff + 8); - unpackWord(H3, out, outOff + 12); - unpackWord(H4, out, outOff + 16); - - reset(); - - return DIGEST_LENGTH; - } - - /** - * reset the chaining variables to the IV values. - */ - public void reset() - { - super.reset(); - - H0 = 0x67452301; - H1 = 0xefcdab89; - H2 = 0x98badcfe; - H3 = 0x10325476; - H4 = 0xc3d2e1f0; - - xOff = 0; - - for (int i = 0; i != X.length; i++) - { - X[i] = 0; - } - } - - /* - * rotate int x left n bits. - */ - private int RL( - int x, - int n) - { - return (x << n) | (x >>> (32 - n)); - } - - /* - * f1,f2,f3,f4,f5 are the basic RIPEMD160 functions. - */ - - /* - * rounds 0-15 - */ - private int f1( - int x, - int y, - int z) - { - return x ^ y ^ z; - } - - /* - * rounds 16-31 - */ - private int f2( - int x, - int y, - int z) - { - return (x & y) | (~x & z); - } - - /* - * rounds 32-47 - */ - private int f3( - int x, - int y, - int z) - { - return (x | ~y) ^ z; - } - - /* - * rounds 48-63 - */ - private int f4( - int x, - int y, - int z) - { - return (x & z) | (y & ~z); - } - - /* - * rounds 64-79 - */ - private int f5( - int x, - int y, - int z) - { - return x ^ (y | ~z); - } - - protected void processBlock() - { - int a, aa; - int b, bb; - int c, cc; - int d, dd; - int e, ee; - - a = aa = H0; - b = bb = H1; - c = cc = H2; - d = dd = H3; - e = ee = H4; - - // - // Rounds 1 - 16 - // - // left - a = RL(a + f1(b,c,d) + X[ 0], 11) + e; c = RL(c, 10); - e = RL(e + f1(a,b,c) + X[ 1], 14) + d; b = RL(b, 10); - d = RL(d + f1(e,a,b) + X[ 2], 15) + c; a = RL(a, 10); - c = RL(c + f1(d,e,a) + X[ 3], 12) + b; e = RL(e, 10); - b = RL(b + f1(c,d,e) + X[ 4], 5) + a; d = RL(d, 10); - a = RL(a + f1(b,c,d) + X[ 5], 8) + e; c = RL(c, 10); - e = RL(e + f1(a,b,c) + X[ 6], 7) + d; b = RL(b, 10); - d = RL(d + f1(e,a,b) + X[ 7], 9) + c; a = RL(a, 10); - c = RL(c + f1(d,e,a) + X[ 8], 11) + b; e = RL(e, 10); - b = RL(b + f1(c,d,e) + X[ 9], 13) + a; d = RL(d, 10); - a = RL(a + f1(b,c,d) + X[10], 14) + e; c = RL(c, 10); - e = RL(e + f1(a,b,c) + X[11], 15) + d; b = RL(b, 10); - d = RL(d + f1(e,a,b) + X[12], 6) + c; a = RL(a, 10); - c = RL(c + f1(d,e,a) + X[13], 7) + b; e = RL(e, 10); - b = RL(b + f1(c,d,e) + X[14], 9) + a; d = RL(d, 10); - a = RL(a + f1(b,c,d) + X[15], 8) + e; c = RL(c, 10); - - // right - aa = RL(aa + f5(bb,cc,dd) + X[ 5] + 0x50a28be6, 8) + ee; cc = RL(cc, 10); - ee = RL(ee + f5(aa,bb,cc) + X[14] + 0x50a28be6, 9) + dd; bb = RL(bb, 10); - dd = RL(dd + f5(ee,aa,bb) + X[ 7] + 0x50a28be6, 9) + cc; aa = RL(aa, 10); - cc = RL(cc + f5(dd,ee,aa) + X[ 0] + 0x50a28be6, 11) + bb; ee = RL(ee, 10); - bb = RL(bb + f5(cc,dd,ee) + X[ 9] + 0x50a28be6, 13) + aa; dd = RL(dd, 10); - aa = RL(aa + f5(bb,cc,dd) + X[ 2] + 0x50a28be6, 15) + ee; cc = RL(cc, 10); - ee = RL(ee + f5(aa,bb,cc) + X[11] + 0x50a28be6, 15) + dd; bb = RL(bb, 10); - dd = RL(dd + f5(ee,aa,bb) + X[ 4] + 0x50a28be6, 5) + cc; aa = RL(aa, 10); - cc = RL(cc + f5(dd,ee,aa) + X[13] + 0x50a28be6, 7) + bb; ee = RL(ee, 10); - bb = RL(bb + f5(cc,dd,ee) + X[ 6] + 0x50a28be6, 7) + aa; dd = RL(dd, 10); - aa = RL(aa + f5(bb,cc,dd) + X[15] + 0x50a28be6, 8) + ee; cc = RL(cc, 10); - ee = RL(ee + f5(aa,bb,cc) + X[ 8] + 0x50a28be6, 11) + dd; bb = RL(bb, 10); - dd = RL(dd + f5(ee,aa,bb) + X[ 1] + 0x50a28be6, 14) + cc; aa = RL(aa, 10); - cc = RL(cc + f5(dd,ee,aa) + X[10] + 0x50a28be6, 14) + bb; ee = RL(ee, 10); - bb = RL(bb + f5(cc,dd,ee) + X[ 3] + 0x50a28be6, 12) + aa; dd = RL(dd, 10); - aa = RL(aa + f5(bb,cc,dd) + X[12] + 0x50a28be6, 6) + ee; cc = RL(cc, 10); - - // - // Rounds 16-31 - // - // left - e = RL(e + f2(a,b,c) + X[ 7] + 0x5a827999, 7) + d; b = RL(b, 10); - d = RL(d + f2(e,a,b) + X[ 4] + 0x5a827999, 6) + c; a = RL(a, 10); - c = RL(c + f2(d,e,a) + X[13] + 0x5a827999, 8) + b; e = RL(e, 10); - b = RL(b + f2(c,d,e) + X[ 1] + 0x5a827999, 13) + a; d = RL(d, 10); - a = RL(a + f2(b,c,d) + X[10] + 0x5a827999, 11) + e; c = RL(c, 10); - e = RL(e + f2(a,b,c) + X[ 6] + 0x5a827999, 9) + d; b = RL(b, 10); - d = RL(d + f2(e,a,b) + X[15] + 0x5a827999, 7) + c; a = RL(a, 10); - c = RL(c + f2(d,e,a) + X[ 3] + 0x5a827999, 15) + b; e = RL(e, 10); - b = RL(b + f2(c,d,e) + X[12] + 0x5a827999, 7) + a; d = RL(d, 10); - a = RL(a + f2(b,c,d) + X[ 0] + 0x5a827999, 12) + e; c = RL(c, 10); - e = RL(e + f2(a,b,c) + X[ 9] + 0x5a827999, 15) + d; b = RL(b, 10); - d = RL(d + f2(e,a,b) + X[ 5] + 0x5a827999, 9) + c; a = RL(a, 10); - c = RL(c + f2(d,e,a) + X[ 2] + 0x5a827999, 11) + b; e = RL(e, 10); - b = RL(b + f2(c,d,e) + X[14] + 0x5a827999, 7) + a; d = RL(d, 10); - a = RL(a + f2(b,c,d) + X[11] + 0x5a827999, 13) + e; c = RL(c, 10); - e = RL(e + f2(a,b,c) + X[ 8] + 0x5a827999, 12) + d; b = RL(b, 10); - - // right - ee = RL(ee + f4(aa,bb,cc) + X[ 6] + 0x5c4dd124, 9) + dd; bb = RL(bb, 10); - dd = RL(dd + f4(ee,aa,bb) + X[11] + 0x5c4dd124, 13) + cc; aa = RL(aa, 10); - cc = RL(cc + f4(dd,ee,aa) + X[ 3] + 0x5c4dd124, 15) + bb; ee = RL(ee, 10); - bb = RL(bb + f4(cc,dd,ee) + X[ 7] + 0x5c4dd124, 7) + aa; dd = RL(dd, 10); - aa = RL(aa + f4(bb,cc,dd) + X[ 0] + 0x5c4dd124, 12) + ee; cc = RL(cc, 10); - ee = RL(ee + f4(aa,bb,cc) + X[13] + 0x5c4dd124, 8) + dd; bb = RL(bb, 10); - dd = RL(dd + f4(ee,aa,bb) + X[ 5] + 0x5c4dd124, 9) + cc; aa = RL(aa, 10); - cc = RL(cc + f4(dd,ee,aa) + X[10] + 0x5c4dd124, 11) + bb; ee = RL(ee, 10); - bb = RL(bb + f4(cc,dd,ee) + X[14] + 0x5c4dd124, 7) + aa; dd = RL(dd, 10); - aa = RL(aa + f4(bb,cc,dd) + X[15] + 0x5c4dd124, 7) + ee; cc = RL(cc, 10); - ee = RL(ee + f4(aa,bb,cc) + X[ 8] + 0x5c4dd124, 12) + dd; bb = RL(bb, 10); - dd = RL(dd + f4(ee,aa,bb) + X[12] + 0x5c4dd124, 7) + cc; aa = RL(aa, 10); - cc = RL(cc + f4(dd,ee,aa) + X[ 4] + 0x5c4dd124, 6) + bb; ee = RL(ee, 10); - bb = RL(bb + f4(cc,dd,ee) + X[ 9] + 0x5c4dd124, 15) + aa; dd = RL(dd, 10); - aa = RL(aa + f4(bb,cc,dd) + X[ 1] + 0x5c4dd124, 13) + ee; cc = RL(cc, 10); - ee = RL(ee + f4(aa,bb,cc) + X[ 2] + 0x5c4dd124, 11) + dd; bb = RL(bb, 10); - - // - // Rounds 32-47 - // - // left - d = RL(d + f3(e,a,b) + X[ 3] + 0x6ed9eba1, 11) + c; a = RL(a, 10); - c = RL(c + f3(d,e,a) + X[10] + 0x6ed9eba1, 13) + b; e = RL(e, 10); - b = RL(b + f3(c,d,e) + X[14] + 0x6ed9eba1, 6) + a; d = RL(d, 10); - a = RL(a + f3(b,c,d) + X[ 4] + 0x6ed9eba1, 7) + e; c = RL(c, 10); - e = RL(e + f3(a,b,c) + X[ 9] + 0x6ed9eba1, 14) + d; b = RL(b, 10); - d = RL(d + f3(e,a,b) + X[15] + 0x6ed9eba1, 9) + c; a = RL(a, 10); - c = RL(c + f3(d,e,a) + X[ 8] + 0x6ed9eba1, 13) + b; e = RL(e, 10); - b = RL(b + f3(c,d,e) + X[ 1] + 0x6ed9eba1, 15) + a; d = RL(d, 10); - a = RL(a + f3(b,c,d) + X[ 2] + 0x6ed9eba1, 14) + e; c = RL(c, 10); - e = RL(e + f3(a,b,c) + X[ 7] + 0x6ed9eba1, 8) + d; b = RL(b, 10); - d = RL(d + f3(e,a,b) + X[ 0] + 0x6ed9eba1, 13) + c; a = RL(a, 10); - c = RL(c + f3(d,e,a) + X[ 6] + 0x6ed9eba1, 6) + b; e = RL(e, 10); - b = RL(b + f3(c,d,e) + X[13] + 0x6ed9eba1, 5) + a; d = RL(d, 10); - a = RL(a + f3(b,c,d) + X[11] + 0x6ed9eba1, 12) + e; c = RL(c, 10); - e = RL(e + f3(a,b,c) + X[ 5] + 0x6ed9eba1, 7) + d; b = RL(b, 10); - d = RL(d + f3(e,a,b) + X[12] + 0x6ed9eba1, 5) + c; a = RL(a, 10); - - // right - dd = RL(dd + f3(ee,aa,bb) + X[15] + 0x6d703ef3, 9) + cc; aa = RL(aa, 10); - cc = RL(cc + f3(dd,ee,aa) + X[ 5] + 0x6d703ef3, 7) + bb; ee = RL(ee, 10); - bb = RL(bb + f3(cc,dd,ee) + X[ 1] + 0x6d703ef3, 15) + aa; dd = RL(dd, 10); - aa = RL(aa + f3(bb,cc,dd) + X[ 3] + 0x6d703ef3, 11) + ee; cc = RL(cc, 10); - ee = RL(ee + f3(aa,bb,cc) + X[ 7] + 0x6d703ef3, 8) + dd; bb = RL(bb, 10); - dd = RL(dd + f3(ee,aa,bb) + X[14] + 0x6d703ef3, 6) + cc; aa = RL(aa, 10); - cc = RL(cc + f3(dd,ee,aa) + X[ 6] + 0x6d703ef3, 6) + bb; ee = RL(ee, 10); - bb = RL(bb + f3(cc,dd,ee) + X[ 9] + 0x6d703ef3, 14) + aa; dd = RL(dd, 10); - aa = RL(aa + f3(bb,cc,dd) + X[11] + 0x6d703ef3, 12) + ee; cc = RL(cc, 10); - ee = RL(ee + f3(aa,bb,cc) + X[ 8] + 0x6d703ef3, 13) + dd; bb = RL(bb, 10); - dd = RL(dd + f3(ee,aa,bb) + X[12] + 0x6d703ef3, 5) + cc; aa = RL(aa, 10); - cc = RL(cc + f3(dd,ee,aa) + X[ 2] + 0x6d703ef3, 14) + bb; ee = RL(ee, 10); - bb = RL(bb + f3(cc,dd,ee) + X[10] + 0x6d703ef3, 13) + aa; dd = RL(dd, 10); - aa = RL(aa + f3(bb,cc,dd) + X[ 0] + 0x6d703ef3, 13) + ee; cc = RL(cc, 10); - ee = RL(ee + f3(aa,bb,cc) + X[ 4] + 0x6d703ef3, 7) + dd; bb = RL(bb, 10); - dd = RL(dd + f3(ee,aa,bb) + X[13] + 0x6d703ef3, 5) + cc; aa = RL(aa, 10); - - // - // Rounds 48-63 - // - // left - c = RL(c + f4(d,e,a) + X[ 1] + 0x8f1bbcdc, 11) + b; e = RL(e, 10); - b = RL(b + f4(c,d,e) + X[ 9] + 0x8f1bbcdc, 12) + a; d = RL(d, 10); - a = RL(a + f4(b,c,d) + X[11] + 0x8f1bbcdc, 14) + e; c = RL(c, 10); - e = RL(e + f4(a,b,c) + X[10] + 0x8f1bbcdc, 15) + d; b = RL(b, 10); - d = RL(d + f4(e,a,b) + X[ 0] + 0x8f1bbcdc, 14) + c; a = RL(a, 10); - c = RL(c + f4(d,e,a) + X[ 8] + 0x8f1bbcdc, 15) + b; e = RL(e, 10); - b = RL(b + f4(c,d,e) + X[12] + 0x8f1bbcdc, 9) + a; d = RL(d, 10); - a = RL(a + f4(b,c,d) + X[ 4] + 0x8f1bbcdc, 8) + e; c = RL(c, 10); - e = RL(e + f4(a,b,c) + X[13] + 0x8f1bbcdc, 9) + d; b = RL(b, 10); - d = RL(d + f4(e,a,b) + X[ 3] + 0x8f1bbcdc, 14) + c; a = RL(a, 10); - c = RL(c + f4(d,e,a) + X[ 7] + 0x8f1bbcdc, 5) + b; e = RL(e, 10); - b = RL(b + f4(c,d,e) + X[15] + 0x8f1bbcdc, 6) + a; d = RL(d, 10); - a = RL(a + f4(b,c,d) + X[14] + 0x8f1bbcdc, 8) + e; c = RL(c, 10); - e = RL(e + f4(a,b,c) + X[ 5] + 0x8f1bbcdc, 6) + d; b = RL(b, 10); - d = RL(d + f4(e,a,b) + X[ 6] + 0x8f1bbcdc, 5) + c; a = RL(a, 10); - c = RL(c + f4(d,e,a) + X[ 2] + 0x8f1bbcdc, 12) + b; e = RL(e, 10); - - // right - cc = RL(cc + f2(dd,ee,aa) + X[ 8] + 0x7a6d76e9, 15) + bb; ee = RL(ee, 10); - bb = RL(bb + f2(cc,dd,ee) + X[ 6] + 0x7a6d76e9, 5) + aa; dd = RL(dd, 10); - aa = RL(aa + f2(bb,cc,dd) + X[ 4] + 0x7a6d76e9, 8) + ee; cc = RL(cc, 10); - ee = RL(ee + f2(aa,bb,cc) + X[ 1] + 0x7a6d76e9, 11) + dd; bb = RL(bb, 10); - dd = RL(dd + f2(ee,aa,bb) + X[ 3] + 0x7a6d76e9, 14) + cc; aa = RL(aa, 10); - cc = RL(cc + f2(dd,ee,aa) + X[11] + 0x7a6d76e9, 14) + bb; ee = RL(ee, 10); - bb = RL(bb + f2(cc,dd,ee) + X[15] + 0x7a6d76e9, 6) + aa; dd = RL(dd, 10); - aa = RL(aa + f2(bb,cc,dd) + X[ 0] + 0x7a6d76e9, 14) + ee; cc = RL(cc, 10); - ee = RL(ee + f2(aa,bb,cc) + X[ 5] + 0x7a6d76e9, 6) + dd; bb = RL(bb, 10); - dd = RL(dd + f2(ee,aa,bb) + X[12] + 0x7a6d76e9, 9) + cc; aa = RL(aa, 10); - cc = RL(cc + f2(dd,ee,aa) + X[ 2] + 0x7a6d76e9, 12) + bb; ee = RL(ee, 10); - bb = RL(bb + f2(cc,dd,ee) + X[13] + 0x7a6d76e9, 9) + aa; dd = RL(dd, 10); - aa = RL(aa + f2(bb,cc,dd) + X[ 9] + 0x7a6d76e9, 12) + ee; cc = RL(cc, 10); - ee = RL(ee + f2(aa,bb,cc) + X[ 7] + 0x7a6d76e9, 5) + dd; bb = RL(bb, 10); - dd = RL(dd + f2(ee,aa,bb) + X[10] + 0x7a6d76e9, 15) + cc; aa = RL(aa, 10); - cc = RL(cc + f2(dd,ee,aa) + X[14] + 0x7a6d76e9, 8) + bb; ee = RL(ee, 10); - - // - // Rounds 64-79 - // - // left - b = RL(b + f5(c,d,e) + X[ 4] + 0xa953fd4e, 9) + a; d = RL(d, 10); - a = RL(a + f5(b,c,d) + X[ 0] + 0xa953fd4e, 15) + e; c = RL(c, 10); - e = RL(e + f5(a,b,c) + X[ 5] + 0xa953fd4e, 5) + d; b = RL(b, 10); - d = RL(d + f5(e,a,b) + X[ 9] + 0xa953fd4e, 11) + c; a = RL(a, 10); - c = RL(c + f5(d,e,a) + X[ 7] + 0xa953fd4e, 6) + b; e = RL(e, 10); - b = RL(b + f5(c,d,e) + X[12] + 0xa953fd4e, 8) + a; d = RL(d, 10); - a = RL(a + f5(b,c,d) + X[ 2] + 0xa953fd4e, 13) + e; c = RL(c, 10); - e = RL(e + f5(a,b,c) + X[10] + 0xa953fd4e, 12) + d; b = RL(b, 10); - d = RL(d + f5(e,a,b) + X[14] + 0xa953fd4e, 5) + c; a = RL(a, 10); - c = RL(c + f5(d,e,a) + X[ 1] + 0xa953fd4e, 12) + b; e = RL(e, 10); - b = RL(b + f5(c,d,e) + X[ 3] + 0xa953fd4e, 13) + a; d = RL(d, 10); - a = RL(a + f5(b,c,d) + X[ 8] + 0xa953fd4e, 14) + e; c = RL(c, 10); - e = RL(e + f5(a,b,c) + X[11] + 0xa953fd4e, 11) + d; b = RL(b, 10); - d = RL(d + f5(e,a,b) + X[ 6] + 0xa953fd4e, 8) + c; a = RL(a, 10); - c = RL(c + f5(d,e,a) + X[15] + 0xa953fd4e, 5) + b; e = RL(e, 10); - b = RL(b + f5(c,d,e) + X[13] + 0xa953fd4e, 6) + a; d = RL(d, 10); - - // right - bb = RL(bb + f1(cc,dd,ee) + X[12], 8) + aa; dd = RL(dd, 10); - aa = RL(aa + f1(bb,cc,dd) + X[15], 5) + ee; cc = RL(cc, 10); - ee = RL(ee + f1(aa,bb,cc) + X[10], 12) + dd; bb = RL(bb, 10); - dd = RL(dd + f1(ee,aa,bb) + X[ 4], 9) + cc; aa = RL(aa, 10); - cc = RL(cc + f1(dd,ee,aa) + X[ 1], 12) + bb; ee = RL(ee, 10); - bb = RL(bb + f1(cc,dd,ee) + X[ 5], 5) + aa; dd = RL(dd, 10); - aa = RL(aa + f1(bb,cc,dd) + X[ 8], 14) + ee; cc = RL(cc, 10); - ee = RL(ee + f1(aa,bb,cc) + X[ 7], 6) + dd; bb = RL(bb, 10); - dd = RL(dd + f1(ee,aa,bb) + X[ 6], 8) + cc; aa = RL(aa, 10); - cc = RL(cc + f1(dd,ee,aa) + X[ 2], 13) + bb; ee = RL(ee, 10); - bb = RL(bb + f1(cc,dd,ee) + X[13], 6) + aa; dd = RL(dd, 10); - aa = RL(aa + f1(bb,cc,dd) + X[14], 5) + ee; cc = RL(cc, 10); - ee = RL(ee + f1(aa,bb,cc) + X[ 0], 15) + dd; bb = RL(bb, 10); - dd = RL(dd + f1(ee,aa,bb) + X[ 3], 13) + cc; aa = RL(aa, 10); - cc = RL(cc + f1(dd,ee,aa) + X[ 9], 11) + bb; ee = RL(ee, 10); - bb = RL(bb + f1(cc,dd,ee) + X[11], 11) + aa; dd = RL(dd, 10); - - dd += c + H1; - H1 = H2 + d + ee; - H2 = H3 + e + aa; - H3 = H4 + a + bb; - H4 = H0 + b + cc; - H0 = dd; - - // - // reset the offset and clean out the word buffer. - // - xOff = 0; - for (int i = 0; i != X.length; i++) - { - X[i] = 0; - } - } - - public Memoable copy() - { - return new RIPEMD160Digest(this); - } - - public void reset(Memoable other) - { - RIPEMD160Digest d = (RIPEMD160Digest)other; - - copyIn(d); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/RIPEMD256Digest.java b/core/src/main/java/org/bouncycastle/crypto/digests/RIPEMD256Digest.java deleted file mode 100644 index 86746b45..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/digests/RIPEMD256Digest.java +++ /dev/null @@ -1,497 +0,0 @@ -package org.bouncycastle.crypto.digests; - - -import org.bouncycastle.util.Memoable; - -/** - * implementation of RIPEMD256. - * <p> - * <b>note:</b> this algorithm offers the same level of security as RIPEMD128. - */ -public class RIPEMD256Digest - extends GeneralDigest -{ - private static final int DIGEST_LENGTH = 32; - - private int H0, H1, H2, H3, H4, H5, H6, H7; // IV's - - private int[] X = new int[16]; - private int xOff; - - /** - * Standard constructor - */ - public RIPEMD256Digest() - { - reset(); - } - - /** - * Copy constructor. This will copy the state of the provided - * message digest. - */ - public RIPEMD256Digest(RIPEMD256Digest t) - { - super(t); - - copyIn(t); - } - - private void copyIn(RIPEMD256Digest t) - { - super.copyIn(t); - - H0 = t.H0; - H1 = t.H1; - H2 = t.H2; - H3 = t.H3; - H4 = t.H4; - H5 = t.H5; - H6 = t.H6; - H7 = t.H7; - - System.arraycopy(t.X, 0, X, 0, t.X.length); - xOff = t.xOff; - } - - public String getAlgorithmName() - { - return "RIPEMD256"; - } - - public int getDigestSize() - { - return DIGEST_LENGTH; - } - - protected void processWord( - byte[] in, - int inOff) - { - X[xOff++] = (in[inOff] & 0xff) | ((in[inOff + 1] & 0xff) << 8) - | ((in[inOff + 2] & 0xff) << 16) | ((in[inOff + 3] & 0xff) << 24); - - if (xOff == 16) - { - processBlock(); - } - } - - protected void processLength( - long bitLength) - { - if (xOff > 14) - { - processBlock(); - } - - X[14] = (int)(bitLength & 0xffffffff); - X[15] = (int)(bitLength >>> 32); - } - - private void unpackWord( - int word, - byte[] out, - int outOff) - { - out[outOff] = (byte)word; - out[outOff + 1] = (byte)(word >>> 8); - out[outOff + 2] = (byte)(word >>> 16); - out[outOff + 3] = (byte)(word >>> 24); - } - - public int doFinal( - byte[] out, - int outOff) - { - finish(); - - unpackWord(H0, out, outOff); - unpackWord(H1, out, outOff + 4); - unpackWord(H2, out, outOff + 8); - unpackWord(H3, out, outOff + 12); - unpackWord(H4, out, outOff + 16); - unpackWord(H5, out, outOff + 20); - unpackWord(H6, out, outOff + 24); - unpackWord(H7, out, outOff + 28); - - reset(); - - return DIGEST_LENGTH; - } - - /** - * reset the chaining variables to the IV values. - */ - public void reset() - { - super.reset(); - - H0 = 0x67452301; - H1 = 0xefcdab89; - H2 = 0x98badcfe; - H3 = 0x10325476; - H4 = 0x76543210; - H5 = 0xFEDCBA98; - H6 = 0x89ABCDEF; - H7 = 0x01234567; - - xOff = 0; - - for (int i = 0; i != X.length; i++) - { - X[i] = 0; - } - } - - /* - * rotate int x left n bits. - */ - private int RL( - int x, - int n) - { - return (x << n) | (x >>> (32 - n)); - } - - /* - * f1,f2,f3,f4 are the basic RIPEMD128 functions. - */ - - /* - * F - */ - private int f1( - int x, - int y, - int z) - { - return x ^ y ^ z; - } - - /* - * G - */ - private int f2( - int x, - int y, - int z) - { - return (x & y) | (~x & z); - } - - /* - * H - */ - private int f3( - int x, - int y, - int z) - { - return (x | ~y) ^ z; - } - - /* - * I - */ - private int f4( - int x, - int y, - int z) - { - return (x & z) | (y & ~z); - } - - private int F1( - int a, - int b, - int c, - int d, - int x, - int s) - { - return RL(a + f1(b, c, d) + x, s); - } - - private int F2( - int a, - int b, - int c, - int d, - int x, - int s) - { - return RL(a + f2(b, c, d) + x + 0x5a827999, s); - } - - private int F3( - int a, - int b, - int c, - int d, - int x, - int s) - { - return RL(a + f3(b, c, d) + x + 0x6ed9eba1, s); - } - - private int F4( - int a, - int b, - int c, - int d, - int x, - int s) - { - return RL(a + f4(b, c, d) + x + 0x8f1bbcdc, s); - } - - private int FF1( - int a, - int b, - int c, - int d, - int x, - int s) - { - return RL(a + f1(b, c, d) + x, s); - } - - private int FF2( - int a, - int b, - int c, - int d, - int x, - int s) - { - return RL(a + f2(b, c, d) + x + 0x6d703ef3, s); - } - - private int FF3( - int a, - int b, - int c, - int d, - int x, - int s) - { - return RL(a + f3(b, c, d) + x + 0x5c4dd124, s); - } - - private int FF4( - int a, - int b, - int c, - int d, - int x, - int s) - { - return RL(a + f4(b, c, d) + x + 0x50a28be6, s); - } - - protected void processBlock() - { - int a, aa; - int b, bb; - int c, cc; - int d, dd; - int t; - - a = H0; - b = H1; - c = H2; - d = H3; - aa = H4; - bb = H5; - cc = H6; - dd = H7; - - // - // Round 1 - // - - a = F1(a, b, c, d, X[ 0], 11); - d = F1(d, a, b, c, X[ 1], 14); - c = F1(c, d, a, b, X[ 2], 15); - b = F1(b, c, d, a, X[ 3], 12); - a = F1(a, b, c, d, X[ 4], 5); - d = F1(d, a, b, c, X[ 5], 8); - c = F1(c, d, a, b, X[ 6], 7); - b = F1(b, c, d, a, X[ 7], 9); - a = F1(a, b, c, d, X[ 8], 11); - d = F1(d, a, b, c, X[ 9], 13); - c = F1(c, d, a, b, X[10], 14); - b = F1(b, c, d, a, X[11], 15); - a = F1(a, b, c, d, X[12], 6); - d = F1(d, a, b, c, X[13], 7); - c = F1(c, d, a, b, X[14], 9); - b = F1(b, c, d, a, X[15], 8); - - aa = FF4(aa, bb, cc, dd, X[ 5], 8); - dd = FF4(dd, aa, bb, cc, X[14], 9); - cc = FF4(cc, dd, aa, bb, X[ 7], 9); - bb = FF4(bb, cc, dd, aa, X[ 0], 11); - aa = FF4(aa, bb, cc, dd, X[ 9], 13); - dd = FF4(dd, aa, bb, cc, X[ 2], 15); - cc = FF4(cc, dd, aa, bb, X[11], 15); - bb = FF4(bb, cc, dd, aa, X[ 4], 5); - aa = FF4(aa, bb, cc, dd, X[13], 7); - dd = FF4(dd, aa, bb, cc, X[ 6], 7); - cc = FF4(cc, dd, aa, bb, X[15], 8); - bb = FF4(bb, cc, dd, aa, X[ 8], 11); - aa = FF4(aa, bb, cc, dd, X[ 1], 14); - dd = FF4(dd, aa, bb, cc, X[10], 14); - cc = FF4(cc, dd, aa, bb, X[ 3], 12); - bb = FF4(bb, cc, dd, aa, X[12], 6); - - t = a; a = aa; aa = t; - - // - // Round 2 - // - a = F2(a, b, c, d, X[ 7], 7); - d = F2(d, a, b, c, X[ 4], 6); - c = F2(c, d, a, b, X[13], 8); - b = F2(b, c, d, a, X[ 1], 13); - a = F2(a, b, c, d, X[10], 11); - d = F2(d, a, b, c, X[ 6], 9); - c = F2(c, d, a, b, X[15], 7); - b = F2(b, c, d, a, X[ 3], 15); - a = F2(a, b, c, d, X[12], 7); - d = F2(d, a, b, c, X[ 0], 12); - c = F2(c, d, a, b, X[ 9], 15); - b = F2(b, c, d, a, X[ 5], 9); - a = F2(a, b, c, d, X[ 2], 11); - d = F2(d, a, b, c, X[14], 7); - c = F2(c, d, a, b, X[11], 13); - b = F2(b, c, d, a, X[ 8], 12); - - aa = FF3(aa, bb, cc, dd, X[ 6], 9); - dd = FF3(dd, aa, bb, cc, X[ 11], 13); - cc = FF3(cc, dd, aa, bb, X[3], 15); - bb = FF3(bb, cc, dd, aa, X[ 7], 7); - aa = FF3(aa, bb, cc, dd, X[0], 12); - dd = FF3(dd, aa, bb, cc, X[13], 8); - cc = FF3(cc, dd, aa, bb, X[5], 9); - bb = FF3(bb, cc, dd, aa, X[10], 11); - aa = FF3(aa, bb, cc, dd, X[14], 7); - dd = FF3(dd, aa, bb, cc, X[15], 7); - cc = FF3(cc, dd, aa, bb, X[ 8], 12); - bb = FF3(bb, cc, dd, aa, X[12], 7); - aa = FF3(aa, bb, cc, dd, X[ 4], 6); - dd = FF3(dd, aa, bb, cc, X[ 9], 15); - cc = FF3(cc, dd, aa, bb, X[ 1], 13); - bb = FF3(bb, cc, dd, aa, X[ 2], 11); - - t = b; b = bb; bb = t; - - // - // Round 3 - // - a = F3(a, b, c, d, X[ 3], 11); - d = F3(d, a, b, c, X[10], 13); - c = F3(c, d, a, b, X[14], 6); - b = F3(b, c, d, a, X[ 4], 7); - a = F3(a, b, c, d, X[ 9], 14); - d = F3(d, a, b, c, X[15], 9); - c = F3(c, d, a, b, X[ 8], 13); - b = F3(b, c, d, a, X[ 1], 15); - a = F3(a, b, c, d, X[ 2], 14); - d = F3(d, a, b, c, X[ 7], 8); - c = F3(c, d, a, b, X[ 0], 13); - b = F3(b, c, d, a, X[ 6], 6); - a = F3(a, b, c, d, X[13], 5); - d = F3(d, a, b, c, X[11], 12); - c = F3(c, d, a, b, X[ 5], 7); - b = F3(b, c, d, a, X[12], 5); - - aa = FF2(aa, bb, cc, dd, X[ 15], 9); - dd = FF2(dd, aa, bb, cc, X[5], 7); - cc = FF2(cc, dd, aa, bb, X[1], 15); - bb = FF2(bb, cc, dd, aa, X[ 3], 11); - aa = FF2(aa, bb, cc, dd, X[ 7], 8); - dd = FF2(dd, aa, bb, cc, X[14], 6); - cc = FF2(cc, dd, aa, bb, X[ 6], 6); - bb = FF2(bb, cc, dd, aa, X[ 9], 14); - aa = FF2(aa, bb, cc, dd, X[11], 12); - dd = FF2(dd, aa, bb, cc, X[ 8], 13); - cc = FF2(cc, dd, aa, bb, X[12], 5); - bb = FF2(bb, cc, dd, aa, X[ 2], 14); - aa = FF2(aa, bb, cc, dd, X[10], 13); - dd = FF2(dd, aa, bb, cc, X[ 0], 13); - cc = FF2(cc, dd, aa, bb, X[ 4], 7); - bb = FF2(bb, cc, dd, aa, X[13], 5); - - t = c; c = cc; cc = t; - - // - // Round 4 - // - a = F4(a, b, c, d, X[ 1], 11); - d = F4(d, a, b, c, X[ 9], 12); - c = F4(c, d, a, b, X[11], 14); - b = F4(b, c, d, a, X[10], 15); - a = F4(a, b, c, d, X[ 0], 14); - d = F4(d, a, b, c, X[ 8], 15); - c = F4(c, d, a, b, X[12], 9); - b = F4(b, c, d, a, X[ 4], 8); - a = F4(a, b, c, d, X[13], 9); - d = F4(d, a, b, c, X[ 3], 14); - c = F4(c, d, a, b, X[ 7], 5); - b = F4(b, c, d, a, X[15], 6); - a = F4(a, b, c, d, X[14], 8); - d = F4(d, a, b, c, X[ 5], 6); - c = F4(c, d, a, b, X[ 6], 5); - b = F4(b, c, d, a, X[ 2], 12); - - aa = FF1(aa, bb, cc, dd, X[ 8], 15); - dd = FF1(dd, aa, bb, cc, X[ 6], 5); - cc = FF1(cc, dd, aa, bb, X[ 4], 8); - bb = FF1(bb, cc, dd, aa, X[ 1], 11); - aa = FF1(aa, bb, cc, dd, X[ 3], 14); - dd = FF1(dd, aa, bb, cc, X[11], 14); - cc = FF1(cc, dd, aa, bb, X[15], 6); - bb = FF1(bb, cc, dd, aa, X[ 0], 14); - aa = FF1(aa, bb, cc, dd, X[ 5], 6); - dd = FF1(dd, aa, bb, cc, X[12], 9); - cc = FF1(cc, dd, aa, bb, X[ 2], 12); - bb = FF1(bb, cc, dd, aa, X[13], 9); - aa = FF1(aa, bb, cc, dd, X[ 9], 12); - dd = FF1(dd, aa, bb, cc, X[ 7], 5); - cc = FF1(cc, dd, aa, bb, X[10], 15); - bb = FF1(bb, cc, dd, aa, X[14], 8); - - t = d; d = dd; dd = t; - - H0 += a; - H1 += b; - H2 += c; - H3 += d; - H4 += aa; - H5 += bb; - H6 += cc; - H7 += dd; - - // - // reset the offset and clean out the word buffer. - // - xOff = 0; - for (int i = 0; i != X.length; i++) - { - X[i] = 0; - } - } - - public Memoable copy() - { - return new RIPEMD256Digest(this); - } - - public void reset(Memoable other) - { - RIPEMD256Digest d = (RIPEMD256Digest)other; - - copyIn(d); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/RIPEMD320Digest.java b/core/src/main/java/org/bouncycastle/crypto/digests/RIPEMD320Digest.java deleted file mode 100644 index 32775e77..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/digests/RIPEMD320Digest.java +++ /dev/null @@ -1,481 +0,0 @@ -package org.bouncycastle.crypto.digests; - - -import org.bouncycastle.util.Memoable; - -/** - * implementation of RIPEMD 320. - * <p> - * <b>Note:</b> this implementation offers the same level of security - * as RIPEMD 160. - */ -public class RIPEMD320Digest - extends GeneralDigest -{ - private static final int DIGEST_LENGTH = 40; - - private int H0, H1, H2, H3, H4, H5, H6, H7, H8, H9; // IV's - - private int[] X = new int[16]; - private int xOff; - - /** - * Standard constructor - */ - public RIPEMD320Digest() - { - reset(); - } - - /** - * Copy constructor. This will copy the state of the provided - * message digest. - */ - public RIPEMD320Digest(RIPEMD320Digest t) - { - super(t); - - doCopy(t); - } - - private void doCopy(RIPEMD320Digest t) - { - super.copyIn(t); - H0 = t.H0; - H1 = t.H1; - H2 = t.H2; - H3 = t.H3; - H4 = t.H4; - H5 = t.H5; - H6 = t.H6; - H7 = t.H7; - H8 = t.H8; - H9 = t.H9; - - System.arraycopy(t.X, 0, X, 0, t.X.length); - xOff = t.xOff; - } - - public String getAlgorithmName() - { - return "RIPEMD320"; - } - - public int getDigestSize() - { - return DIGEST_LENGTH; - } - - protected void processWord( - byte[] in, - int inOff) - { - X[xOff++] = (in[inOff] & 0xff) | ((in[inOff + 1] & 0xff) << 8) - | ((in[inOff + 2] & 0xff) << 16) | ((in[inOff + 3] & 0xff) << 24); - - if (xOff == 16) - { - processBlock(); - } - } - - protected void processLength( - long bitLength) - { - if (xOff > 14) - { - processBlock(); - } - - X[14] = (int)(bitLength & 0xffffffff); - X[15] = (int)(bitLength >>> 32); - } - - private void unpackWord( - int word, - byte[] out, - int outOff) - { - out[outOff] = (byte)word; - out[outOff + 1] = (byte)(word >>> 8); - out[outOff + 2] = (byte)(word >>> 16); - out[outOff + 3] = (byte)(word >>> 24); - } - - public int doFinal( - byte[] out, - int outOff) - { - finish(); - - unpackWord(H0, out, outOff); - unpackWord(H1, out, outOff + 4); - unpackWord(H2, out, outOff + 8); - unpackWord(H3, out, outOff + 12); - unpackWord(H4, out, outOff + 16); - unpackWord(H5, out, outOff + 20); - unpackWord(H6, out, outOff + 24); - unpackWord(H7, out, outOff + 28); - unpackWord(H8, out, outOff + 32); - unpackWord(H9, out, outOff + 36); - - reset(); - - return DIGEST_LENGTH; - } - - /** - * reset the chaining variables to the IV values. - */ - public void reset() - { - super.reset(); - - H0 = 0x67452301; - H1 = 0xefcdab89; - H2 = 0x98badcfe; - H3 = 0x10325476; - H4 = 0xc3d2e1f0; - H5 = 0x76543210; - H6 = 0xFEDCBA98; - H7 = 0x89ABCDEF; - H8 = 0x01234567; - H9 = 0x3C2D1E0F; - - xOff = 0; - - for (int i = 0; i != X.length; i++) - { - X[i] = 0; - } - } - - /* - * rotate int x left n bits. - */ - private int RL( - int x, - int n) - { - return (x << n) | (x >>> (32 - n)); - } - - /* - * f1,f2,f3,f4,f5 are the basic RIPEMD160 functions. - */ - - /* - * rounds 0-15 - */ - private int f1( - int x, - int y, - int z) - { - return x ^ y ^ z; - } - - /* - * rounds 16-31 - */ - private int f2( - int x, - int y, - int z) - { - return (x & y) | (~x & z); - } - - /* - * rounds 32-47 - */ - private int f3( - int x, - int y, - int z) - { - return (x | ~y) ^ z; - } - - /* - * rounds 48-63 - */ - private int f4( - int x, - int y, - int z) - { - return (x & z) | (y & ~z); - } - - /* - * rounds 64-79 - */ - private int f5( - int x, - int y, - int z) - { - return x ^ (y | ~z); - } - - protected void processBlock() - { - int a, aa; - int b, bb; - int c, cc; - int d, dd; - int e, ee; - int t; - - a = H0; - b = H1; - c = H2; - d = H3; - e = H4; - aa = H5; - bb = H6; - cc = H7; - dd = H8; - ee = H9; - - // - // Rounds 1 - 16 - // - // left - a = RL(a + f1(b,c,d) + X[ 0], 11) + e; c = RL(c, 10); - e = RL(e + f1(a,b,c) + X[ 1], 14) + d; b = RL(b, 10); - d = RL(d + f1(e,a,b) + X[ 2], 15) + c; a = RL(a, 10); - c = RL(c + f1(d,e,a) + X[ 3], 12) + b; e = RL(e, 10); - b = RL(b + f1(c,d,e) + X[ 4], 5) + a; d = RL(d, 10); - a = RL(a + f1(b,c,d) + X[ 5], 8) + e; c = RL(c, 10); - e = RL(e + f1(a,b,c) + X[ 6], 7) + d; b = RL(b, 10); - d = RL(d + f1(e,a,b) + X[ 7], 9) + c; a = RL(a, 10); - c = RL(c + f1(d,e,a) + X[ 8], 11) + b; e = RL(e, 10); - b = RL(b + f1(c,d,e) + X[ 9], 13) + a; d = RL(d, 10); - a = RL(a + f1(b,c,d) + X[10], 14) + e; c = RL(c, 10); - e = RL(e + f1(a,b,c) + X[11], 15) + d; b = RL(b, 10); - d = RL(d + f1(e,a,b) + X[12], 6) + c; a = RL(a, 10); - c = RL(c + f1(d,e,a) + X[13], 7) + b; e = RL(e, 10); - b = RL(b + f1(c,d,e) + X[14], 9) + a; d = RL(d, 10); - a = RL(a + f1(b,c,d) + X[15], 8) + e; c = RL(c, 10); - - // right - aa = RL(aa + f5(bb,cc,dd) + X[ 5] + 0x50a28be6, 8) + ee; cc = RL(cc, 10); - ee = RL(ee + f5(aa,bb,cc) + X[14] + 0x50a28be6, 9) + dd; bb = RL(bb, 10); - dd = RL(dd + f5(ee,aa,bb) + X[ 7] + 0x50a28be6, 9) + cc; aa = RL(aa, 10); - cc = RL(cc + f5(dd,ee,aa) + X[ 0] + 0x50a28be6, 11) + bb; ee = RL(ee, 10); - bb = RL(bb + f5(cc,dd,ee) + X[ 9] + 0x50a28be6, 13) + aa; dd = RL(dd, 10); - aa = RL(aa + f5(bb,cc,dd) + X[ 2] + 0x50a28be6, 15) + ee; cc = RL(cc, 10); - ee = RL(ee + f5(aa,bb,cc) + X[11] + 0x50a28be6, 15) + dd; bb = RL(bb, 10); - dd = RL(dd + f5(ee,aa,bb) + X[ 4] + 0x50a28be6, 5) + cc; aa = RL(aa, 10); - cc = RL(cc + f5(dd,ee,aa) + X[13] + 0x50a28be6, 7) + bb; ee = RL(ee, 10); - bb = RL(bb + f5(cc,dd,ee) + X[ 6] + 0x50a28be6, 7) + aa; dd = RL(dd, 10); - aa = RL(aa + f5(bb,cc,dd) + X[15] + 0x50a28be6, 8) + ee; cc = RL(cc, 10); - ee = RL(ee + f5(aa,bb,cc) + X[ 8] + 0x50a28be6, 11) + dd; bb = RL(bb, 10); - dd = RL(dd + f5(ee,aa,bb) + X[ 1] + 0x50a28be6, 14) + cc; aa = RL(aa, 10); - cc = RL(cc + f5(dd,ee,aa) + X[10] + 0x50a28be6, 14) + bb; ee = RL(ee, 10); - bb = RL(bb + f5(cc,dd,ee) + X[ 3] + 0x50a28be6, 12) + aa; dd = RL(dd, 10); - aa = RL(aa + f5(bb,cc,dd) + X[12] + 0x50a28be6, 6) + ee; cc = RL(cc, 10); - - t = a; a = aa; aa = t; - - // - // Rounds 16-31 - // - // left - e = RL(e + f2(a,b,c) + X[ 7] + 0x5a827999, 7) + d; b = RL(b, 10); - d = RL(d + f2(e,a,b) + X[ 4] + 0x5a827999, 6) + c; a = RL(a, 10); - c = RL(c + f2(d,e,a) + X[13] + 0x5a827999, 8) + b; e = RL(e, 10); - b = RL(b + f2(c,d,e) + X[ 1] + 0x5a827999, 13) + a; d = RL(d, 10); - a = RL(a + f2(b,c,d) + X[10] + 0x5a827999, 11) + e; c = RL(c, 10); - e = RL(e + f2(a,b,c) + X[ 6] + 0x5a827999, 9) + d; b = RL(b, 10); - d = RL(d + f2(e,a,b) + X[15] + 0x5a827999, 7) + c; a = RL(a, 10); - c = RL(c + f2(d,e,a) + X[ 3] + 0x5a827999, 15) + b; e = RL(e, 10); - b = RL(b + f2(c,d,e) + X[12] + 0x5a827999, 7) + a; d = RL(d, 10); - a = RL(a + f2(b,c,d) + X[ 0] + 0x5a827999, 12) + e; c = RL(c, 10); - e = RL(e + f2(a,b,c) + X[ 9] + 0x5a827999, 15) + d; b = RL(b, 10); - d = RL(d + f2(e,a,b) + X[ 5] + 0x5a827999, 9) + c; a = RL(a, 10); - c = RL(c + f2(d,e,a) + X[ 2] + 0x5a827999, 11) + b; e = RL(e, 10); - b = RL(b + f2(c,d,e) + X[14] + 0x5a827999, 7) + a; d = RL(d, 10); - a = RL(a + f2(b,c,d) + X[11] + 0x5a827999, 13) + e; c = RL(c, 10); - e = RL(e + f2(a,b,c) + X[ 8] + 0x5a827999, 12) + d; b = RL(b, 10); - - // right - ee = RL(ee + f4(aa,bb,cc) + X[ 6] + 0x5c4dd124, 9) + dd; bb = RL(bb, 10); - dd = RL(dd + f4(ee,aa,bb) + X[11] + 0x5c4dd124, 13) + cc; aa = RL(aa, 10); - cc = RL(cc + f4(dd,ee,aa) + X[ 3] + 0x5c4dd124, 15) + bb; ee = RL(ee, 10); - bb = RL(bb + f4(cc,dd,ee) + X[ 7] + 0x5c4dd124, 7) + aa; dd = RL(dd, 10); - aa = RL(aa + f4(bb,cc,dd) + X[ 0] + 0x5c4dd124, 12) + ee; cc = RL(cc, 10); - ee = RL(ee + f4(aa,bb,cc) + X[13] + 0x5c4dd124, 8) + dd; bb = RL(bb, 10); - dd = RL(dd + f4(ee,aa,bb) + X[ 5] + 0x5c4dd124, 9) + cc; aa = RL(aa, 10); - cc = RL(cc + f4(dd,ee,aa) + X[10] + 0x5c4dd124, 11) + bb; ee = RL(ee, 10); - bb = RL(bb + f4(cc,dd,ee) + X[14] + 0x5c4dd124, 7) + aa; dd = RL(dd, 10); - aa = RL(aa + f4(bb,cc,dd) + X[15] + 0x5c4dd124, 7) + ee; cc = RL(cc, 10); - ee = RL(ee + f4(aa,bb,cc) + X[ 8] + 0x5c4dd124, 12) + dd; bb = RL(bb, 10); - dd = RL(dd + f4(ee,aa,bb) + X[12] + 0x5c4dd124, 7) + cc; aa = RL(aa, 10); - cc = RL(cc + f4(dd,ee,aa) + X[ 4] + 0x5c4dd124, 6) + bb; ee = RL(ee, 10); - bb = RL(bb + f4(cc,dd,ee) + X[ 9] + 0x5c4dd124, 15) + aa; dd = RL(dd, 10); - aa = RL(aa + f4(bb,cc,dd) + X[ 1] + 0x5c4dd124, 13) + ee; cc = RL(cc, 10); - ee = RL(ee + f4(aa,bb,cc) + X[ 2] + 0x5c4dd124, 11) + dd; bb = RL(bb, 10); - - t = b; b = bb; bb = t; - - // - // Rounds 32-47 - // - // left - d = RL(d + f3(e,a,b) + X[ 3] + 0x6ed9eba1, 11) + c; a = RL(a, 10); - c = RL(c + f3(d,e,a) + X[10] + 0x6ed9eba1, 13) + b; e = RL(e, 10); - b = RL(b + f3(c,d,e) + X[14] + 0x6ed9eba1, 6) + a; d = RL(d, 10); - a = RL(a + f3(b,c,d) + X[ 4] + 0x6ed9eba1, 7) + e; c = RL(c, 10); - e = RL(e + f3(a,b,c) + X[ 9] + 0x6ed9eba1, 14) + d; b = RL(b, 10); - d = RL(d + f3(e,a,b) + X[15] + 0x6ed9eba1, 9) + c; a = RL(a, 10); - c = RL(c + f3(d,e,a) + X[ 8] + 0x6ed9eba1, 13) + b; e = RL(e, 10); - b = RL(b + f3(c,d,e) + X[ 1] + 0x6ed9eba1, 15) + a; d = RL(d, 10); - a = RL(a + f3(b,c,d) + X[ 2] + 0x6ed9eba1, 14) + e; c = RL(c, 10); - e = RL(e + f3(a,b,c) + X[ 7] + 0x6ed9eba1, 8) + d; b = RL(b, 10); - d = RL(d + f3(e,a,b) + X[ 0] + 0x6ed9eba1, 13) + c; a = RL(a, 10); - c = RL(c + f3(d,e,a) + X[ 6] + 0x6ed9eba1, 6) + b; e = RL(e, 10); - b = RL(b + f3(c,d,e) + X[13] + 0x6ed9eba1, 5) + a; d = RL(d, 10); - a = RL(a + f3(b,c,d) + X[11] + 0x6ed9eba1, 12) + e; c = RL(c, 10); - e = RL(e + f3(a,b,c) + X[ 5] + 0x6ed9eba1, 7) + d; b = RL(b, 10); - d = RL(d + f3(e,a,b) + X[12] + 0x6ed9eba1, 5) + c; a = RL(a, 10); - - // right - dd = RL(dd + f3(ee,aa,bb) + X[15] + 0x6d703ef3, 9) + cc; aa = RL(aa, 10); - cc = RL(cc + f3(dd,ee,aa) + X[ 5] + 0x6d703ef3, 7) + bb; ee = RL(ee, 10); - bb = RL(bb + f3(cc,dd,ee) + X[ 1] + 0x6d703ef3, 15) + aa; dd = RL(dd, 10); - aa = RL(aa + f3(bb,cc,dd) + X[ 3] + 0x6d703ef3, 11) + ee; cc = RL(cc, 10); - ee = RL(ee + f3(aa,bb,cc) + X[ 7] + 0x6d703ef3, 8) + dd; bb = RL(bb, 10); - dd = RL(dd + f3(ee,aa,bb) + X[14] + 0x6d703ef3, 6) + cc; aa = RL(aa, 10); - cc = RL(cc + f3(dd,ee,aa) + X[ 6] + 0x6d703ef3, 6) + bb; ee = RL(ee, 10); - bb = RL(bb + f3(cc,dd,ee) + X[ 9] + 0x6d703ef3, 14) + aa; dd = RL(dd, 10); - aa = RL(aa + f3(bb,cc,dd) + X[11] + 0x6d703ef3, 12) + ee; cc = RL(cc, 10); - ee = RL(ee + f3(aa,bb,cc) + X[ 8] + 0x6d703ef3, 13) + dd; bb = RL(bb, 10); - dd = RL(dd + f3(ee,aa,bb) + X[12] + 0x6d703ef3, 5) + cc; aa = RL(aa, 10); - cc = RL(cc + f3(dd,ee,aa) + X[ 2] + 0x6d703ef3, 14) + bb; ee = RL(ee, 10); - bb = RL(bb + f3(cc,dd,ee) + X[10] + 0x6d703ef3, 13) + aa; dd = RL(dd, 10); - aa = RL(aa + f3(bb,cc,dd) + X[ 0] + 0x6d703ef3, 13) + ee; cc = RL(cc, 10); - ee = RL(ee + f3(aa,bb,cc) + X[ 4] + 0x6d703ef3, 7) + dd; bb = RL(bb, 10); - dd = RL(dd + f3(ee,aa,bb) + X[13] + 0x6d703ef3, 5) + cc; aa = RL(aa, 10); - - t = c; c = cc; cc = t; - - // - // Rounds 48-63 - // - // left - c = RL(c + f4(d,e,a) + X[ 1] + 0x8f1bbcdc, 11) + b; e = RL(e, 10); - b = RL(b + f4(c,d,e) + X[ 9] + 0x8f1bbcdc, 12) + a; d = RL(d, 10); - a = RL(a + f4(b,c,d) + X[11] + 0x8f1bbcdc, 14) + e; c = RL(c, 10); - e = RL(e + f4(a,b,c) + X[10] + 0x8f1bbcdc, 15) + d; b = RL(b, 10); - d = RL(d + f4(e,a,b) + X[ 0] + 0x8f1bbcdc, 14) + c; a = RL(a, 10); - c = RL(c + f4(d,e,a) + X[ 8] + 0x8f1bbcdc, 15) + b; e = RL(e, 10); - b = RL(b + f4(c,d,e) + X[12] + 0x8f1bbcdc, 9) + a; d = RL(d, 10); - a = RL(a + f4(b,c,d) + X[ 4] + 0x8f1bbcdc, 8) + e; c = RL(c, 10); - e = RL(e + f4(a,b,c) + X[13] + 0x8f1bbcdc, 9) + d; b = RL(b, 10); - d = RL(d + f4(e,a,b) + X[ 3] + 0x8f1bbcdc, 14) + c; a = RL(a, 10); - c = RL(c + f4(d,e,a) + X[ 7] + 0x8f1bbcdc, 5) + b; e = RL(e, 10); - b = RL(b + f4(c,d,e) + X[15] + 0x8f1bbcdc, 6) + a; d = RL(d, 10); - a = RL(a + f4(b,c,d) + X[14] + 0x8f1bbcdc, 8) + e; c = RL(c, 10); - e = RL(e + f4(a,b,c) + X[ 5] + 0x8f1bbcdc, 6) + d; b = RL(b, 10); - d = RL(d + f4(e,a,b) + X[ 6] + 0x8f1bbcdc, 5) + c; a = RL(a, 10); - c = RL(c + f4(d,e,a) + X[ 2] + 0x8f1bbcdc, 12) + b; e = RL(e, 10); - - // right - cc = RL(cc + f2(dd,ee,aa) + X[ 8] + 0x7a6d76e9, 15) + bb; ee = RL(ee, 10); - bb = RL(bb + f2(cc,dd,ee) + X[ 6] + 0x7a6d76e9, 5) + aa; dd = RL(dd, 10); - aa = RL(aa + f2(bb,cc,dd) + X[ 4] + 0x7a6d76e9, 8) + ee; cc = RL(cc, 10); - ee = RL(ee + f2(aa,bb,cc) + X[ 1] + 0x7a6d76e9, 11) + dd; bb = RL(bb, 10); - dd = RL(dd + f2(ee,aa,bb) + X[ 3] + 0x7a6d76e9, 14) + cc; aa = RL(aa, 10); - cc = RL(cc + f2(dd,ee,aa) + X[11] + 0x7a6d76e9, 14) + bb; ee = RL(ee, 10); - bb = RL(bb + f2(cc,dd,ee) + X[15] + 0x7a6d76e9, 6) + aa; dd = RL(dd, 10); - aa = RL(aa + f2(bb,cc,dd) + X[ 0] + 0x7a6d76e9, 14) + ee; cc = RL(cc, 10); - ee = RL(ee + f2(aa,bb,cc) + X[ 5] + 0x7a6d76e9, 6) + dd; bb = RL(bb, 10); - dd = RL(dd + f2(ee,aa,bb) + X[12] + 0x7a6d76e9, 9) + cc; aa = RL(aa, 10); - cc = RL(cc + f2(dd,ee,aa) + X[ 2] + 0x7a6d76e9, 12) + bb; ee = RL(ee, 10); - bb = RL(bb + f2(cc,dd,ee) + X[13] + 0x7a6d76e9, 9) + aa; dd = RL(dd, 10); - aa = RL(aa + f2(bb,cc,dd) + X[ 9] + 0x7a6d76e9, 12) + ee; cc = RL(cc, 10); - ee = RL(ee + f2(aa,bb,cc) + X[ 7] + 0x7a6d76e9, 5) + dd; bb = RL(bb, 10); - dd = RL(dd + f2(ee,aa,bb) + X[10] + 0x7a6d76e9, 15) + cc; aa = RL(aa, 10); - cc = RL(cc + f2(dd,ee,aa) + X[14] + 0x7a6d76e9, 8) + bb; ee = RL(ee, 10); - - t = d; d = dd; dd = t; - - // - // Rounds 64-79 - // - // left - b = RL(b + f5(c,d,e) + X[ 4] + 0xa953fd4e, 9) + a; d = RL(d, 10); - a = RL(a + f5(b,c,d) + X[ 0] + 0xa953fd4e, 15) + e; c = RL(c, 10); - e = RL(e + f5(a,b,c) + X[ 5] + 0xa953fd4e, 5) + d; b = RL(b, 10); - d = RL(d + f5(e,a,b) + X[ 9] + 0xa953fd4e, 11) + c; a = RL(a, 10); - c = RL(c + f5(d,e,a) + X[ 7] + 0xa953fd4e, 6) + b; e = RL(e, 10); - b = RL(b + f5(c,d,e) + X[12] + 0xa953fd4e, 8) + a; d = RL(d, 10); - a = RL(a + f5(b,c,d) + X[ 2] + 0xa953fd4e, 13) + e; c = RL(c, 10); - e = RL(e + f5(a,b,c) + X[10] + 0xa953fd4e, 12) + d; b = RL(b, 10); - d = RL(d + f5(e,a,b) + X[14] + 0xa953fd4e, 5) + c; a = RL(a, 10); - c = RL(c + f5(d,e,a) + X[ 1] + 0xa953fd4e, 12) + b; e = RL(e, 10); - b = RL(b + f5(c,d,e) + X[ 3] + 0xa953fd4e, 13) + a; d = RL(d, 10); - a = RL(a + f5(b,c,d) + X[ 8] + 0xa953fd4e, 14) + e; c = RL(c, 10); - e = RL(e + f5(a,b,c) + X[11] + 0xa953fd4e, 11) + d; b = RL(b, 10); - d = RL(d + f5(e,a,b) + X[ 6] + 0xa953fd4e, 8) + c; a = RL(a, 10); - c = RL(c + f5(d,e,a) + X[15] + 0xa953fd4e, 5) + b; e = RL(e, 10); - b = RL(b + f5(c,d,e) + X[13] + 0xa953fd4e, 6) + a; d = RL(d, 10); - - // right - bb = RL(bb + f1(cc,dd,ee) + X[12], 8) + aa; dd = RL(dd, 10); - aa = RL(aa + f1(bb,cc,dd) + X[15], 5) + ee; cc = RL(cc, 10); - ee = RL(ee + f1(aa,bb,cc) + X[10], 12) + dd; bb = RL(bb, 10); - dd = RL(dd + f1(ee,aa,bb) + X[ 4], 9) + cc; aa = RL(aa, 10); - cc = RL(cc + f1(dd,ee,aa) + X[ 1], 12) + bb; ee = RL(ee, 10); - bb = RL(bb + f1(cc,dd,ee) + X[ 5], 5) + aa; dd = RL(dd, 10); - aa = RL(aa + f1(bb,cc,dd) + X[ 8], 14) + ee; cc = RL(cc, 10); - ee = RL(ee + f1(aa,bb,cc) + X[ 7], 6) + dd; bb = RL(bb, 10); - dd = RL(dd + f1(ee,aa,bb) + X[ 6], 8) + cc; aa = RL(aa, 10); - cc = RL(cc + f1(dd,ee,aa) + X[ 2], 13) + bb; ee = RL(ee, 10); - bb = RL(bb + f1(cc,dd,ee) + X[13], 6) + aa; dd = RL(dd, 10); - aa = RL(aa + f1(bb,cc,dd) + X[14], 5) + ee; cc = RL(cc, 10); - ee = RL(ee + f1(aa,bb,cc) + X[ 0], 15) + dd; bb = RL(bb, 10); - dd = RL(dd + f1(ee,aa,bb) + X[ 3], 13) + cc; aa = RL(aa, 10); - cc = RL(cc + f1(dd,ee,aa) + X[ 9], 11) + bb; ee = RL(ee, 10); - bb = RL(bb + f1(cc,dd,ee) + X[11], 11) + aa; dd = RL(dd, 10); - - // - // do (e, ee) swap as part of assignment. - // - - H0 += a; - H1 += b; - H2 += c; - H3 += d; - H4 += ee; - H5 += aa; - H6 += bb; - H7 += cc; - H8 += dd; - H9 += e; - - // - // reset the offset and clean out the word buffer. - // - xOff = 0; - for (int i = 0; i != X.length; i++) - { - X[i] = 0; - } - } - - public Memoable copy() - { - return new RIPEMD320Digest(this); - } - - public void reset(Memoable other) - { - RIPEMD320Digest d = (RIPEMD320Digest)other; - - doCopy(d); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/SHA1Digest.java b/core/src/main/java/org/bouncycastle/crypto/digests/SHA1Digest.java deleted file mode 100644 index 450dda46..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/digests/SHA1Digest.java +++ /dev/null @@ -1,348 +0,0 @@ -package org.bouncycastle.crypto.digests; - -import org.bouncycastle.util.Memoable; -import org.bouncycastle.util.Pack; - -/** - * implementation of SHA-1 as outlined in "Handbook of Applied Cryptography", pages 346 - 349. - * - * It is interesting to ponder why the, apart from the extra IV, the other difference here from MD5 - * is the "endianness" of the word processing! - */ -public class SHA1Digest - extends GeneralDigest - implements EncodableDigest -{ - private static final int DIGEST_LENGTH = 20; - - private int H1, H2, H3, H4, H5; - - private int[] X = new int[80]; - private int xOff; - - /** - * Standard constructor - */ - public SHA1Digest() - { - reset(); - } - - /** - * Copy constructor. This will copy the state of the provided - * message digest. - */ - public SHA1Digest(SHA1Digest t) - { - super(t); - - copyIn(t); - } - - public SHA1Digest(byte[] encodedState) - { - super(encodedState); - - H1 = Pack.bigEndianToInt(encodedState, 16); - H2 = Pack.bigEndianToInt(encodedState, 20); - H3 = Pack.bigEndianToInt(encodedState, 24); - H4 = Pack.bigEndianToInt(encodedState, 28); - H5 = Pack.bigEndianToInt(encodedState, 32); - - xOff = Pack.bigEndianToInt(encodedState, 36); - for (int i = 0; i != xOff; i++) - { - X[i] = Pack.bigEndianToInt(encodedState, 40 + (i * 4)); - } - } - - private void copyIn(SHA1Digest t) - { - H1 = t.H1; - H2 = t.H2; - H3 = t.H3; - H4 = t.H4; - H5 = t.H5; - - System.arraycopy(t.X, 0, X, 0, t.X.length); - xOff = t.xOff; - } - - public String getAlgorithmName() - { - return "SHA-1"; - } - - public int getDigestSize() - { - return DIGEST_LENGTH; - } - - protected void processWord( - byte[] in, - int inOff) - { - // Note: Inlined for performance -// X[xOff] = Pack.bigEndianToInt(in, inOff); - int n = in[ inOff] << 24; - n |= (in[++inOff] & 0xff) << 16; - n |= (in[++inOff] & 0xff) << 8; - n |= (in[++inOff] & 0xff); - X[xOff] = n; - - if (++xOff == 16) - { - processBlock(); - } - } - - protected void processLength( - long bitLength) - { - if (xOff > 14) - { - processBlock(); - } - - X[14] = (int)(bitLength >>> 32); - X[15] = (int)(bitLength & 0xffffffff); - } - - public int doFinal( - byte[] out, - int outOff) - { - finish(); - - Pack.intToBigEndian(H1, out, outOff); - Pack.intToBigEndian(H2, out, outOff + 4); - Pack.intToBigEndian(H3, out, outOff + 8); - Pack.intToBigEndian(H4, out, outOff + 12); - Pack.intToBigEndian(H5, out, outOff + 16); - - reset(); - - return DIGEST_LENGTH; - } - - /** - * reset the chaining variables - */ - public void reset() - { - super.reset(); - - H1 = 0x67452301; - H2 = 0xefcdab89; - H3 = 0x98badcfe; - H4 = 0x10325476; - H5 = 0xc3d2e1f0; - - xOff = 0; - for (int i = 0; i != X.length; i++) - { - X[i] = 0; - } - } - - // - // Additive constants - // - private static final int Y1 = 0x5a827999; - private static final int Y2 = 0x6ed9eba1; - private static final int Y3 = 0x8f1bbcdc; - private static final int Y4 = 0xca62c1d6; - - private int f( - int u, - int v, - int w) - { - return ((u & v) | ((~u) & w)); - } - - private int h( - int u, - int v, - int w) - { - return (u ^ v ^ w); - } - - private int g( - int u, - int v, - int w) - { - return ((u & v) | (u & w) | (v & w)); - } - - protected void processBlock() - { - // - // expand 16 word block into 80 word block. - // - for (int i = 16; i < 80; i++) - { - int t = X[i - 3] ^ X[i - 8] ^ X[i - 14] ^ X[i - 16]; - X[i] = t << 1 | t >>> 31; - } - - // - // set up working variables. - // - int A = H1; - int B = H2; - int C = H3; - int D = H4; - int E = H5; - - // - // round 1 - // - int idx = 0; - - for (int j = 0; j < 4; j++) - { - // E = rotateLeft(A, 5) + f(B, C, D) + E + X[idx++] + Y1 - // B = rotateLeft(B, 30) - E += (A << 5 | A >>> 27) + f(B, C, D) + X[idx++] + Y1; - B = B << 30 | B >>> 2; - - D += (E << 5 | E >>> 27) + f(A, B, C) + X[idx++] + Y1; - A = A << 30 | A >>> 2; - - C += (D << 5 | D >>> 27) + f(E, A, B) + X[idx++] + Y1; - E = E << 30 | E >>> 2; - - B += (C << 5 | C >>> 27) + f(D, E, A) + X[idx++] + Y1; - D = D << 30 | D >>> 2; - - A += (B << 5 | B >>> 27) + f(C, D, E) + X[idx++] + Y1; - C = C << 30 | C >>> 2; - } - - // - // round 2 - // - for (int j = 0; j < 4; j++) - { - // E = rotateLeft(A, 5) + h(B, C, D) + E + X[idx++] + Y2 - // B = rotateLeft(B, 30) - E += (A << 5 | A >>> 27) + h(B, C, D) + X[idx++] + Y2; - B = B << 30 | B >>> 2; - - D += (E << 5 | E >>> 27) + h(A, B, C) + X[idx++] + Y2; - A = A << 30 | A >>> 2; - - C += (D << 5 | D >>> 27) + h(E, A, B) + X[idx++] + Y2; - E = E << 30 | E >>> 2; - - B += (C << 5 | C >>> 27) + h(D, E, A) + X[idx++] + Y2; - D = D << 30 | D >>> 2; - - A += (B << 5 | B >>> 27) + h(C, D, E) + X[idx++] + Y2; - C = C << 30 | C >>> 2; - } - - // - // round 3 - // - for (int j = 0; j < 4; j++) - { - // E = rotateLeft(A, 5) + g(B, C, D) + E + X[idx++] + Y3 - // B = rotateLeft(B, 30) - E += (A << 5 | A >>> 27) + g(B, C, D) + X[idx++] + Y3; - B = B << 30 | B >>> 2; - - D += (E << 5 | E >>> 27) + g(A, B, C) + X[idx++] + Y3; - A = A << 30 | A >>> 2; - - C += (D << 5 | D >>> 27) + g(E, A, B) + X[idx++] + Y3; - E = E << 30 | E >>> 2; - - B += (C << 5 | C >>> 27) + g(D, E, A) + X[idx++] + Y3; - D = D << 30 | D >>> 2; - - A += (B << 5 | B >>> 27) + g(C, D, E) + X[idx++] + Y3; - C = C << 30 | C >>> 2; - } - - // - // round 4 - // - for (int j = 0; j <= 3; j++) - { - // E = rotateLeft(A, 5) + h(B, C, D) + E + X[idx++] + Y4 - // B = rotateLeft(B, 30) - E += (A << 5 | A >>> 27) + h(B, C, D) + X[idx++] + Y4; - B = B << 30 | B >>> 2; - - D += (E << 5 | E >>> 27) + h(A, B, C) + X[idx++] + Y4; - A = A << 30 | A >>> 2; - - C += (D << 5 | D >>> 27) + h(E, A, B) + X[idx++] + Y4; - E = E << 30 | E >>> 2; - - B += (C << 5 | C >>> 27) + h(D, E, A) + X[idx++] + Y4; - D = D << 30 | D >>> 2; - - A += (B << 5 | B >>> 27) + h(C, D, E) + X[idx++] + Y4; - C = C << 30 | C >>> 2; - } - - - H1 += A; - H2 += B; - H3 += C; - H4 += D; - H5 += E; - - // - // reset start of the buffer. - // - xOff = 0; - for (int i = 0; i < 16; i++) - { - X[i] = 0; - } - } - - public Memoable copy() - { - return new SHA1Digest(this); - } - - public void reset(Memoable other) - { - SHA1Digest d = (SHA1Digest)other; - - super.copyIn(d); - copyIn(d); - } - - public byte[] getEncodedState() - { - byte[] state = new byte[40 + xOff * 4]; - - super.populateState(state); - - Pack.intToBigEndian(H1, state, 16); - Pack.intToBigEndian(H2, state, 20); - Pack.intToBigEndian(H3, state, 24); - Pack.intToBigEndian(H4, state, 28); - Pack.intToBigEndian(H5, state, 32); - Pack.intToBigEndian(xOff, state, 36); - - for (int i = 0; i != xOff; i++) - { - Pack.intToBigEndian(X[i], state, 40 + (i * 4)); - } - - return state; - } -} - - - - diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/SHA224Digest.java b/core/src/main/java/org/bouncycastle/crypto/digests/SHA224Digest.java deleted file mode 100644 index 4f2b2842..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/digests/SHA224Digest.java +++ /dev/null @@ -1,356 +0,0 @@ -package org.bouncycastle.crypto.digests; - - -import org.bouncycastle.util.Memoable; -import org.bouncycastle.util.Pack; - - -/** - * SHA-224 as described in RFC 3874 - * <pre> - * block word digest - * SHA-1 512 32 160 - * SHA-224 512 32 224 - * SHA-256 512 32 256 - * SHA-384 1024 64 384 - * SHA-512 1024 64 512 - * </pre> - */ -public class SHA224Digest - extends GeneralDigest - implements EncodableDigest -{ - private static final int DIGEST_LENGTH = 28; - - private int H1, H2, H3, H4, H5, H6, H7, H8; - - private int[] X = new int[64]; - private int xOff; - - /** - * Standard constructor - */ - public SHA224Digest() - { - reset(); - } - - /** - * Copy constructor. This will copy the state of the provided - * message digest. - */ - public SHA224Digest(SHA224Digest t) - { - super(t); - - doCopy(t); - } - - private void doCopy(SHA224Digest t) - { - super.copyIn(t); - - H1 = t.H1; - H2 = t.H2; - H3 = t.H3; - H4 = t.H4; - H5 = t.H5; - H6 = t.H6; - H7 = t.H7; - H8 = t.H8; - - System.arraycopy(t.X, 0, X, 0, t.X.length); - xOff = t.xOff; - } - - public SHA224Digest(byte[] encodedState) - { - super(encodedState); - - H1 = Pack.bigEndianToInt(encodedState, 16); - H2 = Pack.bigEndianToInt(encodedState, 20); - H3 = Pack.bigEndianToInt(encodedState, 24); - H4 = Pack.bigEndianToInt(encodedState, 28); - H5 = Pack.bigEndianToInt(encodedState, 32); - H6 = Pack.bigEndianToInt(encodedState, 36); - H7 = Pack.bigEndianToInt(encodedState, 40); - H8 = Pack.bigEndianToInt(encodedState, 44); - - xOff = Pack.bigEndianToInt(encodedState, 48); - for (int i = 0; i != xOff; i++) - { - X[i] = Pack.bigEndianToInt(encodedState, 52 + (i * 4)); - } - } - - public String getAlgorithmName() - { - return "SHA-224"; - } - - public int getDigestSize() - { - return DIGEST_LENGTH; - } - - protected void processWord( - byte[] in, - int inOff) - { - // Note: Inlined for performance -// X[xOff] = Pack.bigEndianToInt(in, inOff); - int n = in[ inOff] << 24; - n |= (in[++inOff] & 0xff) << 16; - n |= (in[++inOff] & 0xff) << 8; - n |= (in[++inOff] & 0xff); - X[xOff] = n; - - if (++xOff == 16) - { - processBlock(); - } - } - - protected void processLength( - long bitLength) - { - if (xOff > 14) - { - processBlock(); - } - - X[14] = (int)(bitLength >>> 32); - X[15] = (int)(bitLength & 0xffffffff); - } - - public int doFinal( - byte[] out, - int outOff) - { - finish(); - - Pack.intToBigEndian(H1, out, outOff); - Pack.intToBigEndian(H2, out, outOff + 4); - Pack.intToBigEndian(H3, out, outOff + 8); - Pack.intToBigEndian(H4, out, outOff + 12); - Pack.intToBigEndian(H5, out, outOff + 16); - Pack.intToBigEndian(H6, out, outOff + 20); - Pack.intToBigEndian(H7, out, outOff + 24); - - reset(); - - return DIGEST_LENGTH; - } - - /** - * reset the chaining variables - */ - public void reset() - { - super.reset(); - - /* SHA-224 initial hash value - */ - - H1 = 0xc1059ed8; - H2 = 0x367cd507; - H3 = 0x3070dd17; - H4 = 0xf70e5939; - H5 = 0xffc00b31; - H6 = 0x68581511; - H7 = 0x64f98fa7; - H8 = 0xbefa4fa4; - - xOff = 0; - for (int i = 0; i != X.length; i++) - { - X[i] = 0; - } - } - - protected void processBlock() - { - // - // expand 16 word block into 64 word blocks. - // - for (int t = 16; t <= 63; t++) - { - X[t] = Theta1(X[t - 2]) + X[t - 7] + Theta0(X[t - 15]) + X[t - 16]; - } - - // - // set up working variables. - // - int a = H1; - int b = H2; - int c = H3; - int d = H4; - int e = H5; - int f = H6; - int g = H7; - int h = H8; - - - int t = 0; - for(int i = 0; i < 8; i ++) - { - // t = 8 * i - h += Sum1(e) + Ch(e, f, g) + K[t] + X[t]; - d += h; - h += Sum0(a) + Maj(a, b, c); - ++t; - - // t = 8 * i + 1 - g += Sum1(d) + Ch(d, e, f) + K[t] + X[t]; - c += g; - g += Sum0(h) + Maj(h, a, b); - ++t; - - // t = 8 * i + 2 - f += Sum1(c) + Ch(c, d, e) + K[t] + X[t]; - b += f; - f += Sum0(g) + Maj(g, h, a); - ++t; - - // t = 8 * i + 3 - e += Sum1(b) + Ch(b, c, d) + K[t] + X[t]; - a += e; - e += Sum0(f) + Maj(f, g, h); - ++t; - - // t = 8 * i + 4 - d += Sum1(a) + Ch(a, b, c) + K[t] + X[t]; - h += d; - d += Sum0(e) + Maj(e, f, g); - ++t; - - // t = 8 * i + 5 - c += Sum1(h) + Ch(h, a, b) + K[t] + X[t]; - g += c; - c += Sum0(d) + Maj(d, e, f); - ++t; - - // t = 8 * i + 6 - b += Sum1(g) + Ch(g, h, a) + K[t] + X[t]; - f += b; - b += Sum0(c) + Maj(c, d, e); - ++t; - - // t = 8 * i + 7 - a += Sum1(f) + Ch(f, g, h) + K[t] + X[t]; - e += a; - a += Sum0(b) + Maj(b, c, d); - ++t; - } - - H1 += a; - H2 += b; - H3 += c; - H4 += d; - H5 += e; - H6 += f; - H7 += g; - H8 += h; - - // - // reset the offset and clean out the word buffer. - // - xOff = 0; - for (int i = 0; i < 16; i++) - { - X[i] = 0; - } - } - - /* SHA-224 functions */ - private int Ch( - int x, - int y, - int z) - { - return ((x & y) ^ ((~x) & z)); - } - - private int Maj( - int x, - int y, - int z) - { - return ((x & y) ^ (x & z) ^ (y & z)); - } - - private int Sum0( - int x) - { - return ((x >>> 2) | (x << 30)) ^ ((x >>> 13) | (x << 19)) ^ ((x >>> 22) | (x << 10)); - } - - private int Sum1( - int x) - { - return ((x >>> 6) | (x << 26)) ^ ((x >>> 11) | (x << 21)) ^ ((x >>> 25) | (x << 7)); - } - - private int Theta0( - int x) - { - return ((x >>> 7) | (x << 25)) ^ ((x >>> 18) | (x << 14)) ^ (x >>> 3); - } - - private int Theta1( - int x) - { - return ((x >>> 17) | (x << 15)) ^ ((x >>> 19) | (x << 13)) ^ (x >>> 10); - } - - /* SHA-224 Constants - * (represent the first 32 bits of the fractional parts of the - * cube roots of the first sixty-four prime numbers) - */ - static final int K[] = { - 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, - 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, - 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, - 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, - 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, - 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, - 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 - }; - - public Memoable copy() - { - return new SHA224Digest(this); - } - - public void reset(Memoable other) - { - SHA224Digest d = (SHA224Digest)other; - - doCopy(d); - } - - public byte[] getEncodedState() - { - byte[] state = new byte[52 + xOff * 4]; - - super.populateState(state); - - Pack.intToBigEndian(H1, state, 16); - Pack.intToBigEndian(H2, state, 20); - Pack.intToBigEndian(H3, state, 24); - Pack.intToBigEndian(H4, state, 28); - Pack.intToBigEndian(H5, state, 32); - Pack.intToBigEndian(H6, state, 36); - Pack.intToBigEndian(H7, state, 40); - Pack.intToBigEndian(H8, state, 44); - Pack.intToBigEndian(xOff, state, 48); - - for (int i = 0; i != xOff; i++) - { - Pack.intToBigEndian(X[i], state, 52 + (i * 4)); - } - - return state; - } -} - diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/SHA256Digest.java b/core/src/main/java/org/bouncycastle/crypto/digests/SHA256Digest.java deleted file mode 100644 index 600d2343..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/digests/SHA256Digest.java +++ /dev/null @@ -1,360 +0,0 @@ -package org.bouncycastle.crypto.digests; - - -import org.bouncycastle.util.Memoable; -import org.bouncycastle.util.Pack; - - -/** - * FIPS 180-2 implementation of SHA-256. - * - * <pre> - * block word digest - * SHA-1 512 32 160 - * SHA-256 512 32 256 - * SHA-384 1024 64 384 - * SHA-512 1024 64 512 - * </pre> - */ -public class SHA256Digest - extends GeneralDigest - implements EncodableDigest -{ - private static final int DIGEST_LENGTH = 32; - - private int H1, H2, H3, H4, H5, H6, H7, H8; - - private int[] X = new int[64]; - private int xOff; - - /** - * Standard constructor - */ - public SHA256Digest() - { - reset(); - } - - /** - * Copy constructor. This will copy the state of the provided - * message digest. - */ - public SHA256Digest(SHA256Digest t) - { - super(t); - - copyIn(t); - } - - private void copyIn(SHA256Digest t) - { - super.copyIn(t); - - H1 = t.H1; - H2 = t.H2; - H3 = t.H3; - H4 = t.H4; - H5 = t.H5; - H6 = t.H6; - H7 = t.H7; - H8 = t.H8; - - System.arraycopy(t.X, 0, X, 0, t.X.length); - xOff = t.xOff; - } - - public SHA256Digest(byte[] encodedState) - { - super(encodedState); - - H1 = Pack.bigEndianToInt(encodedState, 16); - H2 = Pack.bigEndianToInt(encodedState, 20); - H3 = Pack.bigEndianToInt(encodedState, 24); - H4 = Pack.bigEndianToInt(encodedState, 28); - H5 = Pack.bigEndianToInt(encodedState, 32); - H6 = Pack.bigEndianToInt(encodedState, 36); - H7 = Pack.bigEndianToInt(encodedState, 40); - H8 = Pack.bigEndianToInt(encodedState, 44); - - xOff = Pack.bigEndianToInt(encodedState, 48); - for (int i = 0; i != xOff; i++) - { - X[i] = Pack.bigEndianToInt(encodedState, 52 + (i * 4)); - } - } - - - public String getAlgorithmName() - { - return "SHA-256"; - } - - public int getDigestSize() - { - return DIGEST_LENGTH; - } - - protected void processWord( - byte[] in, - int inOff) - { - // Note: Inlined for performance -// X[xOff] = Pack.bigEndianToInt(in, inOff); - int n = in[inOff] << 24; - n |= (in[++inOff] & 0xff) << 16; - n |= (in[++inOff] & 0xff) << 8; - n |= (in[++inOff] & 0xff); - X[xOff] = n; - - if (++xOff == 16) - { - processBlock(); - } - } - - protected void processLength( - long bitLength) - { - if (xOff > 14) - { - processBlock(); - } - - X[14] = (int)(bitLength >>> 32); - X[15] = (int)(bitLength & 0xffffffff); - } - - public int doFinal( - byte[] out, - int outOff) - { - finish(); - - Pack.intToBigEndian(H1, out, outOff); - Pack.intToBigEndian(H2, out, outOff + 4); - Pack.intToBigEndian(H3, out, outOff + 8); - Pack.intToBigEndian(H4, out, outOff + 12); - Pack.intToBigEndian(H5, out, outOff + 16); - Pack.intToBigEndian(H6, out, outOff + 20); - Pack.intToBigEndian(H7, out, outOff + 24); - Pack.intToBigEndian(H8, out, outOff + 28); - - reset(); - - return DIGEST_LENGTH; - } - - /** - * reset the chaining variables - */ - public void reset() - { - super.reset(); - - /* SHA-256 initial hash value - * The first 32 bits of the fractional parts of the square roots - * of the first eight prime numbers - */ - - H1 = 0x6a09e667; - H2 = 0xbb67ae85; - H3 = 0x3c6ef372; - H4 = 0xa54ff53a; - H5 = 0x510e527f; - H6 = 0x9b05688c; - H7 = 0x1f83d9ab; - H8 = 0x5be0cd19; - - xOff = 0; - for (int i = 0; i != X.length; i++) - { - X[i] = 0; - } - } - - protected void processBlock() - { - // - // expand 16 word block into 64 word blocks. - // - for (int t = 16; t <= 63; t++) - { - X[t] = Theta1(X[t - 2]) + X[t - 7] + Theta0(X[t - 15]) + X[t - 16]; - } - - // - // set up working variables. - // - int a = H1; - int b = H2; - int c = H3; - int d = H4; - int e = H5; - int f = H6; - int g = H7; - int h = H8; - - int t = 0; - for(int i = 0; i < 8; i ++) - { - // t = 8 * i - h += Sum1(e) + Ch(e, f, g) + K[t] + X[t]; - d += h; - h += Sum0(a) + Maj(a, b, c); - ++t; - - // t = 8 * i + 1 - g += Sum1(d) + Ch(d, e, f) + K[t] + X[t]; - c += g; - g += Sum0(h) + Maj(h, a, b); - ++t; - - // t = 8 * i + 2 - f += Sum1(c) + Ch(c, d, e) + K[t] + X[t]; - b += f; - f += Sum0(g) + Maj(g, h, a); - ++t; - - // t = 8 * i + 3 - e += Sum1(b) + Ch(b, c, d) + K[t] + X[t]; - a += e; - e += Sum0(f) + Maj(f, g, h); - ++t; - - // t = 8 * i + 4 - d += Sum1(a) + Ch(a, b, c) + K[t] + X[t]; - h += d; - d += Sum0(e) + Maj(e, f, g); - ++t; - - // t = 8 * i + 5 - c += Sum1(h) + Ch(h, a, b) + K[t] + X[t]; - g += c; - c += Sum0(d) + Maj(d, e, f); - ++t; - - // t = 8 * i + 6 - b += Sum1(g) + Ch(g, h, a) + K[t] + X[t]; - f += b; - b += Sum0(c) + Maj(c, d, e); - ++t; - - // t = 8 * i + 7 - a += Sum1(f) + Ch(f, g, h) + K[t] + X[t]; - e += a; - a += Sum0(b) + Maj(b, c, d); - ++t; - } - - H1 += a; - H2 += b; - H3 += c; - H4 += d; - H5 += e; - H6 += f; - H7 += g; - H8 += h; - - // - // reset the offset and clean out the word buffer. - // - xOff = 0; - for (int i = 0; i < 16; i++) - { - X[i] = 0; - } - } - - /* SHA-256 functions */ - private int Ch( - int x, - int y, - int z) - { - return (x & y) ^ ((~x) & z); - } - - private int Maj( - int x, - int y, - int z) - { - return (x & y) ^ (x & z) ^ (y & z); - } - - private int Sum0( - int x) - { - return ((x >>> 2) | (x << 30)) ^ ((x >>> 13) | (x << 19)) ^ ((x >>> 22) | (x << 10)); - } - - private int Sum1( - int x) - { - return ((x >>> 6) | (x << 26)) ^ ((x >>> 11) | (x << 21)) ^ ((x >>> 25) | (x << 7)); - } - - private int Theta0( - int x) - { - return ((x >>> 7) | (x << 25)) ^ ((x >>> 18) | (x << 14)) ^ (x >>> 3); - } - - private int Theta1( - int x) - { - return ((x >>> 17) | (x << 15)) ^ ((x >>> 19) | (x << 13)) ^ (x >>> 10); - } - - /* SHA-256 Constants - * (represent the first 32 bits of the fractional parts of the - * cube roots of the first sixty-four prime numbers) - */ - static final int K[] = { - 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, - 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, - 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, - 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, - 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, - 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, - 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, - 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 - }; - - public Memoable copy() - { - return new SHA256Digest(this); - } - - public void reset(Memoable other) - { - SHA256Digest d = (SHA256Digest)other; - - copyIn(d); - } - - public byte[] getEncodedState() - { - byte[] state = new byte[52 + xOff * 4]; - - super.populateState(state); - - Pack.intToBigEndian(H1, state, 16); - Pack.intToBigEndian(H2, state, 20); - Pack.intToBigEndian(H3, state, 24); - Pack.intToBigEndian(H4, state, 28); - Pack.intToBigEndian(H5, state, 32); - Pack.intToBigEndian(H6, state, 36); - Pack.intToBigEndian(H7, state, 40); - Pack.intToBigEndian(H8, state, 44); - Pack.intToBigEndian(xOff, state, 48); - - for (int i = 0; i != xOff; i++) - { - Pack.intToBigEndian(X[i], state, 52 + (i * 4)); - } - - return state; - } -} - diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/SHA384Digest.java b/core/src/main/java/org/bouncycastle/crypto/digests/SHA384Digest.java deleted file mode 100644 index fc9fa1e7..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/digests/SHA384Digest.java +++ /dev/null @@ -1,111 +0,0 @@ -package org.bouncycastle.crypto.digests; - -import org.bouncycastle.util.Memoable; -import org.bouncycastle.util.Pack; - - -/** - * FIPS 180-2 implementation of SHA-384. - * - * <pre> - * block word digest - * SHA-1 512 32 160 - * SHA-256 512 32 256 - * SHA-384 1024 64 384 - * SHA-512 1024 64 512 - * </pre> - */ -public class SHA384Digest - extends LongDigest -{ - private static final int DIGEST_LENGTH = 48; - - /** - * Standard constructor - */ - public SHA384Digest() - { - } - - /** - * Copy constructor. This will copy the state of the provided - * message digest. - */ - public SHA384Digest(SHA384Digest t) - { - super(t); - } - - public SHA384Digest(byte[] encodedState) - { - restoreState(encodedState); - } - - public String getAlgorithmName() - { - return "SHA-384"; - } - - public int getDigestSize() - { - return DIGEST_LENGTH; - } - - public int doFinal( - byte[] out, - int outOff) - { - finish(); - - Pack.longToBigEndian(H1, out, outOff); - Pack.longToBigEndian(H2, out, outOff + 8); - Pack.longToBigEndian(H3, out, outOff + 16); - Pack.longToBigEndian(H4, out, outOff + 24); - Pack.longToBigEndian(H5, out, outOff + 32); - Pack.longToBigEndian(H6, out, outOff + 40); - - reset(); - - return DIGEST_LENGTH; - } - - /** - * reset the chaining variables - */ - public void reset() - { - super.reset(); - - /* SHA-384 initial hash value - * The first 64 bits of the fractional parts of the square roots - * of the 9th through 16th prime numbers - */ - H1 = 0xcbbb9d5dc1059ed8l; - H2 = 0x629a292a367cd507l; - H3 = 0x9159015a3070dd17l; - H4 = 0x152fecd8f70e5939l; - H5 = 0x67332667ffc00b31l; - H6 = 0x8eb44a8768581511l; - H7 = 0xdb0c2e0d64f98fa7l; - H8 = 0x47b5481dbefa4fa4l; - } - - public Memoable copy() - { - return new SHA384Digest(this); - } - - public void reset(Memoable other) - { - SHA384Digest d = (SHA384Digest)other; - - super.copyIn(d); - } - - public byte[] getEncodedState() - { - byte[] encoded = new byte[getEncodedStateSize()]; - super.populateState(encoded); - return encoded; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/SHA3Digest.java b/core/src/main/java/org/bouncycastle/crypto/digests/SHA3Digest.java deleted file mode 100644 index e13dc614..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/digests/SHA3Digest.java +++ /dev/null @@ -1,547 +0,0 @@ -package org.bouncycastle.crypto.digests; - -import org.bouncycastle.crypto.ExtendedDigest; -import org.bouncycastle.util.Arrays; - -/** - * implementation of SHA-3 based on following KeccakNISTInterface.c from http://keccak.noekeon.org/ - * <p> - * Following the naming conventions used in the C source code to enable easy review of the implementation. - */ -public class SHA3Digest - implements ExtendedDigest -{ - private static long[] KeccakRoundConstants = keccakInitializeRoundConstants(); - - private static int[] KeccakRhoOffsets = keccakInitializeRhoOffsets(); - - private static long[] keccakInitializeRoundConstants() - { - long[] keccakRoundConstants = new long[24]; - byte[] LFSRstate = new byte[1]; - - LFSRstate[0] = 0x01; - int i, j, bitPosition; - - for (i = 0; i < 24; i++) - { - keccakRoundConstants[i] = 0; - for (j = 0; j < 7; j++) - { - bitPosition = (1 << j) - 1; - if (LFSR86540(LFSRstate)) - { - keccakRoundConstants[i] ^= 1L << bitPosition; - } - } - } - - return keccakRoundConstants; - } - - private static boolean LFSR86540(byte[] LFSR) - { - boolean result = (((LFSR[0]) & 0x01) != 0); - if (((LFSR[0]) & 0x80) != 0) - { - LFSR[0] = (byte)(((LFSR[0]) << 1) ^ 0x71); - } - else - { - LFSR[0] <<= 1; - } - - return result; - } - - private static int[] keccakInitializeRhoOffsets() - { - int[] keccakRhoOffsets = new int[25]; - int x, y, t, newX, newY; - - keccakRhoOffsets[(((0) % 5) + 5 * ((0) % 5))] = 0; - x = 1; - y = 0; - for (t = 0; t < 24; t++) - { - keccakRhoOffsets[(((x) % 5) + 5 * ((y) % 5))] = ((t + 1) * (t + 2) / 2) % 64; - newX = (0 * x + 1 * y) % 5; - newY = (2 * x + 3 * y) % 5; - x = newX; - y = newY; - } - - return keccakRhoOffsets; - } - - private byte[] state = new byte[(1600 / 8)]; - private byte[] dataQueue = new byte[(1536 / 8)]; - private int rate; - private int bitsInQueue; - private int fixedOutputLength; - private boolean squeezing; - private int bitsAvailableForSqueezing; - private byte[] chunk; - private byte[] oneByte; - - private void clearDataQueueSection(int off, int len) - { - for (int i = off; i != off + len; i++) - { - dataQueue[i] = 0; - } - } - - public SHA3Digest() - { - init(0); - } - - public SHA3Digest(int bitLength) - { - init(bitLength); - } - - public SHA3Digest(SHA3Digest source) { - System.arraycopy(source.state, 0, this.state, 0, source.state.length); - System.arraycopy(source.dataQueue, 0, this.dataQueue, 0, source.dataQueue.length); - this.rate = source.rate; - this.bitsInQueue = source.bitsInQueue; - this.fixedOutputLength = source.fixedOutputLength; - this.squeezing = source.squeezing; - this.bitsAvailableForSqueezing = source.bitsAvailableForSqueezing; - this.chunk = Arrays.clone(source.chunk); - this.oneByte = Arrays.clone(source.oneByte); - } - - public String getAlgorithmName() - { - return "SHA3-" + fixedOutputLength; - } - - public int getDigestSize() - { - return fixedOutputLength / 8; - } - - public void update(byte in) - { - oneByte[0] = in; - - doUpdate(oneByte, 0, 8L); - } - - public void update(byte[] in, int inOff, int len) - { - doUpdate(in, inOff, len * 8L); - } - - public int doFinal(byte[] out, int outOff) - { - squeeze(out, outOff, fixedOutputLength); - - reset(); - - return getDigestSize(); - } - - public void reset() - { - init(fixedOutputLength); - } - - /** - * Return the size of block that the compression function is applied to in bytes. - * - * @return internal byte length of a block. - */ - public int getByteLength() - { - return rate / 8; - } - - private void init(int bitLength) - { - switch (bitLength) - { - case 0: - case 288: - initSponge(1024, 576); - break; - case 224: - initSponge(1152, 448); - break; - case 256: - initSponge(1088, 512); - break; - case 384: - initSponge(832, 768); - break; - case 512: - initSponge(576, 1024); - break; - default: - throw new IllegalArgumentException("bitLength must be one of 224, 256, 384, or 512."); - } - } - - private void doUpdate(byte[] data, int off, long databitlen) - { - if ((databitlen % 8) == 0) - { - absorb(data, off, databitlen); - } - else - { - absorb(data, off, databitlen - (databitlen % 8)); - - byte[] lastByte = new byte[1]; - - lastByte[0] = (byte)(data[off + (int)(databitlen / 8)] >> (8 - (databitlen % 8))); - absorb(lastByte, off, databitlen % 8); - } - } - - private void initSponge(int rate, int capacity) - { - if (rate + capacity != 1600) - { - throw new IllegalStateException("rate + capacity != 1600"); - } - if ((rate <= 0) || (rate >= 1600) || ((rate % 64) != 0)) - { - throw new IllegalStateException("invalid rate value"); - } - - this.rate = rate; - // this is never read, need to check to see why we want to save it - // this.capacity = capacity; - this.fixedOutputLength = 0; - Arrays.fill(this.state, (byte)0); - Arrays.fill(this.dataQueue, (byte)0); - this.bitsInQueue = 0; - this.squeezing = false; - this.bitsAvailableForSqueezing = 0; - this.fixedOutputLength = capacity / 2; - this.chunk = new byte[rate / 8]; - this.oneByte = new byte[1]; - } - - private void absorbQueue() - { - KeccakAbsorb(state, dataQueue, rate / 8); - - bitsInQueue = 0; - } - - private void absorb(byte[] data, int off, long databitlen) - { - long i, j, wholeBlocks; - - if ((bitsInQueue % 8) != 0) - { - throw new IllegalStateException("attempt to absorb with odd length queue."); - } - if (squeezing) - { - throw new IllegalStateException("attempt to absorb while squeezing."); - } - - i = 0; - while (i < databitlen) - { - if ((bitsInQueue == 0) && (databitlen >= rate) && (i <= (databitlen - rate))) - { - wholeBlocks = (databitlen - i) / rate; - - for (j = 0; j < wholeBlocks; j++) - { - System.arraycopy(data, (int)(off + (i / 8) + (j * chunk.length)), chunk, 0, chunk.length); - -// displayIntermediateValues.displayBytes(1, "Block to be absorbed", curData, rate / 8); - - KeccakAbsorb(state, chunk, chunk.length); - } - - i += wholeBlocks * rate; - } - else - { - int partialBlock = (int)(databitlen - i); - if (partialBlock + bitsInQueue > rate) - { - partialBlock = rate - bitsInQueue; - } - int partialByte = partialBlock % 8; - partialBlock -= partialByte; - System.arraycopy(data, off + (int)(i / 8), dataQueue, bitsInQueue / 8, partialBlock / 8); - - bitsInQueue += partialBlock; - i += partialBlock; - if (bitsInQueue == rate) - { - absorbQueue(); - } - if (partialByte > 0) - { - int mask = (1 << partialByte) - 1; - dataQueue[bitsInQueue / 8] = (byte)(data[off + ((int)(i / 8))] & mask); - bitsInQueue += partialByte; - i += partialByte; - } - } - } - } - - private void padAndSwitchToSqueezingPhase() - { - if (bitsInQueue + 1 == rate) - { - dataQueue[bitsInQueue / 8] |= 1 << (bitsInQueue % 8); - absorbQueue(); - clearDataQueueSection(0, rate / 8); - } - else - { - clearDataQueueSection((bitsInQueue + 7) / 8, rate / 8 - (bitsInQueue + 7) / 8); - dataQueue[bitsInQueue / 8] |= 1 << (bitsInQueue % 8); - } - dataQueue[(rate - 1) / 8] |= 1 << ((rate - 1) % 8); - absorbQueue(); - - -// displayIntermediateValues.displayText(1, "--- Switching to squeezing phase ---"); - - - if (rate == 1024) - { - KeccakExtract1024bits(state, dataQueue); - bitsAvailableForSqueezing = 1024; - } - else - - { - KeccakExtract(state, dataQueue, rate / 64); - bitsAvailableForSqueezing = rate; - } - -// displayIntermediateValues.displayBytes(1, "Block available for squeezing", dataQueue, bitsAvailableForSqueezing / 8); - - squeezing = true; - } - - private void squeeze(byte[] output, int offset, long outputLength) - { - long i; - int partialBlock; - - if (!squeezing) - { - padAndSwitchToSqueezingPhase(); - } - if ((outputLength % 8) != 0) - { - throw new IllegalStateException("outputLength not a multiple of 8"); - } - - i = 0; - while (i < outputLength) - { - if (bitsAvailableForSqueezing == 0) - { - keccakPermutation(state); - - if (rate == 1024) - { - KeccakExtract1024bits(state, dataQueue); - bitsAvailableForSqueezing = 1024; - } - else - - { - KeccakExtract(state, dataQueue, rate / 64); - bitsAvailableForSqueezing = rate; - } - -// displayIntermediateValues.displayBytes(1, "Block available for squeezing", dataQueue, bitsAvailableForSqueezing / 8); - - } - partialBlock = bitsAvailableForSqueezing; - if ((long)partialBlock > outputLength - i) - { - partialBlock = (int)(outputLength - i); - } - - System.arraycopy(dataQueue, (rate - bitsAvailableForSqueezing) / 8, output, offset + (int)(i / 8), partialBlock / 8); - bitsAvailableForSqueezing -= partialBlock; - i += partialBlock; - } - } - - private void fromBytesToWords(long[] stateAsWords, byte[] state) - { - for (int i = 0; i < (1600 / 64); i++) - { - stateAsWords[i] = 0; - int index = i * (64 / 8); - for (int j = 0; j < (64 / 8); j++) - { - stateAsWords[i] |= ((long)state[index + j] & 0xff) << ((8 * j)); - } - } - } - - private void fromWordsToBytes(byte[] state, long[] stateAsWords) - { - for (int i = 0; i < (1600 / 64); i++) - { - int index = i * (64 / 8); - for (int j = 0; j < (64 / 8); j++) - { - state[index + j] = (byte)((stateAsWords[i] >>> ((8 * j))) & 0xFF); - } - } - } - - private void keccakPermutation(byte[] state) - { - long[] longState = new long[state.length / 8]; - - fromBytesToWords(longState, state); - -// displayIntermediateValues.displayStateAsBytes(1, "Input of permutation", longState); - - keccakPermutationOnWords(longState); - -// displayIntermediateValues.displayStateAsBytes(1, "State after permutation", longState); - - fromWordsToBytes(state, longState); - } - - private void keccakPermutationAfterXor(byte[] state, byte[] data, int dataLengthInBytes) - { - int i; - - for (i = 0; i < dataLengthInBytes; i++) - { - state[i] ^= data[i]; - } - - keccakPermutation(state); - } - - private void keccakPermutationOnWords(long[] state) - { - int i; - -// displayIntermediateValues.displayStateAs64bitWords(3, "Same, with lanes as 64-bit words", state); - - for (i = 0; i < 24; i++) - { -// displayIntermediateValues.displayRoundNumber(3, i); - - theta(state); -// displayIntermediateValues.displayStateAs64bitWords(3, "After theta", state); - - rho(state); -// displayIntermediateValues.displayStateAs64bitWords(3, "After rho", state); - - pi(state); -// displayIntermediateValues.displayStateAs64bitWords(3, "After pi", state); - - chi(state); -// displayIntermediateValues.displayStateAs64bitWords(3, "After chi", state); - - iota(state, i); -// displayIntermediateValues.displayStateAs64bitWords(3, "After iota", state); - } - } - - long[] C = new long[5]; - - private void theta(long[] A) - { - for (int x = 0; x < 5; x++) - { - C[x] = 0; - for (int y = 0; y < 5; y++) - { - C[x] ^= A[x + 5 * y]; - } - } - for (int x = 0; x < 5; x++) - { - long dX = ((((C[(x + 1) % 5]) << 1) ^ ((C[(x + 1) % 5]) >>> (64 - 1)))) ^ C[(x + 4) % 5]; - for (int y = 0; y < 5; y++) - { - A[x + 5 * y] ^= dX; - } - } - } - - private void rho(long[] A) - { - for (int x = 0; x < 5; x++) - { - for (int y = 0; y < 5; y++) - { - int index = x + 5 * y; - A[index] = ((KeccakRhoOffsets[index] != 0) ? (((A[index]) << KeccakRhoOffsets[index]) ^ ((A[index]) >>> (64 - KeccakRhoOffsets[index]))) : A[index]); - } - } - } - - long[] tempA = new long[25]; - - private void pi(long[] A) - { - System.arraycopy(A, 0, tempA, 0, tempA.length); - - for (int x = 0; x < 5; x++) - { - for (int y = 0; y < 5; y++) - { - A[y + 5 * ((2 * x + 3 * y) % 5)] = tempA[x + 5 * y]; - } - } - } - - long[] chiC = new long[5]; - - private void chi(long[] A) - { - for (int y = 0; y < 5; y++) - { - for (int x = 0; x < 5; x++) - { - chiC[x] = A[x + 5 * y] ^ ((~A[(((x + 1) % 5) + 5 * y)]) & A[(((x + 2) % 5) + 5 * y)]); - } - for (int x = 0; x < 5; x++) - { - A[x + 5 * y] = chiC[x]; - } - } - } - - private void iota(long[] A, int indexRound) - { - A[(((0) % 5) + 5 * ((0) % 5))] ^= KeccakRoundConstants[indexRound]; - } - - private void KeccakAbsorb(byte[] byteState, byte[] data, int dataInBytes) - { - keccakPermutationAfterXor(byteState, data, dataInBytes); - } - - - private void KeccakExtract1024bits(byte[] byteState, byte[] data) - { - System.arraycopy(byteState, 0, data, 0, 128); - } - - - private void KeccakExtract(byte[] byteState, byte[] data, int laneCount) - { - System.arraycopy(byteState, 0, data, 0, laneCount * 8); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/SHA512Digest.java b/core/src/main/java/org/bouncycastle/crypto/digests/SHA512Digest.java deleted file mode 100644 index 644bafad..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/digests/SHA512Digest.java +++ /dev/null @@ -1,114 +0,0 @@ -package org.bouncycastle.crypto.digests; - -import org.bouncycastle.util.Memoable; -import org.bouncycastle.util.Pack; - - -/** - * FIPS 180-2 implementation of SHA-512. - * - * <pre> - * block word digest - * SHA-1 512 32 160 - * SHA-256 512 32 256 - * SHA-384 1024 64 384 - * SHA-512 1024 64 512 - * </pre> - */ -public class SHA512Digest - extends LongDigest -{ - private static final int DIGEST_LENGTH = 64; - - /** - * Standard constructor - */ - public SHA512Digest() - { - } - - /** - * Copy constructor. This will copy the state of the provided - * message digest. - */ - public SHA512Digest(SHA512Digest t) - { - super(t); - } - - public SHA512Digest(byte[] encodedState) - { - restoreState(encodedState); - } - - public String getAlgorithmName() - { - return "SHA-512"; - } - - public int getDigestSize() - { - return DIGEST_LENGTH; - } - - public int doFinal( - byte[] out, - int outOff) - { - finish(); - - Pack.longToBigEndian(H1, out, outOff); - Pack.longToBigEndian(H2, out, outOff + 8); - Pack.longToBigEndian(H3, out, outOff + 16); - Pack.longToBigEndian(H4, out, outOff + 24); - Pack.longToBigEndian(H5, out, outOff + 32); - Pack.longToBigEndian(H6, out, outOff + 40); - Pack.longToBigEndian(H7, out, outOff + 48); - Pack.longToBigEndian(H8, out, outOff + 56); - - reset(); - - return DIGEST_LENGTH; - } - - /** - * reset the chaining variables - */ - public void reset() - { - super.reset(); - - /* SHA-512 initial hash value - * The first 64 bits of the fractional parts of the square roots - * of the first eight prime numbers - */ - H1 = 0x6a09e667f3bcc908L; - H2 = 0xbb67ae8584caa73bL; - H3 = 0x3c6ef372fe94f82bL; - H4 = 0xa54ff53a5f1d36f1L; - H5 = 0x510e527fade682d1L; - H6 = 0x9b05688c2b3e6c1fL; - H7 = 0x1f83d9abfb41bd6bL; - H8 = 0x5be0cd19137e2179L; - } - - public Memoable copy() - { - return new SHA512Digest(this); - } - - public void reset(Memoable other) - { - SHA512Digest d = (SHA512Digest)other; - - copyIn(d); - } - - public byte[] getEncodedState() - { - byte[] encoded = new byte[getEncodedStateSize()]; - super.populateState(encoded); - return encoded; - } -} - diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/SHA512tDigest.java b/core/src/main/java/org/bouncycastle/crypto/digests/SHA512tDigest.java deleted file mode 100644 index d5848b17..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/digests/SHA512tDigest.java +++ /dev/null @@ -1,227 +0,0 @@ -package org.bouncycastle.crypto.digests; - -import org.bouncycastle.util.Memoable; -import org.bouncycastle.util.MemoableResetException; -import org.bouncycastle.util.Pack; - -/** - * FIPS 180-4 implementation of SHA-512/t - */ -public class SHA512tDigest - extends LongDigest -{ - private int digestLength; // non-final due to old flow analyser. - - private long H1t, H2t, H3t, H4t, H5t, H6t, H7t, H8t; - - /** - * Standard constructor - */ - public SHA512tDigest(int bitLength) - { - if (bitLength >= 512) - { - throw new IllegalArgumentException("bitLength cannot be >= 512"); - } - - if (bitLength % 8 != 0) - { - throw new IllegalArgumentException("bitLength needs to be a multiple of 8"); - } - - if (bitLength == 384) - { - throw new IllegalArgumentException("bitLength cannot be 384 use SHA384 instead"); - } - - this.digestLength = bitLength / 8; - - tIvGenerate(digestLength * 8); - - reset(); - } - - /** - * Copy constructor. This will copy the state of the provided - * message digest. - */ - public SHA512tDigest(SHA512tDigest t) - { - super(t); - - this.digestLength = t.digestLength; - - reset(t); - } - - public SHA512tDigest(byte[] encodedState) - { - this(readDigestLength(encodedState)); - restoreState(encodedState); - } - - private static int readDigestLength(byte[] encodedState) - { - return Pack.bigEndianToInt(encodedState, encodedState.length - 4); - } - - public String getAlgorithmName() - { - return "SHA-512/" + Integer.toString(digestLength * 8); - } - - public int getDigestSize() - { - return digestLength; - } - - public int doFinal( - byte[] out, - int outOff) - { - finish(); - - longToBigEndian(H1, out, outOff, digestLength); - longToBigEndian(H2, out, outOff + 8, digestLength - 8); - longToBigEndian(H3, out, outOff + 16, digestLength - 16); - longToBigEndian(H4, out, outOff + 24, digestLength - 24); - longToBigEndian(H5, out, outOff + 32, digestLength - 32); - longToBigEndian(H6, out, outOff + 40, digestLength - 40); - longToBigEndian(H7, out, outOff + 48, digestLength - 48); - longToBigEndian(H8, out, outOff + 56, digestLength - 56); - - reset(); - - return digestLength; - } - - /** - * reset the chaining variables - */ - public void reset() - { - super.reset(); - - /* - * initial hash values use the iv generation algorithm for t. - */ - H1 = H1t; - H2 = H2t; - H3 = H3t; - H4 = H4t; - H5 = H5t; - H6 = H6t; - H7 = H7t; - H8 = H8t; - } - - private void tIvGenerate(int bitLength) - { - H1 = 0x6a09e667f3bcc908L ^ 0xa5a5a5a5a5a5a5a5L; - H2 = 0xbb67ae8584caa73bL ^ 0xa5a5a5a5a5a5a5a5L; - H3 = 0x3c6ef372fe94f82bL ^ 0xa5a5a5a5a5a5a5a5L; - H4 = 0xa54ff53a5f1d36f1L ^ 0xa5a5a5a5a5a5a5a5L; - H5 = 0x510e527fade682d1L ^ 0xa5a5a5a5a5a5a5a5L; - H6 = 0x9b05688c2b3e6c1fL ^ 0xa5a5a5a5a5a5a5a5L; - H7 = 0x1f83d9abfb41bd6bL ^ 0xa5a5a5a5a5a5a5a5L; - H8 = 0x5be0cd19137e2179L ^ 0xa5a5a5a5a5a5a5a5L; - - update((byte)0x53); - update((byte)0x48); - update((byte)0x41); - update((byte)0x2D); - update((byte)0x35); - update((byte)0x31); - update((byte)0x32); - update((byte)0x2F); - - if (bitLength > 100) - { - update((byte)(bitLength / 100 + 0x30)); - bitLength = bitLength % 100; - update((byte)(bitLength / 10 + 0x30)); - bitLength = bitLength % 10; - update((byte)(bitLength + 0x30)); - } - else if (bitLength > 10) - { - update((byte)(bitLength / 10 + 0x30)); - bitLength = bitLength % 10; - update((byte)(bitLength + 0x30)); - } - else - { - update((byte)(bitLength + 0x30)); - } - - finish(); - - H1t = H1; - H2t = H2; - H3t = H3; - H4t = H4; - H5t = H5; - H6t = H6; - H7t = H7; - H8t = H8; - } - - private static void longToBigEndian(long n, byte[] bs, int off, int max) - { - if (max > 0) - { - intToBigEndian((int)(n >>> 32), bs, off, max); - - if (max > 4) - { - intToBigEndian((int)(n & 0xffffffffL), bs, off + 4, max - 4); - } - } - } - - private static void intToBigEndian(int n, byte[] bs, int off, int max) - { - int num = Math.min(4, max); - while (--num >= 0) - { - int shift = 8 * (3 - num); - bs[off + num] = (byte)(n >>> shift); - } - } - - public Memoable copy() - { - return new SHA512tDigest(this); - } - - public void reset(Memoable other) - { - SHA512tDigest t = (SHA512tDigest)other; - - if (this.digestLength != t.digestLength) - { - throw new MemoableResetException("digestLength inappropriate in other"); - } - - super.copyIn(t); - - this.H1t = t.H1t; - this.H2t = t.H2t; - this.H3t = t.H3t; - this.H4t = t.H4t; - this.H5t = t.H5t; - this.H6t = t.H6t; - this.H7t = t.H7t; - this.H8t = t.H8t; - } - - public byte[] getEncodedState() - { - final int baseSize = getEncodedStateSize(); - byte[] encoded = new byte[baseSize + 4]; - populateState(encoded); - Pack.intToBigEndian(digestLength * 8, encoded, baseSize); - return encoded; - } - -} diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/SM3Digest.java b/core/src/main/java/org/bouncycastle/crypto/digests/SM3Digest.java deleted file mode 100644 index 5e90add5..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/digests/SM3Digest.java +++ /dev/null @@ -1,333 +0,0 @@ -package org.bouncycastle.crypto.digests; - -import org.bouncycastle.util.Memoable; -import org.bouncycastle.util.Pack; - -/** - * Implementation of Chinese SM3 digest as described at - * http://tools.ietf.org/html/draft-shen-sm3-hash-00 - * and at .... ( Chinese PDF ) - * <p> - * The specification says "process a bit stream", - * but this is written to process bytes in blocks of 4, - * meaning this will process 32-bit word groups. - * But so do also most other digest specifications, - * including the SHA-256 which was a origin for - * this specification. - */ -public class SM3Digest - extends GeneralDigest -{ - private static final int DIGEST_LENGTH = 32; // bytes - private static final int BLOCK_SIZE = 64 / 4; // of 32 bit ints (16 ints) - - private int[] V = new int[DIGEST_LENGTH / 4]; // in 32 bit ints (8 ints) - private int[] inwords = new int[BLOCK_SIZE]; - private int xOff; - - // Work-bufs used within processBlock() - private int[] W = new int[68]; - private int[] W1 = new int[64]; - - // Round constant T for processBlock() which is 32 bit integer rolled left up to (63 MOD 32) bit positions. - private static final int[] T = new int[64]; - - static - { - for (int i = 0; i < 16; ++i) - { - int t = 0x79CC4519; - T[i] = (t << i) | (t >>> (32 - i)); - } - for (int i = 16; i < 64; ++i) - { - int n = i % 32; - int t = 0x7A879D8A; - T[i] = (t << n) | (t >>> (32 - n)); - } - } - - - /** - * Standard constructor - */ - public SM3Digest() - { - reset(); - } - - /** - * Copy constructor. This will copy the state of the provided - * message digest. - */ - public SM3Digest(SM3Digest t) - { - super(t); - - copyIn(t); - } - - private void copyIn(SM3Digest t) - { - System.arraycopy(t.V, 0, this.V, 0, this.V.length); - System.arraycopy(t.inwords, 0, this.inwords, 0, this.inwords.length); - xOff = t.xOff; - } - - public String getAlgorithmName() - { - return "SM3"; - } - - public int getDigestSize() - { - return DIGEST_LENGTH; - } - - - public Memoable copy() - { - return new SM3Digest(this); - } - - public void reset(Memoable other) - { - SM3Digest d = (SM3Digest)other; - - super.copyIn(d); - copyIn(d); - } - - - /** - * reset the chaining variables - */ - public void reset() - { - super.reset(); - - this.V[0] = 0x7380166F; - this.V[1] = 0x4914B2B9; - this.V[2] = 0x172442D7; - this.V[3] = 0xDA8A0600; - this.V[4] = 0xA96F30BC; - this.V[5] = 0x163138AA; - this.V[6] = 0xE38DEE4D; - this.V[7] = 0xB0FB0E4E; - - this.xOff = 0; - } - - - public int doFinal(byte[] out, - int outOff) - { - finish(); - - Pack.intToBigEndian(this.V[0], out, outOff + 0); - Pack.intToBigEndian(this.V[1], out, outOff + 4); - Pack.intToBigEndian(this.V[2], out, outOff + 8); - Pack.intToBigEndian(this.V[3], out, outOff + 12); - Pack.intToBigEndian(this.V[4], out, outOff + 16); - Pack.intToBigEndian(this.V[5], out, outOff + 20); - Pack.intToBigEndian(this.V[6], out, outOff + 24); - Pack.intToBigEndian(this.V[7], out, outOff + 28); - - reset(); - - return DIGEST_LENGTH; - } - - - protected void processWord(byte[] in, - int inOff) - { - // Note: Inlined for performance - // this.inwords[xOff] = Pack.bigEndianToInt(in, inOff); - int n = (((in[inOff] & 0xff) << 24) | - ((in[++inOff] & 0xff) << 16) | - ((in[++inOff] & 0xff) << 8) | - ((in[++inOff] & 0xff))); - - this.inwords[this.xOff] = n; - ++this.xOff; - - if (this.xOff >= 16) - { - processBlock(); - } - } - - protected void processLength(long bitLength) - { - if (this.xOff > (BLOCK_SIZE - 2)) - { - // xOff == 15 --> can't fit the 64 bit length field at tail.. - this.inwords[this.xOff] = 0; // fill with zero - ++this.xOff; - - processBlock(); - } - // Fill with zero words, until reach 2nd to last slot - while (this.xOff < (BLOCK_SIZE - 2)) - { - this.inwords[this.xOff] = 0; - ++this.xOff; - } - - // Store input data length in BITS - this.inwords[this.xOff++] = (int)(bitLength >>> 32); - this.inwords[this.xOff++] = (int)(bitLength); - } - -/* - -3.4.2. Constants - - - Tj = 79cc4519 when 0 < = j < = 15 - Tj = 7a879d8a when 16 < = j < = 63 - -3.4.3. Boolean function - - - FFj(X;Y;Z) = X XOR Y XOR Z when 0 < = j < = 15 - = (X AND Y) OR (X AND Z) OR (Y AND Z) when 16 < = j < = 63 - - GGj(X;Y;Z) = X XOR Y XOR Z when 0 < = j < = 15 - = (X AND Y) OR (NOT X AND Z) when 16 < = j < = 63 - - The X, Y, Z in the fomular are words!GBP - -3.4.4. Permutation function - - - P0(X) = X XOR (X <<< 9) XOR (X <<< 17) ## ROLL, not SHIFT - P1(X) = X XOR (X <<< 15) XOR (X <<< 23) ## ROLL, not SHIFT - - The X in the fomular are a word. - ----------- - -Each ROLL converted to Java expression: - -ROLL 9 : ((x << 9) | (x >>> (32-9)))) -ROLL 17 : ((x << 17) | (x >>> (32-17))) -ROLL 15 : ((x << 15) | (x >>> (32-15))) -ROLL 23 : ((x << 23) | (x >>> (32-23))) - - */ - - private int P0(final int x) - { - final int r9 = ((x << 9) | (x >>> (32 - 9))); - final int r17 = ((x << 17) | (x >>> (32 - 17))); - return (x ^ r9 ^ r17); - } - - private int P1(final int x) - { - final int r15 = ((x << 15) | (x >>> (32 - 15))); - final int r23 = ((x << 23) | (x >>> (32 - 23))); - return (x ^ r15 ^ r23); - } - - private int FF0(final int x, final int y, final int z) - { - return (x ^ y ^ z); - } - - private int FF1(final int x, final int y, final int z) - { - return ((x & y) | (x & z) | (y & z)); - } - - private int GG0(final int x, final int y, final int z) - { - return (x ^ y ^ z); - } - - private int GG1(final int x, final int y, final int z) - { - return ((x & y) | ((~x) & z)); - } - - - protected void processBlock() - { - for (int j = 0; j < 16; ++j) - { - this.W[j] = this.inwords[j]; - } - for (int j = 16; j < 68; ++j) - { - int wj3 = this.W[j - 3]; - int r15 = ((wj3 << 15) | (wj3 >>> (32 - 15))); - int wj13 = this.W[j - 13]; - int r7 = ((wj13 << 7) | (wj13 >>> (32 - 7))); - this.W[j] = P1(this.W[j - 16] ^ this.W[j - 9] ^ r15) ^ r7 ^ this.W[j - 6]; - } - for (int j = 0; j < 64; ++j) - { - this.W1[j] = this.W[j] ^ this.W[j + 4]; - } - - int A = this.V[0]; - int B = this.V[1]; - int C = this.V[2]; - int D = this.V[3]; - int E = this.V[4]; - int F = this.V[5]; - int G = this.V[6]; - int H = this.V[7]; - - - for (int j = 0; j < 16; ++j) - { - int a12 = ((A << 12) | (A >>> (32 - 12))); - int s1_ = a12 + E + T[j]; - int SS1 = ((s1_ << 7) | (s1_ >>> (32 - 7))); - int SS2 = SS1 ^ a12; - int TT1 = FF0(A, B, C) + D + SS2 + this.W1[j]; - int TT2 = GG0(E, F, G) + H + SS1 + this.W[j]; - D = C; - C = ((B << 9) | (B >>> (32 - 9))); - B = A; - A = TT1; - H = G; - G = ((F << 19) | (F >>> (32 - 19))); - F = E; - E = P0(TT2); - } - - // Different FF,GG functions on rounds 16..63 - for (int j = 16; j < 64; ++j) - { - int a12 = ((A << 12) | (A >>> (32 - 12))); - int s1_ = a12 + E + T[j]; - int SS1 = ((s1_ << 7) | (s1_ >>> (32 - 7))); - int SS2 = SS1 ^ a12; - int TT1 = FF1(A, B, C) + D + SS2 + this.W1[j]; - int TT2 = GG1(E, F, G) + H + SS1 + this.W[j]; - D = C; - C = ((B << 9) | (B >>> (32 - 9))); - B = A; - A = TT1; - H = G; - G = ((F << 19) | (F >>> (32 - 19))); - F = E; - E = P0(TT2); - } - - this.V[0] ^= A; - this.V[1] ^= B; - this.V[2] ^= C; - this.V[3] ^= D; - this.V[4] ^= E; - this.V[5] ^= F; - this.V[6] ^= G; - this.V[7] ^= H; - - this.xOff = 0; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/ShortenedDigest.java b/core/src/main/java/org/bouncycastle/crypto/digests/ShortenedDigest.java deleted file mode 100644 index 89033e80..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/digests/ShortenedDigest.java +++ /dev/null @@ -1,80 +0,0 @@ -package org.bouncycastle.crypto.digests; - -import org.bouncycastle.crypto.ExtendedDigest; - -/** - * Wrapper class that reduces the output length of a particular digest to - * only the first n bytes of the digest function. - */ -public class ShortenedDigest - implements ExtendedDigest -{ - private ExtendedDigest baseDigest; - private int length; - - /** - * Base constructor. - * - * @param baseDigest underlying digest to use. - * @param length length in bytes of the output of doFinal. - * @exception IllegalArgumentException if baseDigest is null, or length is greater than baseDigest.getDigestSize(). - */ - public ShortenedDigest( - ExtendedDigest baseDigest, - int length) - { - if (baseDigest == null) - { - throw new IllegalArgumentException("baseDigest must not be null"); - } - - if (length > baseDigest.getDigestSize()) - { - throw new IllegalArgumentException("baseDigest output not large enough to support length"); - } - - this.baseDigest = baseDigest; - this.length = length; - } - - public String getAlgorithmName() - { - return baseDigest.getAlgorithmName() + "(" + length * 8 + ")"; - } - - public int getDigestSize() - { - return length; - } - - public void update(byte in) - { - baseDigest.update(in); - } - - public void update(byte[] in, int inOff, int len) - { - baseDigest.update(in, inOff, len); - } - - public int doFinal(byte[] out, int outOff) - { - byte[] tmp = new byte[baseDigest.getDigestSize()]; - - baseDigest.doFinal(tmp, 0); - - System.arraycopy(tmp, 0, out, outOff, length); - - return length; - } - - public void reset() - { - baseDigest.reset(); - } - - public int getByteLength() - { - return baseDigest.getByteLength(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/SkeinDigest.java b/core/src/main/java/org/bouncycastle/crypto/digests/SkeinDigest.java deleted file mode 100644 index ae1dbd62..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/digests/SkeinDigest.java +++ /dev/null @@ -1,115 +0,0 @@ -package org.bouncycastle.crypto.digests; - -import org.bouncycastle.crypto.ExtendedDigest; -import org.bouncycastle.crypto.engines.ThreefishEngine; -import org.bouncycastle.crypto.params.SkeinParameters; -import org.bouncycastle.util.Memoable; - -/** - * Implementation of the Skein parameterised hash function in 256, 512 and 1024 bit block sizes, - * based on the {@link ThreefishEngine Threefish} tweakable block cipher. - * <p> - * This is the 1.3 version of Skein defined in the Skein hash function submission to the NIST SHA-3 - * competition in October 2010. - * <p> - * Skein was designed by Niels Ferguson - Stefan Lucks - Bruce Schneier - Doug Whiting - Mihir - * Bellare - Tadayoshi Kohno - Jon Callas - Jesse Walker. - * - * @see SkeinEngine - * @see SkeinParameters - */ -public class SkeinDigest - implements ExtendedDigest, Memoable -{ - /** - * 256 bit block size - Skein-256 - */ - public static final int SKEIN_256 = SkeinEngine.SKEIN_256; - /** - * 512 bit block size - Skein-512 - */ - public static final int SKEIN_512 = SkeinEngine.SKEIN_512; - /** - * 1024 bit block size - Skein-1024 - */ - public static final int SKEIN_1024 = SkeinEngine.SKEIN_1024; - - private SkeinEngine engine; - - /** - * Constructs a Skein digest with an internal state size and output size. - * - * @param stateSizeBits the internal state size in bits - one of {@link #SKEIN_256}, {@link #SKEIN_512} or - * {@link #SKEIN_1024}. - * @param digestSizeBits the output/digest size to produce in bits, which must be an integral number of - * bytes. - */ - public SkeinDigest(int stateSizeBits, int digestSizeBits) - { - this.engine = new SkeinEngine(stateSizeBits, digestSizeBits); - init(null); - } - - public SkeinDigest(SkeinDigest digest) - { - this.engine = new SkeinEngine(digest.engine); - } - - public void reset(Memoable other) - { - SkeinDigest d = (SkeinDigest)other; - engine.reset(d.engine); - } - - public Memoable copy() - { - return new SkeinDigest(this); - } - - public String getAlgorithmName() - { - return "Skein-" + (engine.getBlockSize() * 8) + "-" + (engine.getOutputSize() * 8); - } - - public int getDigestSize() - { - return engine.getOutputSize(); - } - - public int getByteLength() - { - return engine.getBlockSize(); - } - - /** - * Optionally initialises the Skein digest with the provided parameters.<br> - * See {@link SkeinParameters} for details on the parameterisation of the Skein hash function. - * - * @param params the parameters to apply to this engine, or <code>null</code> to use no parameters. - */ - public void init(SkeinParameters params) - { - engine.init(params); - } - - public void reset() - { - engine.reset(); - } - - public void update(byte in) - { - engine.update(in); - } - - public void update(byte[] in, int inOff, int len) - { - engine.update(in, inOff, len); - } - - public int doFinal(byte[] out, int outOff) - { - return engine.doFinal(out, outOff); - } - -} diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/SkeinEngine.java b/core/src/main/java/org/bouncycastle/crypto/digests/SkeinEngine.java deleted file mode 100644 index b125dbd6..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/digests/SkeinEngine.java +++ /dev/null @@ -1,817 +0,0 @@ -package org.bouncycastle.crypto.digests; - -import java.util.Enumeration; -import java.util.Hashtable; -import java.util.Vector; - -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.engines.ThreefishEngine; -import org.bouncycastle.crypto.macs.SkeinMac; -import org.bouncycastle.crypto.params.SkeinParameters; -import org.bouncycastle.util.Arrays; -import org.bouncycastle.util.Memoable; - -/** - * Implementation of the Skein family of parameterised hash functions in 256, 512 and 1024 bit block - * sizes, based on the {@link ThreefishEngine Threefish} tweakable block cipher. - * <p> - * This is the 1.3 version of Skein defined in the Skein hash function submission to the NIST SHA-3 - * competition in October 2010. - * <p> - * Skein was designed by Niels Ferguson - Stefan Lucks - Bruce Schneier - Doug Whiting - Mihir - * Bellare - Tadayoshi Kohno - Jon Callas - Jesse Walker. - * <p> - * This implementation is the basis for {@link SkeinDigest} and {@link SkeinMac}, implementing the - * parameter based configuration system that allows Skein to be adapted to multiple applications. <br> - * Initialising the engine with {@link SkeinParameters} allows standard and arbitrary parameters to - * be applied during the Skein hash function. - * <p> - * Implemented: - * <ul> - * <li>256, 512 and 1024 bit internal states.</li> - * <li>Full 96 bit input length.</li> - * <li>Parameters defined in the Skein specification, and arbitrary other pre and post message - * parameters.</li> - * <li>Arbitrary output size in 1 byte intervals.</li> - * </ul> - * <p> - * Not implemented: - * <ul> - * <li>Sub-byte length input (bit padding).</li> - * <li>Tree hashing.</li> - * </ul> - * - * @see SkeinParameters - */ -public class SkeinEngine - implements Memoable -{ - /** - * 256 bit block size - Skein 256 - */ - public static final int SKEIN_256 = ThreefishEngine.BLOCKSIZE_256; - /** - * 512 bit block size - Skein 512 - */ - public static final int SKEIN_512 = ThreefishEngine.BLOCKSIZE_512; - /** - * 1024 bit block size - Skein 1024 - */ - public static final int SKEIN_1024 = ThreefishEngine.BLOCKSIZE_1024; - - // Minimal at present, but more complex when tree hashing is implemented - private static class Configuration - { - private byte[] bytes = new byte[32]; - - public Configuration(long outputSizeBits) - { - // 0..3 = ASCII SHA3 - bytes[0] = (byte)'S'; - bytes[1] = (byte)'H'; - bytes[2] = (byte)'A'; - bytes[3] = (byte)'3'; - - // 4..5 = version number in LSB order - bytes[4] = 1; - bytes[5] = 0; - - // 8..15 = output length - ThreefishEngine.wordToBytes(outputSizeBits, bytes, 8); - } - - public byte[] getBytes() - { - return bytes; - } - - } - - public static class Parameter - { - private int type; - private byte[] value; - - public Parameter(int type, byte[] value) - { - this.type = type; - this.value = value; - } - - public int getType() - { - return type; - } - - public byte[] getValue() - { - return value; - } - - } - - /** - * The parameter type for the Skein key. - */ - private static final int PARAM_TYPE_KEY = 0; - - /** - * The parameter type for the Skein configuration block. - */ - private static final int PARAM_TYPE_CONFIG = 4; - - /** - * The parameter type for the message. - */ - private static final int PARAM_TYPE_MESSAGE = 48; - - /** - * The parameter type for the output transformation. - */ - private static final int PARAM_TYPE_OUTPUT = 63; - - /** - * Precalculated UBI(CFG) states for common state/output combinations without key or other - * pre-message params. - */ - private static final Hashtable INITIAL_STATES = new Hashtable(); - - static - { - // From Appendix C of the Skein 1.3 NIST submission - initialState(SKEIN_256, 128, new long[]{ - 0xe1111906964d7260L, - 0x883daaa77c8d811cL, - 0x10080df491960f7aL, - 0xccf7dde5b45bc1c2L}); - - initialState(SKEIN_256, 160, new long[]{ - 0x1420231472825e98L, - 0x2ac4e9a25a77e590L, - 0xd47a58568838d63eL, - 0x2dd2e4968586ab7dL}); - - initialState(SKEIN_256, 224, new long[]{ - 0xc6098a8c9ae5ea0bL, - 0x876d568608c5191cL, - 0x99cb88d7d7f53884L, - 0x384bddb1aeddb5deL}); - - initialState(SKEIN_256, 256, new long[]{ - 0xfc9da860d048b449L, - 0x2fca66479fa7d833L, - 0xb33bc3896656840fL, - 0x6a54e920fde8da69L}); - - initialState(SKEIN_512, 128, new long[]{ - 0xa8bc7bf36fbf9f52L, - 0x1e9872cebd1af0aaL, - 0x309b1790b32190d3L, - 0xbcfbb8543f94805cL, - 0x0da61bcd6e31b11bL, - 0x1a18ebead46a32e3L, - 0xa2cc5b18ce84aa82L, - 0x6982ab289d46982dL}); - - initialState(SKEIN_512, 160, new long[]{ - 0x28b81a2ae013bd91L, - 0xc2f11668b5bdf78fL, - 0x1760d8f3f6a56f12L, - 0x4fb747588239904fL, - 0x21ede07f7eaf5056L, - 0xd908922e63ed70b8L, - 0xb8ec76ffeccb52faL, - 0x01a47bb8a3f27a6eL}); - - initialState(SKEIN_512, 224, new long[]{ - 0xccd0616248677224L, - 0xcba65cf3a92339efL, - 0x8ccd69d652ff4b64L, - 0x398aed7b3ab890b4L, - 0x0f59d1b1457d2bd0L, - 0x6776fe6575d4eb3dL, - 0x99fbc70e997413e9L, - 0x9e2cfccfe1c41ef7L}); - - initialState(SKEIN_512, 384, new long[]{ - 0xa3f6c6bf3a75ef5fL, - 0xb0fef9ccfd84faa4L, - 0x9d77dd663d770cfeL, - 0xd798cbf3b468fddaL, - 0x1bc4a6668a0e4465L, - 0x7ed7d434e5807407L, - 0x548fc1acd4ec44d6L, - 0x266e17546aa18ff8L}); - - initialState(SKEIN_512, 512, new long[]{ - 0x4903adff749c51ceL, - 0x0d95de399746df03L, - 0x8fd1934127c79bceL, - 0x9a255629ff352cb1L, - 0x5db62599df6ca7b0L, - 0xeabe394ca9d5c3f4L, - 0x991112c71a75b523L, - 0xae18a40b660fcc33L}); - } - - private static void initialState(int blockSize, int outputSize, long[] state) - { - INITIAL_STATES.put(variantIdentifier(blockSize / 8, outputSize / 8), state); - } - - private static Integer variantIdentifier(int blockSizeBytes, int outputSizeBytes) - { - return new Integer((outputSizeBytes << 16) | blockSizeBytes); - } - - private static class UbiTweak - { - /** - * Point at which position might overflow long, so switch to add with carry logic - */ - private static final long LOW_RANGE = Long.MAX_VALUE - Integer.MAX_VALUE; - - /** - * Bit 127 = final - */ - private static final long T1_FINAL = 1L << 63; - - /** - * Bit 126 = first - */ - private static final long T1_FIRST = 1L << 62; - - /** - * UBI uses a 128 bit tweak - */ - private long tweak[] = new long[2]; - - /** - * Whether 64 bit position exceeded - */ - private boolean extendedPosition; - - public UbiTweak() - { - reset(); - } - - public void reset(UbiTweak tweak) - { - this.tweak = Arrays.clone(tweak.tweak, this.tweak); - this.extendedPosition = tweak.extendedPosition; - } - - public void reset() - { - tweak[0] = 0; - tweak[1] = 0; - extendedPosition = false; - setFirst(true); - } - - public void setType(int type) - { - // Bits 120..125 = type - tweak[1] = (tweak[1] & 0xFFFFFFC000000000L) | ((type & 0x3FL) << 56); - } - - public int getType() - { - return (int)((tweak[1] >>> 56) & 0x3FL); - } - - public void setFirst(boolean first) - { - if (first) - { - tweak[1] |= T1_FIRST; - } - else - { - tweak[1] &= ~T1_FIRST; - } - } - - public boolean isFirst() - { - return ((tweak[1] & T1_FIRST) != 0); - } - - public void setFinal(boolean last) - { - if (last) - { - tweak[1] |= T1_FINAL; - } - else - { - tweak[1] &= ~T1_FINAL; - } - } - - public boolean isFinal() - { - return ((tweak[1] & T1_FINAL) != 0); - } - - /** - * Advances the position in the tweak by the specified value. - */ - public void advancePosition(int advance) - { - // Bits 0..95 = position - if (extendedPosition) - { - long[] parts = new long[3]; - parts[0] = tweak[0] & 0xFFFFFFFFL; - parts[1] = (tweak[0] >>> 32) & 0xFFFFFFFFL; - parts[2] = tweak[1] & 0xFFFFFFFFL; - - long carry = advance; - for (int i = 0; i < parts.length; i++) - { - carry += parts[i]; - parts[i] = carry; - carry >>>= 32; - } - tweak[0] = ((parts[1] & 0xFFFFFFFFL) << 32) | (parts[0] & 0xFFFFFFFFL); - tweak[1] = (tweak[1] & 0xFFFFFFFF00000000L) | (parts[2] & 0xFFFFFFFFL); - } - else - { - long position = tweak[0]; - position += advance; - tweak[0] = position; - if (position > LOW_RANGE) - { - extendedPosition = true; - } - } - } - - public long[] getWords() - { - return tweak; - } - - public String toString() - { - return getType() + " first: " + isFirst() + ", final: " + isFinal(); - } - - } - - /** - * The Unique Block Iteration chaining mode. - */ - // TODO: This might be better as methods... - private class UBI - { - private final UbiTweak tweak = new UbiTweak(); - - /** - * Buffer for the current block of message data - */ - private byte[] currentBlock; - - /** - * Offset into the current message block - */ - private int currentOffset; - - /** - * Buffer for message words for feedback into encrypted block - */ - private long[] message; - - public UBI(int blockSize) - { - currentBlock = new byte[blockSize]; - message = new long[currentBlock.length / 8]; - } - - public void reset(UBI ubi) - { - currentBlock = Arrays.clone(ubi.currentBlock, currentBlock); - currentOffset = ubi.currentOffset; - message = Arrays.clone(ubi.message, this.message); - tweak.reset(ubi.tweak); - } - - public void reset(int type) - { - tweak.reset(); - tweak.setType(type); - currentOffset = 0; - } - - public void update(byte[] value, int offset, int len, long[] output) - { - /* - * Buffer complete blocks for the underlying Threefish cipher, only flushing when there - * are subsequent bytes (last block must be processed in doFinal() with final=true set). - */ - int copied = 0; - while (len > copied) - { - if (currentOffset == currentBlock.length) - { - processBlock(output); - tweak.setFirst(false); - currentOffset = 0; - } - - int toCopy = Math.min((len - copied), currentBlock.length - currentOffset); - System.arraycopy(value, offset + copied, currentBlock, currentOffset, toCopy); - copied += toCopy; - currentOffset += toCopy; - tweak.advancePosition(toCopy); - } - } - - private void processBlock(long[] output) - { - threefish.init(true, chain, tweak.getWords()); - for (int i = 0; i < message.length; i++) - { - message[i] = ThreefishEngine.bytesToWord(currentBlock, i * 8); - } - - threefish.processBlock(message, output); - - for (int i = 0; i < output.length; i++) - { - output[i] ^= message[i]; - } - } - - public void doFinal(long[] output) - { - // Pad remainder of current block with zeroes - for (int i = currentOffset; i < currentBlock.length; i++) - { - currentBlock[i] = 0; - } - - tweak.setFinal(true); - processBlock(output); - } - - } - - /** - * Underlying Threefish tweakable block cipher - */ - final ThreefishEngine threefish; - - /** - * Size of the digest output, in bytes - */ - private final int outputSizeBytes; - - /** - * The current chaining/state value - */ - long[] chain; - - /** - * The initial state value - */ - private long[] initialState; - - /** - * The (optional) key parameter - */ - private byte[] key; - - /** - * Parameters to apply prior to the message - */ - private Parameter[] preMessageParameters; - - /** - * Parameters to apply after the message, but prior to output - */ - private Parameter[] postMessageParameters; - - /** - * The current UBI operation - */ - private final UBI ubi; - - /** - * Buffer for single byte update method - */ - private final byte[] singleByte = new byte[1]; - - /** - * Constructs a Skein engine. - * - * @param blockSizeBits the internal state size in bits - one of {@link #SKEIN_256}, {@link #SKEIN_512} or - * {@link #SKEIN_1024}. - * @param outputSizeBits the output/digest size to produce in bits, which must be an integral number of - * bytes. - */ - public SkeinEngine(int blockSizeBits, int outputSizeBits) - { - if (outputSizeBits % 8 != 0) - { - throw new IllegalArgumentException("Output size must be a multiple of 8 bits. :" + outputSizeBits); - } - // TODO: Prevent digest sizes > block size? - this.outputSizeBytes = outputSizeBits / 8; - - this.threefish = new ThreefishEngine(blockSizeBits); - this.ubi = new UBI(threefish.getBlockSize()); - } - - /** - * Creates a SkeinEngine as an exact copy of an existing instance. - */ - public SkeinEngine(SkeinEngine engine) - { - this(engine.getBlockSize() * 8, engine.getOutputSize() * 8); - copyIn(engine); - } - - private void copyIn(SkeinEngine engine) - { - this.ubi.reset(engine.ubi); - this.chain = Arrays.clone(engine.chain, this.chain); - this.initialState = Arrays.clone(engine.initialState, this.initialState); - this.key = Arrays.clone(engine.key, this.key); - this.preMessageParameters = clone(engine.preMessageParameters, this.preMessageParameters); - this.postMessageParameters = clone(engine.postMessageParameters, this.postMessageParameters); - } - - private static Parameter[] clone(Parameter[] data, Parameter[] existing) - { - if (data == null) - { - return null; - } - if ((existing == null) || (existing.length != data.length)) - { - existing = new Parameter[data.length]; - } - System.arraycopy(data, 0, existing, 0, existing.length); - return existing; - } - - public Memoable copy() - { - return new SkeinEngine(this); - } - - public void reset(Memoable other) - { - SkeinEngine s = (SkeinEngine)other; - if ((getBlockSize() != s.getBlockSize()) || (outputSizeBytes != s.outputSizeBytes)) - { - throw new IllegalArgumentException("Incompatible parameters in provided SkeinEngine."); - } - copyIn(s); - } - - public int getOutputSize() - { - return outputSizeBytes; - } - - public int getBlockSize() - { - return threefish.getBlockSize(); - } - - /** - * Initialises the Skein engine with the provided parameters. See {@link SkeinParameters} for - * details on the parameterisation of the Skein hash function. - * - * @param params the parameters to apply to this engine, or <code>null</code> to use no parameters. - */ - public void init(SkeinParameters params) - { - this.chain = null; - this.key = null; - this.preMessageParameters = null; - this.postMessageParameters = null; - - if (params != null) - { - byte[] key = params.getKey(); - if (key.length < 16) - { - throw new IllegalArgumentException("Skein key must be at least 128 bits."); - } - initParams(params.getParameters()); - } - createInitialState(); - - // Initialise message block - ubiInit(PARAM_TYPE_MESSAGE); - } - - private void initParams(Hashtable parameters) - { - Enumeration keys = parameters.keys(); - final Vector pre = new Vector(); - final Vector post = new Vector(); - - while (keys.hasMoreElements()) - { - Integer type = (Integer)keys.nextElement(); - byte[] value = (byte[])parameters.get(type); - - if (type.intValue() == PARAM_TYPE_KEY) - { - this.key = value; - } - else if (type.intValue() < PARAM_TYPE_MESSAGE) - { - pre.addElement(new Parameter(type.intValue(), value)); - } - else - { - post.addElement(new Parameter(type.intValue(), value)); - } - } - preMessageParameters = new Parameter[pre.size()]; - pre.copyInto(preMessageParameters); - sort(preMessageParameters); - - postMessageParameters = new Parameter[post.size()]; - post.copyInto(postMessageParameters); - sort(postMessageParameters); - } - - private static void sort(Parameter[] params) - { - if (params == null) - { - return; - } - // Insertion sort, for Java 1.1 compatibility - for (int i = 1; i < params.length; i++) - { - Parameter param = params[i]; - int hole = i; - while (hole > 0 && param.getType() < params[hole - 1].getType()) - { - params[hole] = params[hole - 1]; - hole = hole - 1; - } - params[hole] = param; - } - } - - /** - * Calculate the initial (pre message block) chaining state. - */ - private void createInitialState() - { - long[] precalc = (long[])INITIAL_STATES.get(variantIdentifier(getBlockSize(), getOutputSize())); - if ((key == null) && (precalc != null)) - { - // Precalculated UBI(CFG) - chain = Arrays.clone(precalc); - } - else - { - // Blank initial state - chain = new long[getBlockSize() / 8]; - - // Process key block - if (key != null) - { - ubiComplete(SkeinParameters.PARAM_TYPE_KEY, key); - } - - // Process configuration block - ubiComplete(PARAM_TYPE_CONFIG, new Configuration(outputSizeBytes * 8).getBytes()); - } - - // Process additional pre-message parameters - if (preMessageParameters != null) - { - for (int i = 0; i < preMessageParameters.length; i++) - { - Parameter param = preMessageParameters[i]; - ubiComplete(param.getType(), param.getValue()); - } - } - initialState = Arrays.clone(chain); - } - - /** - * Reset the engine to the initial state (with the key and any pre-message parameters , ready to - * accept message input. - */ - public void reset() - { - System.arraycopy(initialState, 0, chain, 0, chain.length); - - ubiInit(PARAM_TYPE_MESSAGE); - } - - private void ubiComplete(int type, byte[] value) - { - ubiInit(type); - this.ubi.update(value, 0, value.length, chain); - ubiFinal(); - } - - private void ubiInit(int type) - { - this.ubi.reset(type); - } - - private void ubiFinal() - { - ubi.doFinal(chain); - } - - private void checkInitialised() - { - if (this.ubi == null) - { - throw new IllegalArgumentException("Skein engine is not initialised."); - } - } - - public void update(byte in) - { - singleByte[0] = in; - update(singleByte, 0, 1); - } - - public void update(byte[] in, int inOff, int len) - { - checkInitialised(); - ubi.update(in, inOff, len, chain); - } - - public int doFinal(byte[] out, int outOff) - { - checkInitialised(); - if (out.length < (outOff + outputSizeBytes)) - { - throw new DataLengthException("Output buffer is too short to hold output of " + outputSizeBytes + " bytes"); - } - - // Finalise message block - ubiFinal(); - - // Process additional post-message parameters - if (postMessageParameters != null) - { - for (int i = 0; i < postMessageParameters.length; i++) - { - Parameter param = postMessageParameters[i]; - ubiComplete(param.getType(), param.getValue()); - } - } - - // Perform the output transform - final int blockSize = getBlockSize(); - final int blocksRequired = ((outputSizeBytes + blockSize - 1) / blockSize); - for (int i = 0; i < blocksRequired; i++) - { - final int toWrite = Math.min(blockSize, outputSizeBytes - (i * blockSize)); - output(i, out, outOff + (i * blockSize), toWrite); - } - - reset(); - - return outputSizeBytes; - } - - private void output(long outputSequence, byte[] out, int outOff, int outputBytes) - { - byte[] currentBytes = new byte[8]; - ThreefishEngine.wordToBytes(outputSequence, currentBytes, 0); - - // Output is a sequence of UBI invocations all of which use and preserve the pre-output - // state - long[] outputWords = new long[chain.length]; - ubiInit(PARAM_TYPE_OUTPUT); - this.ubi.update(currentBytes, 0, currentBytes.length, outputWords); - ubi.doFinal(outputWords); - - final int wordsRequired = ((outputBytes + 8 - 1) / 8); - for (int i = 0; i < wordsRequired; i++) - { - int toWrite = Math.min(8, outputBytes - (i * 8)); - if (toWrite == 8) - { - ThreefishEngine.wordToBytes(outputWords[i], out, outOff + (i * 8)); - } - else - { - ThreefishEngine.wordToBytes(outputWords[i], currentBytes, 0); - System.arraycopy(currentBytes, 0, out, outOff + (i * 8), toWrite); - } - } - } - -} diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/TigerDigest.java b/core/src/main/java/org/bouncycastle/crypto/digests/TigerDigest.java deleted file mode 100644 index 2899e305..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/digests/TigerDigest.java +++ /dev/null @@ -1,879 +0,0 @@ -package org.bouncycastle.crypto.digests; - -import org.bouncycastle.crypto.ExtendedDigest; -import org.bouncycastle.util.Memoable; - -/** - * implementation of Tiger based on: - * <a href="http://www.cs.technion.ac.il/~biham/Reports/Tiger"> - * http://www.cs.technion.ac.il/~biham/Reports/Tiger</a> - */ -public class TigerDigest - implements ExtendedDigest, Memoable -{ - private static final int BYTE_LENGTH = 64; - - /* - * S-Boxes. - */ - private static final long[] t1 = { - 0x02AAB17CF7E90C5EL /* 0 */, 0xAC424B03E243A8ECL /* 1 */, - 0x72CD5BE30DD5FCD3L /* 2 */, 0x6D019B93F6F97F3AL /* 3 */, - 0xCD9978FFD21F9193L /* 4 */, 0x7573A1C9708029E2L /* 5 */, - 0xB164326B922A83C3L /* 6 */, 0x46883EEE04915870L /* 7 */, - 0xEAACE3057103ECE6L /* 8 */, 0xC54169B808A3535CL /* 9 */, - 0x4CE754918DDEC47CL /* 10 */, 0x0AA2F4DFDC0DF40CL /* 11 */, - 0x10B76F18A74DBEFAL /* 12 */, 0xC6CCB6235AD1AB6AL /* 13 */, - 0x13726121572FE2FFL /* 14 */, 0x1A488C6F199D921EL /* 15 */, - 0x4BC9F9F4DA0007CAL /* 16 */, 0x26F5E6F6E85241C7L /* 17 */, - 0x859079DBEA5947B6L /* 18 */, 0x4F1885C5C99E8C92L /* 19 */, - 0xD78E761EA96F864BL /* 20 */, 0x8E36428C52B5C17DL /* 21 */, - 0x69CF6827373063C1L /* 22 */, 0xB607C93D9BB4C56EL /* 23 */, - 0x7D820E760E76B5EAL /* 24 */, 0x645C9CC6F07FDC42L /* 25 */, - 0xBF38A078243342E0L /* 26 */, 0x5F6B343C9D2E7D04L /* 27 */, - 0xF2C28AEB600B0EC6L /* 28 */, 0x6C0ED85F7254BCACL /* 29 */, - 0x71592281A4DB4FE5L /* 30 */, 0x1967FA69CE0FED9FL /* 31 */, - 0xFD5293F8B96545DBL /* 32 */, 0xC879E9D7F2A7600BL /* 33 */, - 0x860248920193194EL /* 34 */, 0xA4F9533B2D9CC0B3L /* 35 */, - 0x9053836C15957613L /* 36 */, 0xDB6DCF8AFC357BF1L /* 37 */, - 0x18BEEA7A7A370F57L /* 38 */, 0x037117CA50B99066L /* 39 */, - 0x6AB30A9774424A35L /* 40 */, 0xF4E92F02E325249BL /* 41 */, - 0x7739DB07061CCAE1L /* 42 */, 0xD8F3B49CECA42A05L /* 43 */, - 0xBD56BE3F51382F73L /* 44 */, 0x45FAED5843B0BB28L /* 45 */, - 0x1C813D5C11BF1F83L /* 46 */, 0x8AF0E4B6D75FA169L /* 47 */, - 0x33EE18A487AD9999L /* 48 */, 0x3C26E8EAB1C94410L /* 49 */, - 0xB510102BC0A822F9L /* 50 */, 0x141EEF310CE6123BL /* 51 */, - 0xFC65B90059DDB154L /* 52 */, 0xE0158640C5E0E607L /* 53 */, - 0x884E079826C3A3CFL /* 54 */, 0x930D0D9523C535FDL /* 55 */, - 0x35638D754E9A2B00L /* 56 */, 0x4085FCCF40469DD5L /* 57 */, - 0xC4B17AD28BE23A4CL /* 58 */, 0xCAB2F0FC6A3E6A2EL /* 59 */, - 0x2860971A6B943FCDL /* 60 */, 0x3DDE6EE212E30446L /* 61 */, - 0x6222F32AE01765AEL /* 62 */, 0x5D550BB5478308FEL /* 63 */, - 0xA9EFA98DA0EDA22AL /* 64 */, 0xC351A71686C40DA7L /* 65 */, - 0x1105586D9C867C84L /* 66 */, 0xDCFFEE85FDA22853L /* 67 */, - 0xCCFBD0262C5EEF76L /* 68 */, 0xBAF294CB8990D201L /* 69 */, - 0xE69464F52AFAD975L /* 70 */, 0x94B013AFDF133E14L /* 71 */, - 0x06A7D1A32823C958L /* 72 */, 0x6F95FE5130F61119L /* 73 */, - 0xD92AB34E462C06C0L /* 74 */, 0xED7BDE33887C71D2L /* 75 */, - 0x79746D6E6518393EL /* 76 */, 0x5BA419385D713329L /* 77 */, - 0x7C1BA6B948A97564L /* 78 */, 0x31987C197BFDAC67L /* 79 */, - 0xDE6C23C44B053D02L /* 80 */, 0x581C49FED002D64DL /* 81 */, - 0xDD474D6338261571L /* 82 */, 0xAA4546C3E473D062L /* 83 */, - 0x928FCE349455F860L /* 84 */, 0x48161BBACAAB94D9L /* 85 */, - 0x63912430770E6F68L /* 86 */, 0x6EC8A5E602C6641CL /* 87 */, - 0x87282515337DDD2BL /* 88 */, 0x2CDA6B42034B701BL /* 89 */, - 0xB03D37C181CB096DL /* 90 */, 0xE108438266C71C6FL /* 91 */, - 0x2B3180C7EB51B255L /* 92 */, 0xDF92B82F96C08BBCL /* 93 */, - 0x5C68C8C0A632F3BAL /* 94 */, 0x5504CC861C3D0556L /* 95 */, - 0xABBFA4E55FB26B8FL /* 96 */, 0x41848B0AB3BACEB4L /* 97 */, - 0xB334A273AA445D32L /* 98 */, 0xBCA696F0A85AD881L /* 99 */, - 0x24F6EC65B528D56CL /* 100 */, 0x0CE1512E90F4524AL /* 101 */, - 0x4E9DD79D5506D35AL /* 102 */, 0x258905FAC6CE9779L /* 103 */, - 0x2019295B3E109B33L /* 104 */, 0xF8A9478B73A054CCL /* 105 */, - 0x2924F2F934417EB0L /* 106 */, 0x3993357D536D1BC4L /* 107 */, - 0x38A81AC21DB6FF8BL /* 108 */, 0x47C4FBF17D6016BFL /* 109 */, - 0x1E0FAADD7667E3F5L /* 110 */, 0x7ABCFF62938BEB96L /* 111 */, - 0xA78DAD948FC179C9L /* 112 */, 0x8F1F98B72911E50DL /* 113 */, - 0x61E48EAE27121A91L /* 114 */, 0x4D62F7AD31859808L /* 115 */, - 0xECEBA345EF5CEAEBL /* 116 */, 0xF5CEB25EBC9684CEL /* 117 */, - 0xF633E20CB7F76221L /* 118 */, 0xA32CDF06AB8293E4L /* 119 */, - 0x985A202CA5EE2CA4L /* 120 */, 0xCF0B8447CC8A8FB1L /* 121 */, - 0x9F765244979859A3L /* 122 */, 0xA8D516B1A1240017L /* 123 */, - 0x0BD7BA3EBB5DC726L /* 124 */, 0xE54BCA55B86ADB39L /* 125 */, - 0x1D7A3AFD6C478063L /* 126 */, 0x519EC608E7669EDDL /* 127 */, - 0x0E5715A2D149AA23L /* 128 */, 0x177D4571848FF194L /* 129 */, - 0xEEB55F3241014C22L /* 130 */, 0x0F5E5CA13A6E2EC2L /* 131 */, - 0x8029927B75F5C361L /* 132 */, 0xAD139FABC3D6E436L /* 133 */, - 0x0D5DF1A94CCF402FL /* 134 */, 0x3E8BD948BEA5DFC8L /* 135 */, - 0xA5A0D357BD3FF77EL /* 136 */, 0xA2D12E251F74F645L /* 137 */, - 0x66FD9E525E81A082L /* 138 */, 0x2E0C90CE7F687A49L /* 139 */, - 0xC2E8BCBEBA973BC5L /* 140 */, 0x000001BCE509745FL /* 141 */, - 0x423777BBE6DAB3D6L /* 142 */, 0xD1661C7EAEF06EB5L /* 143 */, - 0xA1781F354DAACFD8L /* 144 */, 0x2D11284A2B16AFFCL /* 145 */, - 0xF1FC4F67FA891D1FL /* 146 */, 0x73ECC25DCB920ADAL /* 147 */, - 0xAE610C22C2A12651L /* 148 */, 0x96E0A810D356B78AL /* 149 */, - 0x5A9A381F2FE7870FL /* 150 */, 0xD5AD62EDE94E5530L /* 151 */, - 0xD225E5E8368D1427L /* 152 */, 0x65977B70C7AF4631L /* 153 */, - 0x99F889B2DE39D74FL /* 154 */, 0x233F30BF54E1D143L /* 155 */, - 0x9A9675D3D9A63C97L /* 156 */, 0x5470554FF334F9A8L /* 157 */, - 0x166ACB744A4F5688L /* 158 */, 0x70C74CAAB2E4AEADL /* 159 */, - 0xF0D091646F294D12L /* 160 */, 0x57B82A89684031D1L /* 161 */, - 0xEFD95A5A61BE0B6BL /* 162 */, 0x2FBD12E969F2F29AL /* 163 */, - 0x9BD37013FEFF9FE8L /* 164 */, 0x3F9B0404D6085A06L /* 165 */, - 0x4940C1F3166CFE15L /* 166 */, 0x09542C4DCDF3DEFBL /* 167 */, - 0xB4C5218385CD5CE3L /* 168 */, 0xC935B7DC4462A641L /* 169 */, - 0x3417F8A68ED3B63FL /* 170 */, 0xB80959295B215B40L /* 171 */, - 0xF99CDAEF3B8C8572L /* 172 */, 0x018C0614F8FCB95DL /* 173 */, - 0x1B14ACCD1A3ACDF3L /* 174 */, 0x84D471F200BB732DL /* 175 */, - 0xC1A3110E95E8DA16L /* 176 */, 0x430A7220BF1A82B8L /* 177 */, - 0xB77E090D39DF210EL /* 178 */, 0x5EF4BD9F3CD05E9DL /* 179 */, - 0x9D4FF6DA7E57A444L /* 180 */, 0xDA1D60E183D4A5F8L /* 181 */, - 0xB287C38417998E47L /* 182 */, 0xFE3EDC121BB31886L /* 183 */, - 0xC7FE3CCC980CCBEFL /* 184 */, 0xE46FB590189BFD03L /* 185 */, - 0x3732FD469A4C57DCL /* 186 */, 0x7EF700A07CF1AD65L /* 187 */, - 0x59C64468A31D8859L /* 188 */, 0x762FB0B4D45B61F6L /* 189 */, - 0x155BAED099047718L /* 190 */, 0x68755E4C3D50BAA6L /* 191 */, - 0xE9214E7F22D8B4DFL /* 192 */, 0x2ADDBF532EAC95F4L /* 193 */, - 0x32AE3909B4BD0109L /* 194 */, 0x834DF537B08E3450L /* 195 */, - 0xFA209DA84220728DL /* 196 */, 0x9E691D9B9EFE23F7L /* 197 */, - 0x0446D288C4AE8D7FL /* 198 */, 0x7B4CC524E169785BL /* 199 */, - 0x21D87F0135CA1385L /* 200 */, 0xCEBB400F137B8AA5L /* 201 */, - 0x272E2B66580796BEL /* 202 */, 0x3612264125C2B0DEL /* 203 */, - 0x057702BDAD1EFBB2L /* 204 */, 0xD4BABB8EACF84BE9L /* 205 */, - 0x91583139641BC67BL /* 206 */, 0x8BDC2DE08036E024L /* 207 */, - 0x603C8156F49F68EDL /* 208 */, 0xF7D236F7DBEF5111L /* 209 */, - 0x9727C4598AD21E80L /* 210 */, 0xA08A0896670A5FD7L /* 211 */, - 0xCB4A8F4309EBA9CBL /* 212 */, 0x81AF564B0F7036A1L /* 213 */, - 0xC0B99AA778199ABDL /* 214 */, 0x959F1EC83FC8E952L /* 215 */, - 0x8C505077794A81B9L /* 216 */, 0x3ACAAF8F056338F0L /* 217 */, - 0x07B43F50627A6778L /* 218 */, 0x4A44AB49F5ECCC77L /* 219 */, - 0x3BC3D6E4B679EE98L /* 220 */, 0x9CC0D4D1CF14108CL /* 221 */, - 0x4406C00B206BC8A0L /* 222 */, 0x82A18854C8D72D89L /* 223 */, - 0x67E366B35C3C432CL /* 224 */, 0xB923DD61102B37F2L /* 225 */, - 0x56AB2779D884271DL /* 226 */, 0xBE83E1B0FF1525AFL /* 227 */, - 0xFB7C65D4217E49A9L /* 228 */, 0x6BDBE0E76D48E7D4L /* 229 */, - 0x08DF828745D9179EL /* 230 */, 0x22EA6A9ADD53BD34L /* 231 */, - 0xE36E141C5622200AL /* 232 */, 0x7F805D1B8CB750EEL /* 233 */, - 0xAFE5C7A59F58E837L /* 234 */, 0xE27F996A4FB1C23CL /* 235 */, - 0xD3867DFB0775F0D0L /* 236 */, 0xD0E673DE6E88891AL /* 237 */, - 0x123AEB9EAFB86C25L /* 238 */, 0x30F1D5D5C145B895L /* 239 */, - 0xBB434A2DEE7269E7L /* 240 */, 0x78CB67ECF931FA38L /* 241 */, - 0xF33B0372323BBF9CL /* 242 */, 0x52D66336FB279C74L /* 243 */, - 0x505F33AC0AFB4EAAL /* 244 */, 0xE8A5CD99A2CCE187L /* 245 */, - 0x534974801E2D30BBL /* 246 */, 0x8D2D5711D5876D90L /* 247 */, - 0x1F1A412891BC038EL /* 248 */, 0xD6E2E71D82E56648L /* 249 */, - 0x74036C3A497732B7L /* 250 */, 0x89B67ED96361F5ABL /* 251 */, - 0xFFED95D8F1EA02A2L /* 252 */, 0xE72B3BD61464D43DL /* 253 */, - 0xA6300F170BDC4820L /* 254 */, 0xEBC18760ED78A77AL /* 255 */, - }; - - private static final long[] t2 = { - 0xE6A6BE5A05A12138L /* 256 */, 0xB5A122A5B4F87C98L /* 257 */, - 0x563C6089140B6990L /* 258 */, 0x4C46CB2E391F5DD5L /* 259 */, - 0xD932ADDBC9B79434L /* 260 */, 0x08EA70E42015AFF5L /* 261 */, - 0xD765A6673E478CF1L /* 262 */, 0xC4FB757EAB278D99L /* 263 */, - 0xDF11C6862D6E0692L /* 264 */, 0xDDEB84F10D7F3B16L /* 265 */, - 0x6F2EF604A665EA04L /* 266 */, 0x4A8E0F0FF0E0DFB3L /* 267 */, - 0xA5EDEEF83DBCBA51L /* 268 */, 0xFC4F0A2A0EA4371EL /* 269 */, - 0xE83E1DA85CB38429L /* 270 */, 0xDC8FF882BA1B1CE2L /* 271 */, - 0xCD45505E8353E80DL /* 272 */, 0x18D19A00D4DB0717L /* 273 */, - 0x34A0CFEDA5F38101L /* 274 */, 0x0BE77E518887CAF2L /* 275 */, - 0x1E341438B3C45136L /* 276 */, 0xE05797F49089CCF9L /* 277 */, - 0xFFD23F9DF2591D14L /* 278 */, 0x543DDA228595C5CDL /* 279 */, - 0x661F81FD99052A33L /* 280 */, 0x8736E641DB0F7B76L /* 281 */, - 0x15227725418E5307L /* 282 */, 0xE25F7F46162EB2FAL /* 283 */, - 0x48A8B2126C13D9FEL /* 284 */, 0xAFDC541792E76EEAL /* 285 */, - 0x03D912BFC6D1898FL /* 286 */, 0x31B1AAFA1B83F51BL /* 287 */, - 0xF1AC2796E42AB7D9L /* 288 */, 0x40A3A7D7FCD2EBACL /* 289 */, - 0x1056136D0AFBBCC5L /* 290 */, 0x7889E1DD9A6D0C85L /* 291 */, - 0xD33525782A7974AAL /* 292 */, 0xA7E25D09078AC09BL /* 293 */, - 0xBD4138B3EAC6EDD0L /* 294 */, 0x920ABFBE71EB9E70L /* 295 */, - 0xA2A5D0F54FC2625CL /* 296 */, 0xC054E36B0B1290A3L /* 297 */, - 0xF6DD59FF62FE932BL /* 298 */, 0x3537354511A8AC7DL /* 299 */, - 0xCA845E9172FADCD4L /* 300 */, 0x84F82B60329D20DCL /* 301 */, - 0x79C62CE1CD672F18L /* 302 */, 0x8B09A2ADD124642CL /* 303 */, - 0xD0C1E96A19D9E726L /* 304 */, 0x5A786A9B4BA9500CL /* 305 */, - 0x0E020336634C43F3L /* 306 */, 0xC17B474AEB66D822L /* 307 */, - 0x6A731AE3EC9BAAC2L /* 308 */, 0x8226667AE0840258L /* 309 */, - 0x67D4567691CAECA5L /* 310 */, 0x1D94155C4875ADB5L /* 311 */, - 0x6D00FD985B813FDFL /* 312 */, 0x51286EFCB774CD06L /* 313 */, - 0x5E8834471FA744AFL /* 314 */, 0xF72CA0AEE761AE2EL /* 315 */, - 0xBE40E4CDAEE8E09AL /* 316 */, 0xE9970BBB5118F665L /* 317 */, - 0x726E4BEB33DF1964L /* 318 */, 0x703B000729199762L /* 319 */, - 0x4631D816F5EF30A7L /* 320 */, 0xB880B5B51504A6BEL /* 321 */, - 0x641793C37ED84B6CL /* 322 */, 0x7B21ED77F6E97D96L /* 323 */, - 0x776306312EF96B73L /* 324 */, 0xAE528948E86FF3F4L /* 325 */, - 0x53DBD7F286A3F8F8L /* 326 */, 0x16CADCE74CFC1063L /* 327 */, - 0x005C19BDFA52C6DDL /* 328 */, 0x68868F5D64D46AD3L /* 329 */, - 0x3A9D512CCF1E186AL /* 330 */, 0x367E62C2385660AEL /* 331 */, - 0xE359E7EA77DCB1D7L /* 332 */, 0x526C0773749ABE6EL /* 333 */, - 0x735AE5F9D09F734BL /* 334 */, 0x493FC7CC8A558BA8L /* 335 */, - 0xB0B9C1533041AB45L /* 336 */, 0x321958BA470A59BDL /* 337 */, - 0x852DB00B5F46C393L /* 338 */, 0x91209B2BD336B0E5L /* 339 */, - 0x6E604F7D659EF19FL /* 340 */, 0xB99A8AE2782CCB24L /* 341 */, - 0xCCF52AB6C814C4C7L /* 342 */, 0x4727D9AFBE11727BL /* 343 */, - 0x7E950D0C0121B34DL /* 344 */, 0x756F435670AD471FL /* 345 */, - 0xF5ADD442615A6849L /* 346 */, 0x4E87E09980B9957AL /* 347 */, - 0x2ACFA1DF50AEE355L /* 348 */, 0xD898263AFD2FD556L /* 349 */, - 0xC8F4924DD80C8FD6L /* 350 */, 0xCF99CA3D754A173AL /* 351 */, - 0xFE477BACAF91BF3CL /* 352 */, 0xED5371F6D690C12DL /* 353 */, - 0x831A5C285E687094L /* 354 */, 0xC5D3C90A3708A0A4L /* 355 */, - 0x0F7F903717D06580L /* 356 */, 0x19F9BB13B8FDF27FL /* 357 */, - 0xB1BD6F1B4D502843L /* 358 */, 0x1C761BA38FFF4012L /* 359 */, - 0x0D1530C4E2E21F3BL /* 360 */, 0x8943CE69A7372C8AL /* 361 */, - 0xE5184E11FEB5CE66L /* 362 */, 0x618BDB80BD736621L /* 363 */, - 0x7D29BAD68B574D0BL /* 364 */, 0x81BB613E25E6FE5BL /* 365 */, - 0x071C9C10BC07913FL /* 366 */, 0xC7BEEB7909AC2D97L /* 367 */, - 0xC3E58D353BC5D757L /* 368 */, 0xEB017892F38F61E8L /* 369 */, - 0xD4EFFB9C9B1CC21AL /* 370 */, 0x99727D26F494F7ABL /* 371 */, - 0xA3E063A2956B3E03L /* 372 */, 0x9D4A8B9A4AA09C30L /* 373 */, - 0x3F6AB7D500090FB4L /* 374 */, 0x9CC0F2A057268AC0L /* 375 */, - 0x3DEE9D2DEDBF42D1L /* 376 */, 0x330F49C87960A972L /* 377 */, - 0xC6B2720287421B41L /* 378 */, 0x0AC59EC07C00369CL /* 379 */, - 0xEF4EAC49CB353425L /* 380 */, 0xF450244EEF0129D8L /* 381 */, - 0x8ACC46E5CAF4DEB6L /* 382 */, 0x2FFEAB63989263F7L /* 383 */, - 0x8F7CB9FE5D7A4578L /* 384 */, 0x5BD8F7644E634635L /* 385 */, - 0x427A7315BF2DC900L /* 386 */, 0x17D0C4AA2125261CL /* 387 */, - 0x3992486C93518E50L /* 388 */, 0xB4CBFEE0A2D7D4C3L /* 389 */, - 0x7C75D6202C5DDD8DL /* 390 */, 0xDBC295D8E35B6C61L /* 391 */, - 0x60B369D302032B19L /* 392 */, 0xCE42685FDCE44132L /* 393 */, - 0x06F3DDB9DDF65610L /* 394 */, 0x8EA4D21DB5E148F0L /* 395 */, - 0x20B0FCE62FCD496FL /* 396 */, 0x2C1B912358B0EE31L /* 397 */, - 0xB28317B818F5A308L /* 398 */, 0xA89C1E189CA6D2CFL /* 399 */, - 0x0C6B18576AAADBC8L /* 400 */, 0xB65DEAA91299FAE3L /* 401 */, - 0xFB2B794B7F1027E7L /* 402 */, 0x04E4317F443B5BEBL /* 403 */, - 0x4B852D325939D0A6L /* 404 */, 0xD5AE6BEEFB207FFCL /* 405 */, - 0x309682B281C7D374L /* 406 */, 0xBAE309A194C3B475L /* 407 */, - 0x8CC3F97B13B49F05L /* 408 */, 0x98A9422FF8293967L /* 409 */, - 0x244B16B01076FF7CL /* 410 */, 0xF8BF571C663D67EEL /* 411 */, - 0x1F0D6758EEE30DA1L /* 412 */, 0xC9B611D97ADEB9B7L /* 413 */, - 0xB7AFD5887B6C57A2L /* 414 */, 0x6290AE846B984FE1L /* 415 */, - 0x94DF4CDEACC1A5FDL /* 416 */, 0x058A5BD1C5483AFFL /* 417 */, - 0x63166CC142BA3C37L /* 418 */, 0x8DB8526EB2F76F40L /* 419 */, - 0xE10880036F0D6D4EL /* 420 */, 0x9E0523C9971D311DL /* 421 */, - 0x45EC2824CC7CD691L /* 422 */, 0x575B8359E62382C9L /* 423 */, - 0xFA9E400DC4889995L /* 424 */, 0xD1823ECB45721568L /* 425 */, - 0xDAFD983B8206082FL /* 426 */, 0xAA7D29082386A8CBL /* 427 */, - 0x269FCD4403B87588L /* 428 */, 0x1B91F5F728BDD1E0L /* 429 */, - 0xE4669F39040201F6L /* 430 */, 0x7A1D7C218CF04ADEL /* 431 */, - 0x65623C29D79CE5CEL /* 432 */, 0x2368449096C00BB1L /* 433 */, - 0xAB9BF1879DA503BAL /* 434 */, 0xBC23ECB1A458058EL /* 435 */, - 0x9A58DF01BB401ECCL /* 436 */, 0xA070E868A85F143DL /* 437 */, - 0x4FF188307DF2239EL /* 438 */, 0x14D565B41A641183L /* 439 */, - 0xEE13337452701602L /* 440 */, 0x950E3DCF3F285E09L /* 441 */, - 0x59930254B9C80953L /* 442 */, 0x3BF299408930DA6DL /* 443 */, - 0xA955943F53691387L /* 444 */, 0xA15EDECAA9CB8784L /* 445 */, - 0x29142127352BE9A0L /* 446 */, 0x76F0371FFF4E7AFBL /* 447 */, - 0x0239F450274F2228L /* 448 */, 0xBB073AF01D5E868BL /* 449 */, - 0xBFC80571C10E96C1L /* 450 */, 0xD267088568222E23L /* 451 */, - 0x9671A3D48E80B5B0L /* 452 */, 0x55B5D38AE193BB81L /* 453 */, - 0x693AE2D0A18B04B8L /* 454 */, 0x5C48B4ECADD5335FL /* 455 */, - 0xFD743B194916A1CAL /* 456 */, 0x2577018134BE98C4L /* 457 */, - 0xE77987E83C54A4ADL /* 458 */, 0x28E11014DA33E1B9L /* 459 */, - 0x270CC59E226AA213L /* 460 */, 0x71495F756D1A5F60L /* 461 */, - 0x9BE853FB60AFEF77L /* 462 */, 0xADC786A7F7443DBFL /* 463 */, - 0x0904456173B29A82L /* 464 */, 0x58BC7A66C232BD5EL /* 465 */, - 0xF306558C673AC8B2L /* 466 */, 0x41F639C6B6C9772AL /* 467 */, - 0x216DEFE99FDA35DAL /* 468 */, 0x11640CC71C7BE615L /* 469 */, - 0x93C43694565C5527L /* 470 */, 0xEA038E6246777839L /* 471 */, - 0xF9ABF3CE5A3E2469L /* 472 */, 0x741E768D0FD312D2L /* 473 */, - 0x0144B883CED652C6L /* 474 */, 0xC20B5A5BA33F8552L /* 475 */, - 0x1AE69633C3435A9DL /* 476 */, 0x97A28CA4088CFDECL /* 477 */, - 0x8824A43C1E96F420L /* 478 */, 0x37612FA66EEEA746L /* 479 */, - 0x6B4CB165F9CF0E5AL /* 480 */, 0x43AA1C06A0ABFB4AL /* 481 */, - 0x7F4DC26FF162796BL /* 482 */, 0x6CBACC8E54ED9B0FL /* 483 */, - 0xA6B7FFEFD2BB253EL /* 484 */, 0x2E25BC95B0A29D4FL /* 485 */, - 0x86D6A58BDEF1388CL /* 486 */, 0xDED74AC576B6F054L /* 487 */, - 0x8030BDBC2B45805DL /* 488 */, 0x3C81AF70E94D9289L /* 489 */, - 0x3EFF6DDA9E3100DBL /* 490 */, 0xB38DC39FDFCC8847L /* 491 */, - 0x123885528D17B87EL /* 492 */, 0xF2DA0ED240B1B642L /* 493 */, - 0x44CEFADCD54BF9A9L /* 494 */, 0x1312200E433C7EE6L /* 495 */, - 0x9FFCC84F3A78C748L /* 496 */, 0xF0CD1F72248576BBL /* 497 */, - 0xEC6974053638CFE4L /* 498 */, 0x2BA7B67C0CEC4E4CL /* 499 */, - 0xAC2F4DF3E5CE32EDL /* 500 */, 0xCB33D14326EA4C11L /* 501 */, - 0xA4E9044CC77E58BCL /* 502 */, 0x5F513293D934FCEFL /* 503 */, - 0x5DC9645506E55444L /* 504 */, 0x50DE418F317DE40AL /* 505 */, - 0x388CB31A69DDE259L /* 506 */, 0x2DB4A83455820A86L /* 507 */, - 0x9010A91E84711AE9L /* 508 */, 0x4DF7F0B7B1498371L /* 509 */, - 0xD62A2EABC0977179L /* 510 */, 0x22FAC097AA8D5C0EL /* 511 */, - }; - - private static final long[] t3 = { - 0xF49FCC2FF1DAF39BL /* 512 */, 0x487FD5C66FF29281L /* 513 */, - 0xE8A30667FCDCA83FL /* 514 */, 0x2C9B4BE3D2FCCE63L /* 515 */, - 0xDA3FF74B93FBBBC2L /* 516 */, 0x2FA165D2FE70BA66L /* 517 */, - 0xA103E279970E93D4L /* 518 */, 0xBECDEC77B0E45E71L /* 519 */, - 0xCFB41E723985E497L /* 520 */, 0xB70AAA025EF75017L /* 521 */, - 0xD42309F03840B8E0L /* 522 */, 0x8EFC1AD035898579L /* 523 */, - 0x96C6920BE2B2ABC5L /* 524 */, 0x66AF4163375A9172L /* 525 */, - 0x2174ABDCCA7127FBL /* 526 */, 0xB33CCEA64A72FF41L /* 527 */, - 0xF04A4933083066A5L /* 528 */, 0x8D970ACDD7289AF5L /* 529 */, - 0x8F96E8E031C8C25EL /* 530 */, 0xF3FEC02276875D47L /* 531 */, - 0xEC7BF310056190DDL /* 532 */, 0xF5ADB0AEBB0F1491L /* 533 */, - 0x9B50F8850FD58892L /* 534 */, 0x4975488358B74DE8L /* 535 */, - 0xA3354FF691531C61L /* 536 */, 0x0702BBE481D2C6EEL /* 537 */, - 0x89FB24057DEDED98L /* 538 */, 0xAC3075138596E902L /* 539 */, - 0x1D2D3580172772EDL /* 540 */, 0xEB738FC28E6BC30DL /* 541 */, - 0x5854EF8F63044326L /* 542 */, 0x9E5C52325ADD3BBEL /* 543 */, - 0x90AA53CF325C4623L /* 544 */, 0xC1D24D51349DD067L /* 545 */, - 0x2051CFEEA69EA624L /* 546 */, 0x13220F0A862E7E4FL /* 547 */, - 0xCE39399404E04864L /* 548 */, 0xD9C42CA47086FCB7L /* 549 */, - 0x685AD2238A03E7CCL /* 550 */, 0x066484B2AB2FF1DBL /* 551 */, - 0xFE9D5D70EFBF79ECL /* 552 */, 0x5B13B9DD9C481854L /* 553 */, - 0x15F0D475ED1509ADL /* 554 */, 0x0BEBCD060EC79851L /* 555 */, - 0xD58C6791183AB7F8L /* 556 */, 0xD1187C5052F3EEE4L /* 557 */, - 0xC95D1192E54E82FFL /* 558 */, 0x86EEA14CB9AC6CA2L /* 559 */, - 0x3485BEB153677D5DL /* 560 */, 0xDD191D781F8C492AL /* 561 */, - 0xF60866BAA784EBF9L /* 562 */, 0x518F643BA2D08C74L /* 563 */, - 0x8852E956E1087C22L /* 564 */, 0xA768CB8DC410AE8DL /* 565 */, - 0x38047726BFEC8E1AL /* 566 */, 0xA67738B4CD3B45AAL /* 567 */, - 0xAD16691CEC0DDE19L /* 568 */, 0xC6D4319380462E07L /* 569 */, - 0xC5A5876D0BA61938L /* 570 */, 0x16B9FA1FA58FD840L /* 571 */, - 0x188AB1173CA74F18L /* 572 */, 0xABDA2F98C99C021FL /* 573 */, - 0x3E0580AB134AE816L /* 574 */, 0x5F3B05B773645ABBL /* 575 */, - 0x2501A2BE5575F2F6L /* 576 */, 0x1B2F74004E7E8BA9L /* 577 */, - 0x1CD7580371E8D953L /* 578 */, 0x7F6ED89562764E30L /* 579 */, - 0xB15926FF596F003DL /* 580 */, 0x9F65293DA8C5D6B9L /* 581 */, - 0x6ECEF04DD690F84CL /* 582 */, 0x4782275FFF33AF88L /* 583 */, - 0xE41433083F820801L /* 584 */, 0xFD0DFE409A1AF9B5L /* 585 */, - 0x4325A3342CDB396BL /* 586 */, 0x8AE77E62B301B252L /* 587 */, - 0xC36F9E9F6655615AL /* 588 */, 0x85455A2D92D32C09L /* 589 */, - 0xF2C7DEA949477485L /* 590 */, 0x63CFB4C133A39EBAL /* 591 */, - 0x83B040CC6EBC5462L /* 592 */, 0x3B9454C8FDB326B0L /* 593 */, - 0x56F56A9E87FFD78CL /* 594 */, 0x2DC2940D99F42BC6L /* 595 */, - 0x98F7DF096B096E2DL /* 596 */, 0x19A6E01E3AD852BFL /* 597 */, - 0x42A99CCBDBD4B40BL /* 598 */, 0xA59998AF45E9C559L /* 599 */, - 0x366295E807D93186L /* 600 */, 0x6B48181BFAA1F773L /* 601 */, - 0x1FEC57E2157A0A1DL /* 602 */, 0x4667446AF6201AD5L /* 603 */, - 0xE615EBCACFB0F075L /* 604 */, 0xB8F31F4F68290778L /* 605 */, - 0x22713ED6CE22D11EL /* 606 */, 0x3057C1A72EC3C93BL /* 607 */, - 0xCB46ACC37C3F1F2FL /* 608 */, 0xDBB893FD02AAF50EL /* 609 */, - 0x331FD92E600B9FCFL /* 610 */, 0xA498F96148EA3AD6L /* 611 */, - 0xA8D8426E8B6A83EAL /* 612 */, 0xA089B274B7735CDCL /* 613 */, - 0x87F6B3731E524A11L /* 614 */, 0x118808E5CBC96749L /* 615 */, - 0x9906E4C7B19BD394L /* 616 */, 0xAFED7F7E9B24A20CL /* 617 */, - 0x6509EADEEB3644A7L /* 618 */, 0x6C1EF1D3E8EF0EDEL /* 619 */, - 0xB9C97D43E9798FB4L /* 620 */, 0xA2F2D784740C28A3L /* 621 */, - 0x7B8496476197566FL /* 622 */, 0x7A5BE3E6B65F069DL /* 623 */, - 0xF96330ED78BE6F10L /* 624 */, 0xEEE60DE77A076A15L /* 625 */, - 0x2B4BEE4AA08B9BD0L /* 626 */, 0x6A56A63EC7B8894EL /* 627 */, - 0x02121359BA34FEF4L /* 628 */, 0x4CBF99F8283703FCL /* 629 */, - 0x398071350CAF30C8L /* 630 */, 0xD0A77A89F017687AL /* 631 */, - 0xF1C1A9EB9E423569L /* 632 */, 0x8C7976282DEE8199L /* 633 */, - 0x5D1737A5DD1F7ABDL /* 634 */, 0x4F53433C09A9FA80L /* 635 */, - 0xFA8B0C53DF7CA1D9L /* 636 */, 0x3FD9DCBC886CCB77L /* 637 */, - 0xC040917CA91B4720L /* 638 */, 0x7DD00142F9D1DCDFL /* 639 */, - 0x8476FC1D4F387B58L /* 640 */, 0x23F8E7C5F3316503L /* 641 */, - 0x032A2244E7E37339L /* 642 */, 0x5C87A5D750F5A74BL /* 643 */, - 0x082B4CC43698992EL /* 644 */, 0xDF917BECB858F63CL /* 645 */, - 0x3270B8FC5BF86DDAL /* 646 */, 0x10AE72BB29B5DD76L /* 647 */, - 0x576AC94E7700362BL /* 648 */, 0x1AD112DAC61EFB8FL /* 649 */, - 0x691BC30EC5FAA427L /* 650 */, 0xFF246311CC327143L /* 651 */, - 0x3142368E30E53206L /* 652 */, 0x71380E31E02CA396L /* 653 */, - 0x958D5C960AAD76F1L /* 654 */, 0xF8D6F430C16DA536L /* 655 */, - 0xC8FFD13F1BE7E1D2L /* 656 */, 0x7578AE66004DDBE1L /* 657 */, - 0x05833F01067BE646L /* 658 */, 0xBB34B5AD3BFE586DL /* 659 */, - 0x095F34C9A12B97F0L /* 660 */, 0x247AB64525D60CA8L /* 661 */, - 0xDCDBC6F3017477D1L /* 662 */, 0x4A2E14D4DECAD24DL /* 663 */, - 0xBDB5E6D9BE0A1EEBL /* 664 */, 0x2A7E70F7794301ABL /* 665 */, - 0xDEF42D8A270540FDL /* 666 */, 0x01078EC0A34C22C1L /* 667 */, - 0xE5DE511AF4C16387L /* 668 */, 0x7EBB3A52BD9A330AL /* 669 */, - 0x77697857AA7D6435L /* 670 */, 0x004E831603AE4C32L /* 671 */, - 0xE7A21020AD78E312L /* 672 */, 0x9D41A70C6AB420F2L /* 673 */, - 0x28E06C18EA1141E6L /* 674 */, 0xD2B28CBD984F6B28L /* 675 */, - 0x26B75F6C446E9D83L /* 676 */, 0xBA47568C4D418D7FL /* 677 */, - 0xD80BADBFE6183D8EL /* 678 */, 0x0E206D7F5F166044L /* 679 */, - 0xE258A43911CBCA3EL /* 680 */, 0x723A1746B21DC0BCL /* 681 */, - 0xC7CAA854F5D7CDD3L /* 682 */, 0x7CAC32883D261D9CL /* 683 */, - 0x7690C26423BA942CL /* 684 */, 0x17E55524478042B8L /* 685 */, - 0xE0BE477656A2389FL /* 686 */, 0x4D289B5E67AB2DA0L /* 687 */, - 0x44862B9C8FBBFD31L /* 688 */, 0xB47CC8049D141365L /* 689 */, - 0x822C1B362B91C793L /* 690 */, 0x4EB14655FB13DFD8L /* 691 */, - 0x1ECBBA0714E2A97BL /* 692 */, 0x6143459D5CDE5F14L /* 693 */, - 0x53A8FBF1D5F0AC89L /* 694 */, 0x97EA04D81C5E5B00L /* 695 */, - 0x622181A8D4FDB3F3L /* 696 */, 0xE9BCD341572A1208L /* 697 */, - 0x1411258643CCE58AL /* 698 */, 0x9144C5FEA4C6E0A4L /* 699 */, - 0x0D33D06565CF620FL /* 700 */, 0x54A48D489F219CA1L /* 701 */, - 0xC43E5EAC6D63C821L /* 702 */, 0xA9728B3A72770DAFL /* 703 */, - 0xD7934E7B20DF87EFL /* 704 */, 0xE35503B61A3E86E5L /* 705 */, - 0xCAE321FBC819D504L /* 706 */, 0x129A50B3AC60BFA6L /* 707 */, - 0xCD5E68EA7E9FB6C3L /* 708 */, 0xB01C90199483B1C7L /* 709 */, - 0x3DE93CD5C295376CL /* 710 */, 0xAED52EDF2AB9AD13L /* 711 */, - 0x2E60F512C0A07884L /* 712 */, 0xBC3D86A3E36210C9L /* 713 */, - 0x35269D9B163951CEL /* 714 */, 0x0C7D6E2AD0CDB5FAL /* 715 */, - 0x59E86297D87F5733L /* 716 */, 0x298EF221898DB0E7L /* 717 */, - 0x55000029D1A5AA7EL /* 718 */, 0x8BC08AE1B5061B45L /* 719 */, - 0xC2C31C2B6C92703AL /* 720 */, 0x94CC596BAF25EF42L /* 721 */, - 0x0A1D73DB22540456L /* 722 */, 0x04B6A0F9D9C4179AL /* 723 */, - 0xEFFDAFA2AE3D3C60L /* 724 */, 0xF7C8075BB49496C4L /* 725 */, - 0x9CC5C7141D1CD4E3L /* 726 */, 0x78BD1638218E5534L /* 727 */, - 0xB2F11568F850246AL /* 728 */, 0xEDFABCFA9502BC29L /* 729 */, - 0x796CE5F2DA23051BL /* 730 */, 0xAAE128B0DC93537CL /* 731 */, - 0x3A493DA0EE4B29AEL /* 732 */, 0xB5DF6B2C416895D7L /* 733 */, - 0xFCABBD25122D7F37L /* 734 */, 0x70810B58105DC4B1L /* 735 */, - 0xE10FDD37F7882A90L /* 736 */, 0x524DCAB5518A3F5CL /* 737 */, - 0x3C9E85878451255BL /* 738 */, 0x4029828119BD34E2L /* 739 */, - 0x74A05B6F5D3CECCBL /* 740 */, 0xB610021542E13ECAL /* 741 */, - 0x0FF979D12F59E2ACL /* 742 */, 0x6037DA27E4F9CC50L /* 743 */, - 0x5E92975A0DF1847DL /* 744 */, 0xD66DE190D3E623FEL /* 745 */, - 0x5032D6B87B568048L /* 746 */, 0x9A36B7CE8235216EL /* 747 */, - 0x80272A7A24F64B4AL /* 748 */, 0x93EFED8B8C6916F7L /* 749 */, - 0x37DDBFF44CCE1555L /* 750 */, 0x4B95DB5D4B99BD25L /* 751 */, - 0x92D3FDA169812FC0L /* 752 */, 0xFB1A4A9A90660BB6L /* 753 */, - 0x730C196946A4B9B2L /* 754 */, 0x81E289AA7F49DA68L /* 755 */, - 0x64669A0F83B1A05FL /* 756 */, 0x27B3FF7D9644F48BL /* 757 */, - 0xCC6B615C8DB675B3L /* 758 */, 0x674F20B9BCEBBE95L /* 759 */, - 0x6F31238275655982L /* 760 */, 0x5AE488713E45CF05L /* 761 */, - 0xBF619F9954C21157L /* 762 */, 0xEABAC46040A8EAE9L /* 763 */, - 0x454C6FE9F2C0C1CDL /* 764 */, 0x419CF6496412691CL /* 765 */, - 0xD3DC3BEF265B0F70L /* 766 */, 0x6D0E60F5C3578A9EL /* 767 */, - }; - - private static final long[] t4 = { - 0x5B0E608526323C55L /* 768 */, 0x1A46C1A9FA1B59F5L /* 769 */, - 0xA9E245A17C4C8FFAL /* 770 */, 0x65CA5159DB2955D7L /* 771 */, - 0x05DB0A76CE35AFC2L /* 772 */, 0x81EAC77EA9113D45L /* 773 */, - 0x528EF88AB6AC0A0DL /* 774 */, 0xA09EA253597BE3FFL /* 775 */, - 0x430DDFB3AC48CD56L /* 776 */, 0xC4B3A67AF45CE46FL /* 777 */, - 0x4ECECFD8FBE2D05EL /* 778 */, 0x3EF56F10B39935F0L /* 779 */, - 0x0B22D6829CD619C6L /* 780 */, 0x17FD460A74DF2069L /* 781 */, - 0x6CF8CC8E8510ED40L /* 782 */, 0xD6C824BF3A6ECAA7L /* 783 */, - 0x61243D581A817049L /* 784 */, 0x048BACB6BBC163A2L /* 785 */, - 0xD9A38AC27D44CC32L /* 786 */, 0x7FDDFF5BAAF410ABL /* 787 */, - 0xAD6D495AA804824BL /* 788 */, 0xE1A6A74F2D8C9F94L /* 789 */, - 0xD4F7851235DEE8E3L /* 790 */, 0xFD4B7F886540D893L /* 791 */, - 0x247C20042AA4BFDAL /* 792 */, 0x096EA1C517D1327CL /* 793 */, - 0xD56966B4361A6685L /* 794 */, 0x277DA5C31221057DL /* 795 */, - 0x94D59893A43ACFF7L /* 796 */, 0x64F0C51CCDC02281L /* 797 */, - 0x3D33BCC4FF6189DBL /* 798 */, 0xE005CB184CE66AF1L /* 799 */, - 0xFF5CCD1D1DB99BEAL /* 800 */, 0xB0B854A7FE42980FL /* 801 */, - 0x7BD46A6A718D4B9FL /* 802 */, 0xD10FA8CC22A5FD8CL /* 803 */, - 0xD31484952BE4BD31L /* 804 */, 0xC7FA975FCB243847L /* 805 */, - 0x4886ED1E5846C407L /* 806 */, 0x28CDDB791EB70B04L /* 807 */, - 0xC2B00BE2F573417FL /* 808 */, 0x5C9590452180F877L /* 809 */, - 0x7A6BDDFFF370EB00L /* 810 */, 0xCE509E38D6D9D6A4L /* 811 */, - 0xEBEB0F00647FA702L /* 812 */, 0x1DCC06CF76606F06L /* 813 */, - 0xE4D9F28BA286FF0AL /* 814 */, 0xD85A305DC918C262L /* 815 */, - 0x475B1D8732225F54L /* 816 */, 0x2D4FB51668CCB5FEL /* 817 */, - 0xA679B9D9D72BBA20L /* 818 */, 0x53841C0D912D43A5L /* 819 */, - 0x3B7EAA48BF12A4E8L /* 820 */, 0x781E0E47F22F1DDFL /* 821 */, - 0xEFF20CE60AB50973L /* 822 */, 0x20D261D19DFFB742L /* 823 */, - 0x16A12B03062A2E39L /* 824 */, 0x1960EB2239650495L /* 825 */, - 0x251C16FED50EB8B8L /* 826 */, 0x9AC0C330F826016EL /* 827 */, - 0xED152665953E7671L /* 828 */, 0x02D63194A6369570L /* 829 */, - 0x5074F08394B1C987L /* 830 */, 0x70BA598C90B25CE1L /* 831 */, - 0x794A15810B9742F6L /* 832 */, 0x0D5925E9FCAF8C6CL /* 833 */, - 0x3067716CD868744EL /* 834 */, 0x910AB077E8D7731BL /* 835 */, - 0x6A61BBDB5AC42F61L /* 836 */, 0x93513EFBF0851567L /* 837 */, - 0xF494724B9E83E9D5L /* 838 */, 0xE887E1985C09648DL /* 839 */, - 0x34B1D3C675370CFDL /* 840 */, 0xDC35E433BC0D255DL /* 841 */, - 0xD0AAB84234131BE0L /* 842 */, 0x08042A50B48B7EAFL /* 843 */, - 0x9997C4EE44A3AB35L /* 844 */, 0x829A7B49201799D0L /* 845 */, - 0x263B8307B7C54441L /* 846 */, 0x752F95F4FD6A6CA6L /* 847 */, - 0x927217402C08C6E5L /* 848 */, 0x2A8AB754A795D9EEL /* 849 */, - 0xA442F7552F72943DL /* 850 */, 0x2C31334E19781208L /* 851 */, - 0x4FA98D7CEAEE6291L /* 852 */, 0x55C3862F665DB309L /* 853 */, - 0xBD0610175D53B1F3L /* 854 */, 0x46FE6CB840413F27L /* 855 */, - 0x3FE03792DF0CFA59L /* 856 */, 0xCFE700372EB85E8FL /* 857 */, - 0xA7BE29E7ADBCE118L /* 858 */, 0xE544EE5CDE8431DDL /* 859 */, - 0x8A781B1B41F1873EL /* 860 */, 0xA5C94C78A0D2F0E7L /* 861 */, - 0x39412E2877B60728L /* 862 */, 0xA1265EF3AFC9A62CL /* 863 */, - 0xBCC2770C6A2506C5L /* 864 */, 0x3AB66DD5DCE1CE12L /* 865 */, - 0xE65499D04A675B37L /* 866 */, 0x7D8F523481BFD216L /* 867 */, - 0x0F6F64FCEC15F389L /* 868 */, 0x74EFBE618B5B13C8L /* 869 */, - 0xACDC82B714273E1DL /* 870 */, 0xDD40BFE003199D17L /* 871 */, - 0x37E99257E7E061F8L /* 872 */, 0xFA52626904775AAAL /* 873 */, - 0x8BBBF63A463D56F9L /* 874 */, 0xF0013F1543A26E64L /* 875 */, - 0xA8307E9F879EC898L /* 876 */, 0xCC4C27A4150177CCL /* 877 */, - 0x1B432F2CCA1D3348L /* 878 */, 0xDE1D1F8F9F6FA013L /* 879 */, - 0x606602A047A7DDD6L /* 880 */, 0xD237AB64CC1CB2C7L /* 881 */, - 0x9B938E7225FCD1D3L /* 882 */, 0xEC4E03708E0FF476L /* 883 */, - 0xFEB2FBDA3D03C12DL /* 884 */, 0xAE0BCED2EE43889AL /* 885 */, - 0x22CB8923EBFB4F43L /* 886 */, 0x69360D013CF7396DL /* 887 */, - 0x855E3602D2D4E022L /* 888 */, 0x073805BAD01F784CL /* 889 */, - 0x33E17A133852F546L /* 890 */, 0xDF4874058AC7B638L /* 891 */, - 0xBA92B29C678AA14AL /* 892 */, 0x0CE89FC76CFAADCDL /* 893 */, - 0x5F9D4E0908339E34L /* 894 */, 0xF1AFE9291F5923B9L /* 895 */, - 0x6E3480F60F4A265FL /* 896 */, 0xEEBF3A2AB29B841CL /* 897 */, - 0xE21938A88F91B4ADL /* 898 */, 0x57DFEFF845C6D3C3L /* 899 */, - 0x2F006B0BF62CAAF2L /* 900 */, 0x62F479EF6F75EE78L /* 901 */, - 0x11A55AD41C8916A9L /* 902 */, 0xF229D29084FED453L /* 903 */, - 0x42F1C27B16B000E6L /* 904 */, 0x2B1F76749823C074L /* 905 */, - 0x4B76ECA3C2745360L /* 906 */, 0x8C98F463B91691BDL /* 907 */, - 0x14BCC93CF1ADE66AL /* 908 */, 0x8885213E6D458397L /* 909 */, - 0x8E177DF0274D4711L /* 910 */, 0xB49B73B5503F2951L /* 911 */, - 0x10168168C3F96B6BL /* 912 */, 0x0E3D963B63CAB0AEL /* 913 */, - 0x8DFC4B5655A1DB14L /* 914 */, 0xF789F1356E14DE5CL /* 915 */, - 0x683E68AF4E51DAC1L /* 916 */, 0xC9A84F9D8D4B0FD9L /* 917 */, - 0x3691E03F52A0F9D1L /* 918 */, 0x5ED86E46E1878E80L /* 919 */, - 0x3C711A0E99D07150L /* 920 */, 0x5A0865B20C4E9310L /* 921 */, - 0x56FBFC1FE4F0682EL /* 922 */, 0xEA8D5DE3105EDF9BL /* 923 */, - 0x71ABFDB12379187AL /* 924 */, 0x2EB99DE1BEE77B9CL /* 925 */, - 0x21ECC0EA33CF4523L /* 926 */, 0x59A4D7521805C7A1L /* 927 */, - 0x3896F5EB56AE7C72L /* 928 */, 0xAA638F3DB18F75DCL /* 929 */, - 0x9F39358DABE9808EL /* 930 */, 0xB7DEFA91C00B72ACL /* 931 */, - 0x6B5541FD62492D92L /* 932 */, 0x6DC6DEE8F92E4D5BL /* 933 */, - 0x353F57ABC4BEEA7EL /* 934 */, 0x735769D6DA5690CEL /* 935 */, - 0x0A234AA642391484L /* 936 */, 0xF6F9508028F80D9DL /* 937 */, - 0xB8E319A27AB3F215L /* 938 */, 0x31AD9C1151341A4DL /* 939 */, - 0x773C22A57BEF5805L /* 940 */, 0x45C7561A07968633L /* 941 */, - 0xF913DA9E249DBE36L /* 942 */, 0xDA652D9B78A64C68L /* 943 */, - 0x4C27A97F3BC334EFL /* 944 */, 0x76621220E66B17F4L /* 945 */, - 0x967743899ACD7D0BL /* 946 */, 0xF3EE5BCAE0ED6782L /* 947 */, - 0x409F753600C879FCL /* 948 */, 0x06D09A39B5926DB6L /* 949 */, - 0x6F83AEB0317AC588L /* 950 */, 0x01E6CA4A86381F21L /* 951 */, - 0x66FF3462D19F3025L /* 952 */, 0x72207C24DDFD3BFBL /* 953 */, - 0x4AF6B6D3E2ECE2EBL /* 954 */, 0x9C994DBEC7EA08DEL /* 955 */, - 0x49ACE597B09A8BC4L /* 956 */, 0xB38C4766CF0797BAL /* 957 */, - 0x131B9373C57C2A75L /* 958 */, 0xB1822CCE61931E58L /* 959 */, - 0x9D7555B909BA1C0CL /* 960 */, 0x127FAFDD937D11D2L /* 961 */, - 0x29DA3BADC66D92E4L /* 962 */, 0xA2C1D57154C2ECBCL /* 963 */, - 0x58C5134D82F6FE24L /* 964 */, 0x1C3AE3515B62274FL /* 965 */, - 0xE907C82E01CB8126L /* 966 */, 0xF8ED091913E37FCBL /* 967 */, - 0x3249D8F9C80046C9L /* 968 */, 0x80CF9BEDE388FB63L /* 969 */, - 0x1881539A116CF19EL /* 970 */, 0x5103F3F76BD52457L /* 971 */, - 0x15B7E6F5AE47F7A8L /* 972 */, 0xDBD7C6DED47E9CCFL /* 973 */, - 0x44E55C410228BB1AL /* 974 */, 0xB647D4255EDB4E99L /* 975 */, - 0x5D11882BB8AAFC30L /* 976 */, 0xF5098BBB29D3212AL /* 977 */, - 0x8FB5EA14E90296B3L /* 978 */, 0x677B942157DD025AL /* 979 */, - 0xFB58E7C0A390ACB5L /* 980 */, 0x89D3674C83BD4A01L /* 981 */, - 0x9E2DA4DF4BF3B93BL /* 982 */, 0xFCC41E328CAB4829L /* 983 */, - 0x03F38C96BA582C52L /* 984 */, 0xCAD1BDBD7FD85DB2L /* 985 */, - 0xBBB442C16082AE83L /* 986 */, 0xB95FE86BA5DA9AB0L /* 987 */, - 0xB22E04673771A93FL /* 988 */, 0x845358C9493152D8L /* 989 */, - 0xBE2A488697B4541EL /* 990 */, 0x95A2DC2DD38E6966L /* 991 */, - 0xC02C11AC923C852BL /* 992 */, 0x2388B1990DF2A87BL /* 993 */, - 0x7C8008FA1B4F37BEL /* 994 */, 0x1F70D0C84D54E503L /* 995 */, - 0x5490ADEC7ECE57D4L /* 996 */, 0x002B3C27D9063A3AL /* 997 */, - 0x7EAEA3848030A2BFL /* 998 */, 0xC602326DED2003C0L /* 999 */, - 0x83A7287D69A94086L /* 1000 */, 0xC57A5FCB30F57A8AL /* 1001 */, - 0xB56844E479EBE779L /* 1002 */, 0xA373B40F05DCBCE9L /* 1003 */, - 0xD71A786E88570EE2L /* 1004 */, 0x879CBACDBDE8F6A0L /* 1005 */, - 0x976AD1BCC164A32FL /* 1006 */, 0xAB21E25E9666D78BL /* 1007 */, - 0x901063AAE5E5C33CL /* 1008 */, 0x9818B34448698D90L /* 1009 */, - 0xE36487AE3E1E8ABBL /* 1010 */, 0xAFBDF931893BDCB4L /* 1011 */, - 0x6345A0DC5FBBD519L /* 1012 */, 0x8628FE269B9465CAL /* 1013 */, - 0x1E5D01603F9C51ECL /* 1014 */, 0x4DE44006A15049B7L /* 1015 */, - 0xBF6C70E5F776CBB1L /* 1016 */, 0x411218F2EF552BEDL /* 1017 */, - 0xCB0C0708705A36A3L /* 1018 */, 0xE74D14754F986044L /* 1019 */, - 0xCD56D9430EA8280EL /* 1020 */, 0xC12591D7535F5065L /* 1021 */, - 0xC83223F1720AEF96L /* 1022 */, 0xC3A0396F7363A51FL /* 1023 */ - }; - - private static final int DIGEST_LENGTH = 24; - - // - // registers - // - private long a, b, c; - private long byteCount; - - // - // buffers - // - private byte[] buf = new byte[8]; - private int bOff = 0; - - private long[] x = new long[8]; - private int xOff = 0; - - /** - * Standard constructor - */ - public TigerDigest() - { - reset(); - } - - /** - * Copy constructor. This will copy the state of the provided - * message digest. - */ - public TigerDigest(TigerDigest t) - { - this.reset(t); - } - - public String getAlgorithmName() - { - return "Tiger"; - } - - public int getDigestSize() - { - return DIGEST_LENGTH; - } - - private void processWord( - byte[] b, - int off) - { - x[xOff++] = ((long)(b[off + 7] & 0xff) << 56) - | ((long)(b[off + 6] & 0xff) << 48) - | ((long)(b[off + 5] & 0xff) << 40) - | ((long)(b[off + 4] & 0xff) << 32) - | ((long)(b[off + 3] & 0xff) << 24) - | ((long)(b[off + 2] & 0xff) << 16) - | ((long)(b[off + 1] & 0xff) << 8) - | ((b[off + 0] & 0xff)); - - if (xOff == x.length) - { - processBlock(); - } - - bOff = 0; - } - - public void update( - byte in) - { - buf[bOff++] = in; - - if (bOff == buf.length) - { - processWord(buf, 0); - } - - byteCount++; - } - - public void update( - byte[] in, - int inOff, - int len) - { - // - // fill the current word - // - while ((bOff != 0) && (len > 0)) - { - update(in[inOff]); - - inOff++; - len--; - } - - // - // process whole words. - // - while (len > 8) - { - processWord(in, inOff); - - inOff += 8; - len -= 8; - byteCount += 8; - } - - // - // load in the remainder. - // - while (len > 0) - { - update(in[inOff]); - - inOff++; - len--; - } - } - - private void roundABC( - long x, - long mul) - { - c ^= x ; - a -= t1[(int)c & 0xff] ^ t2[(int)(c >> 16) & 0xff] - ^ t3[(int)(c >> 32) & 0xff] ^ t4[(int)(c >> 48) & 0xff]; - b += t4[(int)(c >> 8) & 0xff] ^ t3[(int)(c >> 24) & 0xff] - ^ t2[(int)(c >> 40) & 0xff] ^ t1[(int)(c >> 56) & 0xff]; - b *= mul; - } - - private void roundBCA( - long x, - long mul) - { - a ^= x ; - b -= t1[(int)a & 0xff] ^ t2[(int)(a >> 16) & 0xff] - ^ t3[(int)(a >> 32) & 0xff] ^ t4[(int)(a >> 48) & 0xff]; - c += t4[(int)(a >> 8) & 0xff] ^ t3[(int)(a >> 24) & 0xff] - ^ t2[(int)(a >> 40) & 0xff] ^ t1[(int)(a >> 56) & 0xff]; - c *= mul; - } - - private void roundCAB( - long x, - long mul) - { - b ^= x ; - c -= t1[(int)b & 0xff] ^ t2[(int)(b >> 16) & 0xff] - ^ t3[(int)(b >> 32) & 0xff] ^ t4[(int)(b >> 48) & 0xff]; - a += t4[(int)(b >> 8) & 0xff] ^ t3[(int)(b >> 24) & 0xff] - ^ t2[(int)(b >> 40) & 0xff] ^ t1[(int)(b >> 56) & 0xff]; - a *= mul; - } - - private void keySchedule() - { - x[0] -= x[7] ^ 0xA5A5A5A5A5A5A5A5L; - x[1] ^= x[0]; - x[2] += x[1]; - x[3] -= x[2] ^ ((~x[1]) << 19); - x[4] ^= x[3]; - x[5] += x[4]; - x[6] -= x[5] ^ ((~x[4]) >>> 23); - x[7] ^= x[6]; - x[0] += x[7]; - x[1] -= x[0] ^ ((~x[7]) << 19); - x[2] ^= x[1]; - x[3] += x[2]; - x[4] -= x[3] ^ ((~x[2]) >>> 23); - x[5] ^= x[4]; - x[6] += x[5]; - x[7] -= x[6] ^ 0x0123456789ABCDEFL; - } - - private void processBlock() - { - // - // save abc - // - long aa = a; - long bb = b; - long cc = c; - - // - // rounds and schedule - // - roundABC(x[0], 5); - roundBCA(x[1], 5); - roundCAB(x[2], 5); - roundABC(x[3], 5); - roundBCA(x[4], 5); - roundCAB(x[5], 5); - roundABC(x[6], 5); - roundBCA(x[7], 5); - - keySchedule(); - - roundCAB(x[0], 7); - roundABC(x[1], 7); - roundBCA(x[2], 7); - roundCAB(x[3], 7); - roundABC(x[4], 7); - roundBCA(x[5], 7); - roundCAB(x[6], 7); - roundABC(x[7], 7); - - keySchedule(); - - roundBCA(x[0], 9); - roundCAB(x[1], 9); - roundABC(x[2], 9); - roundBCA(x[3], 9); - roundCAB(x[4], 9); - roundABC(x[5], 9); - roundBCA(x[6], 9); - roundCAB(x[7], 9); - - // - // feed forward - // - a ^= aa; - b -= bb; - c += cc; - - // - // clear the x buffer - // - xOff = 0; - for (int i = 0; i != x.length; i++) - { - x[i] = 0; - } - } - - public void unpackWord( - long r, - byte[] out, - int outOff) - { - out[outOff + 7] = (byte)(r >> 56); - out[outOff + 6] = (byte)(r >> 48); - out[outOff + 5] = (byte)(r >> 40); - out[outOff + 4] = (byte)(r >> 32); - out[outOff + 3] = (byte)(r >> 24); - out[outOff + 2] = (byte)(r >> 16); - out[outOff + 1] = (byte)(r >> 8); - out[outOff] = (byte)r; - } - - private void processLength( - long bitLength) - { - x[7] = bitLength; - } - - private void finish() - { - long bitLength = (byteCount << 3); - - update((byte)0x01); - - while (bOff != 0) - { - update((byte)0); - } - - processLength(bitLength); - - processBlock(); - } - - public int doFinal( - byte[] out, - int outOff) - { - finish(); - - unpackWord(a, out, outOff); - unpackWord(b, out, outOff + 8); - unpackWord(c, out, outOff + 16); - - reset(); - - return DIGEST_LENGTH; - } - - /** - * reset the chaining variables - */ - public void reset() - { - a = 0x0123456789ABCDEFL; - b = 0xFEDCBA9876543210L; - c = 0xF096A5B4C3B2E187L; - - xOff = 0; - for (int i = 0; i != x.length; i++) - { - x[i] = 0; - } - - bOff = 0; - for (int i = 0; i != buf.length; i++) - { - buf[i] = 0; - } - - byteCount = 0; - } - - public int getByteLength() - { - return BYTE_LENGTH; - } - - public Memoable copy() - { - return new TigerDigest(this); - } - - public void reset(Memoable other) - { - TigerDigest t = (TigerDigest)other; - - a = t.a; - b = t.b; - c = t.c; - - System.arraycopy(t.x, 0, x, 0, t.x.length); - xOff = t.xOff; - - System.arraycopy(t.buf, 0, buf, 0, t.buf.length); - bOff = t.bOff; - - byteCount = t.byteCount; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/WhirlpoolDigest.java b/core/src/main/java/org/bouncycastle/crypto/digests/WhirlpoolDigest.java deleted file mode 100644 index 11e884cd..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/digests/WhirlpoolDigest.java +++ /dev/null @@ -1,409 +0,0 @@ -package org.bouncycastle.crypto.digests; - -import org.bouncycastle.crypto.ExtendedDigest; -import org.bouncycastle.util.Arrays; -import org.bouncycastle.util.Memoable; - - -/** - * Implementation of WhirlpoolDigest, based on Java source published by Barreto - * and Rijmen. - * - */ -public final class WhirlpoolDigest - implements ExtendedDigest, Memoable -{ - private static final int BYTE_LENGTH = 64; - - private static final int DIGEST_LENGTH_BYTES = 512 / 8; - private static final int ROUNDS = 10; - private static final int REDUCTION_POLYNOMIAL = 0x011d; // 2^8 + 2^4 + 2^3 + 2 + 1; - - private static final int[] SBOX = { - 0x18, 0x23, 0xc6, 0xe8, 0x87, 0xb8, 0x01, 0x4f, 0x36, 0xa6, 0xd2, 0xf5, 0x79, 0x6f, 0x91, 0x52, - 0x60, 0xbc, 0x9b, 0x8e, 0xa3, 0x0c, 0x7b, 0x35, 0x1d, 0xe0, 0xd7, 0xc2, 0x2e, 0x4b, 0xfe, 0x57, - 0x15, 0x77, 0x37, 0xe5, 0x9f, 0xf0, 0x4a, 0xda, 0x58, 0xc9, 0x29, 0x0a, 0xb1, 0xa0, 0x6b, 0x85, - 0xbd, 0x5d, 0x10, 0xf4, 0xcb, 0x3e, 0x05, 0x67, 0xe4, 0x27, 0x41, 0x8b, 0xa7, 0x7d, 0x95, 0xd8, - 0xfb, 0xee, 0x7c, 0x66, 0xdd, 0x17, 0x47, 0x9e, 0xca, 0x2d, 0xbf, 0x07, 0xad, 0x5a, 0x83, 0x33, - 0x63, 0x02, 0xaa, 0x71, 0xc8, 0x19, 0x49, 0xd9, 0xf2, 0xe3, 0x5b, 0x88, 0x9a, 0x26, 0x32, 0xb0, - 0xe9, 0x0f, 0xd5, 0x80, 0xbe, 0xcd, 0x34, 0x48, 0xff, 0x7a, 0x90, 0x5f, 0x20, 0x68, 0x1a, 0xae, - 0xb4, 0x54, 0x93, 0x22, 0x64, 0xf1, 0x73, 0x12, 0x40, 0x08, 0xc3, 0xec, 0xdb, 0xa1, 0x8d, 0x3d, - 0x97, 0x00, 0xcf, 0x2b, 0x76, 0x82, 0xd6, 0x1b, 0xb5, 0xaf, 0x6a, 0x50, 0x45, 0xf3, 0x30, 0xef, - 0x3f, 0x55, 0xa2, 0xea, 0x65, 0xba, 0x2f, 0xc0, 0xde, 0x1c, 0xfd, 0x4d, 0x92, 0x75, 0x06, 0x8a, - 0xb2, 0xe6, 0x0e, 0x1f, 0x62, 0xd4, 0xa8, 0x96, 0xf9, 0xc5, 0x25, 0x59, 0x84, 0x72, 0x39, 0x4c, - 0x5e, 0x78, 0x38, 0x8c, 0xd1, 0xa5, 0xe2, 0x61, 0xb3, 0x21, 0x9c, 0x1e, 0x43, 0xc7, 0xfc, 0x04, - 0x51, 0x99, 0x6d, 0x0d, 0xfa, 0xdf, 0x7e, 0x24, 0x3b, 0xab, 0xce, 0x11, 0x8f, 0x4e, 0xb7, 0xeb, - 0x3c, 0x81, 0x94, 0xf7, 0xb9, 0x13, 0x2c, 0xd3, 0xe7, 0x6e, 0xc4, 0x03, 0x56, 0x44, 0x7f, 0xa9, - 0x2a, 0xbb, 0xc1, 0x53, 0xdc, 0x0b, 0x9d, 0x6c, 0x31, 0x74, 0xf6, 0x46, 0xac, 0x89, 0x14, 0xe1, - 0x16, 0x3a, 0x69, 0x09, 0x70, 0xb6, 0xd0, 0xed, 0xcc, 0x42, 0x98, 0xa4, 0x28, 0x5c, 0xf8, 0x86 - }; - - private static final long[] C0 = new long[256]; - private static final long[] C1 = new long[256]; - private static final long[] C2 = new long[256]; - private static final long[] C3 = new long[256]; - private static final long[] C4 = new long[256]; - private static final long[] C5 = new long[256]; - private static final long[] C6 = new long[256]; - private static final long[] C7 = new long[256]; - - private final long[] _rc = new long[ROUNDS + 1]; - - public WhirlpoolDigest() - { - for (int i = 0; i < 256; i++) - { - int v1 = SBOX[i]; - int v2 = maskWithReductionPolynomial(v1 << 1); - int v4 = maskWithReductionPolynomial(v2 << 1); - int v5 = v4 ^ v1; - int v8 = maskWithReductionPolynomial(v4 << 1); - int v9 = v8 ^ v1; - - C0[i] = packIntoLong(v1, v1, v4, v1, v8, v5, v2, v9); - C1[i] = packIntoLong(v9, v1, v1, v4, v1, v8, v5, v2); - C2[i] = packIntoLong(v2, v9, v1, v1, v4, v1, v8, v5); - C3[i] = packIntoLong(v5, v2, v9, v1, v1, v4, v1, v8); - C4[i] = packIntoLong(v8, v5, v2, v9, v1, v1, v4, v1); - C5[i] = packIntoLong(v1, v8, v5, v2, v9, v1, v1, v4); - C6[i] = packIntoLong(v4, v1, v8, v5, v2, v9, v1, v1); - C7[i] = packIntoLong(v1, v4, v1, v8, v5, v2, v9, v1); - - } - - _rc[0] = 0L; - for (int r = 1; r <= ROUNDS; r++) - { - int i = 8 * (r - 1); - _rc[r] = (C0[i ] & 0xff00000000000000L) ^ - (C1[i + 1] & 0x00ff000000000000L) ^ - (C2[i + 2] & 0x0000ff0000000000L) ^ - (C3[i + 3] & 0x000000ff00000000L) ^ - (C4[i + 4] & 0x00000000ff000000L) ^ - (C5[i + 5] & 0x0000000000ff0000L) ^ - (C6[i + 6] & 0x000000000000ff00L) ^ - (C7[i + 7] & 0x00000000000000ffL); - } - - } - - private long packIntoLong(int b7, int b6, int b5, int b4, int b3, int b2, int b1, int b0) - { - return - ((long)b7 << 56) ^ - ((long)b6 << 48) ^ - ((long)b5 << 40) ^ - ((long)b4 << 32) ^ - ((long)b3 << 24) ^ - ((long)b2 << 16) ^ - ((long)b1 << 8) ^ - b0; - } - - /* - * int's are used to prevent sign extension. The values that are really being used are - * actually just 0..255 - */ - private int maskWithReductionPolynomial(int input) - { - int rv = input; - if (rv >= 0x100L) // high bit set - { - rv ^= REDUCTION_POLYNOMIAL; // reduced by the polynomial - } - return rv; - } - - // --------------------------------------------------------------------------------------// - - // -- buffer information -- - private static final int BITCOUNT_ARRAY_SIZE = 32; - private byte[] _buffer = new byte[64]; - private int _bufferPos = 0; - private short[] _bitCount = new short[BITCOUNT_ARRAY_SIZE]; - - // -- internal hash state -- - private long[] _hash = new long[8]; - private long[] _K = new long[8]; // the round key - private long[] _L = new long[8]; - private long[] _block = new long[8]; // mu (buffer) - private long[] _state = new long[8]; // the current "cipher" state - - - - /** - * Copy constructor. This will copy the state of the provided message - * digest. - */ - public WhirlpoolDigest(WhirlpoolDigest originalDigest) - { - reset(originalDigest); - } - - public String getAlgorithmName() - { - return "Whirlpool"; - } - - public int getDigestSize() - { - return DIGEST_LENGTH_BYTES; - } - - public int doFinal(byte[] out, int outOff) - { - // sets out[outOff] .. out[outOff+DIGEST_LENGTH_BYTES] - finish(); - - for (int i = 0; i < 8; i++) - { - convertLongToByteArray(_hash[i], out, outOff + (i * 8)); - } - - reset(); - return getDigestSize(); - } - - /** - * reset the chaining variables - */ - public void reset() - { - // set variables to null, blank, whatever - _bufferPos = 0; - Arrays.fill(_bitCount, (short)0); - Arrays.fill(_buffer, (byte)0); - Arrays.fill(_hash, 0); - Arrays.fill(_K, 0); - Arrays.fill(_L, 0); - Arrays.fill(_block, 0); - Arrays.fill(_state, 0); - } - - // this takes a buffer of information and fills the block - private void processFilledBuffer(byte[] in, int inOff) - { - // copies into the block... - for (int i = 0; i < _state.length; i++) - { - _block[i] = bytesToLongFromBuffer(_buffer, i * 8); - } - processBlock(); - _bufferPos = 0; - Arrays.fill(_buffer, (byte)0); - } - - private long bytesToLongFromBuffer(byte[] buffer, int startPos) - { - long rv = (((buffer[startPos + 0] & 0xffL) << 56) | - ((buffer[startPos + 1] & 0xffL) << 48) | - ((buffer[startPos + 2] & 0xffL) << 40) | - ((buffer[startPos + 3] & 0xffL) << 32) | - ((buffer[startPos + 4] & 0xffL) << 24) | - ((buffer[startPos + 5] & 0xffL) << 16) | - ((buffer[startPos + 6] & 0xffL) << 8) | - ((buffer[startPos + 7]) & 0xffL)); - - return rv; - } - - private void convertLongToByteArray(long inputLong, byte[] outputArray, int offSet) - { - for (int i = 0; i < 8; i++) - { - outputArray[offSet + i] = (byte)((inputLong >> (56 - (i * 8))) & 0xff); - } - } - - protected void processBlock() - { - // buffer contents have been transferred to the _block[] array via - // processFilledBuffer - - // compute and apply K^0 - for (int i = 0; i < 8; i++) - { - _state[i] = _block[i] ^ (_K[i] = _hash[i]); - } - - // iterate over the rounds - for (int round = 1; round <= ROUNDS; round++) - { - for (int i = 0; i < 8; i++) - { - _L[i] = 0; - _L[i] ^= C0[(int)(_K[(i - 0) & 7] >>> 56) & 0xff]; - _L[i] ^= C1[(int)(_K[(i - 1) & 7] >>> 48) & 0xff]; - _L[i] ^= C2[(int)(_K[(i - 2) & 7] >>> 40) & 0xff]; - _L[i] ^= C3[(int)(_K[(i - 3) & 7] >>> 32) & 0xff]; - _L[i] ^= C4[(int)(_K[(i - 4) & 7] >>> 24) & 0xff]; - _L[i] ^= C5[(int)(_K[(i - 5) & 7] >>> 16) & 0xff]; - _L[i] ^= C6[(int)(_K[(i - 6) & 7] >>> 8) & 0xff]; - _L[i] ^= C7[(int)(_K[(i - 7) & 7]) & 0xff]; - } - - System.arraycopy(_L, 0, _K, 0, _K.length); - - _K[0] ^= _rc[round]; - - // apply the round transformation - for (int i = 0; i < 8; i++) - { - _L[i] = _K[i]; - - _L[i] ^= C0[(int)(_state[(i - 0) & 7] >>> 56) & 0xff]; - _L[i] ^= C1[(int)(_state[(i - 1) & 7] >>> 48) & 0xff]; - _L[i] ^= C2[(int)(_state[(i - 2) & 7] >>> 40) & 0xff]; - _L[i] ^= C3[(int)(_state[(i - 3) & 7] >>> 32) & 0xff]; - _L[i] ^= C4[(int)(_state[(i - 4) & 7] >>> 24) & 0xff]; - _L[i] ^= C5[(int)(_state[(i - 5) & 7] >>> 16) & 0xff]; - _L[i] ^= C6[(int)(_state[(i - 6) & 7] >>> 8) & 0xff]; - _L[i] ^= C7[(int)(_state[(i - 7) & 7]) & 0xff]; - } - - // save the current state - System.arraycopy(_L, 0, _state, 0, _state.length); - } - - // apply Miuaguchi-Preneel compression - for (int i = 0; i < 8; i++) - { - _hash[i] ^= _state[i] ^ _block[i]; - } - - } - - public void update(byte in) - { - _buffer[_bufferPos] = in; - - //System.out.println("adding to buffer = "+_buffer[_bufferPos]); - - ++_bufferPos; - - if (_bufferPos == _buffer.length) - { - processFilledBuffer(_buffer, 0); - } - - increment(); - } - - /* - * increment() can be implemented in this way using 2 arrays or - * by having some temporary variables that are used to set the - * value provided by EIGHT[i] and carry within the loop. - * - * not having done any timing, this seems likely to be faster - * at the slight expense of 32*(sizeof short) bytes - */ - private static final short[] EIGHT = new short[BITCOUNT_ARRAY_SIZE]; - static - { - EIGHT[BITCOUNT_ARRAY_SIZE - 1] = 8; - } - - private void increment() - { - int carry = 0; - for (int i = _bitCount.length - 1; i >= 0; i--) - { - int sum = (_bitCount[i] & 0xff) + EIGHT[i] + carry; - - carry = sum >>> 8; - _bitCount[i] = (short)(sum & 0xff); - } - } - - public void update(byte[] in, int inOff, int len) - { - while (len > 0) - { - update(in[inOff]); - ++inOff; - --len; - } - - } - - private void finish() - { - /* - * this makes a copy of the current bit length. at the expense of an - * object creation of 32 bytes rather than providing a _stopCounting - * boolean which was the alternative I could think of. - */ - byte[] bitLength = copyBitLength(); - - _buffer[_bufferPos++] |= 0x80; - - if (_bufferPos == _buffer.length) - { - processFilledBuffer(_buffer, 0); - } - - /* - * Final block contains - * [ ... data .... ][0][0][0][ length ] - * - * if [ length ] cannot fit. Need to create a new block. - */ - if (_bufferPos > 32) - { - while (_bufferPos != 0) - { - update((byte)0); - } - } - - while (_bufferPos <= 32) - { - update((byte)0); - } - - // copy the length information to the final 32 bytes of the - // 64 byte block.... - System.arraycopy(bitLength, 0, _buffer, 32, bitLength.length); - - processFilledBuffer(_buffer, 0); - } - - private byte[] copyBitLength() - { - byte[] rv = new byte[BITCOUNT_ARRAY_SIZE]; - for (int i = 0; i < rv.length; i++) - { - rv[i] = (byte)(_bitCount[i] & 0xff); - } - return rv; - } - - public int getByteLength() - { - return BYTE_LENGTH; - } - - public Memoable copy() - { - return new WhirlpoolDigest(this); - } - - public void reset(Memoable other) - { - WhirlpoolDigest originalDigest = (WhirlpoolDigest)other; - - System.arraycopy(originalDigest._rc, 0, _rc, 0, _rc.length); - - System.arraycopy(originalDigest._buffer, 0, _buffer, 0, _buffer.length); - - this._bufferPos = originalDigest._bufferPos; - System.arraycopy(originalDigest._bitCount, 0, _bitCount, 0, _bitCount.length); - - // -- internal hash state -- - System.arraycopy(originalDigest._hash, 0, _hash, 0, _hash.length); - System.arraycopy(originalDigest._K, 0, _K, 0, _K.length); - System.arraycopy(originalDigest._L, 0, _L, 0, _L.length); - System.arraycopy(originalDigest._block, 0, _block, 0, _block.length); - System.arraycopy(originalDigest._state, 0, _state, 0, _state.length); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/ec/CustomNamedCurves.java b/core/src/main/java/org/bouncycastle/crypto/ec/CustomNamedCurves.java deleted file mode 100644 index c3d4f5bb..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/ec/CustomNamedCurves.java +++ /dev/null @@ -1,320 +0,0 @@ -package org.bouncycastle.crypto.ec; - -import java.math.BigInteger; -import java.util.Enumeration; -import java.util.Hashtable; - -import org.bouncycastle.asn1.ASN1ObjectIdentifier; -import org.bouncycastle.asn1.sec.SECObjectIdentifiers; -import org.bouncycastle.asn1.x9.X9ECParameters; -import org.bouncycastle.asn1.x9.X9ECParametersHolder; -import org.bouncycastle.math.ec.ECCurve; -import org.bouncycastle.math.ec.ECPoint; -import org.bouncycastle.math.ec.custom.djb.Curve25519; -import org.bouncycastle.math.ec.custom.sec.SecP192K1Curve; -import org.bouncycastle.math.ec.custom.sec.SecP192R1Curve; -import org.bouncycastle.math.ec.custom.sec.SecP224K1Curve; -import org.bouncycastle.math.ec.custom.sec.SecP224R1Curve; -import org.bouncycastle.math.ec.custom.sec.SecP256K1Curve; -import org.bouncycastle.math.ec.custom.sec.SecP256R1Curve; -import org.bouncycastle.math.ec.custom.sec.SecP384R1Curve; -import org.bouncycastle.math.ec.custom.sec.SecP521R1Curve; -import org.bouncycastle.math.ec.endo.GLVTypeBEndomorphism; -import org.bouncycastle.math.ec.endo.GLVTypeBParameters; -import org.bouncycastle.util.Strings; -import org.bouncycastle.util.encoders.Hex; - -public class CustomNamedCurves -{ - private static ECCurve configureCurve(ECCurve curve) - { - return curve; - } - - private static ECCurve configureCurveGLV(ECCurve c, GLVTypeBParameters p) - { - return c.configure().setEndomorphism(new GLVTypeBEndomorphism(c, p)).create(); - } - - /* - * curve25519 - */ - static X9ECParametersHolder curve25519 = new X9ECParametersHolder() - { - protected X9ECParameters createParameters() - { - byte[] S = null; - ECCurve curve = configureCurve(new Curve25519()); - - /* - * NOTE: Curve25519 was specified in Montgomery form. Rewriting in Weierstrass form - * involves substitution of variables, so the base-point x coordinate is 9 + (486662 / 3). - * - * The Curve25519 paper doesn't say which of the two possible y values the base - * point has. The choice here is guided by language in the Ed25519 paper. - * - * (The other possible y value is 5F51E65E475F794B1FE122D388B72EB36DC2B28192839E4DD6163A5D81312C14) - */ - ECPoint G = curve.decodePoint(Hex.decode("04" - + "2AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD245A" - + "20AE19A1B8A086B4E01EDD2C7748D14C923D4D7E6D7C61B229E9C5A27ECED3D9")); - - return new X9ECParameters(curve, G, curve.getOrder(), curve.getCofactor(), S); - } - }; - - /* - * secp192k1 - */ - static X9ECParametersHolder secp192k1 = new X9ECParametersHolder() - { - protected X9ECParameters createParameters() - { - byte[] S = null; - GLVTypeBParameters glv = new GLVTypeBParameters( - new BigInteger("bb85691939b869c1d087f601554b96b80cb4f55b35f433c2", 16), - new BigInteger("3d84f26c12238d7b4f3d516613c1759033b1a5800175d0b1", 16), - new BigInteger[]{ - new BigInteger("71169be7330b3038edb025f1", 16), - new BigInteger("-b3fb3400dec5c4adceb8655c", 16) }, - new BigInteger[]{ - new BigInteger("12511cfe811d0f4e6bc688b4d", 16), - new BigInteger("71169be7330b3038edb025f1", 16) }, - new BigInteger("71169be7330b3038edb025f1d0f9", 16), - new BigInteger("b3fb3400dec5c4adceb8655d4c94", 16), - 208); - ECCurve curve = configureCurveGLV(new SecP192K1Curve(), glv); - ECPoint G = curve.decodePoint(Hex.decode("04" - + "DB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D" - + "9B2F2F6D9C5628A7844163D015BE86344082AA88D95E2F9D")); - return new X9ECParameters(curve, G, curve.getOrder(), curve.getCofactor(), S); - } - }; - - /* - * secp192r1 - */ - static X9ECParametersHolder secp192r1 = new X9ECParametersHolder() - { - protected X9ECParameters createParameters() - { - byte[] S = Hex.decode("3045AE6FC8422F64ED579528D38120EAE12196D5"); - ECCurve curve = configureCurve(new SecP192R1Curve()); - ECPoint G = curve.decodePoint(Hex.decode("04" - + "188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012" - + "07192B95FFC8DA78631011ED6B24CDD573F977A11E794811")); - return new X9ECParameters(curve, G, curve.getOrder(), curve.getCofactor(), S); - } - }; - - /* - * secp224k1 - */ - static X9ECParametersHolder secp224k1 = new X9ECParametersHolder() - { - protected X9ECParameters createParameters() - { - byte[] S = null; - GLVTypeBParameters glv = new GLVTypeBParameters( - new BigInteger("fe0e87005b4e83761908c5131d552a850b3f58b749c37cf5b84d6768", 16), - new BigInteger("60dcd2104c4cbc0be6eeefc2bdd610739ec34e317f9b33046c9e4788", 16), - new BigInteger[]{ - new BigInteger("6b8cf07d4ca75c88957d9d670591", 16), - new BigInteger("-b8adf1378a6eb73409fa6c9c637d", 16) }, - new BigInteger[]{ - new BigInteger("1243ae1b4d71613bc9f780a03690e", 16), - new BigInteger("6b8cf07d4ca75c88957d9d670591", 16) }, - new BigInteger("6b8cf07d4ca75c88957d9d67059037a4", 16), - new BigInteger("b8adf1378a6eb73409fa6c9c637ba7f5", 16), - 240); - ECCurve curve = configureCurveGLV(new SecP224K1Curve(), glv); - ECPoint G = curve.decodePoint(Hex.decode("04" - + "A1455B334DF099DF30FC28A169A467E9E47075A90F7E650EB6B7A45C" - + "7E089FED7FBA344282CAFBD6F7E319F7C0B0BD59E2CA4BDB556D61A5")); - return new X9ECParameters(curve, G, curve.getOrder(), curve.getCofactor(), S); - } - }; - - /* - * secp224r1 - */ - static X9ECParametersHolder secp224r1 = new X9ECParametersHolder() - { - protected X9ECParameters createParameters() - { - byte[] S = Hex.decode("BD71344799D5C7FCDC45B59FA3B9AB8F6A948BC5"); - ECCurve curve = configureCurve(new SecP224R1Curve()); - ECPoint G = curve.decodePoint(Hex.decode("04" - + "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21" - + "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34")); - return new X9ECParameters(curve, G, curve.getOrder(), curve.getCofactor(), S); - } - }; - - /* - * secp256k1 - */ - static X9ECParametersHolder secp256k1 = new X9ECParametersHolder() - { - protected X9ECParameters createParameters() - { - byte[] S = null; - GLVTypeBParameters glv = new GLVTypeBParameters( - new BigInteger("7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee", 16), - new BigInteger("5363ad4cc05c30e0a5261c028812645a122e22ea20816678df02967c1b23bd72", 16), - new BigInteger[]{ - new BigInteger("3086d221a7d46bcde86c90e49284eb15", 16), - new BigInteger("-e4437ed6010e88286f547fa90abfe4c3", 16) }, - new BigInteger[]{ - new BigInteger("114ca50f7a8e2f3f657c1108d9d44cfd8", 16), - new BigInteger("3086d221a7d46bcde86c90e49284eb15", 16) }, - new BigInteger("3086d221a7d46bcde86c90e49284eb153dab", 16), - new BigInteger("e4437ed6010e88286f547fa90abfe4c42212", 16), - 272); - ECCurve curve = configureCurveGLV(new SecP256K1Curve(), glv); - ECPoint G = curve.decodePoint(Hex.decode("04" - + "79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798" - + "483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8")); - return new X9ECParameters(curve, G, curve.getOrder(), curve.getCofactor(), S); - } - }; - - /* - * secp256r1 - */ - static X9ECParametersHolder secp256r1 = new X9ECParametersHolder() - { - protected X9ECParameters createParameters() - { - byte[] S = Hex.decode("C49D360886E704936A6678E1139D26B7819F7E90"); - ECCurve curve = configureCurve(new SecP256R1Curve()); - ECPoint G = curve.decodePoint(Hex.decode("04" - + "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296" - + "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5")); - return new X9ECParameters(curve, G, curve.getOrder(), curve.getCofactor(), S); - } - }; - - /* - * secp384r1 - */ - static X9ECParametersHolder secp384r1 = new X9ECParametersHolder() - { - protected X9ECParameters createParameters() - { - byte[] S = Hex.decode("A335926AA319A27A1D00896A6773A4827ACDAC73"); - ECCurve curve = configureCurve(new SecP384R1Curve()); - ECPoint G = curve.decodePoint(Hex.decode("04" - + "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7" - + "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F")); - return new X9ECParameters(curve, G, curve.getOrder(), curve.getCofactor(), S); - } - }; - - /* - * secp521r1 - */ - static X9ECParametersHolder secp521r1 = new X9ECParametersHolder() - { - protected X9ECParameters createParameters() - { - byte[] S = Hex.decode("D09E8800291CB85396CC6717393284AAA0DA64BA"); - ECCurve curve = configureCurve(new SecP521R1Curve()); - ECPoint G = curve.decodePoint(Hex.decode("04" - + "00C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66" - + "011839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650")); - return new X9ECParameters(curve, G, curve.getOrder(), curve.getCofactor(), S); - } - }; - - static final Hashtable nameToCurve = new Hashtable(); - static final Hashtable nameToOID = new Hashtable(); - static final Hashtable oidToCurve = new Hashtable(); - static final Hashtable oidToName = new Hashtable(); - - static void defineCurve(String name, X9ECParametersHolder holder) - { - nameToCurve.put(name, holder); - } - - static void defineCurveWithOID(String name, ASN1ObjectIdentifier oid, X9ECParametersHolder holder) - { - nameToCurve.put(name, holder); - nameToOID.put(name, oid); - oidToName.put(oid, name); - oidToCurve.put(oid, holder); - } - - static void defineCurveAlias(String alias, ASN1ObjectIdentifier oid) - { - alias = Strings.toLowerCase(alias); - nameToOID.put(alias, oid); - nameToCurve.put(alias, oidToCurve.get(oid)); - } - - static - { - defineCurve("curve25519", curve25519); - - defineCurveWithOID("secp192k1", SECObjectIdentifiers.secp192k1, secp192k1); - defineCurveWithOID("secp192r1", SECObjectIdentifiers.secp192r1, secp192r1); - defineCurveWithOID("secp224k1", SECObjectIdentifiers.secp224k1, secp224k1); - defineCurveWithOID("secp224r1", SECObjectIdentifiers.secp224r1, secp224r1); - defineCurveWithOID("secp256k1", SECObjectIdentifiers.secp256k1, secp256k1); - defineCurveWithOID("secp256r1", SECObjectIdentifiers.secp256r1, secp256r1); - defineCurveWithOID("secp384r1", SECObjectIdentifiers.secp384r1, secp384r1); - defineCurveWithOID("secp521r1", SECObjectIdentifiers.secp521r1, secp521r1); - - defineCurveAlias("P-192", SECObjectIdentifiers.secp192r1); - defineCurveAlias("P-224", SECObjectIdentifiers.secp224r1); - defineCurveAlias("P-256", SECObjectIdentifiers.secp256r1); - defineCurveAlias("P-384", SECObjectIdentifiers.secp384r1); - defineCurveAlias("P-521", SECObjectIdentifiers.secp521r1); - } - - public static X9ECParameters getByName(String name) - { - X9ECParametersHolder holder = (X9ECParametersHolder)nameToCurve.get(Strings.toLowerCase(name)); - return holder == null ? null : holder.getParameters(); - } - - /** - * return the X9ECParameters object for the named curve represented by the passed in object - * identifier. Null if the curve isn't present. - * - * @param oid - * an object identifier representing a named curve, if present. - */ - public static X9ECParameters getByOID(ASN1ObjectIdentifier oid) - { - X9ECParametersHolder holder = (X9ECParametersHolder)oidToCurve.get(oid); - return holder == null ? null : holder.getParameters(); - } - - /** - * return the object identifier signified by the passed in name. Null if there is no object - * identifier associated with name. - * - * @return the object identifier associated with name, if present. - */ - public static ASN1ObjectIdentifier getOID(String name) - { - return (ASN1ObjectIdentifier)nameToOID.get(Strings.toLowerCase(name)); - } - - /** - * return the named curve name represented by the given object identifier. - */ - public static String getName(ASN1ObjectIdentifier oid) - { - return (String)oidToName.get(oid); - } - - /** - * returns an enumeration containing the name strings for curves contained in this structure. - */ - public static Enumeration getNames() - { - return nameToCurve.keys(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/ec/ECDecryptor.java b/core/src/main/java/org/bouncycastle/crypto/ec/ECDecryptor.java deleted file mode 100644 index c4faf4c2..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/ec/ECDecryptor.java +++ /dev/null @@ -1,11 +0,0 @@ -package org.bouncycastle.crypto.ec; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.math.ec.ECPoint; - -public interface ECDecryptor -{ - void init(CipherParameters params); - - ECPoint decrypt(ECPair cipherText); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/ec/ECElGamalDecryptor.java b/core/src/main/java/org/bouncycastle/crypto/ec/ECElGamalDecryptor.java deleted file mode 100644 index 2f1c9374..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/ec/ECElGamalDecryptor.java +++ /dev/null @@ -1,48 +0,0 @@ -package org.bouncycastle.crypto.ec; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.params.ECPrivateKeyParameters; -import org.bouncycastle.math.ec.ECPoint; - -/** - * this does your basic decryption ElGamal style using EC - */ -public class ECElGamalDecryptor - implements ECDecryptor -{ - private ECPrivateKeyParameters key; - - /** - * initialise the decryptor. - * - * @param param the necessary EC key parameters. - */ - public void init( - CipherParameters param) - { - if (!(param instanceof ECPrivateKeyParameters)) - { - throw new IllegalArgumentException("ECPrivateKeyParameters are required for decryption."); - } - - this.key = (ECPrivateKeyParameters)param; - } - - /** - * Decrypt an EC pair producing the original EC point. - * - * @param pair the EC point pair to process. - * @return the result of the Elgamal process. - */ - public ECPoint decrypt(ECPair pair) - { - if (key == null) - { - throw new IllegalStateException("ECElGamalDecryptor not initialised"); - } - - ECPoint tmp = pair.getX().multiply(key.getD()); - - return pair.getY().subtract(tmp).normalize(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/ec/ECElGamalEncryptor.java b/core/src/main/java/org/bouncycastle/crypto/ec/ECElGamalEncryptor.java deleted file mode 100644 index 48fc0467..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/ec/ECElGamalEncryptor.java +++ /dev/null @@ -1,86 +0,0 @@ -package org.bouncycastle.crypto.ec; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.params.ECDomainParameters; -import org.bouncycastle.crypto.params.ECPublicKeyParameters; -import org.bouncycastle.crypto.params.ParametersWithRandom; -import org.bouncycastle.math.ec.ECMultiplier; -import org.bouncycastle.math.ec.ECPoint; -import org.bouncycastle.math.ec.FixedPointCombMultiplier; - -/** - * this does your basic ElGamal encryption algorithm using EC - */ -public class ECElGamalEncryptor - implements ECEncryptor -{ - private ECPublicKeyParameters key; - private SecureRandom random; - - /** - * initialise the encryptor. - * - * @param param the necessary EC key parameters. - */ - public void init( - CipherParameters param) - { - if (param instanceof ParametersWithRandom) - { - ParametersWithRandom p = (ParametersWithRandom)param; - - if (!(p.getParameters() instanceof ECPublicKeyParameters)) - { - throw new IllegalArgumentException("ECPublicKeyParameters are required for encryption."); - } - this.key = (ECPublicKeyParameters)p.getParameters(); - this.random = p.getRandom(); - } - else - { - if (!(param instanceof ECPublicKeyParameters)) - { - throw new IllegalArgumentException("ECPublicKeyParameters are required for encryption."); - } - - this.key = (ECPublicKeyParameters)param; - this.random = new SecureRandom(); - } - } - - /** - * Process a single EC point using the basic ElGamal algorithm. - * - * @param point the EC point to process. - * @return the result of the Elgamal process. - */ - public ECPair encrypt(ECPoint point) - { - if (key == null) - { - throw new IllegalStateException("ECElGamalEncryptor not initialised"); - } - - ECDomainParameters ec = key.getParameters(); - BigInteger k = ECUtil.generateK(ec.getN(), random); - - ECMultiplier basePointMultiplier = createBasePointMultiplier(); - - ECPoint[] gamma_phi = new ECPoint[]{ - basePointMultiplier.multiply(ec.getG(), k), - key.getQ().multiply(k).add(point) - }; - - ec.getCurve().normalizeAll(gamma_phi); - - return new ECPair(gamma_phi[0], gamma_phi[1]); - } - - protected ECMultiplier createBasePointMultiplier() - { - return new FixedPointCombMultiplier(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/ec/ECEncryptor.java b/core/src/main/java/org/bouncycastle/crypto/ec/ECEncryptor.java deleted file mode 100644 index 39704b94..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/ec/ECEncryptor.java +++ /dev/null @@ -1,11 +0,0 @@ -package org.bouncycastle.crypto.ec; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.math.ec.ECPoint; - -public interface ECEncryptor -{ - void init(CipherParameters params); - - ECPair encrypt(ECPoint point); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/ec/ECFixedTransform.java b/core/src/main/java/org/bouncycastle/crypto/ec/ECFixedTransform.java deleted file mode 100644 index 2c6a920b..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/ec/ECFixedTransform.java +++ /dev/null @@ -1,88 +0,0 @@ -package org.bouncycastle.crypto.ec; - -import java.math.BigInteger; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.params.ECDomainParameters; -import org.bouncycastle.crypto.params.ECPublicKeyParameters; -import org.bouncycastle.math.ec.ECMultiplier; -import org.bouncycastle.math.ec.ECPoint; -import org.bouncycastle.math.ec.FixedPointCombMultiplier; - -/** - * this transforms the original randomness used for an ElGamal encryption by a fixed value. - */ -public class ECFixedTransform - implements ECPairFactorTransform -{ - private ECPublicKeyParameters key; - - private BigInteger k; - - public ECFixedTransform(BigInteger k) - { - this.k = k; - } - - /** - * initialise the underlying EC ElGamal engine. - * - * @param param the necessary EC key parameters. - */ - public void init( - CipherParameters param) - { - if (!(param instanceof ECPublicKeyParameters)) - { - throw new IllegalArgumentException("ECPublicKeyParameters are required for fixed transform."); - } - - this.key = (ECPublicKeyParameters)param; - } - - /** - * Transform an existing cipher text pair using the ElGamal algorithm. Note: it is assumed this - * transform has been initialised with the same public key that was used to create the original - * cipher text. - * - * @param cipherText the EC point to process. - * @return returns a new ECPair representing the result of the process. - */ - public ECPair transform(ECPair cipherText) - { - if (key == null) - { - throw new IllegalStateException("ECFixedTransform not initialised"); - } - - ECDomainParameters ec = key.getParameters(); - BigInteger n = ec.getN(); - - ECMultiplier basePointMultiplier = createBasePointMultiplier(); - BigInteger k = this.k.mod(n); - - ECPoint[] gamma_phi = new ECPoint[]{ - basePointMultiplier.multiply(ec.getG(), k).add(cipherText.getX()), - key.getQ().multiply(k).add(cipherText.getY()) - }; - - ec.getCurve().normalizeAll(gamma_phi); - - return new ECPair(gamma_phi[0], gamma_phi[1]); - } - - /** - * Return the last transform value used by the transform - * - * @return a BigInteger representing k value. - */ - public BigInteger getTransformValue() - { - return k; - } - - protected ECMultiplier createBasePointMultiplier() - { - return new FixedPointCombMultiplier(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/ec/ECNewPublicKeyTransform.java b/core/src/main/java/org/bouncycastle/crypto/ec/ECNewPublicKeyTransform.java deleted file mode 100644 index 112d20c1..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/ec/ECNewPublicKeyTransform.java +++ /dev/null @@ -1,88 +0,0 @@ -package org.bouncycastle.crypto.ec; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.params.ECDomainParameters; -import org.bouncycastle.crypto.params.ECPublicKeyParameters; -import org.bouncycastle.crypto.params.ParametersWithRandom; -import org.bouncycastle.math.ec.ECMultiplier; -import org.bouncycastle.math.ec.ECPoint; -import org.bouncycastle.math.ec.FixedPointCombMultiplier; - -/** - * this does your basic Elgamal encryption algorithm using EC - */ -public class ECNewPublicKeyTransform - implements ECPairTransform -{ - private ECPublicKeyParameters key; - private SecureRandom random; - - /** - * initialise the EC Elgamal engine. - * - * @param param the necessary EC key parameters. - */ - public void init( - CipherParameters param) - { - if (param instanceof ParametersWithRandom) - { - ParametersWithRandom p = (ParametersWithRandom)param; - - if (!(p.getParameters() instanceof ECPublicKeyParameters)) - { - throw new IllegalArgumentException("ECPublicKeyParameters are required for new public key transform."); - } - this.key = (ECPublicKeyParameters)p.getParameters(); - this.random = p.getRandom(); - } - else - { - if (!(param instanceof ECPublicKeyParameters)) - { - throw new IllegalArgumentException("ECPublicKeyParameters are required for new public key transform."); - } - - this.key = (ECPublicKeyParameters)param; - this.random = new SecureRandom(); - } - } - - /** - * Transform an existing cipher text pair using the ElGamal algorithm. Note: the input cipherText will - * need to be preserved in order to complete the transformation to the new public key. - * - * @param cipherText the EC point to process. - * @return returns a new ECPair representing the result of the process. - */ - public ECPair transform(ECPair cipherText) - { - if (key == null) - { - throw new IllegalStateException("ECNewPublicKeyTransform not initialised"); - } - - ECDomainParameters ec = key.getParameters(); - BigInteger n = ec.getN(); - - ECMultiplier basePointMultiplier = createBasePointMultiplier(); - BigInteger k = ECUtil.generateK(n, random); - - ECPoint[] gamma_phi = new ECPoint[]{ - basePointMultiplier.multiply(ec.getG(), k), - key.getQ().multiply(k).add(cipherText.getY()) - }; - - ec.getCurve().normalizeAll(gamma_phi); - - return new ECPair(gamma_phi[0], gamma_phi[1]); - } - - protected ECMultiplier createBasePointMultiplier() - { - return new FixedPointCombMultiplier(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/ec/ECNewRandomnessTransform.java b/core/src/main/java/org/bouncycastle/crypto/ec/ECNewRandomnessTransform.java deleted file mode 100644 index 7bfc0b30..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/ec/ECNewRandomnessTransform.java +++ /dev/null @@ -1,105 +0,0 @@ -package org.bouncycastle.crypto.ec; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.params.ECDomainParameters; -import org.bouncycastle.crypto.params.ECPublicKeyParameters; -import org.bouncycastle.crypto.params.ParametersWithRandom; -import org.bouncycastle.math.ec.ECMultiplier; -import org.bouncycastle.math.ec.ECPoint; -import org.bouncycastle.math.ec.FixedPointCombMultiplier; - -/** - * this transforms the original randomness used for an ElGamal encryption. - */ -public class ECNewRandomnessTransform - implements ECPairFactorTransform -{ - private ECPublicKeyParameters key; - private SecureRandom random; - - private BigInteger lastK; - - /** - * initialise the underlying EC ElGamal engine. - * - * @param param the necessary EC key parameters. - */ - public void init( - CipherParameters param) - { - if (param instanceof ParametersWithRandom) - { - ParametersWithRandom p = (ParametersWithRandom)param; - - if (!(p.getParameters() instanceof ECPublicKeyParameters)) - { - throw new IllegalArgumentException("ECPublicKeyParameters are required for new randomness transform."); - } - - this.key = (ECPublicKeyParameters)p.getParameters(); - this.random = p.getRandom(); - } - else - { - if (!(param instanceof ECPublicKeyParameters)) - { - throw new IllegalArgumentException("ECPublicKeyParameters are required for new randomness transform."); - } - - this.key = (ECPublicKeyParameters)param; - this.random = new SecureRandom(); - } - } - - /** - * Transform an existing cipher test pair using the ElGamal algorithm. Note: it is assumed this - * transform has been initialised with the same public key that was used to create the original - * cipher text. - * - * @param cipherText the EC point to process. - * @return returns a new ECPair representing the result of the process. - */ - public ECPair transform(ECPair cipherText) - { - if (key == null) - { - throw new IllegalStateException("ECNewRandomnessTransform not initialised"); - } - - - ECDomainParameters ec = key.getParameters(); - BigInteger n = ec.getN(); - - ECMultiplier basePointMultiplier = createBasePointMultiplier(); - BigInteger k = ECUtil.generateK(n, random); - - ECPoint[] gamma_phi = new ECPoint[]{ - basePointMultiplier.multiply(ec.getG(), k).add(cipherText.getX()), - key.getQ().multiply(k).add(cipherText.getY()) - }; - - ec.getCurve().normalizeAll(gamma_phi); - - lastK = k; - - return new ECPair(gamma_phi[0], gamma_phi[1]); - } - - /** - * Return the last random value generated for a transform - * - * @return a BigInteger representing the last random value. - */ - public BigInteger getTransformValue() - { - return lastK; - } - - protected ECMultiplier createBasePointMultiplier() - { - return new FixedPointCombMultiplier(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/ec/ECPair.java b/core/src/main/java/org/bouncycastle/crypto/ec/ECPair.java deleted file mode 100644 index ea3b4b99..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/ec/ECPair.java +++ /dev/null @@ -1,40 +0,0 @@ -package org.bouncycastle.crypto.ec; - -import org.bouncycastle.math.ec.ECPoint; - -public class ECPair -{ - private final ECPoint x; - private final ECPoint y; - - public ECPair(ECPoint x, ECPoint y) - { - this.x = x; - this.y = y; - } - - public ECPoint getX() - { - return x; - } - - public ECPoint getY() - { - return y; - } - - public boolean equals(ECPair other) - { - return other.getX().equals(getX()) && other.getY().equals(getY()); - } - - public boolean equals(Object other) - { - return other instanceof ECPair ? equals((ECPair)other) : false; - } - - public int hashCode() - { - return x.hashCode() + 37 * y.hashCode(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/ec/ECPairFactorTransform.java b/core/src/main/java/org/bouncycastle/crypto/ec/ECPairFactorTransform.java deleted file mode 100644 index be485518..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/ec/ECPairFactorTransform.java +++ /dev/null @@ -1,14 +0,0 @@ -package org.bouncycastle.crypto.ec; - -import java.math.BigInteger; - -public interface ECPairFactorTransform - extends ECPairTransform -{ - /** - * Return the last value used to calculated a transform. - * - * @return a BigInteger representing the last transform value used. - */ - BigInteger getTransformValue(); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/ec/ECPairTransform.java b/core/src/main/java/org/bouncycastle/crypto/ec/ECPairTransform.java deleted file mode 100644 index e3f1787d..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/ec/ECPairTransform.java +++ /dev/null @@ -1,10 +0,0 @@ -package org.bouncycastle.crypto.ec; - -import org.bouncycastle.crypto.CipherParameters; - -public interface ECPairTransform -{ - void init(CipherParameters params); - - ECPair transform(ECPair cipherText); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/ec/ECUtil.java b/core/src/main/java/org/bouncycastle/crypto/ec/ECUtil.java deleted file mode 100644 index 74921f09..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/ec/ECUtil.java +++ /dev/null @@ -1,21 +0,0 @@ -package org.bouncycastle.crypto.ec; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.math.ec.ECConstants; - -class ECUtil -{ - static BigInteger generateK(BigInteger n, SecureRandom random) - { - int nBitLength = n.bitLength(); - BigInteger k; - do - { - k = new BigInteger(nBitLength, random); - } - while (k.equals(ECConstants.ZERO) || (k.compareTo(n) >= 0)); - return k; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/encodings/ISO9796d1Encoding.java b/core/src/main/java/org/bouncycastle/crypto/encodings/ISO9796d1Encoding.java deleted file mode 100644 index ec91e1ac..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/encodings/ISO9796d1Encoding.java +++ /dev/null @@ -1,287 +0,0 @@ -package org.bouncycastle.crypto.encodings; - -import java.math.BigInteger; - -import org.bouncycastle.crypto.AsymmetricBlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.InvalidCipherTextException; -import org.bouncycastle.crypto.params.ParametersWithRandom; -import org.bouncycastle.crypto.params.RSAKeyParameters; - -/** - * ISO 9796-1 padding. Note in the light of recent results you should - * only use this with RSA (rather than the "simpler" Rabin keys) and you - * should never use it with anything other than a hash (ie. even if the - * message is small don't sign the message, sign it's hash) or some "random" - * value. See your favorite search engine for details. - */ -public class ISO9796d1Encoding - implements AsymmetricBlockCipher -{ - private static final BigInteger SIXTEEN = BigInteger.valueOf(16L); - private static final BigInteger SIX = BigInteger.valueOf(6L); - - private static byte[] shadows = { 0xe, 0x3, 0x5, 0x8, 0x9, 0x4, 0x2, 0xf, - 0x0, 0xd, 0xb, 0x6, 0x7, 0xa, 0xc, 0x1 }; - private static byte[] inverse = { 0x8, 0xf, 0x6, 0x1, 0x5, 0x2, 0xb, 0xc, - 0x3, 0x4, 0xd, 0xa, 0xe, 0x9, 0x0, 0x7 }; - - private AsymmetricBlockCipher engine; - private boolean forEncryption; - private int bitSize; - private int padBits = 0; - private BigInteger modulus; - - public ISO9796d1Encoding( - AsymmetricBlockCipher cipher) - { - this.engine = cipher; - } - - public AsymmetricBlockCipher getUnderlyingCipher() - { - return engine; - } - - public void init( - boolean forEncryption, - CipherParameters param) - { - RSAKeyParameters kParam = null; - - if (param instanceof ParametersWithRandom) - { - ParametersWithRandom rParam = (ParametersWithRandom)param; - - kParam = (RSAKeyParameters)rParam.getParameters(); - } - else - { - kParam = (RSAKeyParameters)param; - } - - engine.init(forEncryption, param); - - modulus = kParam.getModulus(); - bitSize = modulus.bitLength(); - - this.forEncryption = forEncryption; - } - - /** - * return the input block size. The largest message we can process - * is (key_size_in_bits + 3)/16, which in our world comes to - * key_size_in_bytes / 2. - */ - public int getInputBlockSize() - { - int baseBlockSize = engine.getInputBlockSize(); - - if (forEncryption) - { - return (baseBlockSize + 1) / 2; - } - else - { - return baseBlockSize; - } - } - - /** - * return the maximum possible size for the output. - */ - public int getOutputBlockSize() - { - int baseBlockSize = engine.getOutputBlockSize(); - - if (forEncryption) - { - return baseBlockSize; - } - else - { - return (baseBlockSize + 1) / 2; - } - } - - /** - * set the number of bits in the next message to be treated as - * pad bits. - */ - public void setPadBits( - int padBits) - { - if (padBits > 7) - { - throw new IllegalArgumentException("padBits > 7"); - } - - this.padBits = padBits; - } - - /** - * retrieve the number of pad bits in the last decoded message. - */ - public int getPadBits() - { - return padBits; - } - - public byte[] processBlock( - byte[] in, - int inOff, - int inLen) - throws InvalidCipherTextException - { - if (forEncryption) - { - return encodeBlock(in, inOff, inLen); - } - else - { - return decodeBlock(in, inOff, inLen); - } - } - - private byte[] encodeBlock( - byte[] in, - int inOff, - int inLen) - throws InvalidCipherTextException - { - byte[] block = new byte[(bitSize + 7) / 8]; - int r = padBits + 1; - int z = inLen; - int t = (bitSize + 13) / 16; - - for (int i = 0; i < t; i += z) - { - if (i > t - z) - { - System.arraycopy(in, inOff + inLen - (t - i), - block, block.length - t, t - i); - } - else - { - System.arraycopy(in, inOff, block, block.length - (i + z), z); - } - } - - for (int i = block.length - 2 * t; i != block.length; i += 2) - { - byte val = block[block.length - t + i / 2]; - - block[i] = (byte)((shadows[(val & 0xff) >>> 4] << 4) - | shadows[val & 0x0f]); - block[i + 1] = val; - } - - block[block.length - 2 * z] ^= r; - block[block.length - 1] = (byte)((block[block.length - 1] << 4) | 0x06); - - int maxBit = (8 - (bitSize - 1) % 8); - int offSet = 0; - - if (maxBit != 8) - { - block[0] &= 0xff >>> maxBit; - block[0] |= 0x80 >>> maxBit; - } - else - { - block[0] = 0x00; - block[1] |= 0x80; - offSet = 1; - } - - return engine.processBlock(block, offSet, block.length - offSet); - } - - /** - * @exception InvalidCipherTextException if the decrypted block is not a valid ISO 9796 bit string - */ - private byte[] decodeBlock( - byte[] in, - int inOff, - int inLen) - throws InvalidCipherTextException - { - byte[] block = engine.processBlock(in, inOff, inLen); - int r = 1; - int t = (bitSize + 13) / 16; - - BigInteger iS = new BigInteger(1, block); - BigInteger iR; - if (iS.mod(SIXTEEN).equals(SIX)) - { - iR = iS; - } - else if ((modulus.subtract(iS)).mod(SIXTEEN).equals(SIX)) - { - iR = modulus.subtract(iS); - } - else - { - throw new InvalidCipherTextException("resulting integer iS or (modulus - iS) is not congruent to 6 mod 16"); - } - - block = convertOutputDecryptOnly(iR); - - if ((block[block.length - 1] & 0x0f) != 0x6 ) - { - throw new InvalidCipherTextException("invalid forcing byte in block"); - } - - block[block.length - 1] = (byte)(((block[block.length - 1] & 0xff) >>> 4) | ((inverse[(block[block.length - 2] & 0xff) >> 4]) << 4)); - block[0] = (byte)((shadows[(block[1] & 0xff) >>> 4] << 4) - | shadows[block[1] & 0x0f]); - - boolean boundaryFound = false; - int boundary = 0; - - for (int i = block.length - 1; i >= block.length - 2 * t; i -= 2) - { - int val = ((shadows[(block[i] & 0xff) >>> 4] << 4) - | shadows[block[i] & 0x0f]); - - if (((block[i - 1] ^ val) & 0xff) != 0) - { - if (!boundaryFound) - { - boundaryFound = true; - r = (block[i - 1] ^ val) & 0xff; - boundary = i - 1; - } - else - { - throw new InvalidCipherTextException("invalid tsums in block"); - } - } - } - - block[boundary] = 0; - - byte[] nblock = new byte[(block.length - boundary) / 2]; - - for (int i = 0; i < nblock.length; i++) - { - nblock[i] = block[2 * i + boundary + 1]; - } - - padBits = r - 1; - - return nblock; - } - - private static byte[] convertOutputDecryptOnly(BigInteger result) - { - byte[] output = result.toByteArray(); - if (output[0] == 0) // have ended up with an extra zero byte, copy down. - { - byte[] tmp = new byte[output.length - 1]; - System.arraycopy(output, 1, tmp, 0, tmp.length); - return tmp; - } - return output; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/encodings/OAEPEncoding.java b/core/src/main/java/org/bouncycastle/crypto/encodings/OAEPEncoding.java deleted file mode 100644 index 17d8e3b0..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/encodings/OAEPEncoding.java +++ /dev/null @@ -1,357 +0,0 @@ -package org.bouncycastle.crypto.encodings; - -import java.security.SecureRandom; - -import org.bouncycastle.crypto.AsymmetricBlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.InvalidCipherTextException; -import org.bouncycastle.crypto.digests.SHA1Digest; -import org.bouncycastle.crypto.params.ParametersWithRandom; - -/** - * Optimal Asymmetric Encryption Padding (OAEP) - see PKCS 1 V 2. - */ -public class OAEPEncoding - implements AsymmetricBlockCipher -{ - private byte[] defHash; - private Digest mgf1Hash; - - private AsymmetricBlockCipher engine; - private SecureRandom random; - private boolean forEncryption; - - public OAEPEncoding( - AsymmetricBlockCipher cipher) - { - this(cipher, new SHA1Digest(), null); - } - - public OAEPEncoding( - AsymmetricBlockCipher cipher, - Digest hash) - { - this(cipher, hash, null); - } - - public OAEPEncoding( - AsymmetricBlockCipher cipher, - Digest hash, - byte[] encodingParams) - { - this(cipher, hash, hash, encodingParams); - } - - public OAEPEncoding( - AsymmetricBlockCipher cipher, - Digest hash, - Digest mgf1Hash, - byte[] encodingParams) - { - this.engine = cipher; - this.mgf1Hash = mgf1Hash; - this.defHash = new byte[hash.getDigestSize()]; - - hash.reset(); - - if (encodingParams != null) - { - hash.update(encodingParams, 0, encodingParams.length); - } - - hash.doFinal(defHash, 0); - } - - public AsymmetricBlockCipher getUnderlyingCipher() - { - return engine; - } - - public void init( - boolean forEncryption, - CipherParameters param) - { - if (param instanceof ParametersWithRandom) - { - ParametersWithRandom rParam = (ParametersWithRandom)param; - - this.random = rParam.getRandom(); - } - else - { - this.random = new SecureRandom(); - } - - engine.init(forEncryption, param); - - this.forEncryption = forEncryption; - } - - public int getInputBlockSize() - { - int baseBlockSize = engine.getInputBlockSize(); - - if (forEncryption) - { - return baseBlockSize - 1 - 2 * defHash.length; - } - else - { - return baseBlockSize; - } - } - - public int getOutputBlockSize() - { - int baseBlockSize = engine.getOutputBlockSize(); - - if (forEncryption) - { - return baseBlockSize; - } - else - { - return baseBlockSize - 1 - 2 * defHash.length; - } - } - - public byte[] processBlock( - byte[] in, - int inOff, - int inLen) - throws InvalidCipherTextException - { - if (forEncryption) - { - return encodeBlock(in, inOff, inLen); - } - else - { - return decodeBlock(in, inOff, inLen); - } - } - - public byte[] encodeBlock( - byte[] in, - int inOff, - int inLen) - throws InvalidCipherTextException - { - byte[] block = new byte[getInputBlockSize() + 1 + 2 * defHash.length]; - - // - // copy in the message - // - System.arraycopy(in, inOff, block, block.length - inLen, inLen); - - // - // add sentinel - // - block[block.length - inLen - 1] = 0x01; - - // - // as the block is already zeroed - there's no need to add PS (the >= 0 pad of 0) - // - - // - // add the hash of the encoding params. - // - System.arraycopy(defHash, 0, block, defHash.length, defHash.length); - - // - // generate the seed. - // - byte[] seed = new byte[defHash.length]; - - random.nextBytes(seed); - - // - // mask the message block. - // - byte[] mask = maskGeneratorFunction1(seed, 0, seed.length, block.length - defHash.length); - - for (int i = defHash.length; i != block.length; i++) - { - block[i] ^= mask[i - defHash.length]; - } - - // - // add in the seed - // - System.arraycopy(seed, 0, block, 0, defHash.length); - - // - // mask the seed. - // - mask = maskGeneratorFunction1( - block, defHash.length, block.length - defHash.length, defHash.length); - - for (int i = 0; i != defHash.length; i++) - { - block[i] ^= mask[i]; - } - - return engine.processBlock(block, 0, block.length); - } - - /** - * @exception InvalidCipherTextException if the decrypted block turns out to - * be badly formatted. - */ - public byte[] decodeBlock( - byte[] in, - int inOff, - int inLen) - throws InvalidCipherTextException - { - byte[] data = engine.processBlock(in, inOff, inLen); - byte[] block; - - // - // as we may have zeros in our leading bytes for the block we produced - // on encryption, we need to make sure our decrypted block comes back - // the same size. - // - if (data.length < engine.getOutputBlockSize()) - { - block = new byte[engine.getOutputBlockSize()]; - - System.arraycopy(data, 0, block, block.length - data.length, data.length); - } - else - { - block = data; - } - - if (block.length < (2 * defHash.length) + 1) - { - throw new InvalidCipherTextException("data too short"); - } - - // - // unmask the seed. - // - byte[] mask = maskGeneratorFunction1( - block, defHash.length, block.length - defHash.length, defHash.length); - - for (int i = 0; i != defHash.length; i++) - { - block[i] ^= mask[i]; - } - - // - // unmask the message block. - // - mask = maskGeneratorFunction1(block, 0, defHash.length, block.length - defHash.length); - - for (int i = defHash.length; i != block.length; i++) - { - block[i] ^= mask[i - defHash.length]; - } - - // - // check the hash of the encoding params. - // long check to try to avoid this been a source of a timing attack. - // - boolean defHashWrong = false; - - for (int i = 0; i != defHash.length; i++) - { - if (defHash[i] != block[defHash.length + i]) - { - defHashWrong = true; - } - } - - if (defHashWrong) - { - throw new InvalidCipherTextException("data hash wrong"); - } - - // - // find the data block - // - int start; - - for (start = 2 * defHash.length; start != block.length; start++) - { - if (block[start] != 0) - { - break; - } - } - - if (start >= (block.length - 1) || block[start] != 1) - { - throw new InvalidCipherTextException("data start wrong " + start); - } - - start++; - - // - // extract the data block - // - byte[] output = new byte[block.length - start]; - - System.arraycopy(block, start, output, 0, output.length); - - return output; - } - - /** - * int to octet string. - */ - private void ItoOSP( - int i, - byte[] sp) - { - sp[0] = (byte)(i >>> 24); - sp[1] = (byte)(i >>> 16); - sp[2] = (byte)(i >>> 8); - sp[3] = (byte)(i >>> 0); - } - - /** - * mask generator function, as described in PKCS1v2. - */ - private byte[] maskGeneratorFunction1( - byte[] Z, - int zOff, - int zLen, - int length) - { - byte[] mask = new byte[length]; - byte[] hashBuf = new byte[mgf1Hash.getDigestSize()]; - byte[] C = new byte[4]; - int counter = 0; - - mgf1Hash.reset(); - - while (counter < (length / hashBuf.length)) - { - ItoOSP(counter, C); - - mgf1Hash.update(Z, zOff, zLen); - mgf1Hash.update(C, 0, C.length); - mgf1Hash.doFinal(hashBuf, 0); - - System.arraycopy(hashBuf, 0, mask, counter * hashBuf.length, hashBuf.length); - - counter++; - } - - if ((counter * hashBuf.length) < length) - { - ItoOSP(counter, C); - - mgf1Hash.update(Z, zOff, zLen); - mgf1Hash.update(C, 0, C.length); - mgf1Hash.doFinal(hashBuf, 0); - - System.arraycopy(hashBuf, 0, mask, counter * hashBuf.length, mask.length - (counter * hashBuf.length)); - } - - return mask; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/encodings/PKCS1Encoding.java b/core/src/main/java/org/bouncycastle/crypto/encodings/PKCS1Encoding.java deleted file mode 100644 index dec40f01..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/encodings/PKCS1Encoding.java +++ /dev/null @@ -1,418 +0,0 @@ -package org.bouncycastle.crypto.encodings; - -import java.security.AccessController; -import java.security.PrivilegedAction; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.AsymmetricBlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.InvalidCipherTextException; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.params.ParametersWithRandom; - -/** - * this does your basic PKCS 1 v1.5 padding - whether or not you should be using this - * depends on your application - see PKCS1 Version 2 for details. - */ -public class PKCS1Encoding - implements AsymmetricBlockCipher -{ - /** - * some providers fail to include the leading zero in PKCS1 encoded blocks. If you need to - * work with one of these set the system property org.bouncycastle.pkcs1.strict to false. - * <p> - * The system property is checked during construction of the encoding object, it is set to - * true by default. - * </p> - */ - public static final String STRICT_LENGTH_ENABLED_PROPERTY = "org.bouncycastle.pkcs1.strict"; - - private static final int HEADER_LENGTH = 10; - - private SecureRandom random; - private AsymmetricBlockCipher engine; - private boolean forEncryption; - private boolean forPrivateKey; - private boolean useStrictLength; - private int pLen = -1; - private byte[] fallback = null; - - /** - * Basic constructor. - * @param cipher - */ - public PKCS1Encoding( - AsymmetricBlockCipher cipher) - { - this.engine = cipher; - this.useStrictLength = useStrict(); - } - - /** - * Constructor for decryption with a fixed plaintext length. - * - * @param cipher The cipher to use for cryptographic operation. - * @param pLen Length of the expected plaintext. - */ - public PKCS1Encoding( - AsymmetricBlockCipher cipher, - int pLen) - { - this.engine = cipher; - this.useStrictLength = useStrict(); - this.pLen = pLen; - } - - /** - * Constructor for decryption with a fixed plaintext length and a fallback - * value that is returned, if the padding is incorrect. - * - * @param cipher - * The cipher to use for cryptographic operation. - * @param fallback - * The fallback value, we don't to a arraycopy here. - */ - public PKCS1Encoding( - AsymmetricBlockCipher cipher, - byte[] fallback) - { - this.engine = cipher; - this.useStrictLength = useStrict(); - this.fallback = fallback; - this.pLen = fallback.length; - } - - - - // - // for J2ME compatibility - // - private boolean useStrict() - { - // required if security manager has been installed. - String strict = (String)AccessController.doPrivileged(new PrivilegedAction() - { - public Object run() - { - return System.getProperty(STRICT_LENGTH_ENABLED_PROPERTY); - } - }); - - return strict == null || strict.equals("true"); - } - - public AsymmetricBlockCipher getUnderlyingCipher() - { - return engine; - } - - public void init( - boolean forEncryption, - CipherParameters param) - { - AsymmetricKeyParameter kParam; - - if (param instanceof ParametersWithRandom) - { - ParametersWithRandom rParam = (ParametersWithRandom)param; - - this.random = rParam.getRandom(); - kParam = (AsymmetricKeyParameter)rParam.getParameters(); - } - else - { - this.random = new SecureRandom(); - kParam = (AsymmetricKeyParameter)param; - } - - engine.init(forEncryption, param); - - this.forPrivateKey = kParam.isPrivate(); - this.forEncryption = forEncryption; - } - - public int getInputBlockSize() - { - int baseBlockSize = engine.getInputBlockSize(); - - if (forEncryption) - { - return baseBlockSize - HEADER_LENGTH; - } - else - { - return baseBlockSize; - } - } - - public int getOutputBlockSize() - { - int baseBlockSize = engine.getOutputBlockSize(); - - if (forEncryption) - { - return baseBlockSize; - } - else - { - return baseBlockSize - HEADER_LENGTH; - } - } - - public byte[] processBlock( - byte[] in, - int inOff, - int inLen) - throws InvalidCipherTextException - { - if (forEncryption) - { - return encodeBlock(in, inOff, inLen); - } - else - { - return decodeBlock(in, inOff, inLen); - } - } - - private byte[] encodeBlock( - byte[] in, - int inOff, - int inLen) - throws InvalidCipherTextException - { - if (inLen > getInputBlockSize()) - { - throw new IllegalArgumentException("input data too large"); - } - - byte[] block = new byte[engine.getInputBlockSize()]; - - if (forPrivateKey) - { - block[0] = 0x01; // type code 1 - - for (int i = 1; i != block.length - inLen - 1; i++) - { - block[i] = (byte)0xFF; - } - } - else - { - random.nextBytes(block); // random fill - - block[0] = 0x02; // type code 2 - - // - // a zero byte marks the end of the padding, so all - // the pad bytes must be non-zero. - // - for (int i = 1; i != block.length - inLen - 1; i++) - { - while (block[i] == 0) - { - block[i] = (byte)random.nextInt(); - } - } - } - - block[block.length - inLen - 1] = 0x00; // mark the end of the padding - System.arraycopy(in, inOff, block, block.length - inLen, inLen); - - return engine.processBlock(block, 0, block.length); - } - - /** - * Checks if the argument is a correctly PKCS#1.5 encoded Plaintext - * for encryption. - * - * @param encoded The Plaintext. - * @param pLen Expected length of the plaintext. - * @return Either 0, if the encoding is correct, or -1, if it is incorrect. - */ - private static int checkPkcs1Encoding(byte[] encoded, int pLen) { - int correct = 0; - /* - * Check if the first two bytes are 0 2 - */ - correct |= (encoded[0] ^ 2); - - /* - * Now the padding check, check for no 0 byte in the padding - */ - int plen = encoded.length - ( - pLen /* Lenght of the PMS */ - + 1 /* Final 0-byte before PMS */ - ); - - for (int i = 1; i < plen; i++) { - int tmp = encoded[i]; - tmp |= tmp >> 1; - tmp |= tmp >> 2; - tmp |= tmp >> 4; - correct |= (tmp & 1) - 1; - } - - /* - * Make sure the padding ends with a 0 byte. - */ - correct |= encoded[encoded.length - (pLen +1)]; - - /* - * Return 0 or 1, depending on the result. - */ - correct |= correct >> 1; - correct |= correct >> 2; - correct |= correct >> 4; - return ~((correct & 1) - 1); - } - - - /** - * Decode PKCS#1.5 encoding, and return a random value if the padding is not correct. - * - * @param in The encrypted block. - * @param inOff Offset in the encrypted block. - * @param inLen Length of the encrypted block. - * //@param pLen Length of the desired output. - * @return The plaintext without padding, or a random value if the padding was incorrect. - * - * @throws InvalidCipherTextException - */ - private byte[] decodeBlockOrRandom(byte[] in, int inOff, int inLen) - throws InvalidCipherTextException - { - if (!forPrivateKey) - { - throw new InvalidCipherTextException("sorry, this method is only for decryption, not for signing"); - } - - byte[] block = engine.processBlock(in, inOff, inLen); - byte[] random = null; - if (this.fallback == null) - { - random = new byte[this.pLen]; - this.random.nextBytes(random); - } - else - { - random = fallback; - } - - /* - * TODO: This is a potential dangerous side channel. However, you can - * fix this by changing the RSA engine in a way, that it will always - * return blocks of the same length and prepend them with 0 bytes if - * needed. - */ - if (block.length < getOutputBlockSize()) - { - throw new InvalidCipherTextException("block truncated"); - } - - /* - * TODO: Potential side channel. Fix it by making the engine always - * return blocks of the correct length. - */ - if (useStrictLength && block.length != engine.getOutputBlockSize()) - { - throw new InvalidCipherTextException("block incorrect size"); - } - - /* - * Check the padding. - */ - int correct = PKCS1Encoding.checkPkcs1Encoding(block, this.pLen); - - /* - * Now, to a constant time constant memory copy of the decrypted value - * or the random value, depending on the validity of the padding. - */ - byte[] result = new byte[this.pLen]; - for (int i = 0; i < this.pLen; i++) - { - result[i] = (byte)((block[i + (block.length - pLen)] & (~correct)) | (random[i] & correct)); - } - - return result; - } - - /** - * @exception InvalidCipherTextException if the decrypted block is not in PKCS1 format. - */ - private byte[] decodeBlock( - byte[] in, - int inOff, - int inLen) - throws InvalidCipherTextException - { - /* - * If the length of the expected plaintext is known, we use a constant-time decryption. - * If the decryption fails, we return a random value. - */ - if (this.pLen != -1) { - return this.decodeBlockOrRandom(in, inOff, inLen); - } - - byte[] block = engine.processBlock(in, inOff, inLen); - - if (block.length < getOutputBlockSize()) - { - throw new InvalidCipherTextException("block truncated"); - } - - byte type = block[0]; - - if (forPrivateKey) - { - if (type != 2) - { - throw new InvalidCipherTextException("unknown block type"); - } - } - else - { - if (type != 1) - { - throw new InvalidCipherTextException("unknown block type"); - } - } - - if (useStrictLength && block.length != engine.getOutputBlockSize()) - { - throw new InvalidCipherTextException("block incorrect size"); - } - - // - // find and extract the message block. - // - int start; - - for (start = 1; start != block.length; start++) - { - byte pad = block[start]; - - if (pad == 0) - { - break; - } - if (type == 1 && pad != (byte)0xff) - { - throw new InvalidCipherTextException("block padding incorrect"); - } - } - - start++; // data should start at the next byte - - if (start > block.length || start < HEADER_LENGTH) - { - throw new InvalidCipherTextException("no data in block"); - } - - byte[] result = new byte[block.length - start]; - - System.arraycopy(block, start, result, 0, result.length); - - return result; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/AESEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/AESEngine.java deleted file mode 100644 index a0fd0840..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/AESEngine.java +++ /dev/null @@ -1,537 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.params.KeyParameter; - -/** - * an implementation of the AES (Rijndael), from FIPS-197. - * <p> - * For further details see: <a href="http://csrc.nist.gov/encryption/aes/">http://csrc.nist.gov/encryption/aes/</a>. - * - * This implementation is based on optimizations from Dr. Brian Gladman's paper and C code at - * <a href="http://fp.gladman.plus.com/cryptography_technology/rijndael/">http://fp.gladman.plus.com/cryptography_technology/rijndael/</a> - * - * There are three levels of tradeoff of speed vs memory - * Because java has no preprocessor, they are written as three separate classes from which to choose - * - * The fastest uses 8Kbytes of static tables to precompute round calculations, 4 256 word tables for encryption - * and 4 for decryption. - * - * The middle performance version uses only one 256 word table for each, for a total of 2Kbytes, - * adding 12 rotate operations per round to compute the values contained in the other tables from - * the contents of the first. - * - * The slowest version uses no static tables at all and computes the values in each round. - * <p> - * This file contains the middle performance version with 2Kbytes of static tables for round precomputation. - * - */ -public class AESEngine - implements BlockCipher -{ - // The S box - private static final byte[] S = { - (byte)99, (byte)124, (byte)119, (byte)123, (byte)242, (byte)107, (byte)111, (byte)197, - (byte)48, (byte)1, (byte)103, (byte)43, (byte)254, (byte)215, (byte)171, (byte)118, - (byte)202, (byte)130, (byte)201, (byte)125, (byte)250, (byte)89, (byte)71, (byte)240, - (byte)173, (byte)212, (byte)162, (byte)175, (byte)156, (byte)164, (byte)114, (byte)192, - (byte)183, (byte)253, (byte)147, (byte)38, (byte)54, (byte)63, (byte)247, (byte)204, - (byte)52, (byte)165, (byte)229, (byte)241, (byte)113, (byte)216, (byte)49, (byte)21, - (byte)4, (byte)199, (byte)35, (byte)195, (byte)24, (byte)150, (byte)5, (byte)154, - (byte)7, (byte)18, (byte)128, (byte)226, (byte)235, (byte)39, (byte)178, (byte)117, - (byte)9, (byte)131, (byte)44, (byte)26, (byte)27, (byte)110, (byte)90, (byte)160, - (byte)82, (byte)59, (byte)214, (byte)179, (byte)41, (byte)227, (byte)47, (byte)132, - (byte)83, (byte)209, (byte)0, (byte)237, (byte)32, (byte)252, (byte)177, (byte)91, - (byte)106, (byte)203, (byte)190, (byte)57, (byte)74, (byte)76, (byte)88, (byte)207, - (byte)208, (byte)239, (byte)170, (byte)251, (byte)67, (byte)77, (byte)51, (byte)133, - (byte)69, (byte)249, (byte)2, (byte)127, (byte)80, (byte)60, (byte)159, (byte)168, - (byte)81, (byte)163, (byte)64, (byte)143, (byte)146, (byte)157, (byte)56, (byte)245, - (byte)188, (byte)182, (byte)218, (byte)33, (byte)16, (byte)255, (byte)243, (byte)210, - (byte)205, (byte)12, (byte)19, (byte)236, (byte)95, (byte)151, (byte)68, (byte)23, - (byte)196, (byte)167, (byte)126, (byte)61, (byte)100, (byte)93, (byte)25, (byte)115, - (byte)96, (byte)129, (byte)79, (byte)220, (byte)34, (byte)42, (byte)144, (byte)136, - (byte)70, (byte)238, (byte)184, (byte)20, (byte)222, (byte)94, (byte)11, (byte)219, - (byte)224, (byte)50, (byte)58, (byte)10, (byte)73, (byte)6, (byte)36, (byte)92, - (byte)194, (byte)211, (byte)172, (byte)98, (byte)145, (byte)149, (byte)228, (byte)121, - (byte)231, (byte)200, (byte)55, (byte)109, (byte)141, (byte)213, (byte)78, (byte)169, - (byte)108, (byte)86, (byte)244, (byte)234, (byte)101, (byte)122, (byte)174, (byte)8, - (byte)186, (byte)120, (byte)37, (byte)46, (byte)28, (byte)166, (byte)180, (byte)198, - (byte)232, (byte)221, (byte)116, (byte)31, (byte)75, (byte)189, (byte)139, (byte)138, - (byte)112, (byte)62, (byte)181, (byte)102, (byte)72, (byte)3, (byte)246, (byte)14, - (byte)97, (byte)53, (byte)87, (byte)185, (byte)134, (byte)193, (byte)29, (byte)158, - (byte)225, (byte)248, (byte)152, (byte)17, (byte)105, (byte)217, (byte)142, (byte)148, - (byte)155, (byte)30, (byte)135, (byte)233, (byte)206, (byte)85, (byte)40, (byte)223, - (byte)140, (byte)161, (byte)137, (byte)13, (byte)191, (byte)230, (byte)66, (byte)104, - (byte)65, (byte)153, (byte)45, (byte)15, (byte)176, (byte)84, (byte)187, (byte)22, - }; - - // The inverse S-box - private static final byte[] Si = { - (byte)82, (byte)9, (byte)106, (byte)213, (byte)48, (byte)54, (byte)165, (byte)56, - (byte)191, (byte)64, (byte)163, (byte)158, (byte)129, (byte)243, (byte)215, (byte)251, - (byte)124, (byte)227, (byte)57, (byte)130, (byte)155, (byte)47, (byte)255, (byte)135, - (byte)52, (byte)142, (byte)67, (byte)68, (byte)196, (byte)222, (byte)233, (byte)203, - (byte)84, (byte)123, (byte)148, (byte)50, (byte)166, (byte)194, (byte)35, (byte)61, - (byte)238, (byte)76, (byte)149, (byte)11, (byte)66, (byte)250, (byte)195, (byte)78, - (byte)8, (byte)46, (byte)161, (byte)102, (byte)40, (byte)217, (byte)36, (byte)178, - (byte)118, (byte)91, (byte)162, (byte)73, (byte)109, (byte)139, (byte)209, (byte)37, - (byte)114, (byte)248, (byte)246, (byte)100, (byte)134, (byte)104, (byte)152, (byte)22, - (byte)212, (byte)164, (byte)92, (byte)204, (byte)93, (byte)101, (byte)182, (byte)146, - (byte)108, (byte)112, (byte)72, (byte)80, (byte)253, (byte)237, (byte)185, (byte)218, - (byte)94, (byte)21, (byte)70, (byte)87, (byte)167, (byte)141, (byte)157, (byte)132, - (byte)144, (byte)216, (byte)171, (byte)0, (byte)140, (byte)188, (byte)211, (byte)10, - (byte)247, (byte)228, (byte)88, (byte)5, (byte)184, (byte)179, (byte)69, (byte)6, - (byte)208, (byte)44, (byte)30, (byte)143, (byte)202, (byte)63, (byte)15, (byte)2, - (byte)193, (byte)175, (byte)189, (byte)3, (byte)1, (byte)19, (byte)138, (byte)107, - (byte)58, (byte)145, (byte)17, (byte)65, (byte)79, (byte)103, (byte)220, (byte)234, - (byte)151, (byte)242, (byte)207, (byte)206, (byte)240, (byte)180, (byte)230, (byte)115, - (byte)150, (byte)172, (byte)116, (byte)34, (byte)231, (byte)173, (byte)53, (byte)133, - (byte)226, (byte)249, (byte)55, (byte)232, (byte)28, (byte)117, (byte)223, (byte)110, - (byte)71, (byte)241, (byte)26, (byte)113, (byte)29, (byte)41, (byte)197, (byte)137, - (byte)111, (byte)183, (byte)98, (byte)14, (byte)170, (byte)24, (byte)190, (byte)27, - (byte)252, (byte)86, (byte)62, (byte)75, (byte)198, (byte)210, (byte)121, (byte)32, - (byte)154, (byte)219, (byte)192, (byte)254, (byte)120, (byte)205, (byte)90, (byte)244, - (byte)31, (byte)221, (byte)168, (byte)51, (byte)136, (byte)7, (byte)199, (byte)49, - (byte)177, (byte)18, (byte)16, (byte)89, (byte)39, (byte)128, (byte)236, (byte)95, - (byte)96, (byte)81, (byte)127, (byte)169, (byte)25, (byte)181, (byte)74, (byte)13, - (byte)45, (byte)229, (byte)122, (byte)159, (byte)147, (byte)201, (byte)156, (byte)239, - (byte)160, (byte)224, (byte)59, (byte)77, (byte)174, (byte)42, (byte)245, (byte)176, - (byte)200, (byte)235, (byte)187, (byte)60, (byte)131, (byte)83, (byte)153, (byte)97, - (byte)23, (byte)43, (byte)4, (byte)126, (byte)186, (byte)119, (byte)214, (byte)38, - (byte)225, (byte)105, (byte)20, (byte)99, (byte)85, (byte)33, (byte)12, (byte)125, - }; - - // vector used in calculating key schedule (powers of x in GF(256)) - private static final int[] rcon = { - 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, - 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91 }; - - // precomputation tables of calculations for rounds - private static final int[] T0 = - { - 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, 0x0df2f2ff, - 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591, 0x50303060, 0x03010102, - 0xa96767ce, 0x7d2b2b56, 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, - 0x9a7676ec, 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa, - 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb, 0xecadad41, - 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45, 0xbf9c9c23, 0xf7a4a453, - 0x967272e4, 0x5bc0c09b, 0xc2b7b775, 0x1cfdfde1, 0xae93933d, - 0x6a26264c, 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83, - 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9, 0x937171e2, - 0x73d8d8ab, 0x53313162, 0x3f15152a, 0x0c040408, 0x52c7c795, - 0x65232346, 0x5ec3c39d, 0x28181830, 0xa1969637, 0x0f05050a, - 0xb59a9a2f, 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df, - 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea, 0x1b090912, - 0x9e83831d, 0x742c2c58, 0x2e1a1a34, 0x2d1b1b36, 0xb26e6edc, - 0xee5a5ab4, 0xfba0a05b, 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, - 0xceb3b37d, 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413, - 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1, 0x60202040, - 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6, 0xbe6a6ad4, 0x46cbcb8d, - 0xd9bebe67, 0x4b393972, 0xde4a4a94, 0xd44c4c98, 0xe85858b0, - 0x4acfcf85, 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed, - 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511, 0xcf45458a, - 0x10f9f9e9, 0x06020204, 0x817f7ffe, 0xf05050a0, 0x443c3c78, - 0xba9f9f25, 0xe3a8a84b, 0xf35151a2, 0xfea3a35d, 0xc0404080, - 0x8a8f8f05, 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1, - 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142, 0x30101020, - 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf, 0x4ccdcd81, 0x140c0c18, - 0x35131326, 0x2fececc3, 0xe15f5fbe, 0xa2979735, 0xcc444488, - 0x3917172e, 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a, - 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6, 0xa06060c0, - 0x98818119, 0xd14f4f9e, 0x7fdcdca3, 0x66222244, 0x7e2a2a54, - 0xab90903b, 0x8388880b, 0xca46468c, 0x29eeeec7, 0xd3b8b86b, - 0x3c141428, 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad, - 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14, 0xdb494992, - 0x0a06060c, 0x6c242448, 0xe45c5cb8, 0x5dc2c29f, 0x6ed3d3bd, - 0xefacac43, 0xa66262c4, 0xa8919139, 0xa4959531, 0x37e4e4d3, - 0x8b7979f2, 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda, - 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949, 0xb46c6cd8, - 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf, 0xaf6565ca, 0x8e7a7af4, - 0xe9aeae47, 0x18080810, 0xd5baba6f, 0x887878f0, 0x6f25254a, - 0x722e2e5c, 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697, - 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e, 0xdd4b4b96, - 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f, 0x907070e0, 0x423e3e7c, - 0xc4b5b571, 0xaa6666cc, 0xd8484890, 0x05030306, 0x01f6f6f7, - 0x120e0e1c, 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969, - 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27, 0x38e1e1d9, - 0x13f8f8eb, 0xb398982b, 0x33111122, 0xbb6969d2, 0x70d9d9a9, - 0x898e8e07, 0xa7949433, 0xb69b9b2d, 0x221e1e3c, 0x92878715, - 0x20e9e9c9, 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5, - 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a, 0xdabfbf65, - 0x31e6e6d7, 0xc6424284, 0xb86868d0, 0xc3414182, 0xb0999929, - 0x772d2d5a, 0x110f0f1e, 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, - 0x3a16162c}; - -private static final int[] Tinv0 = - { - 0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a, 0xcb6bab3b, - 0xf1459d1f, 0xab58faac, 0x9303e34b, 0x55fa3020, 0xf66d76ad, - 0x9176cc88, 0x254c02f5, 0xfcd7e54f, 0xd7cb2ac5, 0x80443526, - 0x8fa362b5, 0x495ab1de, 0x671bba25, 0x980eea45, 0xe1c0fe5d, - 0x02752fc3, 0x12f04c81, 0xa397468d, 0xc6f9d36b, 0xe75f8f03, - 0x959c9215, 0xeb7a6dbf, 0xda595295, 0x2d83bed4, 0xd3217458, - 0x2969e049, 0x44c8c98e, 0x6a89c275, 0x78798ef4, 0x6b3e5899, - 0xdd71b927, 0xb64fe1be, 0x17ad88f0, 0x66ac20c9, 0xb43ace7d, - 0x184adf63, 0x82311ae5, 0x60335197, 0x457f5362, 0xe07764b1, - 0x84ae6bbb, 0x1ca081fe, 0x942b08f9, 0x58684870, 0x19fd458f, - 0x876cde94, 0xb7f87b52, 0x23d373ab, 0xe2024b72, 0x578f1fe3, - 0x2aab5566, 0x0728ebb2, 0x03c2b52f, 0x9a7bc586, 0xa50837d3, - 0xf2872830, 0xb2a5bf23, 0xba6a0302, 0x5c8216ed, 0x2b1ccf8a, - 0x92b479a7, 0xf0f207f3, 0xa1e2694e, 0xcdf4da65, 0xd5be0506, - 0x1f6234d1, 0x8afea6c4, 0x9d532e34, 0xa055f3a2, 0x32e18a05, - 0x75ebf6a4, 0x39ec830b, 0xaaef6040, 0x069f715e, 0x51106ebd, - 0xf98a213e, 0x3d06dd96, 0xae053edd, 0x46bde64d, 0xb58d5491, - 0x055dc471, 0x6fd40604, 0xff155060, 0x24fb9819, 0x97e9bdd6, - 0xcc434089, 0x779ed967, 0xbd42e8b0, 0x888b8907, 0x385b19e7, - 0xdbeec879, 0x470a7ca1, 0xe90f427c, 0xc91e84f8, 0x00000000, - 0x83868009, 0x48ed2b32, 0xac70111e, 0x4e725a6c, 0xfbff0efd, - 0x5638850f, 0x1ed5ae3d, 0x27392d36, 0x64d90f0a, 0x21a65c68, - 0xd1545b9b, 0x3a2e3624, 0xb1670a0c, 0x0fe75793, 0xd296eeb4, - 0x9e919b1b, 0x4fc5c080, 0xa220dc61, 0x694b775a, 0x161a121c, - 0x0aba93e2, 0xe52aa0c0, 0x43e0223c, 0x1d171b12, 0x0b0d090e, - 0xadc78bf2, 0xb9a8b62d, 0xc8a91e14, 0x8519f157, 0x4c0775af, - 0xbbdd99ee, 0xfd607fa3, 0x9f2601f7, 0xbcf5725c, 0xc53b6644, - 0x347efb5b, 0x7629438b, 0xdcc623cb, 0x68fcedb6, 0x63f1e4b8, - 0xcadc31d7, 0x10856342, 0x40229713, 0x2011c684, 0x7d244a85, - 0xf83dbbd2, 0x1132f9ae, 0x6da129c7, 0x4b2f9e1d, 0xf330b2dc, - 0xec52860d, 0xd0e3c177, 0x6c16b32b, 0x99b970a9, 0xfa489411, - 0x2264e947, 0xc48cfca8, 0x1a3ff0a0, 0xd82c7d56, 0xef903322, - 0xc74e4987, 0xc1d138d9, 0xfea2ca8c, 0x360bd498, 0xcf81f5a6, - 0x28de7aa5, 0x268eb7da, 0xa4bfad3f, 0xe49d3a2c, 0x0d927850, - 0x9bcc5f6a, 0x62467e54, 0xc2138df6, 0xe8b8d890, 0x5ef7392e, - 0xf5afc382, 0xbe805d9f, 0x7c93d069, 0xa92dd56f, 0xb31225cf, - 0x3b99acc8, 0xa77d1810, 0x6e639ce8, 0x7bbb3bdb, 0x097826cd, - 0xf418596e, 0x01b79aec, 0xa89a4f83, 0x656e95e6, 0x7ee6ffaa, - 0x08cfbc21, 0xe6e815ef, 0xd99be7ba, 0xce366f4a, 0xd4099fea, - 0xd67cb029, 0xafb2a431, 0x31233f2a, 0x3094a5c6, 0xc066a235, - 0x37bc4e74, 0xa6ca82fc, 0xb0d090e0, 0x15d8a733, 0x4a9804f1, - 0xf7daec41, 0x0e50cd7f, 0x2ff69117, 0x8dd64d76, 0x4db0ef43, - 0x544daacc, 0xdf0496e4, 0xe3b5d19e, 0x1b886a4c, 0xb81f2cc1, - 0x7f516546, 0x04ea5e9d, 0x5d358c01, 0x737487fa, 0x2e410bfb, - 0x5a1d67b3, 0x52d2db92, 0x335610e9, 0x1347d66d, 0x8c61d79a, - 0x7a0ca137, 0x8e14f859, 0x893c13eb, 0xee27a9ce, 0x35c961b7, - 0xede51ce1, 0x3cb1477a, 0x59dfd29c, 0x3f73f255, 0x79ce1418, - 0xbf37c773, 0xeacdf753, 0x5baafd5f, 0x146f3ddf, 0x86db4478, - 0x81f3afca, 0x3ec468b9, 0x2c342438, 0x5f40a3c2, 0x72c31d16, - 0x0c25e2bc, 0x8b493c28, 0x41950dff, 0x7101a839, 0xdeb30c08, - 0x9ce4b4d8, 0x90c15664, 0x6184cb7b, 0x70b632d5, 0x745c6c48, - 0x4257b8d0}; - - private static int shift(int r, int shift) - { - return (r >>> shift) | (r << -shift); - } - - /* multiply four bytes in GF(2^8) by 'x' {02} in parallel */ - - private static final int m1 = 0x80808080; - private static final int m2 = 0x7f7f7f7f; - private static final int m3 = 0x0000001b; - - private static int FFmulX(int x) - { - return (((x & m2) << 1) ^ (((x & m1) >>> 7) * m3)); - } - - /* - The following defines provide alternative definitions of FFmulX that might - give improved performance if a fast 32-bit multiply is not available. - - private int FFmulX(int x) { int u = x & m1; u |= (u >> 1); return ((x & m2) << 1) ^ ((u >>> 3) | (u >>> 6)); } - private static final int m4 = 0x1b1b1b1b; - private int FFmulX(int x) { int u = x & m1; return ((x & m2) << 1) ^ ((u - (u >>> 7)) & m4); } - - */ - - private static int inv_mcol(int x) - { - int f2 = FFmulX(x); - int f4 = FFmulX(f2); - int f8 = FFmulX(f4); - int f9 = x ^ f8; - - return f2 ^ f4 ^ f8 ^ shift(f2 ^ f9, 8) ^ shift(f4 ^ f9, 16) ^ shift(f9, 24); - } - - private static int subWord(int x) - { - return (S[x&255]&255 | ((S[(x>>8)&255]&255)<<8) | ((S[(x>>16)&255]&255)<<16) | S[(x>>24)&255]<<24); - } - - /** - * Calculate the necessary round keys - * The number of calculations depends on key size and block size - * AES specified a fixed block size of 128 bits and key sizes 128/192/256 bits - * This code is written assuming those are the only possible values - */ - private int[][] generateWorkingKey( - byte[] key, - boolean forEncryption) - { - int KC = key.length / 4; // key length in words - int t; - - if (((KC != 4) && (KC != 6) && (KC != 8)) || ((KC * 4) != key.length)) - { - throw new IllegalArgumentException("Key length not 128/192/256 bits."); - } - - ROUNDS = KC + 6; // This is not always true for the generalized Rijndael that allows larger block sizes - int[][] W = new int[ROUNDS+1][4]; // 4 words in a block - - // - // copy the key into the round key array - // - - t = 0; - int i = 0; - while (i < key.length) - { - W[t >> 2][t & 3] = (key[i]&0xff) | ((key[i+1]&0xff) << 8) | ((key[i+2]&0xff) << 16) | (key[i+3] << 24); - i+=4; - t++; - } - - // - // while not enough round key material calculated - // calculate new values - // - int k = (ROUNDS + 1) << 2; - for (i = KC; (i < k); i++) - { - int temp = W[(i-1)>>2][(i-1)&3]; - if ((i % KC) == 0) - { - temp = subWord(shift(temp, 8)) ^ rcon[(i / KC)-1]; - } - else if ((KC > 6) && ((i % KC) == 4)) - { - temp = subWord(temp); - } - - W[i>>2][i&3] = W[(i - KC)>>2][(i-KC)&3] ^ temp; - } - - if (!forEncryption) - { - for (int j = 1; j < ROUNDS; j++) - { - for (i = 0; i < 4; i++) - { - W[j][i] = inv_mcol(W[j][i]); - } - } - } - - return W; - } - - private int ROUNDS; - private int[][] WorkingKey = null; - private int C0, C1, C2, C3; - private boolean forEncryption; - - private static final int BLOCK_SIZE = 16; - - /** - * default constructor - 128 bit block size. - */ - public AESEngine() - { - } - - /** - * initialise an AES cipher. - * - * @param forEncryption whether or not we are for encryption. - * @param params the parameters required to set up the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean forEncryption, - CipherParameters params) - { - if (params instanceof KeyParameter) - { - WorkingKey = generateWorkingKey(((KeyParameter)params).getKey(), forEncryption); - this.forEncryption = forEncryption; - return; - } - - throw new IllegalArgumentException("invalid parameter passed to AES init - " + params.getClass().getName()); - } - - public String getAlgorithmName() - { - return "AES"; - } - - public int getBlockSize() - { - return BLOCK_SIZE; - } - - public int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - if (WorkingKey == null) - { - throw new IllegalStateException("AES engine not initialised"); - } - - if ((inOff + (32 / 2)) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + (32 / 2)) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - if (forEncryption) - { - unpackBlock(in, inOff); - encryptBlock(WorkingKey); - packBlock(out, outOff); - } - else - { - unpackBlock(in, inOff); - decryptBlock(WorkingKey); - packBlock(out, outOff); - } - - return BLOCK_SIZE; - } - - public void reset() - { - } - - private void unpackBlock( - byte[] bytes, - int off) - { - int index = off; - - C0 = (bytes[index++] & 0xff); - C0 |= (bytes[index++] & 0xff) << 8; - C0 |= (bytes[index++] & 0xff) << 16; - C0 |= bytes[index++] << 24; - - C1 = (bytes[index++] & 0xff); - C1 |= (bytes[index++] & 0xff) << 8; - C1 |= (bytes[index++] & 0xff) << 16; - C1 |= bytes[index++] << 24; - - C2 = (bytes[index++] & 0xff); - C2 |= (bytes[index++] & 0xff) << 8; - C2 |= (bytes[index++] & 0xff) << 16; - C2 |= bytes[index++] << 24; - - C3 = (bytes[index++] & 0xff); - C3 |= (bytes[index++] & 0xff) << 8; - C3 |= (bytes[index++] & 0xff) << 16; - C3 |= bytes[index++] << 24; - } - - private void packBlock( - byte[] bytes, - int off) - { - int index = off; - - bytes[index++] = (byte)C0; - bytes[index++] = (byte)(C0 >> 8); - bytes[index++] = (byte)(C0 >> 16); - bytes[index++] = (byte)(C0 >> 24); - - bytes[index++] = (byte)C1; - bytes[index++] = (byte)(C1 >> 8); - bytes[index++] = (byte)(C1 >> 16); - bytes[index++] = (byte)(C1 >> 24); - - bytes[index++] = (byte)C2; - bytes[index++] = (byte)(C2 >> 8); - bytes[index++] = (byte)(C2 >> 16); - bytes[index++] = (byte)(C2 >> 24); - - bytes[index++] = (byte)C3; - bytes[index++] = (byte)(C3 >> 8); - bytes[index++] = (byte)(C3 >> 16); - bytes[index++] = (byte)(C3 >> 24); - } - - - private void encryptBlock(int[][] KW) - { - int t0 = this.C0 ^ KW[0][0]; - int t1 = this.C1 ^ KW[0][1]; - int t2 = this.C2 ^ KW[0][2]; - - int r = 1, r0, r1, r2, r3 = this.C3 ^ KW[0][3]; - while (r < ROUNDS - 1) - { - r0 = T0[t0&255] ^ shift(T0[(t1>>8)&255], 24) ^ shift(T0[(t2>>16)&255], 16) ^ shift(T0[(r3>>24)&255], 8) ^ KW[r][0]; - r1 = T0[t1&255] ^ shift(T0[(t2>>8)&255], 24) ^ shift(T0[(r3>>16)&255], 16) ^ shift(T0[(t0>>24)&255], 8) ^ KW[r][1]; - r2 = T0[t2&255] ^ shift(T0[(r3>>8)&255], 24) ^ shift(T0[(t0>>16)&255], 16) ^ shift(T0[(t1>>24)&255], 8) ^ KW[r][2]; - r3 = T0[r3&255] ^ shift(T0[(t0>>8)&255], 24) ^ shift(T0[(t1>>16)&255], 16) ^ shift(T0[(t2>>24)&255], 8) ^ KW[r++][3]; - t0 = T0[r0&255] ^ shift(T0[(r1>>8)&255], 24) ^ shift(T0[(r2>>16)&255], 16) ^ shift(T0[(r3>>24)&255], 8) ^ KW[r][0]; - t1 = T0[r1&255] ^ shift(T0[(r2>>8)&255], 24) ^ shift(T0[(r3>>16)&255], 16) ^ shift(T0[(r0>>24)&255], 8) ^ KW[r][1]; - t2 = T0[r2&255] ^ shift(T0[(r3>>8)&255], 24) ^ shift(T0[(r0>>16)&255], 16) ^ shift(T0[(r1>>24)&255], 8) ^ KW[r][2]; - r3 = T0[r3&255] ^ shift(T0[(r0>>8)&255], 24) ^ shift(T0[(r1>>16)&255], 16) ^ shift(T0[(r2>>24)&255], 8) ^ KW[r++][3]; - } - - r0 = T0[t0&255] ^ shift(T0[(t1>>8)&255], 24) ^ shift(T0[(t2>>16)&255], 16) ^ shift(T0[(r3>>24)&255], 8) ^ KW[r][0]; - r1 = T0[t1&255] ^ shift(T0[(t2>>8)&255], 24) ^ shift(T0[(r3>>16)&255], 16) ^ shift(T0[(t0>>24)&255], 8) ^ KW[r][1]; - r2 = T0[t2&255] ^ shift(T0[(r3>>8)&255], 24) ^ shift(T0[(t0>>16)&255], 16) ^ shift(T0[(t1>>24)&255], 8) ^ KW[r][2]; - r3 = T0[r3&255] ^ shift(T0[(t0>>8)&255], 24) ^ shift(T0[(t1>>16)&255], 16) ^ shift(T0[(t2>>24)&255], 8) ^ KW[r++][3]; - - // the final round's table is a simple function of S so we don't use a whole other four tables for it - - this.C0 = (S[r0&255]&255) ^ ((S[(r1>>8)&255]&255)<<8) ^ ((S[(r2>>16)&255]&255)<<16) ^ (S[(r3>>24)&255]<<24) ^ KW[r][0]; - this.C1 = (S[r1&255]&255) ^ ((S[(r2>>8)&255]&255)<<8) ^ ((S[(r3>>16)&255]&255)<<16) ^ (S[(r0>>24)&255]<<24) ^ KW[r][1]; - this.C2 = (S[r2&255]&255) ^ ((S[(r3>>8)&255]&255)<<8) ^ ((S[(r0>>16)&255]&255)<<16) ^ (S[(r1>>24)&255]<<24) ^ KW[r][2]; - this.C3 = (S[r3&255]&255) ^ ((S[(r0>>8)&255]&255)<<8) ^ ((S[(r1>>16)&255]&255)<<16) ^ (S[(r2>>24)&255]<<24) ^ KW[r][3]; - } - - private void decryptBlock(int[][] KW) - { - int t0 = this.C0 ^ KW[ROUNDS][0]; - int t1 = this.C1 ^ KW[ROUNDS][1]; - int t2 = this.C2 ^ KW[ROUNDS][2]; - - int r = ROUNDS - 1, r0, r1, r2, r3 = this.C3 ^ KW[ROUNDS][3]; - while (r > 1) - { - r0 = Tinv0[t0&255] ^ shift(Tinv0[(r3>>8)&255], 24) ^ shift(Tinv0[(t2>>16)&255], 16) ^ shift(Tinv0[(t1>>24)&255], 8) ^ KW[r][0]; - r1 = Tinv0[t1&255] ^ shift(Tinv0[(t0>>8)&255], 24) ^ shift(Tinv0[(r3>>16)&255], 16) ^ shift(Tinv0[(t2>>24)&255], 8) ^ KW[r][1]; - r2 = Tinv0[t2&255] ^ shift(Tinv0[(t1>>8)&255], 24) ^ shift(Tinv0[(t0>>16)&255], 16) ^ shift(Tinv0[(r3>>24)&255], 8) ^ KW[r][2]; - r3 = Tinv0[r3&255] ^ shift(Tinv0[(t2>>8)&255], 24) ^ shift(Tinv0[(t1>>16)&255], 16) ^ shift(Tinv0[(t0>>24)&255], 8) ^ KW[r--][3]; - t0 = Tinv0[r0&255] ^ shift(Tinv0[(r3>>8)&255], 24) ^ shift(Tinv0[(r2>>16)&255], 16) ^ shift(Tinv0[(r1>>24)&255], 8) ^ KW[r][0]; - t1 = Tinv0[r1&255] ^ shift(Tinv0[(r0>>8)&255], 24) ^ shift(Tinv0[(r3>>16)&255], 16) ^ shift(Tinv0[(r2>>24)&255], 8) ^ KW[r][1]; - t2 = Tinv0[r2&255] ^ shift(Tinv0[(r1>>8)&255], 24) ^ shift(Tinv0[(r0>>16)&255], 16) ^ shift(Tinv0[(r3>>24)&255], 8) ^ KW[r][2]; - r3 = Tinv0[r3&255] ^ shift(Tinv0[(r2>>8)&255], 24) ^ shift(Tinv0[(r1>>16)&255], 16) ^ shift(Tinv0[(r0>>24)&255], 8) ^ KW[r--][3]; - } - - r0 = Tinv0[t0&255] ^ shift(Tinv0[(r3>>8)&255], 24) ^ shift(Tinv0[(t2>>16)&255], 16) ^ shift(Tinv0[(t1>>24)&255], 8) ^ KW[r][0]; - r1 = Tinv0[t1&255] ^ shift(Tinv0[(t0>>8)&255], 24) ^ shift(Tinv0[(r3>>16)&255], 16) ^ shift(Tinv0[(t2>>24)&255], 8) ^ KW[r][1]; - r2 = Tinv0[t2&255] ^ shift(Tinv0[(t1>>8)&255], 24) ^ shift(Tinv0[(t0>>16)&255], 16) ^ shift(Tinv0[(r3>>24)&255], 8) ^ KW[r][2]; - r3 = Tinv0[r3&255] ^ shift(Tinv0[(t2>>8)&255], 24) ^ shift(Tinv0[(t1>>16)&255], 16) ^ shift(Tinv0[(t0>>24)&255], 8) ^ KW[r][3]; - - // the final round's table is a simple function of Si so we don't use a whole other four tables for it - - this.C0 = (Si[r0&255]&255) ^ ((Si[(r3>>8)&255]&255)<<8) ^ ((Si[(r2>>16)&255]&255)<<16) ^ (Si[(r1>>24)&255]<<24) ^ KW[0][0]; - this.C1 = (Si[r1&255]&255) ^ ((Si[(r0>>8)&255]&255)<<8) ^ ((Si[(r3>>16)&255]&255)<<16) ^ (Si[(r2>>24)&255]<<24) ^ KW[0][1]; - this.C2 = (Si[r2&255]&255) ^ ((Si[(r1>>8)&255]&255)<<8) ^ ((Si[(r0>>16)&255]&255)<<16) ^ (Si[(r3>>24)&255]<<24) ^ KW[0][2]; - this.C3 = (Si[r3&255]&255) ^ ((Si[(r2>>8)&255]&255)<<8) ^ ((Si[(r1>>16)&255]&255)<<16) ^ (Si[(r0>>24)&255]<<24) ^ KW[0][3]; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/AESFastEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/AESFastEngine.java deleted file mode 100644 index e2b00d3a..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/AESFastEngine.java +++ /dev/null @@ -1,928 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.util.Pack; - -/** - * an implementation of the AES (Rijndael), from FIPS-197. - * <p> - * For further details see: <a href="http://csrc.nist.gov/encryption/aes/">http://csrc.nist.gov/encryption/aes/</a>. - * - * This implementation is based on optimizations from Dr. Brian Gladman's paper and C code at - * <a href="http://fp.gladman.plus.com/cryptography_technology/rijndael/">http://fp.gladman.plus.com/cryptography_technology/rijndael/</a> - * - * There are three levels of tradeoff of speed vs memory - * Because java has no preprocessor, they are written as three separate classes from which to choose - * - * The fastest uses 8Kbytes of static tables to precompute round calculations, 4 256 word tables for encryption - * and 4 for decryption. - * - * The middle performance version uses only one 256 word table for each, for a total of 2Kbytes, - * adding 12 rotate operations per round to compute the values contained in the other tables from - * the contents of the first - * - * The slowest version uses no static tables at all and computes the values in each round - * <p> - * This file contains the fast version with 8Kbytes of static tables for round precomputation - * - */ -public class AESFastEngine - implements BlockCipher -{ - // The S box - private static final byte[] S = { - (byte)99, (byte)124, (byte)119, (byte)123, (byte)242, (byte)107, (byte)111, (byte)197, - (byte)48, (byte)1, (byte)103, (byte)43, (byte)254, (byte)215, (byte)171, (byte)118, - (byte)202, (byte)130, (byte)201, (byte)125, (byte)250, (byte)89, (byte)71, (byte)240, - (byte)173, (byte)212, (byte)162, (byte)175, (byte)156, (byte)164, (byte)114, (byte)192, - (byte)183, (byte)253, (byte)147, (byte)38, (byte)54, (byte)63, (byte)247, (byte)204, - (byte)52, (byte)165, (byte)229, (byte)241, (byte)113, (byte)216, (byte)49, (byte)21, - (byte)4, (byte)199, (byte)35, (byte)195, (byte)24, (byte)150, (byte)5, (byte)154, - (byte)7, (byte)18, (byte)128, (byte)226, (byte)235, (byte)39, (byte)178, (byte)117, - (byte)9, (byte)131, (byte)44, (byte)26, (byte)27, (byte)110, (byte)90, (byte)160, - (byte)82, (byte)59, (byte)214, (byte)179, (byte)41, (byte)227, (byte)47, (byte)132, - (byte)83, (byte)209, (byte)0, (byte)237, (byte)32, (byte)252, (byte)177, (byte)91, - (byte)106, (byte)203, (byte)190, (byte)57, (byte)74, (byte)76, (byte)88, (byte)207, - (byte)208, (byte)239, (byte)170, (byte)251, (byte)67, (byte)77, (byte)51, (byte)133, - (byte)69, (byte)249, (byte)2, (byte)127, (byte)80, (byte)60, (byte)159, (byte)168, - (byte)81, (byte)163, (byte)64, (byte)143, (byte)146, (byte)157, (byte)56, (byte)245, - (byte)188, (byte)182, (byte)218, (byte)33, (byte)16, (byte)255, (byte)243, (byte)210, - (byte)205, (byte)12, (byte)19, (byte)236, (byte)95, (byte)151, (byte)68, (byte)23, - (byte)196, (byte)167, (byte)126, (byte)61, (byte)100, (byte)93, (byte)25, (byte)115, - (byte)96, (byte)129, (byte)79, (byte)220, (byte)34, (byte)42, (byte)144, (byte)136, - (byte)70, (byte)238, (byte)184, (byte)20, (byte)222, (byte)94, (byte)11, (byte)219, - (byte)224, (byte)50, (byte)58, (byte)10, (byte)73, (byte)6, (byte)36, (byte)92, - (byte)194, (byte)211, (byte)172, (byte)98, (byte)145, (byte)149, (byte)228, (byte)121, - (byte)231, (byte)200, (byte)55, (byte)109, (byte)141, (byte)213, (byte)78, (byte)169, - (byte)108, (byte)86, (byte)244, (byte)234, (byte)101, (byte)122, (byte)174, (byte)8, - (byte)186, (byte)120, (byte)37, (byte)46, (byte)28, (byte)166, (byte)180, (byte)198, - (byte)232, (byte)221, (byte)116, (byte)31, (byte)75, (byte)189, (byte)139, (byte)138, - (byte)112, (byte)62, (byte)181, (byte)102, (byte)72, (byte)3, (byte)246, (byte)14, - (byte)97, (byte)53, (byte)87, (byte)185, (byte)134, (byte)193, (byte)29, (byte)158, - (byte)225, (byte)248, (byte)152, (byte)17, (byte)105, (byte)217, (byte)142, (byte)148, - (byte)155, (byte)30, (byte)135, (byte)233, (byte)206, (byte)85, (byte)40, (byte)223, - (byte)140, (byte)161, (byte)137, (byte)13, (byte)191, (byte)230, (byte)66, (byte)104, - (byte)65, (byte)153, (byte)45, (byte)15, (byte)176, (byte)84, (byte)187, (byte)22, - }; - - // The inverse S-box - private static final byte[] Si = { - (byte)82, (byte)9, (byte)106, (byte)213, (byte)48, (byte)54, (byte)165, (byte)56, - (byte)191, (byte)64, (byte)163, (byte)158, (byte)129, (byte)243, (byte)215, (byte)251, - (byte)124, (byte)227, (byte)57, (byte)130, (byte)155, (byte)47, (byte)255, (byte)135, - (byte)52, (byte)142, (byte)67, (byte)68, (byte)196, (byte)222, (byte)233, (byte)203, - (byte)84, (byte)123, (byte)148, (byte)50, (byte)166, (byte)194, (byte)35, (byte)61, - (byte)238, (byte)76, (byte)149, (byte)11, (byte)66, (byte)250, (byte)195, (byte)78, - (byte)8, (byte)46, (byte)161, (byte)102, (byte)40, (byte)217, (byte)36, (byte)178, - (byte)118, (byte)91, (byte)162, (byte)73, (byte)109, (byte)139, (byte)209, (byte)37, - (byte)114, (byte)248, (byte)246, (byte)100, (byte)134, (byte)104, (byte)152, (byte)22, - (byte)212, (byte)164, (byte)92, (byte)204, (byte)93, (byte)101, (byte)182, (byte)146, - (byte)108, (byte)112, (byte)72, (byte)80, (byte)253, (byte)237, (byte)185, (byte)218, - (byte)94, (byte)21, (byte)70, (byte)87, (byte)167, (byte)141, (byte)157, (byte)132, - (byte)144, (byte)216, (byte)171, (byte)0, (byte)140, (byte)188, (byte)211, (byte)10, - (byte)247, (byte)228, (byte)88, (byte)5, (byte)184, (byte)179, (byte)69, (byte)6, - (byte)208, (byte)44, (byte)30, (byte)143, (byte)202, (byte)63, (byte)15, (byte)2, - (byte)193, (byte)175, (byte)189, (byte)3, (byte)1, (byte)19, (byte)138, (byte)107, - (byte)58, (byte)145, (byte)17, (byte)65, (byte)79, (byte)103, (byte)220, (byte)234, - (byte)151, (byte)242, (byte)207, (byte)206, (byte)240, (byte)180, (byte)230, (byte)115, - (byte)150, (byte)172, (byte)116, (byte)34, (byte)231, (byte)173, (byte)53, (byte)133, - (byte)226, (byte)249, (byte)55, (byte)232, (byte)28, (byte)117, (byte)223, (byte)110, - (byte)71, (byte)241, (byte)26, (byte)113, (byte)29, (byte)41, (byte)197, (byte)137, - (byte)111, (byte)183, (byte)98, (byte)14, (byte)170, (byte)24, (byte)190, (byte)27, - (byte)252, (byte)86, (byte)62, (byte)75, (byte)198, (byte)210, (byte)121, (byte)32, - (byte)154, (byte)219, (byte)192, (byte)254, (byte)120, (byte)205, (byte)90, (byte)244, - (byte)31, (byte)221, (byte)168, (byte)51, (byte)136, (byte)7, (byte)199, (byte)49, - (byte)177, (byte)18, (byte)16, (byte)89, (byte)39, (byte)128, (byte)236, (byte)95, - (byte)96, (byte)81, (byte)127, (byte)169, (byte)25, (byte)181, (byte)74, (byte)13, - (byte)45, (byte)229, (byte)122, (byte)159, (byte)147, (byte)201, (byte)156, (byte)239, - (byte)160, (byte)224, (byte)59, (byte)77, (byte)174, (byte)42, (byte)245, (byte)176, - (byte)200, (byte)235, (byte)187, (byte)60, (byte)131, (byte)83, (byte)153, (byte)97, - (byte)23, (byte)43, (byte)4, (byte)126, (byte)186, (byte)119, (byte)214, (byte)38, - (byte)225, (byte)105, (byte)20, (byte)99, (byte)85, (byte)33, (byte)12, (byte)125, - }; - - // vector used in calculating key schedule (powers of x in GF(256)) - private static final int[] rcon = { - 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, - 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91 }; - - // precomputation tables of calculations for rounds - private static final int[] T = - { - // T0 - 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, 0x0df2f2ff, - 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591, 0x50303060, 0x03010102, - 0xa96767ce, 0x7d2b2b56, 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, - 0x9a7676ec, 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa, - 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb, 0xecadad41, - 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45, 0xbf9c9c23, 0xf7a4a453, - 0x967272e4, 0x5bc0c09b, 0xc2b7b775, 0x1cfdfde1, 0xae93933d, - 0x6a26264c, 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83, - 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9, 0x937171e2, - 0x73d8d8ab, 0x53313162, 0x3f15152a, 0x0c040408, 0x52c7c795, - 0x65232346, 0x5ec3c39d, 0x28181830, 0xa1969637, 0x0f05050a, - 0xb59a9a2f, 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df, - 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea, 0x1b090912, - 0x9e83831d, 0x742c2c58, 0x2e1a1a34, 0x2d1b1b36, 0xb26e6edc, - 0xee5a5ab4, 0xfba0a05b, 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, - 0xceb3b37d, 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413, - 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1, 0x60202040, - 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6, 0xbe6a6ad4, 0x46cbcb8d, - 0xd9bebe67, 0x4b393972, 0xde4a4a94, 0xd44c4c98, 0xe85858b0, - 0x4acfcf85, 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed, - 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511, 0xcf45458a, - 0x10f9f9e9, 0x06020204, 0x817f7ffe, 0xf05050a0, 0x443c3c78, - 0xba9f9f25, 0xe3a8a84b, 0xf35151a2, 0xfea3a35d, 0xc0404080, - 0x8a8f8f05, 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1, - 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142, 0x30101020, - 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf, 0x4ccdcd81, 0x140c0c18, - 0x35131326, 0x2fececc3, 0xe15f5fbe, 0xa2979735, 0xcc444488, - 0x3917172e, 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a, - 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6, 0xa06060c0, - 0x98818119, 0xd14f4f9e, 0x7fdcdca3, 0x66222244, 0x7e2a2a54, - 0xab90903b, 0x8388880b, 0xca46468c, 0x29eeeec7, 0xd3b8b86b, - 0x3c141428, 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad, - 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14, 0xdb494992, - 0x0a06060c, 0x6c242448, 0xe45c5cb8, 0x5dc2c29f, 0x6ed3d3bd, - 0xefacac43, 0xa66262c4, 0xa8919139, 0xa4959531, 0x37e4e4d3, - 0x8b7979f2, 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda, - 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949, 0xb46c6cd8, - 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf, 0xaf6565ca, 0x8e7a7af4, - 0xe9aeae47, 0x18080810, 0xd5baba6f, 0x887878f0, 0x6f25254a, - 0x722e2e5c, 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697, - 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e, 0xdd4b4b96, - 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f, 0x907070e0, 0x423e3e7c, - 0xc4b5b571, 0xaa6666cc, 0xd8484890, 0x05030306, 0x01f6f6f7, - 0x120e0e1c, 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969, - 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27, 0x38e1e1d9, - 0x13f8f8eb, 0xb398982b, 0x33111122, 0xbb6969d2, 0x70d9d9a9, - 0x898e8e07, 0xa7949433, 0xb69b9b2d, 0x221e1e3c, 0x92878715, - 0x20e9e9c9, 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5, - 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a, 0xdabfbf65, - 0x31e6e6d7, 0xc6424284, 0xb86868d0, 0xc3414182, 0xb0999929, - 0x772d2d5a, 0x110f0f1e, 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, - 0x3a16162c, - - // T1 - 0x6363c6a5, 0x7c7cf884, 0x7777ee99, 0x7b7bf68d, 0xf2f2ff0d, - 0x6b6bd6bd, 0x6f6fdeb1, 0xc5c59154, 0x30306050, 0x01010203, - 0x6767cea9, 0x2b2b567d, 0xfefee719, 0xd7d7b562, 0xabab4de6, - 0x7676ec9a, 0xcaca8f45, 0x82821f9d, 0xc9c98940, 0x7d7dfa87, - 0xfafaef15, 0x5959b2eb, 0x47478ec9, 0xf0f0fb0b, 0xadad41ec, - 0xd4d4b367, 0xa2a25ffd, 0xafaf45ea, 0x9c9c23bf, 0xa4a453f7, - 0x7272e496, 0xc0c09b5b, 0xb7b775c2, 0xfdfde11c, 0x93933dae, - 0x26264c6a, 0x36366c5a, 0x3f3f7e41, 0xf7f7f502, 0xcccc834f, - 0x3434685c, 0xa5a551f4, 0xe5e5d134, 0xf1f1f908, 0x7171e293, - 0xd8d8ab73, 0x31316253, 0x15152a3f, 0x0404080c, 0xc7c79552, - 0x23234665, 0xc3c39d5e, 0x18183028, 0x969637a1, 0x05050a0f, - 0x9a9a2fb5, 0x07070e09, 0x12122436, 0x80801b9b, 0xe2e2df3d, - 0xebebcd26, 0x27274e69, 0xb2b27fcd, 0x7575ea9f, 0x0909121b, - 0x83831d9e, 0x2c2c5874, 0x1a1a342e, 0x1b1b362d, 0x6e6edcb2, - 0x5a5ab4ee, 0xa0a05bfb, 0x5252a4f6, 0x3b3b764d, 0xd6d6b761, - 0xb3b37dce, 0x2929527b, 0xe3e3dd3e, 0x2f2f5e71, 0x84841397, - 0x5353a6f5, 0xd1d1b968, 0x00000000, 0xededc12c, 0x20204060, - 0xfcfce31f, 0xb1b179c8, 0x5b5bb6ed, 0x6a6ad4be, 0xcbcb8d46, - 0xbebe67d9, 0x3939724b, 0x4a4a94de, 0x4c4c98d4, 0x5858b0e8, - 0xcfcf854a, 0xd0d0bb6b, 0xefefc52a, 0xaaaa4fe5, 0xfbfbed16, - 0x434386c5, 0x4d4d9ad7, 0x33336655, 0x85851194, 0x45458acf, - 0xf9f9e910, 0x02020406, 0x7f7ffe81, 0x5050a0f0, 0x3c3c7844, - 0x9f9f25ba, 0xa8a84be3, 0x5151a2f3, 0xa3a35dfe, 0x404080c0, - 0x8f8f058a, 0x92923fad, 0x9d9d21bc, 0x38387048, 0xf5f5f104, - 0xbcbc63df, 0xb6b677c1, 0xdadaaf75, 0x21214263, 0x10102030, - 0xffffe51a, 0xf3f3fd0e, 0xd2d2bf6d, 0xcdcd814c, 0x0c0c1814, - 0x13132635, 0xececc32f, 0x5f5fbee1, 0x979735a2, 0x444488cc, - 0x17172e39, 0xc4c49357, 0xa7a755f2, 0x7e7efc82, 0x3d3d7a47, - 0x6464c8ac, 0x5d5dbae7, 0x1919322b, 0x7373e695, 0x6060c0a0, - 0x81811998, 0x4f4f9ed1, 0xdcdca37f, 0x22224466, 0x2a2a547e, - 0x90903bab, 0x88880b83, 0x46468cca, 0xeeeec729, 0xb8b86bd3, - 0x1414283c, 0xdedea779, 0x5e5ebce2, 0x0b0b161d, 0xdbdbad76, - 0xe0e0db3b, 0x32326456, 0x3a3a744e, 0x0a0a141e, 0x494992db, - 0x06060c0a, 0x2424486c, 0x5c5cb8e4, 0xc2c29f5d, 0xd3d3bd6e, - 0xacac43ef, 0x6262c4a6, 0x919139a8, 0x959531a4, 0xe4e4d337, - 0x7979f28b, 0xe7e7d532, 0xc8c88b43, 0x37376e59, 0x6d6ddab7, - 0x8d8d018c, 0xd5d5b164, 0x4e4e9cd2, 0xa9a949e0, 0x6c6cd8b4, - 0x5656acfa, 0xf4f4f307, 0xeaeacf25, 0x6565caaf, 0x7a7af48e, - 0xaeae47e9, 0x08081018, 0xbaba6fd5, 0x7878f088, 0x25254a6f, - 0x2e2e5c72, 0x1c1c3824, 0xa6a657f1, 0xb4b473c7, 0xc6c69751, - 0xe8e8cb23, 0xdddda17c, 0x7474e89c, 0x1f1f3e21, 0x4b4b96dd, - 0xbdbd61dc, 0x8b8b0d86, 0x8a8a0f85, 0x7070e090, 0x3e3e7c42, - 0xb5b571c4, 0x6666ccaa, 0x484890d8, 0x03030605, 0xf6f6f701, - 0x0e0e1c12, 0x6161c2a3, 0x35356a5f, 0x5757aef9, 0xb9b969d0, - 0x86861791, 0xc1c19958, 0x1d1d3a27, 0x9e9e27b9, 0xe1e1d938, - 0xf8f8eb13, 0x98982bb3, 0x11112233, 0x6969d2bb, 0xd9d9a970, - 0x8e8e0789, 0x949433a7, 0x9b9b2db6, 0x1e1e3c22, 0x87871592, - 0xe9e9c920, 0xcece8749, 0x5555aaff, 0x28285078, 0xdfdfa57a, - 0x8c8c038f, 0xa1a159f8, 0x89890980, 0x0d0d1a17, 0xbfbf65da, - 0xe6e6d731, 0x424284c6, 0x6868d0b8, 0x414182c3, 0x999929b0, - 0x2d2d5a77, 0x0f0f1e11, 0xb0b07bcb, 0x5454a8fc, 0xbbbb6dd6, - 0x16162c3a, - - // T2 - 0x63c6a563, 0x7cf8847c, 0x77ee9977, 0x7bf68d7b, 0xf2ff0df2, - 0x6bd6bd6b, 0x6fdeb16f, 0xc59154c5, 0x30605030, 0x01020301, - 0x67cea967, 0x2b567d2b, 0xfee719fe, 0xd7b562d7, 0xab4de6ab, - 0x76ec9a76, 0xca8f45ca, 0x821f9d82, 0xc98940c9, 0x7dfa877d, - 0xfaef15fa, 0x59b2eb59, 0x478ec947, 0xf0fb0bf0, 0xad41ecad, - 0xd4b367d4, 0xa25ffda2, 0xaf45eaaf, 0x9c23bf9c, 0xa453f7a4, - 0x72e49672, 0xc09b5bc0, 0xb775c2b7, 0xfde11cfd, 0x933dae93, - 0x264c6a26, 0x366c5a36, 0x3f7e413f, 0xf7f502f7, 0xcc834fcc, - 0x34685c34, 0xa551f4a5, 0xe5d134e5, 0xf1f908f1, 0x71e29371, - 0xd8ab73d8, 0x31625331, 0x152a3f15, 0x04080c04, 0xc79552c7, - 0x23466523, 0xc39d5ec3, 0x18302818, 0x9637a196, 0x050a0f05, - 0x9a2fb59a, 0x070e0907, 0x12243612, 0x801b9b80, 0xe2df3de2, - 0xebcd26eb, 0x274e6927, 0xb27fcdb2, 0x75ea9f75, 0x09121b09, - 0x831d9e83, 0x2c58742c, 0x1a342e1a, 0x1b362d1b, 0x6edcb26e, - 0x5ab4ee5a, 0xa05bfba0, 0x52a4f652, 0x3b764d3b, 0xd6b761d6, - 0xb37dceb3, 0x29527b29, 0xe3dd3ee3, 0x2f5e712f, 0x84139784, - 0x53a6f553, 0xd1b968d1, 0x00000000, 0xedc12ced, 0x20406020, - 0xfce31ffc, 0xb179c8b1, 0x5bb6ed5b, 0x6ad4be6a, 0xcb8d46cb, - 0xbe67d9be, 0x39724b39, 0x4a94de4a, 0x4c98d44c, 0x58b0e858, - 0xcf854acf, 0xd0bb6bd0, 0xefc52aef, 0xaa4fe5aa, 0xfbed16fb, - 0x4386c543, 0x4d9ad74d, 0x33665533, 0x85119485, 0x458acf45, - 0xf9e910f9, 0x02040602, 0x7ffe817f, 0x50a0f050, 0x3c78443c, - 0x9f25ba9f, 0xa84be3a8, 0x51a2f351, 0xa35dfea3, 0x4080c040, - 0x8f058a8f, 0x923fad92, 0x9d21bc9d, 0x38704838, 0xf5f104f5, - 0xbc63dfbc, 0xb677c1b6, 0xdaaf75da, 0x21426321, 0x10203010, - 0xffe51aff, 0xf3fd0ef3, 0xd2bf6dd2, 0xcd814ccd, 0x0c18140c, - 0x13263513, 0xecc32fec, 0x5fbee15f, 0x9735a297, 0x4488cc44, - 0x172e3917, 0xc49357c4, 0xa755f2a7, 0x7efc827e, 0x3d7a473d, - 0x64c8ac64, 0x5dbae75d, 0x19322b19, 0x73e69573, 0x60c0a060, - 0x81199881, 0x4f9ed14f, 0xdca37fdc, 0x22446622, 0x2a547e2a, - 0x903bab90, 0x880b8388, 0x468cca46, 0xeec729ee, 0xb86bd3b8, - 0x14283c14, 0xdea779de, 0x5ebce25e, 0x0b161d0b, 0xdbad76db, - 0xe0db3be0, 0x32645632, 0x3a744e3a, 0x0a141e0a, 0x4992db49, - 0x060c0a06, 0x24486c24, 0x5cb8e45c, 0xc29f5dc2, 0xd3bd6ed3, - 0xac43efac, 0x62c4a662, 0x9139a891, 0x9531a495, 0xe4d337e4, - 0x79f28b79, 0xe7d532e7, 0xc88b43c8, 0x376e5937, 0x6ddab76d, - 0x8d018c8d, 0xd5b164d5, 0x4e9cd24e, 0xa949e0a9, 0x6cd8b46c, - 0x56acfa56, 0xf4f307f4, 0xeacf25ea, 0x65caaf65, 0x7af48e7a, - 0xae47e9ae, 0x08101808, 0xba6fd5ba, 0x78f08878, 0x254a6f25, - 0x2e5c722e, 0x1c38241c, 0xa657f1a6, 0xb473c7b4, 0xc69751c6, - 0xe8cb23e8, 0xdda17cdd, 0x74e89c74, 0x1f3e211f, 0x4b96dd4b, - 0xbd61dcbd, 0x8b0d868b, 0x8a0f858a, 0x70e09070, 0x3e7c423e, - 0xb571c4b5, 0x66ccaa66, 0x4890d848, 0x03060503, 0xf6f701f6, - 0x0e1c120e, 0x61c2a361, 0x356a5f35, 0x57aef957, 0xb969d0b9, - 0x86179186, 0xc19958c1, 0x1d3a271d, 0x9e27b99e, 0xe1d938e1, - 0xf8eb13f8, 0x982bb398, 0x11223311, 0x69d2bb69, 0xd9a970d9, - 0x8e07898e, 0x9433a794, 0x9b2db69b, 0x1e3c221e, 0x87159287, - 0xe9c920e9, 0xce8749ce, 0x55aaff55, 0x28507828, 0xdfa57adf, - 0x8c038f8c, 0xa159f8a1, 0x89098089, 0x0d1a170d, 0xbf65dabf, - 0xe6d731e6, 0x4284c642, 0x68d0b868, 0x4182c341, 0x9929b099, - 0x2d5a772d, 0x0f1e110f, 0xb07bcbb0, 0x54a8fc54, 0xbb6dd6bb, - 0x162c3a16, - - // T3 - 0xc6a56363, 0xf8847c7c, 0xee997777, 0xf68d7b7b, 0xff0df2f2, - 0xd6bd6b6b, 0xdeb16f6f, 0x9154c5c5, 0x60503030, 0x02030101, - 0xcea96767, 0x567d2b2b, 0xe719fefe, 0xb562d7d7, 0x4de6abab, - 0xec9a7676, 0x8f45caca, 0x1f9d8282, 0x8940c9c9, 0xfa877d7d, - 0xef15fafa, 0xb2eb5959, 0x8ec94747, 0xfb0bf0f0, 0x41ecadad, - 0xb367d4d4, 0x5ffda2a2, 0x45eaafaf, 0x23bf9c9c, 0x53f7a4a4, - 0xe4967272, 0x9b5bc0c0, 0x75c2b7b7, 0xe11cfdfd, 0x3dae9393, - 0x4c6a2626, 0x6c5a3636, 0x7e413f3f, 0xf502f7f7, 0x834fcccc, - 0x685c3434, 0x51f4a5a5, 0xd134e5e5, 0xf908f1f1, 0xe2937171, - 0xab73d8d8, 0x62533131, 0x2a3f1515, 0x080c0404, 0x9552c7c7, - 0x46652323, 0x9d5ec3c3, 0x30281818, 0x37a19696, 0x0a0f0505, - 0x2fb59a9a, 0x0e090707, 0x24361212, 0x1b9b8080, 0xdf3de2e2, - 0xcd26ebeb, 0x4e692727, 0x7fcdb2b2, 0xea9f7575, 0x121b0909, - 0x1d9e8383, 0x58742c2c, 0x342e1a1a, 0x362d1b1b, 0xdcb26e6e, - 0xb4ee5a5a, 0x5bfba0a0, 0xa4f65252, 0x764d3b3b, 0xb761d6d6, - 0x7dceb3b3, 0x527b2929, 0xdd3ee3e3, 0x5e712f2f, 0x13978484, - 0xa6f55353, 0xb968d1d1, 0x00000000, 0xc12ceded, 0x40602020, - 0xe31ffcfc, 0x79c8b1b1, 0xb6ed5b5b, 0xd4be6a6a, 0x8d46cbcb, - 0x67d9bebe, 0x724b3939, 0x94de4a4a, 0x98d44c4c, 0xb0e85858, - 0x854acfcf, 0xbb6bd0d0, 0xc52aefef, 0x4fe5aaaa, 0xed16fbfb, - 0x86c54343, 0x9ad74d4d, 0x66553333, 0x11948585, 0x8acf4545, - 0xe910f9f9, 0x04060202, 0xfe817f7f, 0xa0f05050, 0x78443c3c, - 0x25ba9f9f, 0x4be3a8a8, 0xa2f35151, 0x5dfea3a3, 0x80c04040, - 0x058a8f8f, 0x3fad9292, 0x21bc9d9d, 0x70483838, 0xf104f5f5, - 0x63dfbcbc, 0x77c1b6b6, 0xaf75dada, 0x42632121, 0x20301010, - 0xe51affff, 0xfd0ef3f3, 0xbf6dd2d2, 0x814ccdcd, 0x18140c0c, - 0x26351313, 0xc32fecec, 0xbee15f5f, 0x35a29797, 0x88cc4444, - 0x2e391717, 0x9357c4c4, 0x55f2a7a7, 0xfc827e7e, 0x7a473d3d, - 0xc8ac6464, 0xbae75d5d, 0x322b1919, 0xe6957373, 0xc0a06060, - 0x19988181, 0x9ed14f4f, 0xa37fdcdc, 0x44662222, 0x547e2a2a, - 0x3bab9090, 0x0b838888, 0x8cca4646, 0xc729eeee, 0x6bd3b8b8, - 0x283c1414, 0xa779dede, 0xbce25e5e, 0x161d0b0b, 0xad76dbdb, - 0xdb3be0e0, 0x64563232, 0x744e3a3a, 0x141e0a0a, 0x92db4949, - 0x0c0a0606, 0x486c2424, 0xb8e45c5c, 0x9f5dc2c2, 0xbd6ed3d3, - 0x43efacac, 0xc4a66262, 0x39a89191, 0x31a49595, 0xd337e4e4, - 0xf28b7979, 0xd532e7e7, 0x8b43c8c8, 0x6e593737, 0xdab76d6d, - 0x018c8d8d, 0xb164d5d5, 0x9cd24e4e, 0x49e0a9a9, 0xd8b46c6c, - 0xacfa5656, 0xf307f4f4, 0xcf25eaea, 0xcaaf6565, 0xf48e7a7a, - 0x47e9aeae, 0x10180808, 0x6fd5baba, 0xf0887878, 0x4a6f2525, - 0x5c722e2e, 0x38241c1c, 0x57f1a6a6, 0x73c7b4b4, 0x9751c6c6, - 0xcb23e8e8, 0xa17cdddd, 0xe89c7474, 0x3e211f1f, 0x96dd4b4b, - 0x61dcbdbd, 0x0d868b8b, 0x0f858a8a, 0xe0907070, 0x7c423e3e, - 0x71c4b5b5, 0xccaa6666, 0x90d84848, 0x06050303, 0xf701f6f6, - 0x1c120e0e, 0xc2a36161, 0x6a5f3535, 0xaef95757, 0x69d0b9b9, - 0x17918686, 0x9958c1c1, 0x3a271d1d, 0x27b99e9e, 0xd938e1e1, - 0xeb13f8f8, 0x2bb39898, 0x22331111, 0xd2bb6969, 0xa970d9d9, - 0x07898e8e, 0x33a79494, 0x2db69b9b, 0x3c221e1e, 0x15928787, - 0xc920e9e9, 0x8749cece, 0xaaff5555, 0x50782828, 0xa57adfdf, - 0x038f8c8c, 0x59f8a1a1, 0x09808989, 0x1a170d0d, 0x65dabfbf, - 0xd731e6e6, 0x84c64242, 0xd0b86868, 0x82c34141, 0x29b09999, - 0x5a772d2d, 0x1e110f0f, 0x7bcbb0b0, 0xa8fc5454, 0x6dd6bbbb, - 0x2c3a1616}; - - private static final int[] Tinv = - { - // Tinv0 - 0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a, 0xcb6bab3b, - 0xf1459d1f, 0xab58faac, 0x9303e34b, 0x55fa3020, 0xf66d76ad, - 0x9176cc88, 0x254c02f5, 0xfcd7e54f, 0xd7cb2ac5, 0x80443526, - 0x8fa362b5, 0x495ab1de, 0x671bba25, 0x980eea45, 0xe1c0fe5d, - 0x02752fc3, 0x12f04c81, 0xa397468d, 0xc6f9d36b, 0xe75f8f03, - 0x959c9215, 0xeb7a6dbf, 0xda595295, 0x2d83bed4, 0xd3217458, - 0x2969e049, 0x44c8c98e, 0x6a89c275, 0x78798ef4, 0x6b3e5899, - 0xdd71b927, 0xb64fe1be, 0x17ad88f0, 0x66ac20c9, 0xb43ace7d, - 0x184adf63, 0x82311ae5, 0x60335197, 0x457f5362, 0xe07764b1, - 0x84ae6bbb, 0x1ca081fe, 0x942b08f9, 0x58684870, 0x19fd458f, - 0x876cde94, 0xb7f87b52, 0x23d373ab, 0xe2024b72, 0x578f1fe3, - 0x2aab5566, 0x0728ebb2, 0x03c2b52f, 0x9a7bc586, 0xa50837d3, - 0xf2872830, 0xb2a5bf23, 0xba6a0302, 0x5c8216ed, 0x2b1ccf8a, - 0x92b479a7, 0xf0f207f3, 0xa1e2694e, 0xcdf4da65, 0xd5be0506, - 0x1f6234d1, 0x8afea6c4, 0x9d532e34, 0xa055f3a2, 0x32e18a05, - 0x75ebf6a4, 0x39ec830b, 0xaaef6040, 0x069f715e, 0x51106ebd, - 0xf98a213e, 0x3d06dd96, 0xae053edd, 0x46bde64d, 0xb58d5491, - 0x055dc471, 0x6fd40604, 0xff155060, 0x24fb9819, 0x97e9bdd6, - 0xcc434089, 0x779ed967, 0xbd42e8b0, 0x888b8907, 0x385b19e7, - 0xdbeec879, 0x470a7ca1, 0xe90f427c, 0xc91e84f8, 0x00000000, - 0x83868009, 0x48ed2b32, 0xac70111e, 0x4e725a6c, 0xfbff0efd, - 0x5638850f, 0x1ed5ae3d, 0x27392d36, 0x64d90f0a, 0x21a65c68, - 0xd1545b9b, 0x3a2e3624, 0xb1670a0c, 0x0fe75793, 0xd296eeb4, - 0x9e919b1b, 0x4fc5c080, 0xa220dc61, 0x694b775a, 0x161a121c, - 0x0aba93e2, 0xe52aa0c0, 0x43e0223c, 0x1d171b12, 0x0b0d090e, - 0xadc78bf2, 0xb9a8b62d, 0xc8a91e14, 0x8519f157, 0x4c0775af, - 0xbbdd99ee, 0xfd607fa3, 0x9f2601f7, 0xbcf5725c, 0xc53b6644, - 0x347efb5b, 0x7629438b, 0xdcc623cb, 0x68fcedb6, 0x63f1e4b8, - 0xcadc31d7, 0x10856342, 0x40229713, 0x2011c684, 0x7d244a85, - 0xf83dbbd2, 0x1132f9ae, 0x6da129c7, 0x4b2f9e1d, 0xf330b2dc, - 0xec52860d, 0xd0e3c177, 0x6c16b32b, 0x99b970a9, 0xfa489411, - 0x2264e947, 0xc48cfca8, 0x1a3ff0a0, 0xd82c7d56, 0xef903322, - 0xc74e4987, 0xc1d138d9, 0xfea2ca8c, 0x360bd498, 0xcf81f5a6, - 0x28de7aa5, 0x268eb7da, 0xa4bfad3f, 0xe49d3a2c, 0x0d927850, - 0x9bcc5f6a, 0x62467e54, 0xc2138df6, 0xe8b8d890, 0x5ef7392e, - 0xf5afc382, 0xbe805d9f, 0x7c93d069, 0xa92dd56f, 0xb31225cf, - 0x3b99acc8, 0xa77d1810, 0x6e639ce8, 0x7bbb3bdb, 0x097826cd, - 0xf418596e, 0x01b79aec, 0xa89a4f83, 0x656e95e6, 0x7ee6ffaa, - 0x08cfbc21, 0xe6e815ef, 0xd99be7ba, 0xce366f4a, 0xd4099fea, - 0xd67cb029, 0xafb2a431, 0x31233f2a, 0x3094a5c6, 0xc066a235, - 0x37bc4e74, 0xa6ca82fc, 0xb0d090e0, 0x15d8a733, 0x4a9804f1, - 0xf7daec41, 0x0e50cd7f, 0x2ff69117, 0x8dd64d76, 0x4db0ef43, - 0x544daacc, 0xdf0496e4, 0xe3b5d19e, 0x1b886a4c, 0xb81f2cc1, - 0x7f516546, 0x04ea5e9d, 0x5d358c01, 0x737487fa, 0x2e410bfb, - 0x5a1d67b3, 0x52d2db92, 0x335610e9, 0x1347d66d, 0x8c61d79a, - 0x7a0ca137, 0x8e14f859, 0x893c13eb, 0xee27a9ce, 0x35c961b7, - 0xede51ce1, 0x3cb1477a, 0x59dfd29c, 0x3f73f255, 0x79ce1418, - 0xbf37c773, 0xeacdf753, 0x5baafd5f, 0x146f3ddf, 0x86db4478, - 0x81f3afca, 0x3ec468b9, 0x2c342438, 0x5f40a3c2, 0x72c31d16, - 0x0c25e2bc, 0x8b493c28, 0x41950dff, 0x7101a839, 0xdeb30c08, - 0x9ce4b4d8, 0x90c15664, 0x6184cb7b, 0x70b632d5, 0x745c6c48, - 0x4257b8d0, - - // Tinv1 - 0xa7f45150, 0x65417e53, 0xa4171ac3, 0x5e273a96, 0x6bab3bcb, - 0x459d1ff1, 0x58faacab, 0x03e34b93, 0xfa302055, 0x6d76adf6, - 0x76cc8891, 0x4c02f525, 0xd7e54ffc, 0xcb2ac5d7, 0x44352680, - 0xa362b58f, 0x5ab1de49, 0x1bba2567, 0x0eea4598, 0xc0fe5de1, - 0x752fc302, 0xf04c8112, 0x97468da3, 0xf9d36bc6, 0x5f8f03e7, - 0x9c921595, 0x7a6dbfeb, 0x595295da, 0x83bed42d, 0x217458d3, - 0x69e04929, 0xc8c98e44, 0x89c2756a, 0x798ef478, 0x3e58996b, - 0x71b927dd, 0x4fe1beb6, 0xad88f017, 0xac20c966, 0x3ace7db4, - 0x4adf6318, 0x311ae582, 0x33519760, 0x7f536245, 0x7764b1e0, - 0xae6bbb84, 0xa081fe1c, 0x2b08f994, 0x68487058, 0xfd458f19, - 0x6cde9487, 0xf87b52b7, 0xd373ab23, 0x024b72e2, 0x8f1fe357, - 0xab55662a, 0x28ebb207, 0xc2b52f03, 0x7bc5869a, 0x0837d3a5, - 0x872830f2, 0xa5bf23b2, 0x6a0302ba, 0x8216ed5c, 0x1ccf8a2b, - 0xb479a792, 0xf207f3f0, 0xe2694ea1, 0xf4da65cd, 0xbe0506d5, - 0x6234d11f, 0xfea6c48a, 0x532e349d, 0x55f3a2a0, 0xe18a0532, - 0xebf6a475, 0xec830b39, 0xef6040aa, 0x9f715e06, 0x106ebd51, - 0x8a213ef9, 0x06dd963d, 0x053eddae, 0xbde64d46, 0x8d5491b5, - 0x5dc47105, 0xd406046f, 0x155060ff, 0xfb981924, 0xe9bdd697, - 0x434089cc, 0x9ed96777, 0x42e8b0bd, 0x8b890788, 0x5b19e738, - 0xeec879db, 0x0a7ca147, 0x0f427ce9, 0x1e84f8c9, 0x00000000, - 0x86800983, 0xed2b3248, 0x70111eac, 0x725a6c4e, 0xff0efdfb, - 0x38850f56, 0xd5ae3d1e, 0x392d3627, 0xd90f0a64, 0xa65c6821, - 0x545b9bd1, 0x2e36243a, 0x670a0cb1, 0xe757930f, 0x96eeb4d2, - 0x919b1b9e, 0xc5c0804f, 0x20dc61a2, 0x4b775a69, 0x1a121c16, - 0xba93e20a, 0x2aa0c0e5, 0xe0223c43, 0x171b121d, 0x0d090e0b, - 0xc78bf2ad, 0xa8b62db9, 0xa91e14c8, 0x19f15785, 0x0775af4c, - 0xdd99eebb, 0x607fa3fd, 0x2601f79f, 0xf5725cbc, 0x3b6644c5, - 0x7efb5b34, 0x29438b76, 0xc623cbdc, 0xfcedb668, 0xf1e4b863, - 0xdc31d7ca, 0x85634210, 0x22971340, 0x11c68420, 0x244a857d, - 0x3dbbd2f8, 0x32f9ae11, 0xa129c76d, 0x2f9e1d4b, 0x30b2dcf3, - 0x52860dec, 0xe3c177d0, 0x16b32b6c, 0xb970a999, 0x489411fa, - 0x64e94722, 0x8cfca8c4, 0x3ff0a01a, 0x2c7d56d8, 0x903322ef, - 0x4e4987c7, 0xd138d9c1, 0xa2ca8cfe, 0x0bd49836, 0x81f5a6cf, - 0xde7aa528, 0x8eb7da26, 0xbfad3fa4, 0x9d3a2ce4, 0x9278500d, - 0xcc5f6a9b, 0x467e5462, 0x138df6c2, 0xb8d890e8, 0xf7392e5e, - 0xafc382f5, 0x805d9fbe, 0x93d0697c, 0x2dd56fa9, 0x1225cfb3, - 0x99acc83b, 0x7d1810a7, 0x639ce86e, 0xbb3bdb7b, 0x7826cd09, - 0x18596ef4, 0xb79aec01, 0x9a4f83a8, 0x6e95e665, 0xe6ffaa7e, - 0xcfbc2108, 0xe815efe6, 0x9be7bad9, 0x366f4ace, 0x099fead4, - 0x7cb029d6, 0xb2a431af, 0x233f2a31, 0x94a5c630, 0x66a235c0, - 0xbc4e7437, 0xca82fca6, 0xd090e0b0, 0xd8a73315, 0x9804f14a, - 0xdaec41f7, 0x50cd7f0e, 0xf691172f, 0xd64d768d, 0xb0ef434d, - 0x4daacc54, 0x0496e4df, 0xb5d19ee3, 0x886a4c1b, 0x1f2cc1b8, - 0x5165467f, 0xea5e9d04, 0x358c015d, 0x7487fa73, 0x410bfb2e, - 0x1d67b35a, 0xd2db9252, 0x5610e933, 0x47d66d13, 0x61d79a8c, - 0x0ca1377a, 0x14f8598e, 0x3c13eb89, 0x27a9ceee, 0xc961b735, - 0xe51ce1ed, 0xb1477a3c, 0xdfd29c59, 0x73f2553f, 0xce141879, - 0x37c773bf, 0xcdf753ea, 0xaafd5f5b, 0x6f3ddf14, 0xdb447886, - 0xf3afca81, 0xc468b93e, 0x3424382c, 0x40a3c25f, 0xc31d1672, - 0x25e2bc0c, 0x493c288b, 0x950dff41, 0x01a83971, 0xb30c08de, - 0xe4b4d89c, 0xc1566490, 0x84cb7b61, 0xb632d570, 0x5c6c4874, - 0x57b8d042, - - // Tinv2 - 0xf45150a7, 0x417e5365, 0x171ac3a4, 0x273a965e, 0xab3bcb6b, - 0x9d1ff145, 0xfaacab58, 0xe34b9303, 0x302055fa, 0x76adf66d, - 0xcc889176, 0x02f5254c, 0xe54ffcd7, 0x2ac5d7cb, 0x35268044, - 0x62b58fa3, 0xb1de495a, 0xba25671b, 0xea45980e, 0xfe5de1c0, - 0x2fc30275, 0x4c8112f0, 0x468da397, 0xd36bc6f9, 0x8f03e75f, - 0x9215959c, 0x6dbfeb7a, 0x5295da59, 0xbed42d83, 0x7458d321, - 0xe0492969, 0xc98e44c8, 0xc2756a89, 0x8ef47879, 0x58996b3e, - 0xb927dd71, 0xe1beb64f, 0x88f017ad, 0x20c966ac, 0xce7db43a, - 0xdf63184a, 0x1ae58231, 0x51976033, 0x5362457f, 0x64b1e077, - 0x6bbb84ae, 0x81fe1ca0, 0x08f9942b, 0x48705868, 0x458f19fd, - 0xde94876c, 0x7b52b7f8, 0x73ab23d3, 0x4b72e202, 0x1fe3578f, - 0x55662aab, 0xebb20728, 0xb52f03c2, 0xc5869a7b, 0x37d3a508, - 0x2830f287, 0xbf23b2a5, 0x0302ba6a, 0x16ed5c82, 0xcf8a2b1c, - 0x79a792b4, 0x07f3f0f2, 0x694ea1e2, 0xda65cdf4, 0x0506d5be, - 0x34d11f62, 0xa6c48afe, 0x2e349d53, 0xf3a2a055, 0x8a0532e1, - 0xf6a475eb, 0x830b39ec, 0x6040aaef, 0x715e069f, 0x6ebd5110, - 0x213ef98a, 0xdd963d06, 0x3eddae05, 0xe64d46bd, 0x5491b58d, - 0xc471055d, 0x06046fd4, 0x5060ff15, 0x981924fb, 0xbdd697e9, - 0x4089cc43, 0xd967779e, 0xe8b0bd42, 0x8907888b, 0x19e7385b, - 0xc879dbee, 0x7ca1470a, 0x427ce90f, 0x84f8c91e, 0x00000000, - 0x80098386, 0x2b3248ed, 0x111eac70, 0x5a6c4e72, 0x0efdfbff, - 0x850f5638, 0xae3d1ed5, 0x2d362739, 0x0f0a64d9, 0x5c6821a6, - 0x5b9bd154, 0x36243a2e, 0x0a0cb167, 0x57930fe7, 0xeeb4d296, - 0x9b1b9e91, 0xc0804fc5, 0xdc61a220, 0x775a694b, 0x121c161a, - 0x93e20aba, 0xa0c0e52a, 0x223c43e0, 0x1b121d17, 0x090e0b0d, - 0x8bf2adc7, 0xb62db9a8, 0x1e14c8a9, 0xf1578519, 0x75af4c07, - 0x99eebbdd, 0x7fa3fd60, 0x01f79f26, 0x725cbcf5, 0x6644c53b, - 0xfb5b347e, 0x438b7629, 0x23cbdcc6, 0xedb668fc, 0xe4b863f1, - 0x31d7cadc, 0x63421085, 0x97134022, 0xc6842011, 0x4a857d24, - 0xbbd2f83d, 0xf9ae1132, 0x29c76da1, 0x9e1d4b2f, 0xb2dcf330, - 0x860dec52, 0xc177d0e3, 0xb32b6c16, 0x70a999b9, 0x9411fa48, - 0xe9472264, 0xfca8c48c, 0xf0a01a3f, 0x7d56d82c, 0x3322ef90, - 0x4987c74e, 0x38d9c1d1, 0xca8cfea2, 0xd498360b, 0xf5a6cf81, - 0x7aa528de, 0xb7da268e, 0xad3fa4bf, 0x3a2ce49d, 0x78500d92, - 0x5f6a9bcc, 0x7e546246, 0x8df6c213, 0xd890e8b8, 0x392e5ef7, - 0xc382f5af, 0x5d9fbe80, 0xd0697c93, 0xd56fa92d, 0x25cfb312, - 0xacc83b99, 0x1810a77d, 0x9ce86e63, 0x3bdb7bbb, 0x26cd0978, - 0x596ef418, 0x9aec01b7, 0x4f83a89a, 0x95e6656e, 0xffaa7ee6, - 0xbc2108cf, 0x15efe6e8, 0xe7bad99b, 0x6f4ace36, 0x9fead409, - 0xb029d67c, 0xa431afb2, 0x3f2a3123, 0xa5c63094, 0xa235c066, - 0x4e7437bc, 0x82fca6ca, 0x90e0b0d0, 0xa73315d8, 0x04f14a98, - 0xec41f7da, 0xcd7f0e50, 0x91172ff6, 0x4d768dd6, 0xef434db0, - 0xaacc544d, 0x96e4df04, 0xd19ee3b5, 0x6a4c1b88, 0x2cc1b81f, - 0x65467f51, 0x5e9d04ea, 0x8c015d35, 0x87fa7374, 0x0bfb2e41, - 0x67b35a1d, 0xdb9252d2, 0x10e93356, 0xd66d1347, 0xd79a8c61, - 0xa1377a0c, 0xf8598e14, 0x13eb893c, 0xa9ceee27, 0x61b735c9, - 0x1ce1ede5, 0x477a3cb1, 0xd29c59df, 0xf2553f73, 0x141879ce, - 0xc773bf37, 0xf753eacd, 0xfd5f5baa, 0x3ddf146f, 0x447886db, - 0xafca81f3, 0x68b93ec4, 0x24382c34, 0xa3c25f40, 0x1d1672c3, - 0xe2bc0c25, 0x3c288b49, 0x0dff4195, 0xa8397101, 0x0c08deb3, - 0xb4d89ce4, 0x566490c1, 0xcb7b6184, 0x32d570b6, 0x6c48745c, - 0xb8d04257, - - // Tinv3 - 0x5150a7f4, 0x7e536541, 0x1ac3a417, 0x3a965e27, 0x3bcb6bab, - 0x1ff1459d, 0xacab58fa, 0x4b9303e3, 0x2055fa30, 0xadf66d76, - 0x889176cc, 0xf5254c02, 0x4ffcd7e5, 0xc5d7cb2a, 0x26804435, - 0xb58fa362, 0xde495ab1, 0x25671bba, 0x45980eea, 0x5de1c0fe, - 0xc302752f, 0x8112f04c, 0x8da39746, 0x6bc6f9d3, 0x03e75f8f, - 0x15959c92, 0xbfeb7a6d, 0x95da5952, 0xd42d83be, 0x58d32174, - 0x492969e0, 0x8e44c8c9, 0x756a89c2, 0xf478798e, 0x996b3e58, - 0x27dd71b9, 0xbeb64fe1, 0xf017ad88, 0xc966ac20, 0x7db43ace, - 0x63184adf, 0xe582311a, 0x97603351, 0x62457f53, 0xb1e07764, - 0xbb84ae6b, 0xfe1ca081, 0xf9942b08, 0x70586848, 0x8f19fd45, - 0x94876cde, 0x52b7f87b, 0xab23d373, 0x72e2024b, 0xe3578f1f, - 0x662aab55, 0xb20728eb, 0x2f03c2b5, 0x869a7bc5, 0xd3a50837, - 0x30f28728, 0x23b2a5bf, 0x02ba6a03, 0xed5c8216, 0x8a2b1ccf, - 0xa792b479, 0xf3f0f207, 0x4ea1e269, 0x65cdf4da, 0x06d5be05, - 0xd11f6234, 0xc48afea6, 0x349d532e, 0xa2a055f3, 0x0532e18a, - 0xa475ebf6, 0x0b39ec83, 0x40aaef60, 0x5e069f71, 0xbd51106e, - 0x3ef98a21, 0x963d06dd, 0xddae053e, 0x4d46bde6, 0x91b58d54, - 0x71055dc4, 0x046fd406, 0x60ff1550, 0x1924fb98, 0xd697e9bd, - 0x89cc4340, 0x67779ed9, 0xb0bd42e8, 0x07888b89, 0xe7385b19, - 0x79dbeec8, 0xa1470a7c, 0x7ce90f42, 0xf8c91e84, 0x00000000, - 0x09838680, 0x3248ed2b, 0x1eac7011, 0x6c4e725a, 0xfdfbff0e, - 0x0f563885, 0x3d1ed5ae, 0x3627392d, 0x0a64d90f, 0x6821a65c, - 0x9bd1545b, 0x243a2e36, 0x0cb1670a, 0x930fe757, 0xb4d296ee, - 0x1b9e919b, 0x804fc5c0, 0x61a220dc, 0x5a694b77, 0x1c161a12, - 0xe20aba93, 0xc0e52aa0, 0x3c43e022, 0x121d171b, 0x0e0b0d09, - 0xf2adc78b, 0x2db9a8b6, 0x14c8a91e, 0x578519f1, 0xaf4c0775, - 0xeebbdd99, 0xa3fd607f, 0xf79f2601, 0x5cbcf572, 0x44c53b66, - 0x5b347efb, 0x8b762943, 0xcbdcc623, 0xb668fced, 0xb863f1e4, - 0xd7cadc31, 0x42108563, 0x13402297, 0x842011c6, 0x857d244a, - 0xd2f83dbb, 0xae1132f9, 0xc76da129, 0x1d4b2f9e, 0xdcf330b2, - 0x0dec5286, 0x77d0e3c1, 0x2b6c16b3, 0xa999b970, 0x11fa4894, - 0x472264e9, 0xa8c48cfc, 0xa01a3ff0, 0x56d82c7d, 0x22ef9033, - 0x87c74e49, 0xd9c1d138, 0x8cfea2ca, 0x98360bd4, 0xa6cf81f5, - 0xa528de7a, 0xda268eb7, 0x3fa4bfad, 0x2ce49d3a, 0x500d9278, - 0x6a9bcc5f, 0x5462467e, 0xf6c2138d, 0x90e8b8d8, 0x2e5ef739, - 0x82f5afc3, 0x9fbe805d, 0x697c93d0, 0x6fa92dd5, 0xcfb31225, - 0xc83b99ac, 0x10a77d18, 0xe86e639c, 0xdb7bbb3b, 0xcd097826, - 0x6ef41859, 0xec01b79a, 0x83a89a4f, 0xe6656e95, 0xaa7ee6ff, - 0x2108cfbc, 0xefe6e815, 0xbad99be7, 0x4ace366f, 0xead4099f, - 0x29d67cb0, 0x31afb2a4, 0x2a31233f, 0xc63094a5, 0x35c066a2, - 0x7437bc4e, 0xfca6ca82, 0xe0b0d090, 0x3315d8a7, 0xf14a9804, - 0x41f7daec, 0x7f0e50cd, 0x172ff691, 0x768dd64d, 0x434db0ef, - 0xcc544daa, 0xe4df0496, 0x9ee3b5d1, 0x4c1b886a, 0xc1b81f2c, - 0x467f5165, 0x9d04ea5e, 0x015d358c, 0xfa737487, 0xfb2e410b, - 0xb35a1d67, 0x9252d2db, 0xe9335610, 0x6d1347d6, 0x9a8c61d7, - 0x377a0ca1, 0x598e14f8, 0xeb893c13, 0xceee27a9, 0xb735c961, - 0xe1ede51c, 0x7a3cb147, 0x9c59dfd2, 0x553f73f2, 0x1879ce14, - 0x73bf37c7, 0x53eacdf7, 0x5f5baafd, 0xdf146f3d, 0x7886db44, - 0xca81f3af, 0xb93ec468, 0x382c3424, 0xc25f40a3, 0x1672c31d, - 0xbc0c25e2, 0x288b493c, 0xff41950d, 0x397101a8, 0x08deb30c, - 0xd89ce4b4, 0x6490c156, 0x7b6184cb, 0xd570b632, 0x48745c6c, - 0xd04257b8}; - - private static int shift(int r, int shift) - { - return (r >>> shift) | (r << -shift); - } - - /* multiply four bytes in GF(2^8) by 'x' {02} in parallel */ - - private static final int m1 = 0x80808080; - private static final int m2 = 0x7f7f7f7f; - private static final int m3 = 0x0000001b; - - private static int FFmulX(int x) - { - return (((x & m2) << 1) ^ (((x & m1) >>> 7) * m3)); - } - - /* - The following defines provide alternative definitions of FFmulX that might - give improved performance if a fast 32-bit multiply is not available. - - private int FFmulX(int x) { int u = x & m1; u |= (u >> 1); return ((x & m2) << 1) ^ ((u >>> 3) | (u >>> 6)); } - private static final int m4 = 0x1b1b1b1b; - private int FFmulX(int x) { int u = x & m1; return ((x & m2) << 1) ^ ((u - (u >>> 7)) & m4); } - - */ - - private static int inv_mcol(int x) - { - int f2 = FFmulX(x); - int f4 = FFmulX(f2); - int f8 = FFmulX(f4); - int f9 = x ^ f8; - - return f2 ^ f4 ^ f8 ^ shift(f2 ^ f9, 8) ^ shift(f4 ^ f9, 16) ^ shift(f9, 24); - } - - private static int subWord(int x) - { - int i0 = x, i1 = x >>> 8, i2 = x >>> 16, i3 = x >>> 24; - i0 = S[i0 & 255] & 255; i1 = S[i1 & 255] & 255; i2 = S[i2 & 255] & 255; i3 = S[i3 & 255] & 255; - return i0 | i1 << 8 | i2 << 16 | i3 << 24; - } - - /** - * Calculate the necessary round keys - * The number of calculations depends on key size and block size - * AES specified a fixed block size of 128 bits and key sizes 128/192/256 bits - * This code is written assuming those are the only possible values - */ - private int[][] generateWorkingKey( - byte[] key, - boolean forEncryption) - { - int KC = key.length / 4; // key length in words - int t; - - if (((KC != 4) && (KC != 6) && (KC != 8)) || ((KC * 4) != key.length)) - { - throw new IllegalArgumentException("Key length not 128/192/256 bits."); - } - - ROUNDS = KC + 6; // This is not always true for the generalized Rijndael that allows larger block sizes - int[][] W = new int[ROUNDS+1][4]; // 4 words in a block - - // - // copy the key into the round key array - // - - t = 0; - int i = 0; - while (i < key.length) - { - W[t >> 2][t & 3] = (key[i]&0xff) | ((key[i+1]&0xff) << 8) | ((key[i+2]&0xff) << 16) | (key[i+3] << 24); - i+=4; - t++; - } - - // - // while not enough round key material calculated - // calculate new values - // - int k = (ROUNDS + 1) << 2; - for (i = KC; (i < k); i++) - { - int temp = W[(i - 1) >> 2][(i - 1) & 3]; - if ((i % KC) == 0) - { - temp = subWord(shift(temp, 8)) ^ rcon[(i / KC) - 1]; - } - else if ((KC > 6) && ((i % KC) == 4)) - { - temp = subWord(temp); - } - - W[i >> 2][i & 3] = W[(i - KC) >> 2][(i - KC) & 3] ^ temp; - } - - if (!forEncryption) - { - for (int j = 1; j < ROUNDS; j++) - { - for (i = 0; i < 4; i++) - { - W[j][i] = inv_mcol(W[j][i]); - } - } - } - - return W; - } - - private int ROUNDS; - private int[][] WorkingKey = null; - private int C0, C1, C2, C3; - private boolean forEncryption; - - private static final int BLOCK_SIZE = 16; - - /** - * default constructor - 128 bit block size. - */ - public AESFastEngine() - { - } - - /** - * initialise an AES cipher. - * - * @param forEncryption whether or not we are for encryption. - * @param params the parameters required to set up the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean forEncryption, - CipherParameters params) - { - if (params instanceof KeyParameter) - { - WorkingKey = generateWorkingKey(((KeyParameter)params).getKey(), forEncryption); - this.forEncryption = forEncryption; - return; - } - - throw new IllegalArgumentException("invalid parameter passed to AES init - " + params.getClass().getName()); - } - - public String getAlgorithmName() - { - return "AES"; - } - - public int getBlockSize() - { - return BLOCK_SIZE; - } - - public int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - if (WorkingKey == null) - { - throw new IllegalStateException("AES engine not initialised"); - } - - if ((inOff + (32 / 2)) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + (32 / 2)) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - unpackBlock(in, inOff); - - if (forEncryption) - { - encryptBlock(WorkingKey); - } - else - { - decryptBlock(WorkingKey); - } - - packBlock(out, outOff); - - return BLOCK_SIZE; - } - - public void reset() - { - } - - private void unpackBlock(byte[] bytes, int off) - { - this.C0 = Pack.littleEndianToInt(bytes, off); - this.C1 = Pack.littleEndianToInt(bytes, off + 4); - this.C2 = Pack.littleEndianToInt(bytes, off + 8); - this.C3 = Pack.littleEndianToInt(bytes, off + 12); - } - - private void packBlock(byte[] bytes, int off) - { - Pack.intToLittleEndian(this.C0, bytes, off); - Pack.intToLittleEndian(this.C1, bytes, off + 4); - Pack.intToLittleEndian(this.C2, bytes, off + 8); - Pack.intToLittleEndian(this.C3, bytes, off + 12); - } - - private void encryptBlock(int[][] KW) - { - int t0 = this.C0 ^ KW[0][0]; - int t1 = this.C1 ^ KW[0][1]; - int t2 = this.C2 ^ KW[0][2]; - - /* - * Fast engine has precomputed rotr(T0, 8/16/24) tables T1/T2/T3. - * - * Placing all precomputes in one array requires offsets additions for 8/16/24 rotations but - * avoids additional array range checks on 3 more arrays (which on HotSpot are more - * expensive than the offset additions). - */ - int r = 1, r0, r1, r2, r3 = this.C3 ^ KW[0][3]; - int i0, i1, i2, i3; - - while (r < ROUNDS - 1) - { - i0 = t0; i1 = t1 >>> 8; i2 = t2 >>> 16; i3 = r3 >>> 24; - i0 &= 255; i1 &= 255; i2 &= 255; i3 &= 255; - r0 = T[i0] ^ T[256 + i1] ^ T[512 + i2] ^ T[768 + i3] ^ KW[r][0]; - - i0 = t1; i1 = t2 >>> 8; i2 = r3 >>> 16; i3 = t0 >>> 24; - i0 &= 255; i1 &= 255; i2 &= 255; i3 &= 255; - r1 = T[i0] ^ T[256 + i1] ^ T[512 + i2] ^ T[768 + i3] ^ KW[r][1]; - - i0 = t2; i1 = r3 >>> 8; i2 = t0 >>> 16; i3 = t1 >>> 24; - i0 &= 255; i1 &= 255; i2 &= 255; i3 &= 255; - r2 = T[i0] ^ T[256 + i1] ^ T[512 + i2] ^ T[768 + i3] ^ KW[r][2]; - - i0 = r3; i1 = t0 >>> 8; i2 = t1 >>> 16; i3 = t2 >>> 24; - i0 &= 255; i1 &= 255; i2 &= 255; i3 &= 255; - r3 = T[i0] ^ T[256 + i1] ^ T[512 + i2] ^ T[768 + i3] ^ KW[r++][3]; - - i0 = r0; i1 = r1 >>> 8; i2 = r2 >>> 16; i3 = r3 >>> 24; - i0 &= 255; i1 &= 255; i2 &= 255; i3 &= 255; - t0 = T[i0] ^ T[256 + i1] ^ T[512 + i2] ^ T[768 + i3] ^ KW[r][0]; - - i0 = r1; i1 = r2 >>> 8; i2 = r3 >>> 16; i3 = r0 >>> 24; - i0 &= 255; i1 &= 255; i2 &= 255; i3 &= 255; - t1 = T[i0] ^ T[256 + i1] ^ T[512 + i2] ^ T[768 + i3] ^ KW[r][1]; - - i0 = r2; i1 = r3 >>> 8; i2 = r0 >>> 16; i3 = r1 >>> 24; - i0 &= 255; i1 &= 255; i2 &= 255; i3 &= 255; - t2 = T[i0] ^ T[256 + i1] ^ T[512 + i2] ^ T[768 + i3] ^ KW[r][2]; - - i0 = r3; i1 = r0 >>> 8; i2 = r1 >>> 16; i3 = r2 >>> 24; - i0 &= 255; i1 &= 255; i2 &= 255; i3 &= 255; - r3 = T[i0] ^ T[256 + i1] ^ T[512 + i2] ^ T[768 + i3] ^ KW[r++][3]; - } - - i0 = t0; i1 = t1 >>> 8; i2 = t2 >>> 16; i3 = r3 >>> 24; - i0 &= 255; i1 &= 255; i2 &= 255; i3 &= 255; - r0 = T[i0] ^ T[256 + i1] ^ T[512 + i2] ^ T[768 + i3] ^ KW[r][0]; - - i0 = t1; i1 = t2 >>> 8; i2 = r3 >>> 16; i3 = t0 >>> 24; - i0 &= 255; i1 &= 255; i2 &= 255; i3 &= 255; - r1 = T[i0] ^ T[256 + i1] ^ T[512 + i2] ^ T[768 + i3] ^ KW[r][1]; - - i0 = t2; i1 = r3 >>> 8; i2 = t0 >>> 16; i3 = t1 >>> 24; - i0 &= 255; i1 &= 255; i2 &= 255; i3 &= 255; - r2 = T[i0] ^ T[256 + i1] ^ T[512 + i2] ^ T[768 + i3] ^ KW[r][2]; - - i0 = r3; i1 = t0 >>> 8; i2 = t1 >>> 16; i3 = t2 >>> 24; - i0 &= 255; i1 &= 255; i2 &= 255; i3 &= 255; - r3 = T[i0] ^ T[256 + i1] ^ T[512 + i2] ^ T[768 + i3] ^ KW[r++][3]; - - // the final round's table is a simple function of S so we don't use a whole other four tables for it - - i0 = r0; i1 = r1 >>> 8; i2 = r2 >>> 16; i3 = r3 >>> 24; - i0 = S[i0 & 255] & 255; i1 = S[i1 & 255] & 255; i2 = S[i2 & 255] & 255; i3 = S[i3 & 255] & 255; - this.C0 = i0 ^ i1 << 8 ^ i2 << 16 ^ i3 << 24 ^ KW[r][0]; - - i0 = r1; i1 = r2 >>> 8; i2 = r3 >>> 16; i3 = r0 >>> 24; - i0 = S[i0 & 255] & 255; i1 = S[i1 & 255] & 255; i2 = S[i2 & 255] & 255; i3 = S[i3 & 255] & 255; - this.C1 = i0 ^ i1 << 8 ^ i2 << 16 ^ i3 << 24 ^ KW[r][1]; - - i0 = r2; i1 = r3 >>> 8; i2 = r0 >>> 16; i3 = r1 >>> 24; - i0 = S[i0 & 255] & 255; i1 = S[i1 & 255] & 255; i2 = S[i2 & 255] & 255; i3 = S[i3 & 255] & 255; - this.C2 = i0 ^ i1 << 8 ^ i2 << 16 ^ i3 << 24 ^ KW[r][2]; - - i0 = r3; i1 = r0 >>> 8; i2 = r1 >>> 16; i3 = r2 >>> 24; - i0 = S[i0 & 255] & 255; i1 = S[i1 & 255] & 255; i2 = S[i2 & 255] & 255; i3 = S[i3 & 255] & 255; - this.C3 = i0 ^ i1 << 8 ^ i2 << 16 ^ i3 << 24 ^ KW[r][3]; - } - - private void decryptBlock(int[][] KW) - { - int t0 = this.C0 ^ KW[ROUNDS][0]; - int t1 = this.C1 ^ KW[ROUNDS][1]; - int t2 = this.C2 ^ KW[ROUNDS][2]; - - int r = ROUNDS - 1, r0, r1, r2, r3 = this.C3 ^ KW[ROUNDS][3]; - int i0, i1, i2, i3; - - while (r > 1) - { - i0 = t0; i1 = r3 >>> 8; i2 = t2 >>> 16; i3 = t1 >>> 24; - i0 &= 255; i1 &= 255; i2 &= 255; i3 &= 255; - r0 = Tinv[i0] ^ Tinv[256 + i1] ^ Tinv[512 + i2] ^ Tinv[768 + i3] ^ KW[r][0]; - - i0 = t1; i1 = t0 >>> 8; i2 = r3 >>> 16; i3 = t2 >>> 24; - i0 &= 255; i1 &= 255; i2 &= 255; i3 &= 255; - r1 = Tinv[i0] ^ Tinv[256 + i1] ^ Tinv[512 + i2] ^ Tinv[768 + i3] ^ KW[r][1]; - - i0 = t2; i1 = t1 >>> 8; i2 = t0 >>> 16; i3 = r3 >>> 24; - i0 &= 255; i1 &= 255; i2 &= 255; i3 &= 255; - r2 = Tinv[i0] ^ Tinv[256 + i1] ^ Tinv[512 + i2] ^ Tinv[768 + i3] ^ KW[r][2]; - - i0 = r3; i1 = t2 >>> 8; i2 = t1 >>> 16; i3 = t0 >>> 24; - i0 &= 255; i1 &= 255; i2 &= 255; i3 &= 255; - r3 = Tinv[i0] ^ Tinv[256 + i1] ^ Tinv[512 + i2] ^ Tinv[768 + i3] ^ KW[r--][3]; - - i0 = r0; i1 = r3 >>> 8; i2 = r2 >>> 16; i3 = r1 >>> 24; - i0 &= 255; i1 &= 255; i2 &= 255; i3 &= 255; - t0 = Tinv[i0] ^ Tinv[256 + i1] ^ Tinv[512 + i2] ^ Tinv[768 + i3] ^ KW[r][0]; - - i0 = r1; i1 = r0 >>> 8; i2 = r3 >>> 16; i3 = r2 >>> 24; - i0 &= 255; i1 &= 255; i2 &= 255; i3 &= 255; - t1 = Tinv[i0] ^ Tinv[256 + i1] ^ Tinv[512 + i2] ^ Tinv[768 + i3] ^ KW[r][1]; - - i0 = r2; i1 = r1 >>> 8; i2 = r0 >>> 16; i3 = r3 >>> 24; - i0 &= 255; i1 &= 255; i2 &= 255; i3 &= 255; - t2 = Tinv[i0] ^ Tinv[256 + i1] ^ Tinv[512 + i2] ^ Tinv[768 + i3] ^ KW[r][2]; - - i0 = r3; i1 = r2 >>> 8; i2 = r1 >>> 16; i3 = r0 >>> 24; - i0 &= 255; i1 &= 255; i2 &= 255; i3 &= 255; - r3 = Tinv[i0] ^ Tinv[256 + i1] ^ Tinv[512 + i2] ^ Tinv[768 + i3] ^ KW[r--][3]; - } - - i0 = t0; i1 = r3 >>> 8; i2 = t2 >>> 16; i3 = t1 >>> 24; - i0 &= 255; i1 &= 255; i2 &= 255; i3 &= 255; - r0 = Tinv[i0] ^ Tinv[256 + i1] ^ Tinv[512 + i2] ^ Tinv[768 + i3] ^ KW[1][0]; - - i0 = t1; i1 = t0 >>> 8; i2 = r3 >>> 16; i3 = t2 >>> 24; - i0 &= 255; i1 &= 255; i2 &= 255; i3 &= 255; - r1 = Tinv[i0] ^ Tinv[256 + i1] ^ Tinv[512 + i2] ^ Tinv[768 + i3] ^ KW[1][1]; - - i0 = t2; i1 = t1 >>> 8; i2 = t0 >>> 16; i3 = r3 >>> 24; - i0 &= 255; i1 &= 255; i2 &= 255; i3 &= 255; - r2 = Tinv[i0] ^ Tinv[256 + i1] ^ Tinv[512 + i2] ^ Tinv[768 + i3] ^ KW[1][2]; - - i0 = r3; i1 = t2 >>> 8; i2 = t1 >>> 16; i3 = t0 >>> 24; - i0 &= 255; i1 &= 255; i2 &= 255; i3 &= 255; - r3 = Tinv[i0] ^ Tinv[256 + i1] ^ Tinv[512 + i2] ^ Tinv[768 + i3] ^ KW[1][3]; - - // the final round's table is a simple function of Si so we don't use a whole other four tables for it - - i0 = r0; i1 = r3 >>> 8; i2 = r2 >>> 16; i3 = r1 >>> 24; - i0 = Si[i0 & 255] & 255; i1 = Si[i1 & 255] & 255; i2 = Si[i2 & 255] & 255; i3 = Si[i3 & 255] & 255; - this.C0 = i0 ^ i1 << 8 ^ i2 << 16 ^ i3 << 24 ^ KW[0][0]; - - i0 = r1; i1 = r0 >>> 8; i2 = r3 >>> 16; i3 = r2 >>> 24; - i0 = Si[i0 & 255] & 255; i1 = Si[i1 & 255] & 255; i2 = Si[i2 & 255] & 255; i3 = Si[i3 & 255] & 255; - this.C1 = i0 ^ i1 << 8 ^ i2 << 16 ^ i3 << 24 ^ KW[0][1]; - - i0 = r2; i1 = r1 >>> 8; i2 = r0 >>> 16; i3 = r3 >>> 24; - i0 = Si[i0 & 255] & 255; i1 = Si[i1 & 255] & 255; i2 = Si[i2 & 255] & 255; i3 = Si[i3 & 255] & 255; - this.C2 = i0 ^ i1 << 8 ^ i2 << 16 ^ i3 << 24 ^ KW[0][2]; - - i0 = r3; i1 = r2 >>> 8; i2 = r1 >>> 16; i3 = r0 >>> 24; - i0 = Si[i0 & 255] & 255; i1 = Si[i1 & 255] & 255; i2 = Si[i2 & 255] & 255; i3 = Si[i3 & 255] & 255; - this.C3 = i0 ^ i1 << 8 ^ i2 << 16 ^ i3 << 24 ^ KW[0][3]; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/AESLightEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/AESLightEngine.java deleted file mode 100644 index 70a3f683..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/AESLightEngine.java +++ /dev/null @@ -1,434 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.params.KeyParameter; - -/** - * an implementation of the AES (Rijndael), from FIPS-197. - * <p> - * For further details see: <a href="http://csrc.nist.gov/encryption/aes/">http://csrc.nist.gov/encryption/aes/</a>. - * - * This implementation is based on optimizations from Dr. Brian Gladman's paper and C code at - * <a href="http://fp.gladman.plus.com/cryptography_technology/rijndael/">http://fp.gladman.plus.com/cryptography_technology/rijndael/</a> - * - * There are three levels of tradeoff of speed vs memory - * Because java has no preprocessor, they are written as three separate classes from which to choose - * - * The fastest uses 8Kbytes of static tables to precompute round calculations, 4 256 word tables for encryption - * and 4 for decryption. - * - * The middle performance version uses only one 256 word table for each, for a total of 2Kbytes, - * adding 12 rotate operations per round to compute the values contained in the other tables from - * the contents of the first - * - * The slowest version uses no static tables at all and computes the values - * in each round. - * <p> - * This file contains the slowest performance version with no static tables - * for round precomputation, but it has the smallest foot print. - * - */ -public class AESLightEngine - implements BlockCipher -{ - // The S box - private static final byte[] S = { - (byte)99, (byte)124, (byte)119, (byte)123, (byte)242, (byte)107, (byte)111, (byte)197, - (byte)48, (byte)1, (byte)103, (byte)43, (byte)254, (byte)215, (byte)171, (byte)118, - (byte)202, (byte)130, (byte)201, (byte)125, (byte)250, (byte)89, (byte)71, (byte)240, - (byte)173, (byte)212, (byte)162, (byte)175, (byte)156, (byte)164, (byte)114, (byte)192, - (byte)183, (byte)253, (byte)147, (byte)38, (byte)54, (byte)63, (byte)247, (byte)204, - (byte)52, (byte)165, (byte)229, (byte)241, (byte)113, (byte)216, (byte)49, (byte)21, - (byte)4, (byte)199, (byte)35, (byte)195, (byte)24, (byte)150, (byte)5, (byte)154, - (byte)7, (byte)18, (byte)128, (byte)226, (byte)235, (byte)39, (byte)178, (byte)117, - (byte)9, (byte)131, (byte)44, (byte)26, (byte)27, (byte)110, (byte)90, (byte)160, - (byte)82, (byte)59, (byte)214, (byte)179, (byte)41, (byte)227, (byte)47, (byte)132, - (byte)83, (byte)209, (byte)0, (byte)237, (byte)32, (byte)252, (byte)177, (byte)91, - (byte)106, (byte)203, (byte)190, (byte)57, (byte)74, (byte)76, (byte)88, (byte)207, - (byte)208, (byte)239, (byte)170, (byte)251, (byte)67, (byte)77, (byte)51, (byte)133, - (byte)69, (byte)249, (byte)2, (byte)127, (byte)80, (byte)60, (byte)159, (byte)168, - (byte)81, (byte)163, (byte)64, (byte)143, (byte)146, (byte)157, (byte)56, (byte)245, - (byte)188, (byte)182, (byte)218, (byte)33, (byte)16, (byte)255, (byte)243, (byte)210, - (byte)205, (byte)12, (byte)19, (byte)236, (byte)95, (byte)151, (byte)68, (byte)23, - (byte)196, (byte)167, (byte)126, (byte)61, (byte)100, (byte)93, (byte)25, (byte)115, - (byte)96, (byte)129, (byte)79, (byte)220, (byte)34, (byte)42, (byte)144, (byte)136, - (byte)70, (byte)238, (byte)184, (byte)20, (byte)222, (byte)94, (byte)11, (byte)219, - (byte)224, (byte)50, (byte)58, (byte)10, (byte)73, (byte)6, (byte)36, (byte)92, - (byte)194, (byte)211, (byte)172, (byte)98, (byte)145, (byte)149, (byte)228, (byte)121, - (byte)231, (byte)200, (byte)55, (byte)109, (byte)141, (byte)213, (byte)78, (byte)169, - (byte)108, (byte)86, (byte)244, (byte)234, (byte)101, (byte)122, (byte)174, (byte)8, - (byte)186, (byte)120, (byte)37, (byte)46, (byte)28, (byte)166, (byte)180, (byte)198, - (byte)232, (byte)221, (byte)116, (byte)31, (byte)75, (byte)189, (byte)139, (byte)138, - (byte)112, (byte)62, (byte)181, (byte)102, (byte)72, (byte)3, (byte)246, (byte)14, - (byte)97, (byte)53, (byte)87, (byte)185, (byte)134, (byte)193, (byte)29, (byte)158, - (byte)225, (byte)248, (byte)152, (byte)17, (byte)105, (byte)217, (byte)142, (byte)148, - (byte)155, (byte)30, (byte)135, (byte)233, (byte)206, (byte)85, (byte)40, (byte)223, - (byte)140, (byte)161, (byte)137, (byte)13, (byte)191, (byte)230, (byte)66, (byte)104, - (byte)65, (byte)153, (byte)45, (byte)15, (byte)176, (byte)84, (byte)187, (byte)22, - }; - - // The inverse S-box - private static final byte[] Si = { - (byte)82, (byte)9, (byte)106, (byte)213, (byte)48, (byte)54, (byte)165, (byte)56, - (byte)191, (byte)64, (byte)163, (byte)158, (byte)129, (byte)243, (byte)215, (byte)251, - (byte)124, (byte)227, (byte)57, (byte)130, (byte)155, (byte)47, (byte)255, (byte)135, - (byte)52, (byte)142, (byte)67, (byte)68, (byte)196, (byte)222, (byte)233, (byte)203, - (byte)84, (byte)123, (byte)148, (byte)50, (byte)166, (byte)194, (byte)35, (byte)61, - (byte)238, (byte)76, (byte)149, (byte)11, (byte)66, (byte)250, (byte)195, (byte)78, - (byte)8, (byte)46, (byte)161, (byte)102, (byte)40, (byte)217, (byte)36, (byte)178, - (byte)118, (byte)91, (byte)162, (byte)73, (byte)109, (byte)139, (byte)209, (byte)37, - (byte)114, (byte)248, (byte)246, (byte)100, (byte)134, (byte)104, (byte)152, (byte)22, - (byte)212, (byte)164, (byte)92, (byte)204, (byte)93, (byte)101, (byte)182, (byte)146, - (byte)108, (byte)112, (byte)72, (byte)80, (byte)253, (byte)237, (byte)185, (byte)218, - (byte)94, (byte)21, (byte)70, (byte)87, (byte)167, (byte)141, (byte)157, (byte)132, - (byte)144, (byte)216, (byte)171, (byte)0, (byte)140, (byte)188, (byte)211, (byte)10, - (byte)247, (byte)228, (byte)88, (byte)5, (byte)184, (byte)179, (byte)69, (byte)6, - (byte)208, (byte)44, (byte)30, (byte)143, (byte)202, (byte)63, (byte)15, (byte)2, - (byte)193, (byte)175, (byte)189, (byte)3, (byte)1, (byte)19, (byte)138, (byte)107, - (byte)58, (byte)145, (byte)17, (byte)65, (byte)79, (byte)103, (byte)220, (byte)234, - (byte)151, (byte)242, (byte)207, (byte)206, (byte)240, (byte)180, (byte)230, (byte)115, - (byte)150, (byte)172, (byte)116, (byte)34, (byte)231, (byte)173, (byte)53, (byte)133, - (byte)226, (byte)249, (byte)55, (byte)232, (byte)28, (byte)117, (byte)223, (byte)110, - (byte)71, (byte)241, (byte)26, (byte)113, (byte)29, (byte)41, (byte)197, (byte)137, - (byte)111, (byte)183, (byte)98, (byte)14, (byte)170, (byte)24, (byte)190, (byte)27, - (byte)252, (byte)86, (byte)62, (byte)75, (byte)198, (byte)210, (byte)121, (byte)32, - (byte)154, (byte)219, (byte)192, (byte)254, (byte)120, (byte)205, (byte)90, (byte)244, - (byte)31, (byte)221, (byte)168, (byte)51, (byte)136, (byte)7, (byte)199, (byte)49, - (byte)177, (byte)18, (byte)16, (byte)89, (byte)39, (byte)128, (byte)236, (byte)95, - (byte)96, (byte)81, (byte)127, (byte)169, (byte)25, (byte)181, (byte)74, (byte)13, - (byte)45, (byte)229, (byte)122, (byte)159, (byte)147, (byte)201, (byte)156, (byte)239, - (byte)160, (byte)224, (byte)59, (byte)77, (byte)174, (byte)42, (byte)245, (byte)176, - (byte)200, (byte)235, (byte)187, (byte)60, (byte)131, (byte)83, (byte)153, (byte)97, - (byte)23, (byte)43, (byte)4, (byte)126, (byte)186, (byte)119, (byte)214, (byte)38, - (byte)225, (byte)105, (byte)20, (byte)99, (byte)85, (byte)33, (byte)12, (byte)125, - }; - - // vector used in calculating key schedule (powers of x in GF(256)) - private static final int[] rcon = { - 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, - 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91 }; - - private static int shift(int r, int shift) - { - return (r >>> shift) | (r << -shift); - } - - /* multiply four bytes in GF(2^8) by 'x' {02} in parallel */ - - private static final int m1 = 0x80808080; - private static final int m2 = 0x7f7f7f7f; - private static final int m3 = 0x0000001b; - - private static int FFmulX(int x) - { - return (((x & m2) << 1) ^ (((x & m1) >>> 7) * m3)); - } - - /* - The following defines provide alternative definitions of FFmulX that might - give improved performance if a fast 32-bit multiply is not available. - - private int FFmulX(int x) { int u = x & m1; u |= (u >> 1); return ((x & m2) << 1) ^ ((u >>> 3) | (u >>> 6)); } - private static final int m4 = 0x1b1b1b1b; - private int FFmulX(int x) { int u = x & m1; return ((x & m2) << 1) ^ ((u - (u >>> 7)) & m4); } - - */ - - private static int mcol(int x) - { - int f2 = FFmulX(x); - return f2 ^ shift(x ^ f2, 8) ^ shift(x, 16) ^ shift(x, 24); - } - - private static int inv_mcol(int x) - { - int f2 = FFmulX(x); - int f4 = FFmulX(f2); - int f8 = FFmulX(f4); - int f9 = x ^ f8; - - return f2 ^ f4 ^ f8 ^ shift(f2 ^ f9, 8) ^ shift(f4 ^ f9, 16) ^ shift(f9, 24); - } - - - private static int subWord(int x) - { - return (S[x&255]&255 | ((S[(x>>8)&255]&255)<<8) | ((S[(x>>16)&255]&255)<<16) | S[(x>>24)&255]<<24); - } - - /** - * Calculate the necessary round keys - * The number of calculations depends on key size and block size - * AES specified a fixed block size of 128 bits and key sizes 128/192/256 bits - * This code is written assuming those are the only possible values - */ - private int[][] generateWorkingKey( - byte[] key, - boolean forEncryption) - { - int KC = key.length / 4; // key length in words - int t; - - if (((KC != 4) && (KC != 6) && (KC != 8)) || ((KC * 4) != key.length)) - { - throw new IllegalArgumentException("Key length not 128/192/256 bits."); - } - - ROUNDS = KC + 6; // This is not always true for the generalized Rijndael that allows larger block sizes - int[][] W = new int[ROUNDS+1][4]; // 4 words in a block - - // - // copy the key into the round key array - // - - t = 0; - int i = 0; - while (i < key.length) - { - W[t >> 2][t & 3] = (key[i]&0xff) | ((key[i+1]&0xff) << 8) | ((key[i+2]&0xff) << 16) | (key[i+3] << 24); - i+=4; - t++; - } - - // - // while not enough round key material calculated - // calculate new values - // - int k = (ROUNDS + 1) << 2; - for (i = KC; (i < k); i++) - { - int temp = W[(i-1)>>2][(i-1)&3]; - if ((i % KC) == 0) - { - temp = subWord(shift(temp, 8)) ^ rcon[(i / KC)-1]; - } - else if ((KC > 6) && ((i % KC) == 4)) - { - temp = subWord(temp); - } - - W[i>>2][i&3] = W[(i - KC)>>2][(i-KC)&3] ^ temp; - } - - if (!forEncryption) - { - for (int j = 1; j < ROUNDS; j++) - { - for (i = 0; i < 4; i++) - { - W[j][i] = inv_mcol(W[j][i]); - } - } - } - - return W; - } - - private int ROUNDS; - private int[][] WorkingKey = null; - private int C0, C1, C2, C3; - private boolean forEncryption; - - private static final int BLOCK_SIZE = 16; - - /** - * default constructor - 128 bit block size. - */ - public AESLightEngine() - { - } - - /** - * initialise an AES cipher. - * - * @param forEncryption whether or not we are for encryption. - * @param params the parameters required to set up the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean forEncryption, - CipherParameters params) - { - if (params instanceof KeyParameter) - { - WorkingKey = generateWorkingKey(((KeyParameter)params).getKey(), forEncryption); - this.forEncryption = forEncryption; - return; - } - - throw new IllegalArgumentException("invalid parameter passed to AES init - " + params.getClass().getName()); - } - - public String getAlgorithmName() - { - return "AES"; - } - - public int getBlockSize() - { - return BLOCK_SIZE; - } - - public int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - if (WorkingKey == null) - { - throw new IllegalStateException("AES engine not initialised"); - } - - if ((inOff + (32 / 2)) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + (32 / 2)) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - if (forEncryption) - { - unpackBlock(in, inOff); - encryptBlock(WorkingKey); - packBlock(out, outOff); - } - else - { - unpackBlock(in, inOff); - decryptBlock(WorkingKey); - packBlock(out, outOff); - } - - return BLOCK_SIZE; - } - - public void reset() - { - } - - private void unpackBlock( - byte[] bytes, - int off) - { - int index = off; - - C0 = (bytes[index++] & 0xff); - C0 |= (bytes[index++] & 0xff) << 8; - C0 |= (bytes[index++] & 0xff) << 16; - C0 |= bytes[index++] << 24; - - C1 = (bytes[index++] & 0xff); - C1 |= (bytes[index++] & 0xff) << 8; - C1 |= (bytes[index++] & 0xff) << 16; - C1 |= bytes[index++] << 24; - - C2 = (bytes[index++] & 0xff); - C2 |= (bytes[index++] & 0xff) << 8; - C2 |= (bytes[index++] & 0xff) << 16; - C2 |= bytes[index++] << 24; - - C3 = (bytes[index++] & 0xff); - C3 |= (bytes[index++] & 0xff) << 8; - C3 |= (bytes[index++] & 0xff) << 16; - C3 |= bytes[index++] << 24; - } - - private void packBlock( - byte[] bytes, - int off) - { - int index = off; - - bytes[index++] = (byte)C0; - bytes[index++] = (byte)(C0 >> 8); - bytes[index++] = (byte)(C0 >> 16); - bytes[index++] = (byte)(C0 >> 24); - - bytes[index++] = (byte)C1; - bytes[index++] = (byte)(C1 >> 8); - bytes[index++] = (byte)(C1 >> 16); - bytes[index++] = (byte)(C1 >> 24); - - bytes[index++] = (byte)C2; - bytes[index++] = (byte)(C2 >> 8); - bytes[index++] = (byte)(C2 >> 16); - bytes[index++] = (byte)(C2 >> 24); - - bytes[index++] = (byte)C3; - bytes[index++] = (byte)(C3 >> 8); - bytes[index++] = (byte)(C3 >> 16); - bytes[index++] = (byte)(C3 >> 24); - } - - private void encryptBlock(int[][] KW) - { - int t0 = this.C0 ^ KW[0][0]; - int t1 = this.C1 ^ KW[0][1]; - int t2 = this.C2 ^ KW[0][2]; - - int r = 1, r0, r1, r2, r3 = this.C3 ^ KW[0][3]; - while (r < ROUNDS - 1) - { - r0 = mcol((S[t0&255]&255) ^ ((S[(t1>>8)&255]&255)<<8) ^ ((S[(t2>>16)&255]&255)<<16) ^ (S[(r3>>24)&255]<<24)) ^ KW[r][0]; - r1 = mcol((S[t1&255]&255) ^ ((S[(t2>>8)&255]&255)<<8) ^ ((S[(r3>>16)&255]&255)<<16) ^ (S[(t0>>24)&255]<<24)) ^ KW[r][1]; - r2 = mcol((S[t2&255]&255) ^ ((S[(r3>>8)&255]&255)<<8) ^ ((S[(t0>>16)&255]&255)<<16) ^ (S[(t1>>24)&255]<<24)) ^ KW[r][2]; - r3 = mcol((S[r3&255]&255) ^ ((S[(t0>>8)&255]&255)<<8) ^ ((S[(t1>>16)&255]&255)<<16) ^ (S[(t2>>24)&255]<<24)) ^ KW[r++][3]; - t0 = mcol((S[r0&255]&255) ^ ((S[(r1>>8)&255]&255)<<8) ^ ((S[(r2>>16)&255]&255)<<16) ^ (S[(r3>>24)&255]<<24)) ^ KW[r][0]; - t1 = mcol((S[r1&255]&255) ^ ((S[(r2>>8)&255]&255)<<8) ^ ((S[(r3>>16)&255]&255)<<16) ^ (S[(r0>>24)&255]<<24)) ^ KW[r][1]; - t2 = mcol((S[r2&255]&255) ^ ((S[(r3>>8)&255]&255)<<8) ^ ((S[(r0>>16)&255]&255)<<16) ^ (S[(r1>>24)&255]<<24)) ^ KW[r][2]; - r3 = mcol((S[r3&255]&255) ^ ((S[(r0>>8)&255]&255)<<8) ^ ((S[(r1>>16)&255]&255)<<16) ^ (S[(r2>>24)&255]<<24)) ^ KW[r++][3]; - } - - r0 = mcol((S[t0&255]&255) ^ ((S[(t1>>8)&255]&255)<<8) ^ ((S[(t2>>16)&255]&255)<<16) ^ (S[(r3>>24)&255]<<24)) ^ KW[r][0]; - r1 = mcol((S[t1&255]&255) ^ ((S[(t2>>8)&255]&255)<<8) ^ ((S[(r3>>16)&255]&255)<<16) ^ (S[(t0>>24)&255]<<24)) ^ KW[r][1]; - r2 = mcol((S[t2&255]&255) ^ ((S[(r3>>8)&255]&255)<<8) ^ ((S[(t0>>16)&255]&255)<<16) ^ (S[(t1>>24)&255]<<24)) ^ KW[r][2]; - r3 = mcol((S[r3&255]&255) ^ ((S[(t0>>8)&255]&255)<<8) ^ ((S[(t1>>16)&255]&255)<<16) ^ (S[(t2>>24)&255]<<24)) ^ KW[r++][3]; - - // the final round is a simple function of S - - this.C0 = (S[r0&255]&255) ^ ((S[(r1>>8)&255]&255)<<8) ^ ((S[(r2>>16)&255]&255)<<16) ^ (S[(r3>>24)&255]<<24) ^ KW[r][0]; - this.C1 = (S[r1&255]&255) ^ ((S[(r2>>8)&255]&255)<<8) ^ ((S[(r3>>16)&255]&255)<<16) ^ (S[(r0>>24)&255]<<24) ^ KW[r][1]; - this.C2 = (S[r2&255]&255) ^ ((S[(r3>>8)&255]&255)<<8) ^ ((S[(r0>>16)&255]&255)<<16) ^ (S[(r1>>24)&255]<<24) ^ KW[r][2]; - this.C3 = (S[r3&255]&255) ^ ((S[(r0>>8)&255]&255)<<8) ^ ((S[(r1>>16)&255]&255)<<16) ^ (S[(r2>>24)&255]<<24) ^ KW[r][3]; - } - - private void decryptBlock(int[][] KW) - { - int t0 = this.C0 ^ KW[ROUNDS][0]; - int t1 = this.C1 ^ KW[ROUNDS][1]; - int t2 = this.C2 ^ KW[ROUNDS][2]; - - int r = ROUNDS - 1, r0, r1, r2, r3 = this.C3 ^ KW[ROUNDS][3]; - while (r > 1) - { - r0 = inv_mcol((Si[t0&255]&255) ^ ((Si[(r3>>8)&255]&255)<<8) ^ ((Si[(t2>>16)&255]&255)<<16) ^ (Si[(t1>>24)&255]<<24)) ^ KW[r][0]; - r1 = inv_mcol((Si[t1&255]&255) ^ ((Si[(t0>>8)&255]&255)<<8) ^ ((Si[(r3>>16)&255]&255)<<16) ^ (Si[(t2>>24)&255]<<24)) ^ KW[r][1]; - r2 = inv_mcol((Si[t2&255]&255) ^ ((Si[(t1>>8)&255]&255)<<8) ^ ((Si[(t0>>16)&255]&255)<<16) ^ (Si[(r3>>24)&255]<<24)) ^ KW[r][2]; - r3 = inv_mcol((Si[r3&255]&255) ^ ((Si[(t2>>8)&255]&255)<<8) ^ ((Si[(t1>>16)&255]&255)<<16) ^ (Si[(t0>>24)&255]<<24)) ^ KW[r--][3]; - t0 = inv_mcol((Si[r0&255]&255) ^ ((Si[(r3>>8)&255]&255)<<8) ^ ((Si[(r2>>16)&255]&255)<<16) ^ (Si[(r1>>24)&255]<<24)) ^ KW[r][0]; - t1 = inv_mcol((Si[r1&255]&255) ^ ((Si[(r0>>8)&255]&255)<<8) ^ ((Si[(r3>>16)&255]&255)<<16) ^ (Si[(r2>>24)&255]<<24)) ^ KW[r][1]; - t2 = inv_mcol((Si[r2&255]&255) ^ ((Si[(r1>>8)&255]&255)<<8) ^ ((Si[(r0>>16)&255]&255)<<16) ^ (Si[(r3>>24)&255]<<24)) ^ KW[r][2]; - r3 = inv_mcol((Si[r3&255]&255) ^ ((Si[(r2>>8)&255]&255)<<8) ^ ((Si[(r1>>16)&255]&255)<<16) ^ (Si[(r0>>24)&255]<<24)) ^ KW[r--][3]; - } - - r0 = inv_mcol((Si[t0&255]&255) ^ ((Si[(r3>>8)&255]&255)<<8) ^ ((Si[(t2>>16)&255]&255)<<16) ^ (Si[(t1>>24)&255]<<24)) ^ KW[r][0]; - r1 = inv_mcol((Si[t1&255]&255) ^ ((Si[(t0>>8)&255]&255)<<8) ^ ((Si[(r3>>16)&255]&255)<<16) ^ (Si[(t2>>24)&255]<<24)) ^ KW[r][1]; - r2 = inv_mcol((Si[t2&255]&255) ^ ((Si[(t1>>8)&255]&255)<<8) ^ ((Si[(t0>>16)&255]&255)<<16) ^ (Si[(r3>>24)&255]<<24)) ^ KW[r][2]; - r3 = inv_mcol((Si[r3&255]&255) ^ ((Si[(t2>>8)&255]&255)<<8) ^ ((Si[(t1>>16)&255]&255)<<16) ^ (Si[(t0>>24)&255]<<24)) ^ KW[r][3]; - - // the final round's table is a simple function of Si - - this.C0 = (Si[r0&255]&255) ^ ((Si[(r3>>8)&255]&255)<<8) ^ ((Si[(r2>>16)&255]&255)<<16) ^ (Si[(r1>>24)&255]<<24) ^ KW[0][0]; - this.C1 = (Si[r1&255]&255) ^ ((Si[(r0>>8)&255]&255)<<8) ^ ((Si[(r3>>16)&255]&255)<<16) ^ (Si[(r2>>24)&255]<<24) ^ KW[0][1]; - this.C2 = (Si[r2&255]&255) ^ ((Si[(r1>>8)&255]&255)<<8) ^ ((Si[(r0>>16)&255]&255)<<16) ^ (Si[(r3>>24)&255]<<24) ^ KW[0][2]; - this.C3 = (Si[r3&255]&255) ^ ((Si[(r2>>8)&255]&255)<<8) ^ ((Si[(r1>>16)&255]&255)<<16) ^ (Si[(r0>>24)&255]<<24) ^ KW[0][3]; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/AESWrapEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/AESWrapEngine.java deleted file mode 100644 index 5d316ac4..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/AESWrapEngine.java +++ /dev/null @@ -1,16 +0,0 @@ -package org.bouncycastle.crypto.engines; - -/** - * an implementation of the AES Key Wrapper from the NIST Key Wrap - * Specification. - * <p> - * For further details see: <a href="http://csrc.nist.gov/encryption/kms/key-wrap.pdf">http://csrc.nist.gov/encryption/kms/key-wrap.pdf</a>. - */ -public class AESWrapEngine - extends RFC3394WrapEngine -{ - public AESWrapEngine() - { - super(new AESEngine()); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/AESWrapPadEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/AESWrapPadEngine.java deleted file mode 100644 index 77760612..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/AESWrapPadEngine.java +++ /dev/null @@ -1,10 +0,0 @@ -package org.bouncycastle.crypto.engines; - -public class AESWrapPadEngine - extends RFC5649WrapEngine -{ - public AESWrapPadEngine() - { - super(new AESEngine()); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/BlowfishEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/BlowfishEngine.java deleted file mode 100644 index cfe7f1ff..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/BlowfishEngine.java +++ /dev/null @@ -1,577 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.params.KeyParameter; - -/** - * A class that provides Blowfish key encryption operations, - * such as encoding data and generating keys. - * All the algorithms herein are from Applied Cryptography - * and implement a simplified cryptography interface. - */ -public final class BlowfishEngine -implements BlockCipher -{ - private final static int[] - KP = { - 0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344, - 0xA4093822, 0x299F31D0, 0x082EFA98, 0xEC4E6C89, - 0x452821E6, 0x38D01377, 0xBE5466CF, 0x34E90C6C, - 0xC0AC29B7, 0xC97C50DD, 0x3F84D5B5, 0xB5470917, - 0x9216D5D9, 0x8979FB1B - }, - - KS0 = { - 0xD1310BA6, 0x98DFB5AC, 0x2FFD72DB, 0xD01ADFB7, - 0xB8E1AFED, 0x6A267E96, 0xBA7C9045, 0xF12C7F99, - 0x24A19947, 0xB3916CF7, 0x0801F2E2, 0x858EFC16, - 0x636920D8, 0x71574E69, 0xA458FEA3, 0xF4933D7E, - 0x0D95748F, 0x728EB658, 0x718BCD58, 0x82154AEE, - 0x7B54A41D, 0xC25A59B5, 0x9C30D539, 0x2AF26013, - 0xC5D1B023, 0x286085F0, 0xCA417918, 0xB8DB38EF, - 0x8E79DCB0, 0x603A180E, 0x6C9E0E8B, 0xB01E8A3E, - 0xD71577C1, 0xBD314B27, 0x78AF2FDA, 0x55605C60, - 0xE65525F3, 0xAA55AB94, 0x57489862, 0x63E81440, - 0x55CA396A, 0x2AAB10B6, 0xB4CC5C34, 0x1141E8CE, - 0xA15486AF, 0x7C72E993, 0xB3EE1411, 0x636FBC2A, - 0x2BA9C55D, 0x741831F6, 0xCE5C3E16, 0x9B87931E, - 0xAFD6BA33, 0x6C24CF5C, 0x7A325381, 0x28958677, - 0x3B8F4898, 0x6B4BB9AF, 0xC4BFE81B, 0x66282193, - 0x61D809CC, 0xFB21A991, 0x487CAC60, 0x5DEC8032, - 0xEF845D5D, 0xE98575B1, 0xDC262302, 0xEB651B88, - 0x23893E81, 0xD396ACC5, 0x0F6D6FF3, 0x83F44239, - 0x2E0B4482, 0xA4842004, 0x69C8F04A, 0x9E1F9B5E, - 0x21C66842, 0xF6E96C9A, 0x670C9C61, 0xABD388F0, - 0x6A51A0D2, 0xD8542F68, 0x960FA728, 0xAB5133A3, - 0x6EEF0B6C, 0x137A3BE4, 0xBA3BF050, 0x7EFB2A98, - 0xA1F1651D, 0x39AF0176, 0x66CA593E, 0x82430E88, - 0x8CEE8619, 0x456F9FB4, 0x7D84A5C3, 0x3B8B5EBE, - 0xE06F75D8, 0x85C12073, 0x401A449F, 0x56C16AA6, - 0x4ED3AA62, 0x363F7706, 0x1BFEDF72, 0x429B023D, - 0x37D0D724, 0xD00A1248, 0xDB0FEAD3, 0x49F1C09B, - 0x075372C9, 0x80991B7B, 0x25D479D8, 0xF6E8DEF7, - 0xE3FE501A, 0xB6794C3B, 0x976CE0BD, 0x04C006BA, - 0xC1A94FB6, 0x409F60C4, 0x5E5C9EC2, 0x196A2463, - 0x68FB6FAF, 0x3E6C53B5, 0x1339B2EB, 0x3B52EC6F, - 0x6DFC511F, 0x9B30952C, 0xCC814544, 0xAF5EBD09, - 0xBEE3D004, 0xDE334AFD, 0x660F2807, 0x192E4BB3, - 0xC0CBA857, 0x45C8740F, 0xD20B5F39, 0xB9D3FBDB, - 0x5579C0BD, 0x1A60320A, 0xD6A100C6, 0x402C7279, - 0x679F25FE, 0xFB1FA3CC, 0x8EA5E9F8, 0xDB3222F8, - 0x3C7516DF, 0xFD616B15, 0x2F501EC8, 0xAD0552AB, - 0x323DB5FA, 0xFD238760, 0x53317B48, 0x3E00DF82, - 0x9E5C57BB, 0xCA6F8CA0, 0x1A87562E, 0xDF1769DB, - 0xD542A8F6, 0x287EFFC3, 0xAC6732C6, 0x8C4F5573, - 0x695B27B0, 0xBBCA58C8, 0xE1FFA35D, 0xB8F011A0, - 0x10FA3D98, 0xFD2183B8, 0x4AFCB56C, 0x2DD1D35B, - 0x9A53E479, 0xB6F84565, 0xD28E49BC, 0x4BFB9790, - 0xE1DDF2DA, 0xA4CB7E33, 0x62FB1341, 0xCEE4C6E8, - 0xEF20CADA, 0x36774C01, 0xD07E9EFE, 0x2BF11FB4, - 0x95DBDA4D, 0xAE909198, 0xEAAD8E71, 0x6B93D5A0, - 0xD08ED1D0, 0xAFC725E0, 0x8E3C5B2F, 0x8E7594B7, - 0x8FF6E2FB, 0xF2122B64, 0x8888B812, 0x900DF01C, - 0x4FAD5EA0, 0x688FC31C, 0xD1CFF191, 0xB3A8C1AD, - 0x2F2F2218, 0xBE0E1777, 0xEA752DFE, 0x8B021FA1, - 0xE5A0CC0F, 0xB56F74E8, 0x18ACF3D6, 0xCE89E299, - 0xB4A84FE0, 0xFD13E0B7, 0x7CC43B81, 0xD2ADA8D9, - 0x165FA266, 0x80957705, 0x93CC7314, 0x211A1477, - 0xE6AD2065, 0x77B5FA86, 0xC75442F5, 0xFB9D35CF, - 0xEBCDAF0C, 0x7B3E89A0, 0xD6411BD3, 0xAE1E7E49, - 0x00250E2D, 0x2071B35E, 0x226800BB, 0x57B8E0AF, - 0x2464369B, 0xF009B91E, 0x5563911D, 0x59DFA6AA, - 0x78C14389, 0xD95A537F, 0x207D5BA2, 0x02E5B9C5, - 0x83260376, 0x6295CFA9, 0x11C81968, 0x4E734A41, - 0xB3472DCA, 0x7B14A94A, 0x1B510052, 0x9A532915, - 0xD60F573F, 0xBC9BC6E4, 0x2B60A476, 0x81E67400, - 0x08BA6FB5, 0x571BE91F, 0xF296EC6B, 0x2A0DD915, - 0xB6636521, 0xE7B9F9B6, 0xFF34052E, 0xC5855664, - 0x53B02D5D, 0xA99F8FA1, 0x08BA4799, 0x6E85076A - }, - - KS1 = { - 0x4B7A70E9, 0xB5B32944, 0xDB75092E, 0xC4192623, - 0xAD6EA6B0, 0x49A7DF7D, 0x9CEE60B8, 0x8FEDB266, - 0xECAA8C71, 0x699A17FF, 0x5664526C, 0xC2B19EE1, - 0x193602A5, 0x75094C29, 0xA0591340, 0xE4183A3E, - 0x3F54989A, 0x5B429D65, 0x6B8FE4D6, 0x99F73FD6, - 0xA1D29C07, 0xEFE830F5, 0x4D2D38E6, 0xF0255DC1, - 0x4CDD2086, 0x8470EB26, 0x6382E9C6, 0x021ECC5E, - 0x09686B3F, 0x3EBAEFC9, 0x3C971814, 0x6B6A70A1, - 0x687F3584, 0x52A0E286, 0xB79C5305, 0xAA500737, - 0x3E07841C, 0x7FDEAE5C, 0x8E7D44EC, 0x5716F2B8, - 0xB03ADA37, 0xF0500C0D, 0xF01C1F04, 0x0200B3FF, - 0xAE0CF51A, 0x3CB574B2, 0x25837A58, 0xDC0921BD, - 0xD19113F9, 0x7CA92FF6, 0x94324773, 0x22F54701, - 0x3AE5E581, 0x37C2DADC, 0xC8B57634, 0x9AF3DDA7, - 0xA9446146, 0x0FD0030E, 0xECC8C73E, 0xA4751E41, - 0xE238CD99, 0x3BEA0E2F, 0x3280BBA1, 0x183EB331, - 0x4E548B38, 0x4F6DB908, 0x6F420D03, 0xF60A04BF, - 0x2CB81290, 0x24977C79, 0x5679B072, 0xBCAF89AF, - 0xDE9A771F, 0xD9930810, 0xB38BAE12, 0xDCCF3F2E, - 0x5512721F, 0x2E6B7124, 0x501ADDE6, 0x9F84CD87, - 0x7A584718, 0x7408DA17, 0xBC9F9ABC, 0xE94B7D8C, - 0xEC7AEC3A, 0xDB851DFA, 0x63094366, 0xC464C3D2, - 0xEF1C1847, 0x3215D908, 0xDD433B37, 0x24C2BA16, - 0x12A14D43, 0x2A65C451, 0x50940002, 0x133AE4DD, - 0x71DFF89E, 0x10314E55, 0x81AC77D6, 0x5F11199B, - 0x043556F1, 0xD7A3C76B, 0x3C11183B, 0x5924A509, - 0xF28FE6ED, 0x97F1FBFA, 0x9EBABF2C, 0x1E153C6E, - 0x86E34570, 0xEAE96FB1, 0x860E5E0A, 0x5A3E2AB3, - 0x771FE71C, 0x4E3D06FA, 0x2965DCB9, 0x99E71D0F, - 0x803E89D6, 0x5266C825, 0x2E4CC978, 0x9C10B36A, - 0xC6150EBA, 0x94E2EA78, 0xA5FC3C53, 0x1E0A2DF4, - 0xF2F74EA7, 0x361D2B3D, 0x1939260F, 0x19C27960, - 0x5223A708, 0xF71312B6, 0xEBADFE6E, 0xEAC31F66, - 0xE3BC4595, 0xA67BC883, 0xB17F37D1, 0x018CFF28, - 0xC332DDEF, 0xBE6C5AA5, 0x65582185, 0x68AB9802, - 0xEECEA50F, 0xDB2F953B, 0x2AEF7DAD, 0x5B6E2F84, - 0x1521B628, 0x29076170, 0xECDD4775, 0x619F1510, - 0x13CCA830, 0xEB61BD96, 0x0334FE1E, 0xAA0363CF, - 0xB5735C90, 0x4C70A239, 0xD59E9E0B, 0xCBAADE14, - 0xEECC86BC, 0x60622CA7, 0x9CAB5CAB, 0xB2F3846E, - 0x648B1EAF, 0x19BDF0CA, 0xA02369B9, 0x655ABB50, - 0x40685A32, 0x3C2AB4B3, 0x319EE9D5, 0xC021B8F7, - 0x9B540B19, 0x875FA099, 0x95F7997E, 0x623D7DA8, - 0xF837889A, 0x97E32D77, 0x11ED935F, 0x16681281, - 0x0E358829, 0xC7E61FD6, 0x96DEDFA1, 0x7858BA99, - 0x57F584A5, 0x1B227263, 0x9B83C3FF, 0x1AC24696, - 0xCDB30AEB, 0x532E3054, 0x8FD948E4, 0x6DBC3128, - 0x58EBF2EF, 0x34C6FFEA, 0xFE28ED61, 0xEE7C3C73, - 0x5D4A14D9, 0xE864B7E3, 0x42105D14, 0x203E13E0, - 0x45EEE2B6, 0xA3AAABEA, 0xDB6C4F15, 0xFACB4FD0, - 0xC742F442, 0xEF6ABBB5, 0x654F3B1D, 0x41CD2105, - 0xD81E799E, 0x86854DC7, 0xE44B476A, 0x3D816250, - 0xCF62A1F2, 0x5B8D2646, 0xFC8883A0, 0xC1C7B6A3, - 0x7F1524C3, 0x69CB7492, 0x47848A0B, 0x5692B285, - 0x095BBF00, 0xAD19489D, 0x1462B174, 0x23820E00, - 0x58428D2A, 0x0C55F5EA, 0x1DADF43E, 0x233F7061, - 0x3372F092, 0x8D937E41, 0xD65FECF1, 0x6C223BDB, - 0x7CDE3759, 0xCBEE7460, 0x4085F2A7, 0xCE77326E, - 0xA6078084, 0x19F8509E, 0xE8EFD855, 0x61D99735, - 0xA969A7AA, 0xC50C06C2, 0x5A04ABFC, 0x800BCADC, - 0x9E447A2E, 0xC3453484, 0xFDD56705, 0x0E1E9EC9, - 0xDB73DBD3, 0x105588CD, 0x675FDA79, 0xE3674340, - 0xC5C43465, 0x713E38D8, 0x3D28F89E, 0xF16DFF20, - 0x153E21E7, 0x8FB03D4A, 0xE6E39F2B, 0xDB83ADF7 - }, - - KS2 = { - 0xE93D5A68, 0x948140F7, 0xF64C261C, 0x94692934, - 0x411520F7, 0x7602D4F7, 0xBCF46B2E, 0xD4A20068, - 0xD4082471, 0x3320F46A, 0x43B7D4B7, 0x500061AF, - 0x1E39F62E, 0x97244546, 0x14214F74, 0xBF8B8840, - 0x4D95FC1D, 0x96B591AF, 0x70F4DDD3, 0x66A02F45, - 0xBFBC09EC, 0x03BD9785, 0x7FAC6DD0, 0x31CB8504, - 0x96EB27B3, 0x55FD3941, 0xDA2547E6, 0xABCA0A9A, - 0x28507825, 0x530429F4, 0x0A2C86DA, 0xE9B66DFB, - 0x68DC1462, 0xD7486900, 0x680EC0A4, 0x27A18DEE, - 0x4F3FFEA2, 0xE887AD8C, 0xB58CE006, 0x7AF4D6B6, - 0xAACE1E7C, 0xD3375FEC, 0xCE78A399, 0x406B2A42, - 0x20FE9E35, 0xD9F385B9, 0xEE39D7AB, 0x3B124E8B, - 0x1DC9FAF7, 0x4B6D1856, 0x26A36631, 0xEAE397B2, - 0x3A6EFA74, 0xDD5B4332, 0x6841E7F7, 0xCA7820FB, - 0xFB0AF54E, 0xD8FEB397, 0x454056AC, 0xBA489527, - 0x55533A3A, 0x20838D87, 0xFE6BA9B7, 0xD096954B, - 0x55A867BC, 0xA1159A58, 0xCCA92963, 0x99E1DB33, - 0xA62A4A56, 0x3F3125F9, 0x5EF47E1C, 0x9029317C, - 0xFDF8E802, 0x04272F70, 0x80BB155C, 0x05282CE3, - 0x95C11548, 0xE4C66D22, 0x48C1133F, 0xC70F86DC, - 0x07F9C9EE, 0x41041F0F, 0x404779A4, 0x5D886E17, - 0x325F51EB, 0xD59BC0D1, 0xF2BCC18F, 0x41113564, - 0x257B7834, 0x602A9C60, 0xDFF8E8A3, 0x1F636C1B, - 0x0E12B4C2, 0x02E1329E, 0xAF664FD1, 0xCAD18115, - 0x6B2395E0, 0x333E92E1, 0x3B240B62, 0xEEBEB922, - 0x85B2A20E, 0xE6BA0D99, 0xDE720C8C, 0x2DA2F728, - 0xD0127845, 0x95B794FD, 0x647D0862, 0xE7CCF5F0, - 0x5449A36F, 0x877D48FA, 0xC39DFD27, 0xF33E8D1E, - 0x0A476341, 0x992EFF74, 0x3A6F6EAB, 0xF4F8FD37, - 0xA812DC60, 0xA1EBDDF8, 0x991BE14C, 0xDB6E6B0D, - 0xC67B5510, 0x6D672C37, 0x2765D43B, 0xDCD0E804, - 0xF1290DC7, 0xCC00FFA3, 0xB5390F92, 0x690FED0B, - 0x667B9FFB, 0xCEDB7D9C, 0xA091CF0B, 0xD9155EA3, - 0xBB132F88, 0x515BAD24, 0x7B9479BF, 0x763BD6EB, - 0x37392EB3, 0xCC115979, 0x8026E297, 0xF42E312D, - 0x6842ADA7, 0xC66A2B3B, 0x12754CCC, 0x782EF11C, - 0x6A124237, 0xB79251E7, 0x06A1BBE6, 0x4BFB6350, - 0x1A6B1018, 0x11CAEDFA, 0x3D25BDD8, 0xE2E1C3C9, - 0x44421659, 0x0A121386, 0xD90CEC6E, 0xD5ABEA2A, - 0x64AF674E, 0xDA86A85F, 0xBEBFE988, 0x64E4C3FE, - 0x9DBC8057, 0xF0F7C086, 0x60787BF8, 0x6003604D, - 0xD1FD8346, 0xF6381FB0, 0x7745AE04, 0xD736FCCC, - 0x83426B33, 0xF01EAB71, 0xB0804187, 0x3C005E5F, - 0x77A057BE, 0xBDE8AE24, 0x55464299, 0xBF582E61, - 0x4E58F48F, 0xF2DDFDA2, 0xF474EF38, 0x8789BDC2, - 0x5366F9C3, 0xC8B38E74, 0xB475F255, 0x46FCD9B9, - 0x7AEB2661, 0x8B1DDF84, 0x846A0E79, 0x915F95E2, - 0x466E598E, 0x20B45770, 0x8CD55591, 0xC902DE4C, - 0xB90BACE1, 0xBB8205D0, 0x11A86248, 0x7574A99E, - 0xB77F19B6, 0xE0A9DC09, 0x662D09A1, 0xC4324633, - 0xE85A1F02, 0x09F0BE8C, 0x4A99A025, 0x1D6EFE10, - 0x1AB93D1D, 0x0BA5A4DF, 0xA186F20F, 0x2868F169, - 0xDCB7DA83, 0x573906FE, 0xA1E2CE9B, 0x4FCD7F52, - 0x50115E01, 0xA70683FA, 0xA002B5C4, 0x0DE6D027, - 0x9AF88C27, 0x773F8641, 0xC3604C06, 0x61A806B5, - 0xF0177A28, 0xC0F586E0, 0x006058AA, 0x30DC7D62, - 0x11E69ED7, 0x2338EA63, 0x53C2DD94, 0xC2C21634, - 0xBBCBEE56, 0x90BCB6DE, 0xEBFC7DA1, 0xCE591D76, - 0x6F05E409, 0x4B7C0188, 0x39720A3D, 0x7C927C24, - 0x86E3725F, 0x724D9DB9, 0x1AC15BB4, 0xD39EB8FC, - 0xED545578, 0x08FCA5B5, 0xD83D7CD3, 0x4DAD0FC4, - 0x1E50EF5E, 0xB161E6F8, 0xA28514D9, 0x6C51133C, - 0x6FD5C7E7, 0x56E14EC4, 0x362ABFCE, 0xDDC6C837, - 0xD79A3234, 0x92638212, 0x670EFA8E, 0x406000E0 - }, - - KS3 = { - 0x3A39CE37, 0xD3FAF5CF, 0xABC27737, 0x5AC52D1B, - 0x5CB0679E, 0x4FA33742, 0xD3822740, 0x99BC9BBE, - 0xD5118E9D, 0xBF0F7315, 0xD62D1C7E, 0xC700C47B, - 0xB78C1B6B, 0x21A19045, 0xB26EB1BE, 0x6A366EB4, - 0x5748AB2F, 0xBC946E79, 0xC6A376D2, 0x6549C2C8, - 0x530FF8EE, 0x468DDE7D, 0xD5730A1D, 0x4CD04DC6, - 0x2939BBDB, 0xA9BA4650, 0xAC9526E8, 0xBE5EE304, - 0xA1FAD5F0, 0x6A2D519A, 0x63EF8CE2, 0x9A86EE22, - 0xC089C2B8, 0x43242EF6, 0xA51E03AA, 0x9CF2D0A4, - 0x83C061BA, 0x9BE96A4D, 0x8FE51550, 0xBA645BD6, - 0x2826A2F9, 0xA73A3AE1, 0x4BA99586, 0xEF5562E9, - 0xC72FEFD3, 0xF752F7DA, 0x3F046F69, 0x77FA0A59, - 0x80E4A915, 0x87B08601, 0x9B09E6AD, 0x3B3EE593, - 0xE990FD5A, 0x9E34D797, 0x2CF0B7D9, 0x022B8B51, - 0x96D5AC3A, 0x017DA67D, 0xD1CF3ED6, 0x7C7D2D28, - 0x1F9F25CF, 0xADF2B89B, 0x5AD6B472, 0x5A88F54C, - 0xE029AC71, 0xE019A5E6, 0x47B0ACFD, 0xED93FA9B, - 0xE8D3C48D, 0x283B57CC, 0xF8D56629, 0x79132E28, - 0x785F0191, 0xED756055, 0xF7960E44, 0xE3D35E8C, - 0x15056DD4, 0x88F46DBA, 0x03A16125, 0x0564F0BD, - 0xC3EB9E15, 0x3C9057A2, 0x97271AEC, 0xA93A072A, - 0x1B3F6D9B, 0x1E6321F5, 0xF59C66FB, 0x26DCF319, - 0x7533D928, 0xB155FDF5, 0x03563482, 0x8ABA3CBB, - 0x28517711, 0xC20AD9F8, 0xABCC5167, 0xCCAD925F, - 0x4DE81751, 0x3830DC8E, 0x379D5862, 0x9320F991, - 0xEA7A90C2, 0xFB3E7BCE, 0x5121CE64, 0x774FBE32, - 0xA8B6E37E, 0xC3293D46, 0x48DE5369, 0x6413E680, - 0xA2AE0810, 0xDD6DB224, 0x69852DFD, 0x09072166, - 0xB39A460A, 0x6445C0DD, 0x586CDECF, 0x1C20C8AE, - 0x5BBEF7DD, 0x1B588D40, 0xCCD2017F, 0x6BB4E3BB, - 0xDDA26A7E, 0x3A59FF45, 0x3E350A44, 0xBCB4CDD5, - 0x72EACEA8, 0xFA6484BB, 0x8D6612AE, 0xBF3C6F47, - 0xD29BE463, 0x542F5D9E, 0xAEC2771B, 0xF64E6370, - 0x740E0D8D, 0xE75B1357, 0xF8721671, 0xAF537D5D, - 0x4040CB08, 0x4EB4E2CC, 0x34D2466A, 0x0115AF84, - 0xE1B00428, 0x95983A1D, 0x06B89FB4, 0xCE6EA048, - 0x6F3F3B82, 0x3520AB82, 0x011A1D4B, 0x277227F8, - 0x611560B1, 0xE7933FDC, 0xBB3A792B, 0x344525BD, - 0xA08839E1, 0x51CE794B, 0x2F32C9B7, 0xA01FBAC9, - 0xE01CC87E, 0xBCC7D1F6, 0xCF0111C3, 0xA1E8AAC7, - 0x1A908749, 0xD44FBD9A, 0xD0DADECB, 0xD50ADA38, - 0x0339C32A, 0xC6913667, 0x8DF9317C, 0xE0B12B4F, - 0xF79E59B7, 0x43F5BB3A, 0xF2D519FF, 0x27D9459C, - 0xBF97222C, 0x15E6FC2A, 0x0F91FC71, 0x9B941525, - 0xFAE59361, 0xCEB69CEB, 0xC2A86459, 0x12BAA8D1, - 0xB6C1075E, 0xE3056A0C, 0x10D25065, 0xCB03A442, - 0xE0EC6E0E, 0x1698DB3B, 0x4C98A0BE, 0x3278E964, - 0x9F1F9532, 0xE0D392DF, 0xD3A0342B, 0x8971F21E, - 0x1B0A7441, 0x4BA3348C, 0xC5BE7120, 0xC37632D8, - 0xDF359F8D, 0x9B992F2E, 0xE60B6F47, 0x0FE3F11D, - 0xE54CDA54, 0x1EDAD891, 0xCE6279CF, 0xCD3E7E6F, - 0x1618B166, 0xFD2C1D05, 0x848FD2C5, 0xF6FB2299, - 0xF523F357, 0xA6327623, 0x93A83531, 0x56CCCD02, - 0xACF08162, 0x5A75EBB5, 0x6E163697, 0x88D273CC, - 0xDE966292, 0x81B949D0, 0x4C50901B, 0x71C65614, - 0xE6C6C7BD, 0x327A140A, 0x45E1D006, 0xC3F27B9A, - 0xC9AA53FD, 0x62A80F00, 0xBB25BFE2, 0x35BDD2F6, - 0x71126905, 0xB2040222, 0xB6CBCF7C, 0xCD769C2B, - 0x53113EC0, 0x1640E3D3, 0x38ABBD60, 0x2547ADF0, - 0xBA38209C, 0xF746CE76, 0x77AFA1C5, 0x20756060, - 0x85CBFE4E, 0x8AE88DD8, 0x7AAAF9B0, 0x4CF9AA7E, - 0x1948C25C, 0x02FB8A8C, 0x01C36AE4, 0xD6EBE1F9, - 0x90D4F869, 0xA65CDEA0, 0x3F09252D, 0xC208E69F, - 0xB74E6132, 0xCE77E25B, 0x578FDFE3, 0x3AC372E6 - }; - - //==================================== - // Useful constants - //==================================== - - private static final int ROUNDS = 16; - private static final int BLOCK_SIZE = 8; // bytes = 64 bits - private static final int SBOX_SK = 256; - private static final int P_SZ = ROUNDS+2; - - private final int[] S0, S1, S2, S3; // the s-boxes - private final int[] P; // the p-array - - private boolean encrypting = false; - - private byte[] workingKey = null; - - public BlowfishEngine() - { - S0 = new int[SBOX_SK]; - S1 = new int[SBOX_SK]; - S2 = new int[SBOX_SK]; - S3 = new int[SBOX_SK]; - P = new int[P_SZ]; - } - - /** - * initialise a Blowfish cipher. - * - * @param encrypting whether or not we are for encryption. - * @param params the parameters required to set up the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean encrypting, - CipherParameters params) - { - if (params instanceof KeyParameter) - { - this.encrypting = encrypting; - this.workingKey = ((KeyParameter)params).getKey(); - setKey(this.workingKey); - - return; - } - - throw new IllegalArgumentException("invalid parameter passed to Blowfish init - " + params.getClass().getName()); - } - - public String getAlgorithmName() - { - return "Blowfish"; - } - - public final int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - if (workingKey == null) - { - throw new IllegalStateException("Blowfish not initialised"); - } - - if ((inOff + BLOCK_SIZE) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + BLOCK_SIZE) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - if (encrypting) - { - encryptBlock(in, inOff, out, outOff); - } - else - { - decryptBlock(in, inOff, out, outOff); - } - - return BLOCK_SIZE; - } - - public void reset() - { - } - - public int getBlockSize() - { - return BLOCK_SIZE; - } - - //================================== - // Private Implementation - //================================== - - private int F(int x) - { - return (((S0[(x >>> 24)] + S1[(x >>> 16) & 0xff]) - ^ S2[(x >>> 8) & 0xff]) + S3[x & 0xff]); - } - - /** - * apply the encryption cycle to each value pair in the table. - */ - private void processTable( - int xl, - int xr, - int[] table) - { - int size = table.length; - - for (int s = 0; s < size; s += 2) - { - xl ^= P[0]; - - for (int i = 1; i < ROUNDS; i += 2) - { - xr ^= F(xl) ^ P[i]; - xl ^= F(xr) ^ P[i + 1]; - } - - xr ^= P[ROUNDS + 1]; - - table[s] = xr; - table[s + 1] = xl; - - xr = xl; // end of cycle swap - xl = table[s]; - } - } - - private void setKey(byte[] key) - { - /* - * - comments are from _Applied Crypto_, Schneier, p338 - * please be careful comparing the two, AC numbers the - * arrays from 1, the enclosed code from 0. - * - * (1) - * Initialise the S-boxes and the P-array, with a fixed string - * This string contains the hexadecimal digits of pi (3.141...) - */ - System.arraycopy(KS0, 0, S0, 0, SBOX_SK); - System.arraycopy(KS1, 0, S1, 0, SBOX_SK); - System.arraycopy(KS2, 0, S2, 0, SBOX_SK); - System.arraycopy(KS3, 0, S3, 0, SBOX_SK); - - System.arraycopy(KP, 0, P, 0, P_SZ); - - /* - * (2) - * Now, XOR P[0] with the first 32 bits of the key, XOR P[1] with the - * second 32-bits of the key, and so on for all bits of the key - * (up to P[17]). Repeatedly cycle through the key bits until the - * entire P-array has been XOR-ed with the key bits - */ - int keyLength = key.length; - int keyIndex = 0; - - for (int i=0; i < P_SZ; i++) - { - // get the 32 bits of the key, in 4 * 8 bit chunks - int data = 0x0000000; - for (int j=0; j < 4; j++) - { - // create a 32 bit block - data = (data << 8) | (key[keyIndex++] & 0xff); - - // wrap when we get to the end of the key - if (keyIndex >= keyLength) - { - keyIndex = 0; - } - } - // XOR the newly created 32 bit chunk onto the P-array - P[i] ^= data; - } - - /* - * (3) - * Encrypt the all-zero string with the Blowfish algorithm, using - * the subkeys described in (1) and (2) - * - * (4) - * Replace P1 and P2 with the output of step (3) - * - * (5) - * Encrypt the output of step(3) using the Blowfish algorithm, - * with the modified subkeys. - * - * (6) - * Replace P3 and P4 with the output of step (5) - * - * (7) - * Continue the process, replacing all elements of the P-array - * and then all four S-boxes in order, with the output of the - * continuously changing Blowfish algorithm - */ - - processTable(0, 0, P); - processTable(P[P_SZ - 2], P[P_SZ - 1], S0); - processTable(S0[SBOX_SK - 2], S0[SBOX_SK - 1], S1); - processTable(S1[SBOX_SK - 2], S1[SBOX_SK - 1], S2); - processTable(S2[SBOX_SK - 2], S2[SBOX_SK - 1], S3); - } - - /** - * Encrypt the given input starting at the given offset and place - * the result in the provided buffer starting at the given offset. - * The input will be an exact multiple of our blocksize. - */ - private void encryptBlock( - byte[] src, - int srcIndex, - byte[] dst, - int dstIndex) - { - int xl = BytesTo32bits(src, srcIndex); - int xr = BytesTo32bits(src, srcIndex+4); - - xl ^= P[0]; - - for (int i = 1; i < ROUNDS; i += 2) - { - xr ^= F(xl) ^ P[i]; - xl ^= F(xr) ^ P[i + 1]; - } - - xr ^= P[ROUNDS + 1]; - - Bits32ToBytes(xr, dst, dstIndex); - Bits32ToBytes(xl, dst, dstIndex + 4); - } - - /** - * Decrypt the given input starting at the given offset and place - * the result in the provided buffer starting at the given offset. - * The input will be an exact multiple of our blocksize. - */ - private void decryptBlock( - byte[] src, - int srcIndex, - byte[] dst, - int dstIndex) - { - int xl = BytesTo32bits(src, srcIndex); - int xr = BytesTo32bits(src, srcIndex + 4); - - xl ^= P[ROUNDS + 1]; - - for (int i = ROUNDS; i > 0 ; i -= 2) - { - xr ^= F(xl) ^ P[i]; - xl ^= F(xr) ^ P[i - 1]; - } - - xr ^= P[0]; - - Bits32ToBytes(xr, dst, dstIndex); - Bits32ToBytes(xl, dst, dstIndex+4); - } - - private int BytesTo32bits(byte[] b, int i) - { - return ((b[i] & 0xff) << 24) | - ((b[i+1] & 0xff) << 16) | - ((b[i+2] & 0xff) << 8) | - ((b[i+3] & 0xff)); - } - - private void Bits32ToBytes(int in, byte[] b, int offset) - { - b[offset + 3] = (byte)in; - b[offset + 2] = (byte)(in >> 8); - b[offset + 1] = (byte)(in >> 16); - b[offset] = (byte)(in >> 24); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/CAST5Engine.java b/core/src/main/java/org/bouncycastle/crypto/engines/CAST5Engine.java deleted file mode 100644 index 5a8c7806..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/CAST5Engine.java +++ /dev/null @@ -1,831 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.params.KeyParameter; - -/** - * A class that provides CAST key encryption operations, - * such as encoding data and generating keys. - * - * All the algorithms herein are from the Internet RFC's - * - * RFC2144 - CAST5 (64bit block, 40-128bit key) - * RFC2612 - CAST6 (128bit block, 128-256bit key) - * - * and implement a simplified cryptography interface. - */ -public class CAST5Engine - implements BlockCipher -{ - protected final static int M32 = 0xffffffff; - - protected final static int[] - S1 = { -0x30fb40d4, 0x9fa0ff0b, 0x6beccd2f, 0x3f258c7a, 0x1e213f2f, 0x9c004dd3, 0x6003e540, 0xcf9fc949, -0xbfd4af27, 0x88bbbdb5, 0xe2034090, 0x98d09675, 0x6e63a0e0, 0x15c361d2, 0xc2e7661d, 0x22d4ff8e, -0x28683b6f, 0xc07fd059, 0xff2379c8, 0x775f50e2, 0x43c340d3, 0xdf2f8656, 0x887ca41a, 0xa2d2bd2d, -0xa1c9e0d6, 0x346c4819, 0x61b76d87, 0x22540f2f, 0x2abe32e1, 0xaa54166b, 0x22568e3a, 0xa2d341d0, -0x66db40c8, 0xa784392f, 0x004dff2f, 0x2db9d2de, 0x97943fac, 0x4a97c1d8, 0x527644b7, 0xb5f437a7, -0xb82cbaef, 0xd751d159, 0x6ff7f0ed, 0x5a097a1f, 0x827b68d0, 0x90ecf52e, 0x22b0c054, 0xbc8e5935, -0x4b6d2f7f, 0x50bb64a2, 0xd2664910, 0xbee5812d, 0xb7332290, 0xe93b159f, 0xb48ee411, 0x4bff345d, -0xfd45c240, 0xad31973f, 0xc4f6d02e, 0x55fc8165, 0xd5b1caad, 0xa1ac2dae, 0xa2d4b76d, 0xc19b0c50, -0x882240f2, 0x0c6e4f38, 0xa4e4bfd7, 0x4f5ba272, 0x564c1d2f, 0xc59c5319, 0xb949e354, 0xb04669fe, -0xb1b6ab8a, 0xc71358dd, 0x6385c545, 0x110f935d, 0x57538ad5, 0x6a390493, 0xe63d37e0, 0x2a54f6b3, -0x3a787d5f, 0x6276a0b5, 0x19a6fcdf, 0x7a42206a, 0x29f9d4d5, 0xf61b1891, 0xbb72275e, 0xaa508167, -0x38901091, 0xc6b505eb, 0x84c7cb8c, 0x2ad75a0f, 0x874a1427, 0xa2d1936b, 0x2ad286af, 0xaa56d291, -0xd7894360, 0x425c750d, 0x93b39e26, 0x187184c9, 0x6c00b32d, 0x73e2bb14, 0xa0bebc3c, 0x54623779, -0x64459eab, 0x3f328b82, 0x7718cf82, 0x59a2cea6, 0x04ee002e, 0x89fe78e6, 0x3fab0950, 0x325ff6c2, -0x81383f05, 0x6963c5c8, 0x76cb5ad6, 0xd49974c9, 0xca180dcf, 0x380782d5, 0xc7fa5cf6, 0x8ac31511, -0x35e79e13, 0x47da91d0, 0xf40f9086, 0xa7e2419e, 0x31366241, 0x051ef495, 0xaa573b04, 0x4a805d8d, -0x548300d0, 0x00322a3c, 0xbf64cddf, 0xba57a68e, 0x75c6372b, 0x50afd341, 0xa7c13275, 0x915a0bf5, -0x6b54bfab, 0x2b0b1426, 0xab4cc9d7, 0x449ccd82, 0xf7fbf265, 0xab85c5f3, 0x1b55db94, 0xaad4e324, -0xcfa4bd3f, 0x2deaa3e2, 0x9e204d02, 0xc8bd25ac, 0xeadf55b3, 0xd5bd9e98, 0xe31231b2, 0x2ad5ad6c, -0x954329de, 0xadbe4528, 0xd8710f69, 0xaa51c90f, 0xaa786bf6, 0x22513f1e, 0xaa51a79b, 0x2ad344cc, -0x7b5a41f0, 0xd37cfbad, 0x1b069505, 0x41ece491, 0xb4c332e6, 0x032268d4, 0xc9600acc, 0xce387e6d, -0xbf6bb16c, 0x6a70fb78, 0x0d03d9c9, 0xd4df39de, 0xe01063da, 0x4736f464, 0x5ad328d8, 0xb347cc96, -0x75bb0fc3, 0x98511bfb, 0x4ffbcc35, 0xb58bcf6a, 0xe11f0abc, 0xbfc5fe4a, 0xa70aec10, 0xac39570a, -0x3f04442f, 0x6188b153, 0xe0397a2e, 0x5727cb79, 0x9ceb418f, 0x1cacd68d, 0x2ad37c96, 0x0175cb9d, -0xc69dff09, 0xc75b65f0, 0xd9db40d8, 0xec0e7779, 0x4744ead4, 0xb11c3274, 0xdd24cb9e, 0x7e1c54bd, -0xf01144f9, 0xd2240eb1, 0x9675b3fd, 0xa3ac3755, 0xd47c27af, 0x51c85f4d, 0x56907596, 0xa5bb15e6, -0x580304f0, 0xca042cf1, 0x011a37ea, 0x8dbfaadb, 0x35ba3e4a, 0x3526ffa0, 0xc37b4d09, 0xbc306ed9, -0x98a52666, 0x5648f725, 0xff5e569d, 0x0ced63d0, 0x7c63b2cf, 0x700b45e1, 0xd5ea50f1, 0x85a92872, -0xaf1fbda7, 0xd4234870, 0xa7870bf3, 0x2d3b4d79, 0x42e04198, 0x0cd0ede7, 0x26470db8, 0xf881814c, -0x474d6ad7, 0x7c0c5e5c, 0xd1231959, 0x381b7298, 0xf5d2f4db, 0xab838653, 0x6e2f1e23, 0x83719c9e, -0xbd91e046, 0x9a56456e, 0xdc39200c, 0x20c8c571, 0x962bda1c, 0xe1e696ff, 0xb141ab08, 0x7cca89b9, -0x1a69e783, 0x02cc4843, 0xa2f7c579, 0x429ef47d, 0x427b169c, 0x5ac9f049, 0xdd8f0f00, 0x5c8165bf - }, - S2 = { -0x1f201094, 0xef0ba75b, 0x69e3cf7e, 0x393f4380, 0xfe61cf7a, 0xeec5207a, 0x55889c94, 0x72fc0651, -0xada7ef79, 0x4e1d7235, 0xd55a63ce, 0xde0436ba, 0x99c430ef, 0x5f0c0794, 0x18dcdb7d, 0xa1d6eff3, -0xa0b52f7b, 0x59e83605, 0xee15b094, 0xe9ffd909, 0xdc440086, 0xef944459, 0xba83ccb3, 0xe0c3cdfb, -0xd1da4181, 0x3b092ab1, 0xf997f1c1, 0xa5e6cf7b, 0x01420ddb, 0xe4e7ef5b, 0x25a1ff41, 0xe180f806, -0x1fc41080, 0x179bee7a, 0xd37ac6a9, 0xfe5830a4, 0x98de8b7f, 0x77e83f4e, 0x79929269, 0x24fa9f7b, -0xe113c85b, 0xacc40083, 0xd7503525, 0xf7ea615f, 0x62143154, 0x0d554b63, 0x5d681121, 0xc866c359, -0x3d63cf73, 0xcee234c0, 0xd4d87e87, 0x5c672b21, 0x071f6181, 0x39f7627f, 0x361e3084, 0xe4eb573b, -0x602f64a4, 0xd63acd9c, 0x1bbc4635, 0x9e81032d, 0x2701f50c, 0x99847ab4, 0xa0e3df79, 0xba6cf38c, -0x10843094, 0x2537a95e, 0xf46f6ffe, 0xa1ff3b1f, 0x208cfb6a, 0x8f458c74, 0xd9e0a227, 0x4ec73a34, -0xfc884f69, 0x3e4de8df, 0xef0e0088, 0x3559648d, 0x8a45388c, 0x1d804366, 0x721d9bfd, 0xa58684bb, -0xe8256333, 0x844e8212, 0x128d8098, 0xfed33fb4, 0xce280ae1, 0x27e19ba5, 0xd5a6c252, 0xe49754bd, -0xc5d655dd, 0xeb667064, 0x77840b4d, 0xa1b6a801, 0x84db26a9, 0xe0b56714, 0x21f043b7, 0xe5d05860, -0x54f03084, 0x066ff472, 0xa31aa153, 0xdadc4755, 0xb5625dbf, 0x68561be6, 0x83ca6b94, 0x2d6ed23b, -0xeccf01db, 0xa6d3d0ba, 0xb6803d5c, 0xaf77a709, 0x33b4a34c, 0x397bc8d6, 0x5ee22b95, 0x5f0e5304, -0x81ed6f61, 0x20e74364, 0xb45e1378, 0xde18639b, 0x881ca122, 0xb96726d1, 0x8049a7e8, 0x22b7da7b, -0x5e552d25, 0x5272d237, 0x79d2951c, 0xc60d894c, 0x488cb402, 0x1ba4fe5b, 0xa4b09f6b, 0x1ca815cf, -0xa20c3005, 0x8871df63, 0xb9de2fcb, 0x0cc6c9e9, 0x0beeff53, 0xe3214517, 0xb4542835, 0x9f63293c, -0xee41e729, 0x6e1d2d7c, 0x50045286, 0x1e6685f3, 0xf33401c6, 0x30a22c95, 0x31a70850, 0x60930f13, -0x73f98417, 0xa1269859, 0xec645c44, 0x52c877a9, 0xcdff33a6, 0xa02b1741, 0x7cbad9a2, 0x2180036f, -0x50d99c08, 0xcb3f4861, 0xc26bd765, 0x64a3f6ab, 0x80342676, 0x25a75e7b, 0xe4e6d1fc, 0x20c710e6, -0xcdf0b680, 0x17844d3b, 0x31eef84d, 0x7e0824e4, 0x2ccb49eb, 0x846a3bae, 0x8ff77888, 0xee5d60f6, -0x7af75673, 0x2fdd5cdb, 0xa11631c1, 0x30f66f43, 0xb3faec54, 0x157fd7fa, 0xef8579cc, 0xd152de58, -0xdb2ffd5e, 0x8f32ce19, 0x306af97a, 0x02f03ef8, 0x99319ad5, 0xc242fa0f, 0xa7e3ebb0, 0xc68e4906, -0xb8da230c, 0x80823028, 0xdcdef3c8, 0xd35fb171, 0x088a1bc8, 0xbec0c560, 0x61a3c9e8, 0xbca8f54d, -0xc72feffa, 0x22822e99, 0x82c570b4, 0xd8d94e89, 0x8b1c34bc, 0x301e16e6, 0x273be979, 0xb0ffeaa6, -0x61d9b8c6, 0x00b24869, 0xb7ffce3f, 0x08dc283b, 0x43daf65a, 0xf7e19798, 0x7619b72f, 0x8f1c9ba4, -0xdc8637a0, 0x16a7d3b1, 0x9fc393b7, 0xa7136eeb, 0xc6bcc63e, 0x1a513742, 0xef6828bc, 0x520365d6, -0x2d6a77ab, 0x3527ed4b, 0x821fd216, 0x095c6e2e, 0xdb92f2fb, 0x5eea29cb, 0x145892f5, 0x91584f7f, -0x5483697b, 0x2667a8cc, 0x85196048, 0x8c4bacea, 0x833860d4, 0x0d23e0f9, 0x6c387e8a, 0x0ae6d249, -0xb284600c, 0xd835731d, 0xdcb1c647, 0xac4c56ea, 0x3ebd81b3, 0x230eabb0, 0x6438bc87, 0xf0b5b1fa, -0x8f5ea2b3, 0xfc184642, 0x0a036b7a, 0x4fb089bd, 0x649da589, 0xa345415e, 0x5c038323, 0x3e5d3bb9, -0x43d79572, 0x7e6dd07c, 0x06dfdf1e, 0x6c6cc4ef, 0x7160a539, 0x73bfbe70, 0x83877605, 0x4523ecf1 - }, - S3 = { -0x8defc240, 0x25fa5d9f, 0xeb903dbf, 0xe810c907, 0x47607fff, 0x369fe44b, 0x8c1fc644, 0xaececa90, -0xbeb1f9bf, 0xeefbcaea, 0xe8cf1950, 0x51df07ae, 0x920e8806, 0xf0ad0548, 0xe13c8d83, 0x927010d5, -0x11107d9f, 0x07647db9, 0xb2e3e4d4, 0x3d4f285e, 0xb9afa820, 0xfade82e0, 0xa067268b, 0x8272792e, -0x553fb2c0, 0x489ae22b, 0xd4ef9794, 0x125e3fbc, 0x21fffcee, 0x825b1bfd, 0x9255c5ed, 0x1257a240, -0x4e1a8302, 0xbae07fff, 0x528246e7, 0x8e57140e, 0x3373f7bf, 0x8c9f8188, 0xa6fc4ee8, 0xc982b5a5, -0xa8c01db7, 0x579fc264, 0x67094f31, 0xf2bd3f5f, 0x40fff7c1, 0x1fb78dfc, 0x8e6bd2c1, 0x437be59b, -0x99b03dbf, 0xb5dbc64b, 0x638dc0e6, 0x55819d99, 0xa197c81c, 0x4a012d6e, 0xc5884a28, 0xccc36f71, -0xb843c213, 0x6c0743f1, 0x8309893c, 0x0feddd5f, 0x2f7fe850, 0xd7c07f7e, 0x02507fbf, 0x5afb9a04, -0xa747d2d0, 0x1651192e, 0xaf70bf3e, 0x58c31380, 0x5f98302e, 0x727cc3c4, 0x0a0fb402, 0x0f7fef82, -0x8c96fdad, 0x5d2c2aae, 0x8ee99a49, 0x50da88b8, 0x8427f4a0, 0x1eac5790, 0x796fb449, 0x8252dc15, -0xefbd7d9b, 0xa672597d, 0xada840d8, 0x45f54504, 0xfa5d7403, 0xe83ec305, 0x4f91751a, 0x925669c2, -0x23efe941, 0xa903f12e, 0x60270df2, 0x0276e4b6, 0x94fd6574, 0x927985b2, 0x8276dbcb, 0x02778176, -0xf8af918d, 0x4e48f79e, 0x8f616ddf, 0xe29d840e, 0x842f7d83, 0x340ce5c8, 0x96bbb682, 0x93b4b148, -0xef303cab, 0x984faf28, 0x779faf9b, 0x92dc560d, 0x224d1e20, 0x8437aa88, 0x7d29dc96, 0x2756d3dc, -0x8b907cee, 0xb51fd240, 0xe7c07ce3, 0xe566b4a1, 0xc3e9615e, 0x3cf8209d, 0x6094d1e3, 0xcd9ca341, -0x5c76460e, 0x00ea983b, 0xd4d67881, 0xfd47572c, 0xf76cedd9, 0xbda8229c, 0x127dadaa, 0x438a074e, -0x1f97c090, 0x081bdb8a, 0x93a07ebe, 0xb938ca15, 0x97b03cff, 0x3dc2c0f8, 0x8d1ab2ec, 0x64380e51, -0x68cc7bfb, 0xd90f2788, 0x12490181, 0x5de5ffd4, 0xdd7ef86a, 0x76a2e214, 0xb9a40368, 0x925d958f, -0x4b39fffa, 0xba39aee9, 0xa4ffd30b, 0xfaf7933b, 0x6d498623, 0x193cbcfa, 0x27627545, 0x825cf47a, -0x61bd8ba0, 0xd11e42d1, 0xcead04f4, 0x127ea392, 0x10428db7, 0x8272a972, 0x9270c4a8, 0x127de50b, -0x285ba1c8, 0x3c62f44f, 0x35c0eaa5, 0xe805d231, 0x428929fb, 0xb4fcdf82, 0x4fb66a53, 0x0e7dc15b, -0x1f081fab, 0x108618ae, 0xfcfd086d, 0xf9ff2889, 0x694bcc11, 0x236a5cae, 0x12deca4d, 0x2c3f8cc5, -0xd2d02dfe, 0xf8ef5896, 0xe4cf52da, 0x95155b67, 0x494a488c, 0xb9b6a80c, 0x5c8f82bc, 0x89d36b45, -0x3a609437, 0xec00c9a9, 0x44715253, 0x0a874b49, 0xd773bc40, 0x7c34671c, 0x02717ef6, 0x4feb5536, -0xa2d02fff, 0xd2bf60c4, 0xd43f03c0, 0x50b4ef6d, 0x07478cd1, 0x006e1888, 0xa2e53f55, 0xb9e6d4bc, -0xa2048016, 0x97573833, 0xd7207d67, 0xde0f8f3d, 0x72f87b33, 0xabcc4f33, 0x7688c55d, 0x7b00a6b0, -0x947b0001, 0x570075d2, 0xf9bb88f8, 0x8942019e, 0x4264a5ff, 0x856302e0, 0x72dbd92b, 0xee971b69, -0x6ea22fde, 0x5f08ae2b, 0xaf7a616d, 0xe5c98767, 0xcf1febd2, 0x61efc8c2, 0xf1ac2571, 0xcc8239c2, -0x67214cb8, 0xb1e583d1, 0xb7dc3e62, 0x7f10bdce, 0xf90a5c38, 0x0ff0443d, 0x606e6dc6, 0x60543a49, -0x5727c148, 0x2be98a1d, 0x8ab41738, 0x20e1be24, 0xaf96da0f, 0x68458425, 0x99833be5, 0x600d457d, -0x282f9350, 0x8334b362, 0xd91d1120, 0x2b6d8da0, 0x642b1e31, 0x9c305a00, 0x52bce688, 0x1b03588a, -0xf7baefd5, 0x4142ed9c, 0xa4315c11, 0x83323ec5, 0xdfef4636, 0xa133c501, 0xe9d3531c, 0xee353783 - }, - S4 = { -0x9db30420, 0x1fb6e9de, 0xa7be7bef, 0xd273a298, 0x4a4f7bdb, 0x64ad8c57, 0x85510443, 0xfa020ed1, -0x7e287aff, 0xe60fb663, 0x095f35a1, 0x79ebf120, 0xfd059d43, 0x6497b7b1, 0xf3641f63, 0x241e4adf, -0x28147f5f, 0x4fa2b8cd, 0xc9430040, 0x0cc32220, 0xfdd30b30, 0xc0a5374f, 0x1d2d00d9, 0x24147b15, -0xee4d111a, 0x0fca5167, 0x71ff904c, 0x2d195ffe, 0x1a05645f, 0x0c13fefe, 0x081b08ca, 0x05170121, -0x80530100, 0xe83e5efe, 0xac9af4f8, 0x7fe72701, 0xd2b8ee5f, 0x06df4261, 0xbb9e9b8a, 0x7293ea25, -0xce84ffdf, 0xf5718801, 0x3dd64b04, 0xa26f263b, 0x7ed48400, 0x547eebe6, 0x446d4ca0, 0x6cf3d6f5, -0x2649abdf, 0xaea0c7f5, 0x36338cc1, 0x503f7e93, 0xd3772061, 0x11b638e1, 0x72500e03, 0xf80eb2bb, -0xabe0502e, 0xec8d77de, 0x57971e81, 0xe14f6746, 0xc9335400, 0x6920318f, 0x081dbb99, 0xffc304a5, -0x4d351805, 0x7f3d5ce3, 0xa6c866c6, 0x5d5bcca9, 0xdaec6fea, 0x9f926f91, 0x9f46222f, 0x3991467d, -0xa5bf6d8e, 0x1143c44f, 0x43958302, 0xd0214eeb, 0x022083b8, 0x3fb6180c, 0x18f8931e, 0x281658e6, -0x26486e3e, 0x8bd78a70, 0x7477e4c1, 0xb506e07c, 0xf32d0a25, 0x79098b02, 0xe4eabb81, 0x28123b23, -0x69dead38, 0x1574ca16, 0xdf871b62, 0x211c40b7, 0xa51a9ef9, 0x0014377b, 0x041e8ac8, 0x09114003, -0xbd59e4d2, 0xe3d156d5, 0x4fe876d5, 0x2f91a340, 0x557be8de, 0x00eae4a7, 0x0ce5c2ec, 0x4db4bba6, -0xe756bdff, 0xdd3369ac, 0xec17b035, 0x06572327, 0x99afc8b0, 0x56c8c391, 0x6b65811c, 0x5e146119, -0x6e85cb75, 0xbe07c002, 0xc2325577, 0x893ff4ec, 0x5bbfc92d, 0xd0ec3b25, 0xb7801ab7, 0x8d6d3b24, -0x20c763ef, 0xc366a5fc, 0x9c382880, 0x0ace3205, 0xaac9548a, 0xeca1d7c7, 0x041afa32, 0x1d16625a, -0x6701902c, 0x9b757a54, 0x31d477f7, 0x9126b031, 0x36cc6fdb, 0xc70b8b46, 0xd9e66a48, 0x56e55a79, -0x026a4ceb, 0x52437eff, 0x2f8f76b4, 0x0df980a5, 0x8674cde3, 0xedda04eb, 0x17a9be04, 0x2c18f4df, -0xb7747f9d, 0xab2af7b4, 0xefc34d20, 0x2e096b7c, 0x1741a254, 0xe5b6a035, 0x213d42f6, 0x2c1c7c26, -0x61c2f50f, 0x6552daf9, 0xd2c231f8, 0x25130f69, 0xd8167fa2, 0x0418f2c8, 0x001a96a6, 0x0d1526ab, -0x63315c21, 0x5e0a72ec, 0x49bafefd, 0x187908d9, 0x8d0dbd86, 0x311170a7, 0x3e9b640c, 0xcc3e10d7, -0xd5cad3b6, 0x0caec388, 0xf73001e1, 0x6c728aff, 0x71eae2a1, 0x1f9af36e, 0xcfcbd12f, 0xc1de8417, -0xac07be6b, 0xcb44a1d8, 0x8b9b0f56, 0x013988c3, 0xb1c52fca, 0xb4be31cd, 0xd8782806, 0x12a3a4e2, -0x6f7de532, 0x58fd7eb6, 0xd01ee900, 0x24adffc2, 0xf4990fc5, 0x9711aac5, 0x001d7b95, 0x82e5e7d2, -0x109873f6, 0x00613096, 0xc32d9521, 0xada121ff, 0x29908415, 0x7fbb977f, 0xaf9eb3db, 0x29c9ed2a, -0x5ce2a465, 0xa730f32c, 0xd0aa3fe8, 0x8a5cc091, 0xd49e2ce7, 0x0ce454a9, 0xd60acd86, 0x015f1919, -0x77079103, 0xdea03af6, 0x78a8565e, 0xdee356df, 0x21f05cbe, 0x8b75e387, 0xb3c50651, 0xb8a5c3ef, -0xd8eeb6d2, 0xe523be77, 0xc2154529, 0x2f69efdf, 0xafe67afb, 0xf470c4b2, 0xf3e0eb5b, 0xd6cc9876, -0x39e4460c, 0x1fda8538, 0x1987832f, 0xca007367, 0xa99144f8, 0x296b299e, 0x492fc295, 0x9266beab, -0xb5676e69, 0x9bd3ddda, 0xdf7e052f, 0xdb25701c, 0x1b5e51ee, 0xf65324e6, 0x6afce36c, 0x0316cc04, -0x8644213e, 0xb7dc59d0, 0x7965291f, 0xccd6fd43, 0x41823979, 0x932bcdf6, 0xb657c34d, 0x4edfd282, -0x7ae5290c, 0x3cb9536b, 0x851e20fe, 0x9833557e, 0x13ecf0b0, 0xd3ffb372, 0x3f85c5c1, 0x0aef7ed2 - }, - S5 = { -0x7ec90c04, 0x2c6e74b9, 0x9b0e66df, 0xa6337911, 0xb86a7fff, 0x1dd358f5, 0x44dd9d44, 0x1731167f, -0x08fbf1fa, 0xe7f511cc, 0xd2051b00, 0x735aba00, 0x2ab722d8, 0x386381cb, 0xacf6243a, 0x69befd7a, -0xe6a2e77f, 0xf0c720cd, 0xc4494816, 0xccf5c180, 0x38851640, 0x15b0a848, 0xe68b18cb, 0x4caadeff, -0x5f480a01, 0x0412b2aa, 0x259814fc, 0x41d0efe2, 0x4e40b48d, 0x248eb6fb, 0x8dba1cfe, 0x41a99b02, -0x1a550a04, 0xba8f65cb, 0x7251f4e7, 0x95a51725, 0xc106ecd7, 0x97a5980a, 0xc539b9aa, 0x4d79fe6a, -0xf2f3f763, 0x68af8040, 0xed0c9e56, 0x11b4958b, 0xe1eb5a88, 0x8709e6b0, 0xd7e07156, 0x4e29fea7, -0x6366e52d, 0x02d1c000, 0xc4ac8e05, 0x9377f571, 0x0c05372a, 0x578535f2, 0x2261be02, 0xd642a0c9, -0xdf13a280, 0x74b55bd2, 0x682199c0, 0xd421e5ec, 0x53fb3ce8, 0xc8adedb3, 0x28a87fc9, 0x3d959981, -0x5c1ff900, 0xfe38d399, 0x0c4eff0b, 0x062407ea, 0xaa2f4fb1, 0x4fb96976, 0x90c79505, 0xb0a8a774, -0xef55a1ff, 0xe59ca2c2, 0xa6b62d27, 0xe66a4263, 0xdf65001f, 0x0ec50966, 0xdfdd55bc, 0x29de0655, -0x911e739a, 0x17af8975, 0x32c7911c, 0x89f89468, 0x0d01e980, 0x524755f4, 0x03b63cc9, 0x0cc844b2, -0xbcf3f0aa, 0x87ac36e9, 0xe53a7426, 0x01b3d82b, 0x1a9e7449, 0x64ee2d7e, 0xcddbb1da, 0x01c94910, -0xb868bf80, 0x0d26f3fd, 0x9342ede7, 0x04a5c284, 0x636737b6, 0x50f5b616, 0xf24766e3, 0x8eca36c1, -0x136e05db, 0xfef18391, 0xfb887a37, 0xd6e7f7d4, 0xc7fb7dc9, 0x3063fcdf, 0xb6f589de, 0xec2941da, -0x26e46695, 0xb7566419, 0xf654efc5, 0xd08d58b7, 0x48925401, 0xc1bacb7f, 0xe5ff550f, 0xb6083049, -0x5bb5d0e8, 0x87d72e5a, 0xab6a6ee1, 0x223a66ce, 0xc62bf3cd, 0x9e0885f9, 0x68cb3e47, 0x086c010f, -0xa21de820, 0xd18b69de, 0xf3f65777, 0xfa02c3f6, 0x407edac3, 0xcbb3d550, 0x1793084d, 0xb0d70eba, -0x0ab378d5, 0xd951fb0c, 0xded7da56, 0x4124bbe4, 0x94ca0b56, 0x0f5755d1, 0xe0e1e56e, 0x6184b5be, -0x580a249f, 0x94f74bc0, 0xe327888e, 0x9f7b5561, 0xc3dc0280, 0x05687715, 0x646c6bd7, 0x44904db3, -0x66b4f0a3, 0xc0f1648a, 0x697ed5af, 0x49e92ff6, 0x309e374f, 0x2cb6356a, 0x85808573, 0x4991f840, -0x76f0ae02, 0x083be84d, 0x28421c9a, 0x44489406, 0x736e4cb8, 0xc1092910, 0x8bc95fc6, 0x7d869cf4, -0x134f616f, 0x2e77118d, 0xb31b2be1, 0xaa90b472, 0x3ca5d717, 0x7d161bba, 0x9cad9010, 0xaf462ba2, -0x9fe459d2, 0x45d34559, 0xd9f2da13, 0xdbc65487, 0xf3e4f94e, 0x176d486f, 0x097c13ea, 0x631da5c7, -0x445f7382, 0x175683f4, 0xcdc66a97, 0x70be0288, 0xb3cdcf72, 0x6e5dd2f3, 0x20936079, 0x459b80a5, -0xbe60e2db, 0xa9c23101, 0xeba5315c, 0x224e42f2, 0x1c5c1572, 0xf6721b2c, 0x1ad2fff3, 0x8c25404e, -0x324ed72f, 0x4067b7fd, 0x0523138e, 0x5ca3bc78, 0xdc0fd66e, 0x75922283, 0x784d6b17, 0x58ebb16e, -0x44094f85, 0x3f481d87, 0xfcfeae7b, 0x77b5ff76, 0x8c2302bf, 0xaaf47556, 0x5f46b02a, 0x2b092801, -0x3d38f5f7, 0x0ca81f36, 0x52af4a8a, 0x66d5e7c0, 0xdf3b0874, 0x95055110, 0x1b5ad7a8, 0xf61ed5ad, -0x6cf6e479, 0x20758184, 0xd0cefa65, 0x88f7be58, 0x4a046826, 0x0ff6f8f3, 0xa09c7f70, 0x5346aba0, -0x5ce96c28, 0xe176eda3, 0x6bac307f, 0x376829d2, 0x85360fa9, 0x17e3fe2a, 0x24b79767, 0xf5a96b20, -0xd6cd2595, 0x68ff1ebf, 0x7555442c, 0xf19f06be, 0xf9e0659a, 0xeeb9491d, 0x34010718, 0xbb30cab8, -0xe822fe15, 0x88570983, 0x750e6249, 0xda627e55, 0x5e76ffa8, 0xb1534546, 0x6d47de08, 0xefe9e7d4 - }, - S6 = { -0xf6fa8f9d, 0x2cac6ce1, 0x4ca34867, 0xe2337f7c, 0x95db08e7, 0x016843b4, 0xeced5cbc, 0x325553ac, -0xbf9f0960, 0xdfa1e2ed, 0x83f0579d, 0x63ed86b9, 0x1ab6a6b8, 0xde5ebe39, 0xf38ff732, 0x8989b138, -0x33f14961, 0xc01937bd, 0xf506c6da, 0xe4625e7e, 0xa308ea99, 0x4e23e33c, 0x79cbd7cc, 0x48a14367, -0xa3149619, 0xfec94bd5, 0xa114174a, 0xeaa01866, 0xa084db2d, 0x09a8486f, 0xa888614a, 0x2900af98, -0x01665991, 0xe1992863, 0xc8f30c60, 0x2e78ef3c, 0xd0d51932, 0xcf0fec14, 0xf7ca07d2, 0xd0a82072, -0xfd41197e, 0x9305a6b0, 0xe86be3da, 0x74bed3cd, 0x372da53c, 0x4c7f4448, 0xdab5d440, 0x6dba0ec3, -0x083919a7, 0x9fbaeed9, 0x49dbcfb0, 0x4e670c53, 0x5c3d9c01, 0x64bdb941, 0x2c0e636a, 0xba7dd9cd, -0xea6f7388, 0xe70bc762, 0x35f29adb, 0x5c4cdd8d, 0xf0d48d8c, 0xb88153e2, 0x08a19866, 0x1ae2eac8, -0x284caf89, 0xaa928223, 0x9334be53, 0x3b3a21bf, 0x16434be3, 0x9aea3906, 0xefe8c36e, 0xf890cdd9, -0x80226dae, 0xc340a4a3, 0xdf7e9c09, 0xa694a807, 0x5b7c5ecc, 0x221db3a6, 0x9a69a02f, 0x68818a54, -0xceb2296f, 0x53c0843a, 0xfe893655, 0x25bfe68a, 0xb4628abc, 0xcf222ebf, 0x25ac6f48, 0xa9a99387, -0x53bddb65, 0xe76ffbe7, 0xe967fd78, 0x0ba93563, 0x8e342bc1, 0xe8a11be9, 0x4980740d, 0xc8087dfc, -0x8de4bf99, 0xa11101a0, 0x7fd37975, 0xda5a26c0, 0xe81f994f, 0x9528cd89, 0xfd339fed, 0xb87834bf, -0x5f04456d, 0x22258698, 0xc9c4c83b, 0x2dc156be, 0x4f628daa, 0x57f55ec5, 0xe2220abe, 0xd2916ebf, -0x4ec75b95, 0x24f2c3c0, 0x42d15d99, 0xcd0d7fa0, 0x7b6e27ff, 0xa8dc8af0, 0x7345c106, 0xf41e232f, -0x35162386, 0xe6ea8926, 0x3333b094, 0x157ec6f2, 0x372b74af, 0x692573e4, 0xe9a9d848, 0xf3160289, -0x3a62ef1d, 0xa787e238, 0xf3a5f676, 0x74364853, 0x20951063, 0x4576698d, 0xb6fad407, 0x592af950, -0x36f73523, 0x4cfb6e87, 0x7da4cec0, 0x6c152daa, 0xcb0396a8, 0xc50dfe5d, 0xfcd707ab, 0x0921c42f, -0x89dff0bb, 0x5fe2be78, 0x448f4f33, 0x754613c9, 0x2b05d08d, 0x48b9d585, 0xdc049441, 0xc8098f9b, -0x7dede786, 0xc39a3373, 0x42410005, 0x6a091751, 0x0ef3c8a6, 0x890072d6, 0x28207682, 0xa9a9f7be, -0xbf32679d, 0xd45b5b75, 0xb353fd00, 0xcbb0e358, 0x830f220a, 0x1f8fb214, 0xd372cf08, 0xcc3c4a13, -0x8cf63166, 0x061c87be, 0x88c98f88, 0x6062e397, 0x47cf8e7a, 0xb6c85283, 0x3cc2acfb, 0x3fc06976, -0x4e8f0252, 0x64d8314d, 0xda3870e3, 0x1e665459, 0xc10908f0, 0x513021a5, 0x6c5b68b7, 0x822f8aa0, -0x3007cd3e, 0x74719eef, 0xdc872681, 0x073340d4, 0x7e432fd9, 0x0c5ec241, 0x8809286c, 0xf592d891, -0x08a930f6, 0x957ef305, 0xb7fbffbd, 0xc266e96f, 0x6fe4ac98, 0xb173ecc0, 0xbc60b42a, 0x953498da, -0xfba1ae12, 0x2d4bd736, 0x0f25faab, 0xa4f3fceb, 0xe2969123, 0x257f0c3d, 0x9348af49, 0x361400bc, -0xe8816f4a, 0x3814f200, 0xa3f94043, 0x9c7a54c2, 0xbc704f57, 0xda41e7f9, 0xc25ad33a, 0x54f4a084, -0xb17f5505, 0x59357cbe, 0xedbd15c8, 0x7f97c5ab, 0xba5ac7b5, 0xb6f6deaf, 0x3a479c3a, 0x5302da25, -0x653d7e6a, 0x54268d49, 0x51a477ea, 0x5017d55b, 0xd7d25d88, 0x44136c76, 0x0404a8c8, 0xb8e5a121, -0xb81a928a, 0x60ed5869, 0x97c55b96, 0xeaec991b, 0x29935913, 0x01fdb7f1, 0x088e8dfa, 0x9ab6f6f5, -0x3b4cbf9f, 0x4a5de3ab, 0xe6051d35, 0xa0e1d855, 0xd36b4cf1, 0xf544edeb, 0xb0e93524, 0xbebb8fbd, -0xa2d762cf, 0x49c92f54, 0x38b5f331, 0x7128a454, 0x48392905, 0xa65b1db8, 0x851c97bd, 0xd675cf2f - }, - S7 = { -0x85e04019, 0x332bf567, 0x662dbfff, 0xcfc65693, 0x2a8d7f6f, 0xab9bc912, 0xde6008a1, 0x2028da1f, -0x0227bce7, 0x4d642916, 0x18fac300, 0x50f18b82, 0x2cb2cb11, 0xb232e75c, 0x4b3695f2, 0xb28707de, -0xa05fbcf6, 0xcd4181e9, 0xe150210c, 0xe24ef1bd, 0xb168c381, 0xfde4e789, 0x5c79b0d8, 0x1e8bfd43, -0x4d495001, 0x38be4341, 0x913cee1d, 0x92a79c3f, 0x089766be, 0xbaeeadf4, 0x1286becf, 0xb6eacb19, -0x2660c200, 0x7565bde4, 0x64241f7a, 0x8248dca9, 0xc3b3ad66, 0x28136086, 0x0bd8dfa8, 0x356d1cf2, -0x107789be, 0xb3b2e9ce, 0x0502aa8f, 0x0bc0351e, 0x166bf52a, 0xeb12ff82, 0xe3486911, 0xd34d7516, -0x4e7b3aff, 0x5f43671b, 0x9cf6e037, 0x4981ac83, 0x334266ce, 0x8c9341b7, 0xd0d854c0, 0xcb3a6c88, -0x47bc2829, 0x4725ba37, 0xa66ad22b, 0x7ad61f1e, 0x0c5cbafa, 0x4437f107, 0xb6e79962, 0x42d2d816, -0x0a961288, 0xe1a5c06e, 0x13749e67, 0x72fc081a, 0xb1d139f7, 0xf9583745, 0xcf19df58, 0xbec3f756, -0xc06eba30, 0x07211b24, 0x45c28829, 0xc95e317f, 0xbc8ec511, 0x38bc46e9, 0xc6e6fa14, 0xbae8584a, -0xad4ebc46, 0x468f508b, 0x7829435f, 0xf124183b, 0x821dba9f, 0xaff60ff4, 0xea2c4e6d, 0x16e39264, -0x92544a8b, 0x009b4fc3, 0xaba68ced, 0x9ac96f78, 0x06a5b79a, 0xb2856e6e, 0x1aec3ca9, 0xbe838688, -0x0e0804e9, 0x55f1be56, 0xe7e5363b, 0xb3a1f25d, 0xf7debb85, 0x61fe033c, 0x16746233, 0x3c034c28, -0xda6d0c74, 0x79aac56c, 0x3ce4e1ad, 0x51f0c802, 0x98f8f35a, 0x1626a49f, 0xeed82b29, 0x1d382fe3, -0x0c4fb99a, 0xbb325778, 0x3ec6d97b, 0x6e77a6a9, 0xcb658b5c, 0xd45230c7, 0x2bd1408b, 0x60c03eb7, -0xb9068d78, 0xa33754f4, 0xf430c87d, 0xc8a71302, 0xb96d8c32, 0xebd4e7be, 0xbe8b9d2d, 0x7979fb06, -0xe7225308, 0x8b75cf77, 0x11ef8da4, 0xe083c858, 0x8d6b786f, 0x5a6317a6, 0xfa5cf7a0, 0x5dda0033, -0xf28ebfb0, 0xf5b9c310, 0xa0eac280, 0x08b9767a, 0xa3d9d2b0, 0x79d34217, 0x021a718d, 0x9ac6336a, -0x2711fd60, 0x438050e3, 0x069908a8, 0x3d7fedc4, 0x826d2bef, 0x4eeb8476, 0x488dcf25, 0x36c9d566, -0x28e74e41, 0xc2610aca, 0x3d49a9cf, 0xbae3b9df, 0xb65f8de6, 0x92aeaf64, 0x3ac7d5e6, 0x9ea80509, -0xf22b017d, 0xa4173f70, 0xdd1e16c3, 0x15e0d7f9, 0x50b1b887, 0x2b9f4fd5, 0x625aba82, 0x6a017962, -0x2ec01b9c, 0x15488aa9, 0xd716e740, 0x40055a2c, 0x93d29a22, 0xe32dbf9a, 0x058745b9, 0x3453dc1e, -0xd699296e, 0x496cff6f, 0x1c9f4986, 0xdfe2ed07, 0xb87242d1, 0x19de7eae, 0x053e561a, 0x15ad6f8c, -0x66626c1c, 0x7154c24c, 0xea082b2a, 0x93eb2939, 0x17dcb0f0, 0x58d4f2ae, 0x9ea294fb, 0x52cf564c, -0x9883fe66, 0x2ec40581, 0x763953c3, 0x01d6692e, 0xd3a0c108, 0xa1e7160e, 0xe4f2dfa6, 0x693ed285, -0x74904698, 0x4c2b0edd, 0x4f757656, 0x5d393378, 0xa132234f, 0x3d321c5d, 0xc3f5e194, 0x4b269301, -0xc79f022f, 0x3c997e7e, 0x5e4f9504, 0x3ffafbbd, 0x76f7ad0e, 0x296693f4, 0x3d1fce6f, 0xc61e45be, -0xd3b5ab34, 0xf72bf9b7, 0x1b0434c0, 0x4e72b567, 0x5592a33d, 0xb5229301, 0xcfd2a87f, 0x60aeb767, -0x1814386b, 0x30bcc33d, 0x38a0c07d, 0xfd1606f2, 0xc363519b, 0x589dd390, 0x5479f8e6, 0x1cb8d647, -0x97fd61a9, 0xea7759f4, 0x2d57539d, 0x569a58cf, 0xe84e63ad, 0x462e1b78, 0x6580f87e, 0xf3817914, -0x91da55f4, 0x40a230f3, 0xd1988f35, 0xb6e318d2, 0x3ffa50bc, 0x3d40f021, 0xc3c0bdae, 0x4958c24c, -0x518f36b2, 0x84b1d370, 0x0fedce83, 0x878ddada, 0xf2a279c7, 0x94e01be8, 0x90716f4b, 0x954b8aa3 - }, - S8 = { -0xe216300d, 0xbbddfffc, 0xa7ebdabd, 0x35648095, 0x7789f8b7, 0xe6c1121b, 0x0e241600, 0x052ce8b5, -0x11a9cfb0, 0xe5952f11, 0xece7990a, 0x9386d174, 0x2a42931c, 0x76e38111, 0xb12def3a, 0x37ddddfc, -0xde9adeb1, 0x0a0cc32c, 0xbe197029, 0x84a00940, 0xbb243a0f, 0xb4d137cf, 0xb44e79f0, 0x049eedfd, -0x0b15a15d, 0x480d3168, 0x8bbbde5a, 0x669ded42, 0xc7ece831, 0x3f8f95e7, 0x72df191b, 0x7580330d, -0x94074251, 0x5c7dcdfa, 0xabbe6d63, 0xaa402164, 0xb301d40a, 0x02e7d1ca, 0x53571dae, 0x7a3182a2, -0x12a8ddec, 0xfdaa335d, 0x176f43e8, 0x71fb46d4, 0x38129022, 0xce949ad4, 0xb84769ad, 0x965bd862, -0x82f3d055, 0x66fb9767, 0x15b80b4e, 0x1d5b47a0, 0x4cfde06f, 0xc28ec4b8, 0x57e8726e, 0x647a78fc, -0x99865d44, 0x608bd593, 0x6c200e03, 0x39dc5ff6, 0x5d0b00a3, 0xae63aff2, 0x7e8bd632, 0x70108c0c, -0xbbd35049, 0x2998df04, 0x980cf42a, 0x9b6df491, 0x9e7edd53, 0x06918548, 0x58cb7e07, 0x3b74ef2e, -0x522fffb1, 0xd24708cc, 0x1c7e27cd, 0xa4eb215b, 0x3cf1d2e2, 0x19b47a38, 0x424f7618, 0x35856039, -0x9d17dee7, 0x27eb35e6, 0xc9aff67b, 0x36baf5b8, 0x09c467cd, 0xc18910b1, 0xe11dbf7b, 0x06cd1af8, -0x7170c608, 0x2d5e3354, 0xd4de495a, 0x64c6d006, 0xbcc0c62c, 0x3dd00db3, 0x708f8f34, 0x77d51b42, -0x264f620f, 0x24b8d2bf, 0x15c1b79e, 0x46a52564, 0xf8d7e54e, 0x3e378160, 0x7895cda5, 0x859c15a5, -0xe6459788, 0xc37bc75f, 0xdb07ba0c, 0x0676a3ab, 0x7f229b1e, 0x31842e7b, 0x24259fd7, 0xf8bef472, -0x835ffcb8, 0x6df4c1f2, 0x96f5b195, 0xfd0af0fc, 0xb0fe134c, 0xe2506d3d, 0x4f9b12ea, 0xf215f225, -0xa223736f, 0x9fb4c428, 0x25d04979, 0x34c713f8, 0xc4618187, 0xea7a6e98, 0x7cd16efc, 0x1436876c, -0xf1544107, 0xbedeee14, 0x56e9af27, 0xa04aa441, 0x3cf7c899, 0x92ecbae6, 0xdd67016d, 0x151682eb, -0xa842eedf, 0xfdba60b4, 0xf1907b75, 0x20e3030f, 0x24d8c29e, 0xe139673b, 0xefa63fb8, 0x71873054, -0xb6f2cf3b, 0x9f326442, 0xcb15a4cc, 0xb01a4504, 0xf1e47d8d, 0x844a1be5, 0xbae7dfdc, 0x42cbda70, -0xcd7dae0a, 0x57e85b7a, 0xd53f5af6, 0x20cf4d8c, 0xcea4d428, 0x79d130a4, 0x3486ebfb, 0x33d3cddc, -0x77853b53, 0x37effcb5, 0xc5068778, 0xe580b3e6, 0x4e68b8f4, 0xc5c8b37e, 0x0d809ea2, 0x398feb7c, -0x132a4f94, 0x43b7950e, 0x2fee7d1c, 0x223613bd, 0xdd06caa2, 0x37df932b, 0xc4248289, 0xacf3ebc3, -0x5715f6b7, 0xef3478dd, 0xf267616f, 0xc148cbe4, 0x9052815e, 0x5e410fab, 0xb48a2465, 0x2eda7fa4, -0xe87b40e4, 0xe98ea084, 0x5889e9e1, 0xefd390fc, 0xdd07d35b, 0xdb485694, 0x38d7e5b2, 0x57720101, -0x730edebc, 0x5b643113, 0x94917e4f, 0x503c2fba, 0x646f1282, 0x7523d24a, 0xe0779695, 0xf9c17a8f, -0x7a5b2121, 0xd187b896, 0x29263a4d, 0xba510cdf, 0x81f47c9f, 0xad1163ed, 0xea7b5965, 0x1a00726e, -0x11403092, 0x00da6d77, 0x4a0cdd61, 0xad1f4603, 0x605bdfb0, 0x9eedc364, 0x22ebe6a8, 0xcee7d28a, -0xa0e736a0, 0x5564a6b9, 0x10853209, 0xc7eb8f37, 0x2de705ca, 0x8951570f, 0xdf09822b, 0xbd691a6c, -0xaa12e4f2, 0x87451c0f, 0xe0f6a27a, 0x3ada4819, 0x4cf1764f, 0x0d771c2b, 0x67cdb156, 0x350d8384, -0x5938fa0f, 0x42399ef3, 0x36997b07, 0x0e84093d, 0x4aa93e61, 0x8360d87b, 0x1fa98b0c, 0x1149382c, -0xe97625a5, 0x0614d1b7, 0x0e25244b, 0x0c768347, 0x589e8d82, 0x0d2059d1, 0xa466bb1e, 0xf8da0a82, -0x04f19130, 0xba6e4ec0, 0x99265164, 0x1ee7230d, 0x50b2ad80, 0xeaee6801, 0x8db2a283, 0xea8bf59e - }; - - //==================================== - // Useful constants - //==================================== - - protected static final int MAX_ROUNDS = 16; - protected static final int RED_ROUNDS = 12; - - protected static final int BLOCK_SIZE = 8; // bytes = 64 bits - - protected int _Kr[] = new int[17]; // the rotating round key - protected int _Km[] = new int[17]; // the masking round key - - private boolean _encrypting = false; - - private byte[] _workingKey = null; - private int _rounds = MAX_ROUNDS; - - public CAST5Engine() - { - } - - /** - * initialise a CAST cipher. - * - * @param encrypting whether or not we are for encryption. - * @param params the parameters required to set up the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean encrypting, - CipherParameters params) - { - if (params instanceof KeyParameter) - { - _encrypting = encrypting; - _workingKey = ((KeyParameter)params).getKey(); - - setKey(_workingKey); - - return; - } - - throw new IllegalArgumentException("Invalid parameter passed to "+getAlgorithmName()+" init - " + params.getClass().getName()); - } - - public String getAlgorithmName() - { - return "CAST5"; - } - - public int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - if (_workingKey == null) - { - throw new IllegalStateException(getAlgorithmName()+" not initialised"); - } - - int blockSize = getBlockSize(); - if ((inOff + blockSize) > in.length) - { - throw new DataLengthException("Input buffer too short"); - } - - if ((outOff + blockSize) > out.length) - { - throw new OutputLengthException("Output buffer too short"); - } - - if (_encrypting) - { - return encryptBlock(in, inOff, out, outOff); - } - else - { - return decryptBlock(in, inOff, out, outOff); - } - } - - public void reset() - { - } - - public int getBlockSize() - { - return BLOCK_SIZE; - } - - //================================== - // Private Implementation - //================================== - - /* - * Creates the subkeys using the same nomenclature - * as described in RFC2144. - * - * See section 2.4 - */ - protected void setKey(byte[] key) - { - /* - * Determine the key size here, if required - * - * if keysize <= 80bits, use 12 rounds instead of 16 - * if keysize < 128bits, pad with 0 - * - * Typical key sizes => 40, 64, 80, 128 - */ - - if (key.length < 11) - { - _rounds = RED_ROUNDS; - } - - int z[] = new int[16]; - int x[] = new int[16]; - - int z03, z47, z8B, zCF; - int x03, x47, x8B, xCF; - - /* copy the key into x */ - for (int i=0; i< key.length; i++) - { - x[i] = key[i] & 0xff; - } - - /* - * This will look different because the selection of - * bytes from the input key I've already chosen the - * correct int. - */ - x03 = IntsTo32bits(x, 0x0); - x47 = IntsTo32bits(x, 0x4); - x8B = IntsTo32bits(x, 0x8); - xCF = IntsTo32bits(x, 0xC); - - z03 = x03 ^S5[x[0xD]] ^S6[x[0xF]] ^S7[x[0xC]] ^S8[x[0xE]] ^S7[x[0x8]]; - - Bits32ToInts(z03, z, 0x0); - z47 = x8B ^S5[z[0x0]] ^S6[z[0x2]] ^S7[z[0x1]] ^S8[z[0x3]] ^S8[x[0xA]]; - Bits32ToInts(z47, z, 0x4); - z8B = xCF ^S5[z[0x7]] ^S6[z[0x6]] ^S7[z[0x5]] ^S8[z[0x4]] ^S5[x[0x9]]; - Bits32ToInts(z8B, z, 0x8); - zCF = x47 ^S5[z[0xA]] ^S6[z[0x9]] ^S7[z[0xB]] ^S8[z[0x8]] ^S6[x[0xB]]; - Bits32ToInts(zCF, z, 0xC); - _Km[ 1]= S5[z[0x8]] ^ S6[z[0x9]] ^ S7[z[0x7]] ^ S8[z[0x6]] ^ S5[z[0x2]]; - _Km[ 2]= S5[z[0xA]] ^ S6[z[0xB]] ^ S7[z[0x5]] ^ S8[z[0x4]] ^ S6[z[0x6]]; - _Km[ 3]= S5[z[0xC]] ^ S6[z[0xD]] ^ S7[z[0x3]] ^ S8[z[0x2]] ^ S7[z[0x9]]; - _Km[ 4]= S5[z[0xE]] ^ S6[z[0xF]] ^ S7[z[0x1]] ^ S8[z[0x0]] ^ S8[z[0xC]]; - - z03 = IntsTo32bits(z, 0x0); - z47 = IntsTo32bits(z, 0x4); - z8B = IntsTo32bits(z, 0x8); - zCF = IntsTo32bits(z, 0xC); - x03 = z8B ^S5[z[0x5]] ^S6[z[0x7]] ^S7[z[0x4]] ^S8[z[0x6]] ^S7[z[0x0]]; - Bits32ToInts(x03, x, 0x0); - x47 = z03 ^S5[x[0x0]] ^S6[x[0x2]] ^S7[x[0x1]] ^S8[x[0x3]] ^S8[z[0x2]]; - Bits32ToInts(x47, x, 0x4); - x8B = z47 ^S5[x[0x7]] ^S6[x[0x6]] ^S7[x[0x5]] ^S8[x[0x4]] ^S5[z[0x1]]; - Bits32ToInts(x8B, x, 0x8); - xCF = zCF ^S5[x[0xA]] ^S6[x[0x9]] ^S7[x[0xB]] ^S8[x[0x8]] ^S6[z[0x3]]; - Bits32ToInts(xCF, x, 0xC); - _Km[ 5]= S5[x[0x3]] ^ S6[x[0x2]] ^ S7[x[0xC]] ^ S8[x[0xD]] ^ S5[x[0x8]]; - _Km[ 6]= S5[x[0x1]] ^ S6[x[0x0]] ^ S7[x[0xE]] ^ S8[x[0xF]] ^ S6[x[0xD]]; - _Km[ 7]= S5[x[0x7]] ^ S6[x[0x6]] ^ S7[x[0x8]] ^ S8[x[0x9]] ^ S7[x[0x3]]; - _Km[ 8]= S5[x[0x5]] ^ S6[x[0x4]] ^ S7[x[0xA]] ^ S8[x[0xB]] ^ S8[x[0x7]]; - - x03 = IntsTo32bits(x, 0x0); - x47 = IntsTo32bits(x, 0x4); - x8B = IntsTo32bits(x, 0x8); - xCF = IntsTo32bits(x, 0xC); - z03 = x03 ^S5[x[0xD]] ^S6[x[0xF]] ^S7[x[0xC]] ^S8[x[0xE]] ^S7[x[0x8]]; - Bits32ToInts(z03, z, 0x0); - z47 = x8B ^S5[z[0x0]] ^S6[z[0x2]] ^S7[z[0x1]] ^S8[z[0x3]] ^S8[x[0xA]]; - Bits32ToInts(z47, z, 0x4); - z8B = xCF ^S5[z[0x7]] ^S6[z[0x6]] ^S7[z[0x5]] ^S8[z[0x4]] ^S5[x[0x9]]; - Bits32ToInts(z8B, z, 0x8); - zCF = x47 ^S5[z[0xA]] ^S6[z[0x9]] ^S7[z[0xB]] ^S8[z[0x8]] ^S6[x[0xB]]; - Bits32ToInts(zCF, z, 0xC); - _Km[ 9]= S5[z[0x3]] ^ S6[z[0x2]] ^ S7[z[0xC]] ^ S8[z[0xD]] ^ S5[z[0x9]]; - _Km[10]= S5[z[0x1]] ^ S6[z[0x0]] ^ S7[z[0xE]] ^ S8[z[0xF]] ^ S6[z[0xc]]; - _Km[11]= S5[z[0x7]] ^ S6[z[0x6]] ^ S7[z[0x8]] ^ S8[z[0x9]] ^ S7[z[0x2]]; - _Km[12]= S5[z[0x5]] ^ S6[z[0x4]] ^ S7[z[0xA]] ^ S8[z[0xB]] ^ S8[z[0x6]]; - - z03 = IntsTo32bits(z, 0x0); - z47 = IntsTo32bits(z, 0x4); - z8B = IntsTo32bits(z, 0x8); - zCF = IntsTo32bits(z, 0xC); - x03 = z8B ^S5[z[0x5]] ^S6[z[0x7]] ^S7[z[0x4]] ^S8[z[0x6]] ^S7[z[0x0]]; - Bits32ToInts(x03, x, 0x0); - x47 = z03 ^S5[x[0x0]] ^S6[x[0x2]] ^S7[x[0x1]] ^S8[x[0x3]] ^S8[z[0x2]]; - Bits32ToInts(x47, x, 0x4); - x8B = z47 ^S5[x[0x7]] ^S6[x[0x6]] ^S7[x[0x5]] ^S8[x[0x4]] ^S5[z[0x1]]; - Bits32ToInts(x8B, x, 0x8); - xCF = zCF ^S5[x[0xA]] ^S6[x[0x9]] ^S7[x[0xB]] ^S8[x[0x8]] ^S6[z[0x3]]; - Bits32ToInts(xCF, x, 0xC); - _Km[13]= S5[x[0x8]] ^ S6[x[0x9]] ^ S7[x[0x7]] ^ S8[x[0x6]] ^ S5[x[0x3]]; - _Km[14]= S5[x[0xA]] ^ S6[x[0xB]] ^ S7[x[0x5]] ^ S8[x[0x4]] ^ S6[x[0x7]]; - _Km[15]= S5[x[0xC]] ^ S6[x[0xD]] ^ S7[x[0x3]] ^ S8[x[0x2]] ^ S7[x[0x8]]; - _Km[16]= S5[x[0xE]] ^ S6[x[0xF]] ^ S7[x[0x1]] ^ S8[x[0x0]] ^ S8[x[0xD]]; - - x03 = IntsTo32bits(x, 0x0); - x47 = IntsTo32bits(x, 0x4); - x8B = IntsTo32bits(x, 0x8); - xCF = IntsTo32bits(x, 0xC); - z03 = x03 ^S5[x[0xD]] ^S6[x[0xF]] ^S7[x[0xC]] ^S8[x[0xE]] ^S7[x[0x8]]; - Bits32ToInts(z03, z, 0x0); - z47 = x8B ^S5[z[0x0]] ^S6[z[0x2]] ^S7[z[0x1]] ^S8[z[0x3]] ^S8[x[0xA]]; - Bits32ToInts(z47, z, 0x4); - z8B = xCF ^S5[z[0x7]] ^S6[z[0x6]] ^S7[z[0x5]] ^S8[z[0x4]] ^S5[x[0x9]]; - Bits32ToInts(z8B, z, 0x8); - zCF = x47 ^S5[z[0xA]] ^S6[z[0x9]] ^S7[z[0xB]] ^S8[z[0x8]] ^S6[x[0xB]]; - Bits32ToInts(zCF, z, 0xC); - _Kr[ 1]=(S5[z[0x8]]^S6[z[0x9]]^S7[z[0x7]]^S8[z[0x6]] ^ S5[z[0x2]])&0x1f; - _Kr[ 2]=(S5[z[0xA]]^S6[z[0xB]]^S7[z[0x5]]^S8[z[0x4]] ^ S6[z[0x6]])&0x1f; - _Kr[ 3]=(S5[z[0xC]]^S6[z[0xD]]^S7[z[0x3]]^S8[z[0x2]] ^ S7[z[0x9]])&0x1f; - _Kr[ 4]=(S5[z[0xE]]^S6[z[0xF]]^S7[z[0x1]]^S8[z[0x0]] ^ S8[z[0xC]])&0x1f; - - z03 = IntsTo32bits(z, 0x0); - z47 = IntsTo32bits(z, 0x4); - z8B = IntsTo32bits(z, 0x8); - zCF = IntsTo32bits(z, 0xC); - x03 = z8B ^S5[z[0x5]] ^S6[z[0x7]] ^S7[z[0x4]] ^S8[z[0x6]] ^S7[z[0x0]]; - Bits32ToInts(x03, x, 0x0); - x47 = z03 ^S5[x[0x0]] ^S6[x[0x2]] ^S7[x[0x1]] ^S8[x[0x3]] ^S8[z[0x2]]; - Bits32ToInts(x47, x, 0x4); - x8B = z47 ^S5[x[0x7]] ^S6[x[0x6]] ^S7[x[0x5]] ^S8[x[0x4]] ^S5[z[0x1]]; - Bits32ToInts(x8B, x, 0x8); - xCF = zCF ^S5[x[0xA]] ^S6[x[0x9]] ^S7[x[0xB]] ^S8[x[0x8]] ^S6[z[0x3]]; - Bits32ToInts(xCF, x, 0xC); - _Kr[ 5]=(S5[x[0x3]]^S6[x[0x2]]^S7[x[0xC]]^S8[x[0xD]]^S5[x[0x8]])&0x1f; - _Kr[ 6]=(S5[x[0x1]]^S6[x[0x0]]^S7[x[0xE]]^S8[x[0xF]]^S6[x[0xD]])&0x1f; - _Kr[ 7]=(S5[x[0x7]]^S6[x[0x6]]^S7[x[0x8]]^S8[x[0x9]]^S7[x[0x3]])&0x1f; - _Kr[ 8]=(S5[x[0x5]]^S6[x[0x4]]^S7[x[0xA]]^S8[x[0xB]]^S8[x[0x7]])&0x1f; - - x03 = IntsTo32bits(x, 0x0); - x47 = IntsTo32bits(x, 0x4); - x8B = IntsTo32bits(x, 0x8); - xCF = IntsTo32bits(x, 0xC); - z03 = x03 ^S5[x[0xD]] ^S6[x[0xF]] ^S7[x[0xC]] ^S8[x[0xE]] ^S7[x[0x8]]; - Bits32ToInts(z03, z, 0x0); - z47 = x8B ^S5[z[0x0]] ^S6[z[0x2]] ^S7[z[0x1]] ^S8[z[0x3]] ^S8[x[0xA]]; - Bits32ToInts(z47, z, 0x4); - z8B = xCF ^S5[z[0x7]] ^S6[z[0x6]] ^S7[z[0x5]] ^S8[z[0x4]] ^S5[x[0x9]]; - Bits32ToInts(z8B, z, 0x8); - zCF = x47 ^S5[z[0xA]] ^S6[z[0x9]] ^S7[z[0xB]] ^S8[z[0x8]] ^S6[x[0xB]]; - Bits32ToInts(zCF, z, 0xC); - _Kr[ 9]=(S5[z[0x3]]^S6[z[0x2]]^S7[z[0xC]]^S8[z[0xD]]^S5[z[0x9]])&0x1f; - _Kr[10]=(S5[z[0x1]]^S6[z[0x0]]^S7[z[0xE]]^S8[z[0xF]]^S6[z[0xc]])&0x1f; - _Kr[11]=(S5[z[0x7]]^S6[z[0x6]]^S7[z[0x8]]^S8[z[0x9]]^S7[z[0x2]])&0x1f; - _Kr[12]=(S5[z[0x5]]^S6[z[0x4]]^S7[z[0xA]]^S8[z[0xB]]^S8[z[0x6]])&0x1f; - - z03 = IntsTo32bits(z, 0x0); - z47 = IntsTo32bits(z, 0x4); - z8B = IntsTo32bits(z, 0x8); - zCF = IntsTo32bits(z, 0xC); - x03 = z8B ^S5[z[0x5]] ^S6[z[0x7]] ^S7[z[0x4]] ^S8[z[0x6]] ^S7[z[0x0]]; - Bits32ToInts(x03, x, 0x0); - x47 = z03 ^S5[x[0x0]] ^S6[x[0x2]] ^S7[x[0x1]] ^S8[x[0x3]] ^S8[z[0x2]]; - Bits32ToInts(x47, x, 0x4); - x8B = z47 ^S5[x[0x7]] ^S6[x[0x6]] ^S7[x[0x5]] ^S8[x[0x4]] ^S5[z[0x1]]; - Bits32ToInts(x8B, x, 0x8); - xCF = zCF ^S5[x[0xA]] ^S6[x[0x9]] ^S7[x[0xB]] ^S8[x[0x8]] ^S6[z[0x3]]; - Bits32ToInts(xCF, x, 0xC); - _Kr[13]=(S5[x[0x8]]^S6[x[0x9]]^S7[x[0x7]]^S8[x[0x6]]^S5[x[0x3]])&0x1f; - _Kr[14]=(S5[x[0xA]]^S6[x[0xB]]^S7[x[0x5]]^S8[x[0x4]]^S6[x[0x7]])&0x1f; - _Kr[15]=(S5[x[0xC]]^S6[x[0xD]]^S7[x[0x3]]^S8[x[0x2]]^S7[x[0x8]])&0x1f; - _Kr[16]=(S5[x[0xE]]^S6[x[0xF]]^S7[x[0x1]]^S8[x[0x0]]^S8[x[0xD]])&0x1f; - } - - /** - * Encrypt the given input starting at the given offset and place - * the result in the provided buffer starting at the given offset. - * - * @param src The plaintext buffer - * @param srcIndex An offset into src - * @param dst The ciphertext buffer - * @param dstIndex An offset into dst - */ - protected int encryptBlock( - byte[] src, - int srcIndex, - byte[] dst, - int dstIndex) - { - - int result[] = new int[2]; - - // process the input block - // batch the units up into a 32 bit chunk and go for it - // the array is in bytes, the increment is 8x8 bits = 64 - - int L0 = BytesTo32bits(src, srcIndex); - int R0 = BytesTo32bits(src, srcIndex + 4); - - CAST_Encipher(L0, R0, result); - - // now stuff them into the destination block - Bits32ToBytes(result[0], dst, dstIndex); - Bits32ToBytes(result[1], dst, dstIndex + 4); - - return BLOCK_SIZE; - } - - /** - * Decrypt the given input starting at the given offset and place - * the result in the provided buffer starting at the given offset. - * - * @param src The plaintext buffer - * @param srcIndex An offset into src - * @param dst The ciphertext buffer - * @param dstIndex An offset into dst - */ - protected int decryptBlock( - byte[] src, - int srcIndex, - byte[] dst, - int dstIndex) - { - int result[] = new int[2]; - - // process the input block - // batch the units up into a 32 bit chunk and go for it - // the array is in bytes, the increment is 8x8 bits = 64 - int L16 = BytesTo32bits(src, srcIndex); - int R16 = BytesTo32bits(src, srcIndex+4); - - CAST_Decipher(L16, R16, result); - - // now stuff them into the destination block - Bits32ToBytes(result[0], dst, dstIndex); - Bits32ToBytes(result[1], dst, dstIndex+4); - - return BLOCK_SIZE; - } - - /** - * The first of the three processing functions for the - * encryption and decryption. - * - * @param D the input to be processed - * @param Kmi the mask to be used from Km[n] - * @param Kri the rotation value to be used - * - */ - protected final int F1(int D, int Kmi, int Kri) - { - int I = Kmi + D; - I = I << Kri | I >>> (32-Kri); - return ((S1[(I>>>24)&0xff]^S2[(I>>>16)&0xff])-S3[(I>>> 8)&0xff])+ - S4[I & 0xff]; - } - - /** - * The second of the three processing functions for the - * encryption and decryption. - * - * @param D the input to be processed - * @param Kmi the mask to be used from Km[n] - * @param Kri the rotation value to be used - * - */ - protected final int F2(int D, int Kmi, int Kri) - { - int I = Kmi ^ D; - I = I << Kri | I >>> (32-Kri); - return ((S1[(I>>>24)&0xff]-S2[(I>>>16)&0xff])+S3[(I>>> 8)&0xff])^ - S4[I & 0xff]; - } - - /** - * The third of the three processing functions for the - * encryption and decryption. - * - * @param D the input to be processed - * @param Kmi the mask to be used from Km[n] - * @param Kri the rotation value to be used - * - */ - protected final int F3(int D, int Kmi, int Kri) - { - int I = Kmi - D; - I = I << Kri | I >>> (32-Kri); - return ((S1[(I>>>24)&0xff]+S2[(I>>>16)&0xff])^S3[(I>>> 8)&0xff])- - S4[I & 0xff]; - } - - /** - * Does the 16 rounds to encrypt the block. - * - * @param L0 the LH-32bits of the plaintext block - * @param R0 the RH-32bits of the plaintext block - */ - protected final void CAST_Encipher(int L0, int R0, int result[]) - { - int Lp = L0; // the previous value, equiv to L[i-1] - int Rp = R0; // equivalent to R[i-1] - - /* - * numbering consistent with paper to make - * checking and validating easier - */ - int Li = L0, Ri = R0; - - for (int i = 1; i<=_rounds ; i++) - { - Lp = Li; - Rp = Ri; - - Li = Rp; - switch (i) - { - case 1: - case 4: - case 7: - case 10: - case 13: - case 16: - Ri = Lp ^ F1(Rp, _Km[i], _Kr[i]); - break; - case 2: - case 5: - case 8: - case 11: - case 14: - Ri = Lp ^ F2(Rp, _Km[i], _Kr[i]); - break; - case 3: - case 6: - case 9: - case 12: - case 15: - Ri = Lp ^ F3(Rp, _Km[i], _Kr[i]); - break; - } - } - - result[0] = Ri; - result[1] = Li; - - return; - } - - protected final void CAST_Decipher(int L16, int R16, int result[]) - { - int Lp = L16; // the previous value, equiv to L[i-1] - int Rp = R16; // equivalent to R[i-1] - - /* - * numbering consistent with paper to make - * checking and validating easier - */ - int Li = L16, Ri = R16; - - for (int i = _rounds; i > 0; i--) - { - Lp = Li; - Rp = Ri; - - Li = Rp; - switch (i) - { - case 1: - case 4: - case 7: - case 10: - case 13: - case 16: - Ri = Lp ^ F1(Rp, _Km[i], _Kr[i]); - break; - case 2: - case 5: - case 8: - case 11: - case 14: - Ri = Lp ^ F2(Rp, _Km[i], _Kr[i]); - break; - case 3: - case 6: - case 9: - case 12: - case 15: - Ri = Lp ^ F3(Rp, _Km[i], _Kr[i]); - break; - } - } - - result[0] = Ri; - result[1] = Li; - - return; - } - - protected final void Bits32ToInts(int in, int[] b, int offset) - { - b[offset + 3] = (in & 0xff); - b[offset + 2] = ((in >>> 8) & 0xff); - b[offset + 1] = ((in >>> 16) & 0xff); - b[offset] = ((in >>> 24) & 0xff); - } - - protected final int IntsTo32bits(int[] b, int i) - { - int rv = 0; - - rv = ((b[i] & 0xff) << 24) | - ((b[i+1] & 0xff) << 16) | - ((b[i+2] & 0xff) << 8) | - ((b[i+3] & 0xff)); - - return rv; - } - - protected final void Bits32ToBytes(int in, byte[] b, int offset) - { - b[offset + 3] = (byte)in; - b[offset + 2] = (byte)(in >>> 8); - b[offset + 1] = (byte)(in >>> 16); - b[offset] = (byte)(in >>> 24); - } - - protected final int BytesTo32bits(byte[] b, int i) - { - return ((b[i] & 0xff) << 24) | - ((b[i+1] & 0xff) << 16) | - ((b[i+2] & 0xff) << 8) | - ((b[i+3] & 0xff)); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/CAST6Engine.java b/core/src/main/java/org/bouncycastle/crypto/engines/CAST6Engine.java deleted file mode 100644 index db57b503..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/CAST6Engine.java +++ /dev/null @@ -1,296 +0,0 @@ -package org.bouncycastle.crypto.engines; - - -/** - * A class that provides CAST6 key encryption operations, - * such as encoding data and generating keys. - * - * All the algorithms herein are from the Internet RFC - * - * RFC2612 - CAST6 (128bit block, 128-256bit key) - * - * and implement a simplified cryptography interface. - */ -public final class CAST6Engine extends CAST5Engine -{ - //==================================== - // Useful constants - //==================================== - - protected static final int ROUNDS = 12; - - protected static final int BLOCK_SIZE = 16; // bytes = 128 bits - - /* - * Put the round and mask keys into an array. - * Kr0[i] => _Kr[i*4 + 0] - */ - protected int _Kr[] = new int[ROUNDS*4]; // the rotating round key(s) - protected int _Km[] = new int[ROUNDS*4]; // the masking round key(s) - - /* - * Key setup - */ - protected int _Tr[] = new int[24 * 8]; - protected int _Tm[] = new int[24 * 8]; - - private int[] _workingKey = new int[8]; - - public CAST6Engine() - { - } - - public String getAlgorithmName() - { - return "CAST6"; - } - - public void reset() - { - } - - public int getBlockSize() - { - return BLOCK_SIZE; - } - - //================================== - // Private Implementation - //================================== - - /* - * Creates the subkeys using the same nomenclature - * as described in RFC2612. - * - * See section 2.4 - */ - protected void setKey(byte[] key) - { - int Cm = 0x5a827999; - int Mm = 0x6ed9eba1; - int Cr = 19; - int Mr = 17; - - /* - * Determine the key size here, if required - * - * if keysize < 256 bytes, pad with 0 - * - * Typical key sizes => 128, 160, 192, 224, 256 - */ - for (int i=0; i< 24; i++) - { - for (int j=0; j< 8; j++) - { - _Tm[i*8 + j] = Cm; - Cm = (Cm + Mm); // mod 2^32; - - _Tr[i*8 + j] = Cr; - Cr = (Cr + Mr) & 0x1f; // mod 32 - } - } - - byte[] tmpKey = new byte[64]; - int length = key.length; - System.arraycopy(key, 0, tmpKey, 0, length); - - // now create ABCDEFGH - for (int i=0; i< 8; i++) - { - _workingKey[i] = BytesTo32bits(tmpKey, i*4); - } - - // Generate the key schedule - for (int i=0; i< 12; i++) - { - // KAPPA <- W2i(KAPPA) - int i2 = i*2 *8; - _workingKey[6] ^= F1(_workingKey[7], _Tm[i2 ], _Tr[i2 ]); - _workingKey[5] ^= F2(_workingKey[6], _Tm[i2+1], _Tr[i2+1]); - _workingKey[4] ^= F3(_workingKey[5], _Tm[i2+2], _Tr[i2+2]); - _workingKey[3] ^= F1(_workingKey[4], _Tm[i2+3], _Tr[i2+3]); - _workingKey[2] ^= F2(_workingKey[3], _Tm[i2+4], _Tr[i2+4]); - _workingKey[1] ^= F3(_workingKey[2], _Tm[i2+5], _Tr[i2+5]); - _workingKey[0] ^= F1(_workingKey[1], _Tm[i2+6], _Tr[i2+6]); - _workingKey[7] ^= F2(_workingKey[0], _Tm[i2+7], _Tr[i2+7]); - - // KAPPA <- W2i+1(KAPPA) - i2 = (i*2 + 1)*8; - _workingKey[6] ^= F1(_workingKey[7], _Tm[i2 ], _Tr[i2 ]); - _workingKey[5] ^= F2(_workingKey[6], _Tm[i2+1], _Tr[i2+1]); - _workingKey[4] ^= F3(_workingKey[5], _Tm[i2+2], _Tr[i2+2]); - _workingKey[3] ^= F1(_workingKey[4], _Tm[i2+3], _Tr[i2+3]); - _workingKey[2] ^= F2(_workingKey[3], _Tm[i2+4], _Tr[i2+4]); - _workingKey[1] ^= F3(_workingKey[2], _Tm[i2+5], _Tr[i2+5]); - _workingKey[0] ^= F1(_workingKey[1], _Tm[i2+6], _Tr[i2+6]); - _workingKey[7] ^= F2(_workingKey[0], _Tm[i2+7], _Tr[i2+7]); - - // Kr_(i) <- KAPPA - _Kr[i*4 ] = _workingKey[0] & 0x1f; - _Kr[i*4 + 1] = _workingKey[2] & 0x1f; - _Kr[i*4 + 2] = _workingKey[4] & 0x1f; - _Kr[i*4 + 3] = _workingKey[6] & 0x1f; - - - // Km_(i) <- KAPPA - _Km[i*4 ] = _workingKey[7]; - _Km[i*4 + 1] = _workingKey[5]; - _Km[i*4 + 2] = _workingKey[3]; - _Km[i*4 + 3] = _workingKey[1]; - } - - } - - /** - * Encrypt the given input starting at the given offset and place - * the result in the provided buffer starting at the given offset. - * - * @param src The plaintext buffer - * @param srcIndex An offset into src - * @param dst The ciphertext buffer - * @param dstIndex An offset into dst - */ - protected int encryptBlock( - byte[] src, - int srcIndex, - byte[] dst, - int dstIndex) - { - - int result[] = new int[4]; - - // process the input block - // batch the units up into 4x32 bit chunks and go for it - - int A = BytesTo32bits(src, srcIndex); - int B = BytesTo32bits(src, srcIndex + 4); - int C = BytesTo32bits(src, srcIndex + 8); - int D = BytesTo32bits(src, srcIndex + 12); - - CAST_Encipher(A, B, C, D, result); - - // now stuff them into the destination block - Bits32ToBytes(result[0], dst, dstIndex); - Bits32ToBytes(result[1], dst, dstIndex + 4); - Bits32ToBytes(result[2], dst, dstIndex + 8); - Bits32ToBytes(result[3], dst, dstIndex + 12); - - return BLOCK_SIZE; - } - - /** - * Decrypt the given input starting at the given offset and place - * the result in the provided buffer starting at the given offset. - * - * @param src The plaintext buffer - * @param srcIndex An offset into src - * @param dst The ciphertext buffer - * @param dstIndex An offset into dst - */ - protected int decryptBlock( - byte[] src, - int srcIndex, - byte[] dst, - int dstIndex) - { - int result[] = new int[4]; - - // process the input block - // batch the units up into 4x32 bit chunks and go for it - int A = BytesTo32bits(src, srcIndex); - int B = BytesTo32bits(src, srcIndex + 4); - int C = BytesTo32bits(src, srcIndex + 8); - int D = BytesTo32bits(src, srcIndex + 12); - - CAST_Decipher(A, B, C, D, result); - - // now stuff them into the destination block - Bits32ToBytes(result[0], dst, dstIndex); - Bits32ToBytes(result[1], dst, dstIndex + 4); - Bits32ToBytes(result[2], dst, dstIndex + 8); - Bits32ToBytes(result[3], dst, dstIndex + 12); - - return BLOCK_SIZE; - } - - /** - * Does the 12 quad rounds rounds to encrypt the block. - * - * @param A the 00-31 bits of the plaintext block - * @param B the 32-63 bits of the plaintext block - * @param C the 64-95 bits of the plaintext block - * @param D the 96-127 bits of the plaintext block - * @param result the resulting ciphertext - */ - protected final void CAST_Encipher(int A, int B, int C, int D,int result[]) - { - int x; - for (int i=0; i< 6; i++) - { - x = i*4; - // BETA <- Qi(BETA) - C ^= F1(D, _Km[x], _Kr[x]); - B ^= F2(C, _Km[x + 1], _Kr[x + 1]); - A ^= F3(B, _Km[x + 2], _Kr[x + 2]); - D ^= F1(A, _Km[x + 3], _Kr[x + 3]); - - } - - for (int i=6; i<12; i++) - { - x = i*4; - // BETA <- QBARi(BETA) - D ^= F1(A, _Km[x + 3], _Kr[x + 3]); - A ^= F3(B, _Km[x + 2], _Kr[x + 2]); - B ^= F2(C, _Km[x + 1], _Kr[x + 1]); - C ^= F1(D, _Km[x], _Kr[x]); - - } - - result[0] = A; - result[1] = B; - result[2] = C; - result[3] = D; - } - - /** - * Does the 12 quad rounds rounds to decrypt the block. - * - * @param A the 00-31 bits of the ciphertext block - * @param B the 32-63 bits of the ciphertext block - * @param C the 64-95 bits of the ciphertext block - * @param D the 96-127 bits of the ciphertext block - * @param result the resulting plaintext - */ - protected final void CAST_Decipher(int A, int B, int C, int D,int result[]) - { - int x; - for (int i=0; i< 6; i++) - { - x = (11-i)*4; - // BETA <- Qi(BETA) - C ^= F1(D, _Km[x], _Kr[x]); - B ^= F2(C, _Km[x + 1], _Kr[x + 1]); - A ^= F3(B, _Km[x + 2], _Kr[x + 2]); - D ^= F1(A, _Km[x + 3], _Kr[x + 3]); - - } - - for (int i=6; i<12; i++) - { - x = (11-i)*4; - // BETA <- QBARi(BETA) - D ^= F1(A, _Km[x + 3], _Kr[x + 3]); - A ^= F3(B, _Km[x + 2], _Kr[x + 2]); - B ^= F2(C, _Km[x + 1], _Kr[x + 1]); - C ^= F1(D, _Km[x], _Kr[x]); - - } - - result[0] = A; - result[1] = B; - result[2] = C; - result[3] = D; - } - -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/CamelliaEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/CamelliaEngine.java deleted file mode 100644 index a486e1b5..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/CamelliaEngine.java +++ /dev/null @@ -1,684 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.params.KeyParameter; - -/** - * Camellia - based on RFC 3713. - */ -public class CamelliaEngine - implements BlockCipher -{ - private boolean initialised = false; - private boolean _keyIs128; - - private static final int BLOCK_SIZE = 16; - private static final int MASK8 = 0xff; - - private int[] subkey = new int[24 * 4]; - private int[] kw = new int[4 * 2]; // for whitening - private int[] ke = new int[6 * 2]; // for FL and FL^(-1) - private int[] state = new int[4]; // for encryption and decryption - - private static final int SIGMA[] = { - 0xa09e667f, 0x3bcc908b, - 0xb67ae858, 0x4caa73b2, - 0xc6ef372f, 0xe94f82be, - 0x54ff53a5, 0xf1d36f1c, - 0x10e527fa, 0xde682d1d, - 0xb05688c2, 0xb3e6c1fd - }; - - /* - * - * S-box data - * - */ - private static final int SBOX1_1110[] = { - 0x70707000, 0x82828200, 0x2c2c2c00, 0xececec00, 0xb3b3b300, 0x27272700, - 0xc0c0c000, 0xe5e5e500, 0xe4e4e400, 0x85858500, 0x57575700, 0x35353500, - 0xeaeaea00, 0x0c0c0c00, 0xaeaeae00, 0x41414100, 0x23232300, 0xefefef00, - 0x6b6b6b00, 0x93939300, 0x45454500, 0x19191900, 0xa5a5a500, 0x21212100, - 0xededed00, 0x0e0e0e00, 0x4f4f4f00, 0x4e4e4e00, 0x1d1d1d00, 0x65656500, - 0x92929200, 0xbdbdbd00, 0x86868600, 0xb8b8b800, 0xafafaf00, 0x8f8f8f00, - 0x7c7c7c00, 0xebebeb00, 0x1f1f1f00, 0xcecece00, 0x3e3e3e00, 0x30303000, - 0xdcdcdc00, 0x5f5f5f00, 0x5e5e5e00, 0xc5c5c500, 0x0b0b0b00, 0x1a1a1a00, - 0xa6a6a600, 0xe1e1e100, 0x39393900, 0xcacaca00, 0xd5d5d500, 0x47474700, - 0x5d5d5d00, 0x3d3d3d00, 0xd9d9d900, 0x01010100, 0x5a5a5a00, 0xd6d6d600, - 0x51515100, 0x56565600, 0x6c6c6c00, 0x4d4d4d00, 0x8b8b8b00, 0x0d0d0d00, - 0x9a9a9a00, 0x66666600, 0xfbfbfb00, 0xcccccc00, 0xb0b0b000, 0x2d2d2d00, - 0x74747400, 0x12121200, 0x2b2b2b00, 0x20202000, 0xf0f0f000, 0xb1b1b100, - 0x84848400, 0x99999900, 0xdfdfdf00, 0x4c4c4c00, 0xcbcbcb00, 0xc2c2c200, - 0x34343400, 0x7e7e7e00, 0x76767600, 0x05050500, 0x6d6d6d00, 0xb7b7b700, - 0xa9a9a900, 0x31313100, 0xd1d1d100, 0x17171700, 0x04040400, 0xd7d7d700, - 0x14141400, 0x58585800, 0x3a3a3a00, 0x61616100, 0xdedede00, 0x1b1b1b00, - 0x11111100, 0x1c1c1c00, 0x32323200, 0x0f0f0f00, 0x9c9c9c00, 0x16161600, - 0x53535300, 0x18181800, 0xf2f2f200, 0x22222200, 0xfefefe00, 0x44444400, - 0xcfcfcf00, 0xb2b2b200, 0xc3c3c300, 0xb5b5b500, 0x7a7a7a00, 0x91919100, - 0x24242400, 0x08080800, 0xe8e8e800, 0xa8a8a800, 0x60606000, 0xfcfcfc00, - 0x69696900, 0x50505000, 0xaaaaaa00, 0xd0d0d000, 0xa0a0a000, 0x7d7d7d00, - 0xa1a1a100, 0x89898900, 0x62626200, 0x97979700, 0x54545400, 0x5b5b5b00, - 0x1e1e1e00, 0x95959500, 0xe0e0e000, 0xffffff00, 0x64646400, 0xd2d2d200, - 0x10101000, 0xc4c4c400, 0x00000000, 0x48484800, 0xa3a3a300, 0xf7f7f700, - 0x75757500, 0xdbdbdb00, 0x8a8a8a00, 0x03030300, 0xe6e6e600, 0xdadada00, - 0x09090900, 0x3f3f3f00, 0xdddddd00, 0x94949400, 0x87878700, 0x5c5c5c00, - 0x83838300, 0x02020200, 0xcdcdcd00, 0x4a4a4a00, 0x90909000, 0x33333300, - 0x73737300, 0x67676700, 0xf6f6f600, 0xf3f3f300, 0x9d9d9d00, 0x7f7f7f00, - 0xbfbfbf00, 0xe2e2e200, 0x52525200, 0x9b9b9b00, 0xd8d8d800, 0x26262600, - 0xc8c8c800, 0x37373700, 0xc6c6c600, 0x3b3b3b00, 0x81818100, 0x96969600, - 0x6f6f6f00, 0x4b4b4b00, 0x13131300, 0xbebebe00, 0x63636300, 0x2e2e2e00, - 0xe9e9e900, 0x79797900, 0xa7a7a700, 0x8c8c8c00, 0x9f9f9f00, 0x6e6e6e00, - 0xbcbcbc00, 0x8e8e8e00, 0x29292900, 0xf5f5f500, 0xf9f9f900, 0xb6b6b600, - 0x2f2f2f00, 0xfdfdfd00, 0xb4b4b400, 0x59595900, 0x78787800, 0x98989800, - 0x06060600, 0x6a6a6a00, 0xe7e7e700, 0x46464600, 0x71717100, 0xbababa00, - 0xd4d4d400, 0x25252500, 0xababab00, 0x42424200, 0x88888800, 0xa2a2a200, - 0x8d8d8d00, 0xfafafa00, 0x72727200, 0x07070700, 0xb9b9b900, 0x55555500, - 0xf8f8f800, 0xeeeeee00, 0xacacac00, 0x0a0a0a00, 0x36363600, 0x49494900, - 0x2a2a2a00, 0x68686800, 0x3c3c3c00, 0x38383800, 0xf1f1f100, 0xa4a4a400, - 0x40404000, 0x28282800, 0xd3d3d300, 0x7b7b7b00, 0xbbbbbb00, 0xc9c9c900, - 0x43434300, 0xc1c1c100, 0x15151500, 0xe3e3e300, 0xadadad00, 0xf4f4f400, - 0x77777700, 0xc7c7c700, 0x80808000, 0x9e9e9e00 - }; - - private static final int SBOX4_4404[] = { - 0x70700070, 0x2c2c002c, 0xb3b300b3, 0xc0c000c0, 0xe4e400e4, 0x57570057, - 0xeaea00ea, 0xaeae00ae, 0x23230023, 0x6b6b006b, 0x45450045, 0xa5a500a5, - 0xeded00ed, 0x4f4f004f, 0x1d1d001d, 0x92920092, 0x86860086, 0xafaf00af, - 0x7c7c007c, 0x1f1f001f, 0x3e3e003e, 0xdcdc00dc, 0x5e5e005e, 0x0b0b000b, - 0xa6a600a6, 0x39390039, 0xd5d500d5, 0x5d5d005d, 0xd9d900d9, 0x5a5a005a, - 0x51510051, 0x6c6c006c, 0x8b8b008b, 0x9a9a009a, 0xfbfb00fb, 0xb0b000b0, - 0x74740074, 0x2b2b002b, 0xf0f000f0, 0x84840084, 0xdfdf00df, 0xcbcb00cb, - 0x34340034, 0x76760076, 0x6d6d006d, 0xa9a900a9, 0xd1d100d1, 0x04040004, - 0x14140014, 0x3a3a003a, 0xdede00de, 0x11110011, 0x32320032, 0x9c9c009c, - 0x53530053, 0xf2f200f2, 0xfefe00fe, 0xcfcf00cf, 0xc3c300c3, 0x7a7a007a, - 0x24240024, 0xe8e800e8, 0x60600060, 0x69690069, 0xaaaa00aa, 0xa0a000a0, - 0xa1a100a1, 0x62620062, 0x54540054, 0x1e1e001e, 0xe0e000e0, 0x64640064, - 0x10100010, 0x00000000, 0xa3a300a3, 0x75750075, 0x8a8a008a, 0xe6e600e6, - 0x09090009, 0xdddd00dd, 0x87870087, 0x83830083, 0xcdcd00cd, 0x90900090, - 0x73730073, 0xf6f600f6, 0x9d9d009d, 0xbfbf00bf, 0x52520052, 0xd8d800d8, - 0xc8c800c8, 0xc6c600c6, 0x81810081, 0x6f6f006f, 0x13130013, 0x63630063, - 0xe9e900e9, 0xa7a700a7, 0x9f9f009f, 0xbcbc00bc, 0x29290029, 0xf9f900f9, - 0x2f2f002f, 0xb4b400b4, 0x78780078, 0x06060006, 0xe7e700e7, 0x71710071, - 0xd4d400d4, 0xabab00ab, 0x88880088, 0x8d8d008d, 0x72720072, 0xb9b900b9, - 0xf8f800f8, 0xacac00ac, 0x36360036, 0x2a2a002a, 0x3c3c003c, 0xf1f100f1, - 0x40400040, 0xd3d300d3, 0xbbbb00bb, 0x43430043, 0x15150015, 0xadad00ad, - 0x77770077, 0x80800080, 0x82820082, 0xecec00ec, 0x27270027, 0xe5e500e5, - 0x85850085, 0x35350035, 0x0c0c000c, 0x41410041, 0xefef00ef, 0x93930093, - 0x19190019, 0x21210021, 0x0e0e000e, 0x4e4e004e, 0x65650065, 0xbdbd00bd, - 0xb8b800b8, 0x8f8f008f, 0xebeb00eb, 0xcece00ce, 0x30300030, 0x5f5f005f, - 0xc5c500c5, 0x1a1a001a, 0xe1e100e1, 0xcaca00ca, 0x47470047, 0x3d3d003d, - 0x01010001, 0xd6d600d6, 0x56560056, 0x4d4d004d, 0x0d0d000d, 0x66660066, - 0xcccc00cc, 0x2d2d002d, 0x12120012, 0x20200020, 0xb1b100b1, 0x99990099, - 0x4c4c004c, 0xc2c200c2, 0x7e7e007e, 0x05050005, 0xb7b700b7, 0x31310031, - 0x17170017, 0xd7d700d7, 0x58580058, 0x61610061, 0x1b1b001b, 0x1c1c001c, - 0x0f0f000f, 0x16160016, 0x18180018, 0x22220022, 0x44440044, 0xb2b200b2, - 0xb5b500b5, 0x91910091, 0x08080008, 0xa8a800a8, 0xfcfc00fc, 0x50500050, - 0xd0d000d0, 0x7d7d007d, 0x89890089, 0x97970097, 0x5b5b005b, 0x95950095, - 0xffff00ff, 0xd2d200d2, 0xc4c400c4, 0x48480048, 0xf7f700f7, 0xdbdb00db, - 0x03030003, 0xdada00da, 0x3f3f003f, 0x94940094, 0x5c5c005c, 0x02020002, - 0x4a4a004a, 0x33330033, 0x67670067, 0xf3f300f3, 0x7f7f007f, 0xe2e200e2, - 0x9b9b009b, 0x26260026, 0x37370037, 0x3b3b003b, 0x96960096, 0x4b4b004b, - 0xbebe00be, 0x2e2e002e, 0x79790079, 0x8c8c008c, 0x6e6e006e, 0x8e8e008e, - 0xf5f500f5, 0xb6b600b6, 0xfdfd00fd, 0x59590059, 0x98980098, 0x6a6a006a, - 0x46460046, 0xbaba00ba, 0x25250025, 0x42420042, 0xa2a200a2, 0xfafa00fa, - 0x07070007, 0x55550055, 0xeeee00ee, 0x0a0a000a, 0x49490049, 0x68680068, - 0x38380038, 0xa4a400a4, 0x28280028, 0x7b7b007b, 0xc9c900c9, 0xc1c100c1, - 0xe3e300e3, 0xf4f400f4, 0xc7c700c7, 0x9e9e009e - }; - - private static final int SBOX2_0222[] = { - 0x00e0e0e0, 0x00050505, 0x00585858, 0x00d9d9d9, 0x00676767, 0x004e4e4e, - 0x00818181, 0x00cbcbcb, 0x00c9c9c9, 0x000b0b0b, 0x00aeaeae, 0x006a6a6a, - 0x00d5d5d5, 0x00181818, 0x005d5d5d, 0x00828282, 0x00464646, 0x00dfdfdf, - 0x00d6d6d6, 0x00272727, 0x008a8a8a, 0x00323232, 0x004b4b4b, 0x00424242, - 0x00dbdbdb, 0x001c1c1c, 0x009e9e9e, 0x009c9c9c, 0x003a3a3a, 0x00cacaca, - 0x00252525, 0x007b7b7b, 0x000d0d0d, 0x00717171, 0x005f5f5f, 0x001f1f1f, - 0x00f8f8f8, 0x00d7d7d7, 0x003e3e3e, 0x009d9d9d, 0x007c7c7c, 0x00606060, - 0x00b9b9b9, 0x00bebebe, 0x00bcbcbc, 0x008b8b8b, 0x00161616, 0x00343434, - 0x004d4d4d, 0x00c3c3c3, 0x00727272, 0x00959595, 0x00ababab, 0x008e8e8e, - 0x00bababa, 0x007a7a7a, 0x00b3b3b3, 0x00020202, 0x00b4b4b4, 0x00adadad, - 0x00a2a2a2, 0x00acacac, 0x00d8d8d8, 0x009a9a9a, 0x00171717, 0x001a1a1a, - 0x00353535, 0x00cccccc, 0x00f7f7f7, 0x00999999, 0x00616161, 0x005a5a5a, - 0x00e8e8e8, 0x00242424, 0x00565656, 0x00404040, 0x00e1e1e1, 0x00636363, - 0x00090909, 0x00333333, 0x00bfbfbf, 0x00989898, 0x00979797, 0x00858585, - 0x00686868, 0x00fcfcfc, 0x00ececec, 0x000a0a0a, 0x00dadada, 0x006f6f6f, - 0x00535353, 0x00626262, 0x00a3a3a3, 0x002e2e2e, 0x00080808, 0x00afafaf, - 0x00282828, 0x00b0b0b0, 0x00747474, 0x00c2c2c2, 0x00bdbdbd, 0x00363636, - 0x00222222, 0x00383838, 0x00646464, 0x001e1e1e, 0x00393939, 0x002c2c2c, - 0x00a6a6a6, 0x00303030, 0x00e5e5e5, 0x00444444, 0x00fdfdfd, 0x00888888, - 0x009f9f9f, 0x00656565, 0x00878787, 0x006b6b6b, 0x00f4f4f4, 0x00232323, - 0x00484848, 0x00101010, 0x00d1d1d1, 0x00515151, 0x00c0c0c0, 0x00f9f9f9, - 0x00d2d2d2, 0x00a0a0a0, 0x00555555, 0x00a1a1a1, 0x00414141, 0x00fafafa, - 0x00434343, 0x00131313, 0x00c4c4c4, 0x002f2f2f, 0x00a8a8a8, 0x00b6b6b6, - 0x003c3c3c, 0x002b2b2b, 0x00c1c1c1, 0x00ffffff, 0x00c8c8c8, 0x00a5a5a5, - 0x00202020, 0x00898989, 0x00000000, 0x00909090, 0x00474747, 0x00efefef, - 0x00eaeaea, 0x00b7b7b7, 0x00151515, 0x00060606, 0x00cdcdcd, 0x00b5b5b5, - 0x00121212, 0x007e7e7e, 0x00bbbbbb, 0x00292929, 0x000f0f0f, 0x00b8b8b8, - 0x00070707, 0x00040404, 0x009b9b9b, 0x00949494, 0x00212121, 0x00666666, - 0x00e6e6e6, 0x00cecece, 0x00ededed, 0x00e7e7e7, 0x003b3b3b, 0x00fefefe, - 0x007f7f7f, 0x00c5c5c5, 0x00a4a4a4, 0x00373737, 0x00b1b1b1, 0x004c4c4c, - 0x00919191, 0x006e6e6e, 0x008d8d8d, 0x00767676, 0x00030303, 0x002d2d2d, - 0x00dedede, 0x00969696, 0x00262626, 0x007d7d7d, 0x00c6c6c6, 0x005c5c5c, - 0x00d3d3d3, 0x00f2f2f2, 0x004f4f4f, 0x00191919, 0x003f3f3f, 0x00dcdcdc, - 0x00797979, 0x001d1d1d, 0x00525252, 0x00ebebeb, 0x00f3f3f3, 0x006d6d6d, - 0x005e5e5e, 0x00fbfbfb, 0x00696969, 0x00b2b2b2, 0x00f0f0f0, 0x00313131, - 0x000c0c0c, 0x00d4d4d4, 0x00cfcfcf, 0x008c8c8c, 0x00e2e2e2, 0x00757575, - 0x00a9a9a9, 0x004a4a4a, 0x00575757, 0x00848484, 0x00111111, 0x00454545, - 0x001b1b1b, 0x00f5f5f5, 0x00e4e4e4, 0x000e0e0e, 0x00737373, 0x00aaaaaa, - 0x00f1f1f1, 0x00dddddd, 0x00595959, 0x00141414, 0x006c6c6c, 0x00929292, - 0x00545454, 0x00d0d0d0, 0x00787878, 0x00707070, 0x00e3e3e3, 0x00494949, - 0x00808080, 0x00505050, 0x00a7a7a7, 0x00f6f6f6, 0x00777777, 0x00939393, - 0x00868686, 0x00838383, 0x002a2a2a, 0x00c7c7c7, 0x005b5b5b, 0x00e9e9e9, - 0x00eeeeee, 0x008f8f8f, 0x00010101, 0x003d3d3d - }; - - private static final int SBOX3_3033[] = { - 0x38003838, 0x41004141, 0x16001616, 0x76007676, 0xd900d9d9, 0x93009393, - 0x60006060, 0xf200f2f2, 0x72007272, 0xc200c2c2, 0xab00abab, 0x9a009a9a, - 0x75007575, 0x06000606, 0x57005757, 0xa000a0a0, 0x91009191, 0xf700f7f7, - 0xb500b5b5, 0xc900c9c9, 0xa200a2a2, 0x8c008c8c, 0xd200d2d2, 0x90009090, - 0xf600f6f6, 0x07000707, 0xa700a7a7, 0x27002727, 0x8e008e8e, 0xb200b2b2, - 0x49004949, 0xde00dede, 0x43004343, 0x5c005c5c, 0xd700d7d7, 0xc700c7c7, - 0x3e003e3e, 0xf500f5f5, 0x8f008f8f, 0x67006767, 0x1f001f1f, 0x18001818, - 0x6e006e6e, 0xaf00afaf, 0x2f002f2f, 0xe200e2e2, 0x85008585, 0x0d000d0d, - 0x53005353, 0xf000f0f0, 0x9c009c9c, 0x65006565, 0xea00eaea, 0xa300a3a3, - 0xae00aeae, 0x9e009e9e, 0xec00ecec, 0x80008080, 0x2d002d2d, 0x6b006b6b, - 0xa800a8a8, 0x2b002b2b, 0x36003636, 0xa600a6a6, 0xc500c5c5, 0x86008686, - 0x4d004d4d, 0x33003333, 0xfd00fdfd, 0x66006666, 0x58005858, 0x96009696, - 0x3a003a3a, 0x09000909, 0x95009595, 0x10001010, 0x78007878, 0xd800d8d8, - 0x42004242, 0xcc00cccc, 0xef00efef, 0x26002626, 0xe500e5e5, 0x61006161, - 0x1a001a1a, 0x3f003f3f, 0x3b003b3b, 0x82008282, 0xb600b6b6, 0xdb00dbdb, - 0xd400d4d4, 0x98009898, 0xe800e8e8, 0x8b008b8b, 0x02000202, 0xeb00ebeb, - 0x0a000a0a, 0x2c002c2c, 0x1d001d1d, 0xb000b0b0, 0x6f006f6f, 0x8d008d8d, - 0x88008888, 0x0e000e0e, 0x19001919, 0x87008787, 0x4e004e4e, 0x0b000b0b, - 0xa900a9a9, 0x0c000c0c, 0x79007979, 0x11001111, 0x7f007f7f, 0x22002222, - 0xe700e7e7, 0x59005959, 0xe100e1e1, 0xda00dada, 0x3d003d3d, 0xc800c8c8, - 0x12001212, 0x04000404, 0x74007474, 0x54005454, 0x30003030, 0x7e007e7e, - 0xb400b4b4, 0x28002828, 0x55005555, 0x68006868, 0x50005050, 0xbe00bebe, - 0xd000d0d0, 0xc400c4c4, 0x31003131, 0xcb00cbcb, 0x2a002a2a, 0xad00adad, - 0x0f000f0f, 0xca00caca, 0x70007070, 0xff00ffff, 0x32003232, 0x69006969, - 0x08000808, 0x62006262, 0x00000000, 0x24002424, 0xd100d1d1, 0xfb00fbfb, - 0xba00baba, 0xed00eded, 0x45004545, 0x81008181, 0x73007373, 0x6d006d6d, - 0x84008484, 0x9f009f9f, 0xee00eeee, 0x4a004a4a, 0xc300c3c3, 0x2e002e2e, - 0xc100c1c1, 0x01000101, 0xe600e6e6, 0x25002525, 0x48004848, 0x99009999, - 0xb900b9b9, 0xb300b3b3, 0x7b007b7b, 0xf900f9f9, 0xce00cece, 0xbf00bfbf, - 0xdf00dfdf, 0x71007171, 0x29002929, 0xcd00cdcd, 0x6c006c6c, 0x13001313, - 0x64006464, 0x9b009b9b, 0x63006363, 0x9d009d9d, 0xc000c0c0, 0x4b004b4b, - 0xb700b7b7, 0xa500a5a5, 0x89008989, 0x5f005f5f, 0xb100b1b1, 0x17001717, - 0xf400f4f4, 0xbc00bcbc, 0xd300d3d3, 0x46004646, 0xcf00cfcf, 0x37003737, - 0x5e005e5e, 0x47004747, 0x94009494, 0xfa00fafa, 0xfc00fcfc, 0x5b005b5b, - 0x97009797, 0xfe00fefe, 0x5a005a5a, 0xac00acac, 0x3c003c3c, 0x4c004c4c, - 0x03000303, 0x35003535, 0xf300f3f3, 0x23002323, 0xb800b8b8, 0x5d005d5d, - 0x6a006a6a, 0x92009292, 0xd500d5d5, 0x21002121, 0x44004444, 0x51005151, - 0xc600c6c6, 0x7d007d7d, 0x39003939, 0x83008383, 0xdc00dcdc, 0xaa00aaaa, - 0x7c007c7c, 0x77007777, 0x56005656, 0x05000505, 0x1b001b1b, 0xa400a4a4, - 0x15001515, 0x34003434, 0x1e001e1e, 0x1c001c1c, 0xf800f8f8, 0x52005252, - 0x20002020, 0x14001414, 0xe900e9e9, 0xbd00bdbd, 0xdd00dddd, 0xe400e4e4, - 0xa100a1a1, 0xe000e0e0, 0x8a008a8a, 0xf100f1f1, 0xd600d6d6, 0x7a007a7a, - 0xbb00bbbb, 0xe300e3e3, 0x40004040, 0x4f004f4f - }; - - private static int rightRotate(int x, int s) - { - return (((x) >>> (s)) + ((x) << (32 - s))); - } - - private static int leftRotate(int x, int s) - { - return ((x) << (s)) + ((x) >>> (32 - s)); - } - - private static void roldq(int rot, int[] ki, int ioff, - int[] ko, int ooff) - { - ko[0 + ooff] = (ki[0 + ioff] << rot) | (ki[1 + ioff] >>> (32 - rot)); - ko[1 + ooff] = (ki[1 + ioff] << rot) | (ki[2 + ioff] >>> (32 - rot)); - ko[2 + ooff] = (ki[2 + ioff] << rot) | (ki[3 + ioff] >>> (32 - rot)); - ko[3 + ooff] = (ki[3 + ioff] << rot) | (ki[0 + ioff] >>> (32 - rot)); - ki[0 + ioff] = ko[0 + ooff]; - ki[1 + ioff] = ko[1 + ooff]; - ki[2 + ioff] = ko[2 + ooff]; - ki[3 + ioff] = ko[3 + ooff]; - } - - private static void decroldq(int rot, int[] ki, int ioff, - int[] ko, int ooff) - { - ko[2 + ooff] = (ki[0 + ioff] << rot) | (ki[1 + ioff] >>> (32 - rot)); - ko[3 + ooff] = (ki[1 + ioff] << rot) | (ki[2 + ioff] >>> (32 - rot)); - ko[0 + ooff] = (ki[2 + ioff] << rot) | (ki[3 + ioff] >>> (32 - rot)); - ko[1 + ooff] = (ki[3 + ioff] << rot) | (ki[0 + ioff] >>> (32 - rot)); - ki[0 + ioff] = ko[2 + ooff]; - ki[1 + ioff] = ko[3 + ooff]; - ki[2 + ioff] = ko[0 + ooff]; - ki[3 + ioff] = ko[1 + ooff]; - } - - private static void roldqo32(int rot, int[] ki, int ioff, - int[] ko, int ooff) - { - ko[0 + ooff] = (ki[1 + ioff] << (rot - 32)) | (ki[2 + ioff] >>> (64 - rot)); - ko[1 + ooff] = (ki[2 + ioff] << (rot - 32)) | (ki[3 + ioff] >>> (64 - rot)); - ko[2 + ooff] = (ki[3 + ioff] << (rot - 32)) | (ki[0 + ioff] >>> (64 - rot)); - ko[3 + ooff] = (ki[0 + ioff] << (rot - 32)) | (ki[1 + ioff] >>> (64 - rot)); - ki[0 + ioff] = ko[0 + ooff]; - ki[1 + ioff] = ko[1 + ooff]; - ki[2 + ioff] = ko[2 + ooff]; - ki[3 + ioff] = ko[3 + ooff]; - } - - private static void decroldqo32(int rot, int[] ki, int ioff, - int[] ko, int ooff) - { - ko[2 + ooff] = (ki[1 + ioff] << (rot - 32)) | (ki[2 + ioff] >>> (64 - rot)); - ko[3 + ooff] = (ki[2 + ioff] << (rot - 32)) | (ki[3 + ioff] >>> (64 - rot)); - ko[0 + ooff] = (ki[3 + ioff] << (rot - 32)) | (ki[0 + ioff] >>> (64 - rot)); - ko[1 + ooff] = (ki[0 + ioff] << (rot - 32)) | (ki[1 + ioff] >>> (64 - rot)); - ki[0 + ioff] = ko[2 + ooff]; - ki[1 + ioff] = ko[3 + ooff]; - ki[2 + ioff] = ko[0 + ooff]; - ki[3 + ioff] = ko[1 + ooff]; - } - - private int bytes2int(byte[] src, int offset) - { - int word = 0; - - for (int i = 0; i < 4; i++) - { - word = (word << 8) + (src[i + offset] & MASK8); - } - return word; - } - - private void int2bytes(int word, byte[] dst, int offset) - { - for (int i = 0; i < 4; i++) - { - dst[(3 - i) + offset] = (byte)word; - word >>>= 8; - } - } - - private void camelliaF2(int[] s, int[] skey, int keyoff) - { - int t1, t2, u, v; - - t1 = s[0] ^ skey[0 + keyoff]; - u = SBOX4_4404[t1 & MASK8]; - u ^= SBOX3_3033[(t1 >>> 8) & MASK8]; - u ^= SBOX2_0222[(t1 >>> 16) & MASK8]; - u ^= SBOX1_1110[(t1 >>> 24) & MASK8]; - t2 = s[1] ^ skey[1 + keyoff]; - v = SBOX1_1110[t2 & MASK8]; - v ^= SBOX4_4404[(t2 >>> 8) & MASK8]; - v ^= SBOX3_3033[(t2 >>> 16) & MASK8]; - v ^= SBOX2_0222[(t2 >>> 24) & MASK8]; - - s[2] ^= u ^ v; - s[3] ^= u ^ v ^ rightRotate(u, 8); - - t1 = s[2] ^ skey[2 + keyoff]; - u = SBOX4_4404[t1 & MASK8]; - u ^= SBOX3_3033[(t1 >>> 8) & MASK8]; - u ^= SBOX2_0222[(t1 >>> 16) & MASK8]; - u ^= SBOX1_1110[(t1 >>> 24) & MASK8]; - t2 = s[3] ^ skey[3 + keyoff]; - v = SBOX1_1110[t2 & MASK8]; - v ^= SBOX4_4404[(t2 >>> 8) & MASK8]; - v ^= SBOX3_3033[(t2 >>> 16) & MASK8]; - v ^= SBOX2_0222[(t2 >>> 24) & MASK8]; - - s[0] ^= u ^ v; - s[1] ^= u ^ v ^ rightRotate(u, 8); - } - - private void camelliaFLs(int[] s, int[] fkey, int keyoff) - { - - s[1] ^= leftRotate(s[0] & fkey[0 + keyoff], 1); - s[0] ^= fkey[1 + keyoff] | s[1]; - - s[2] ^= fkey[3 + keyoff] | s[3]; - s[3] ^= leftRotate(fkey[2 + keyoff] & s[2], 1); - } - - private void setKey(boolean forEncryption, byte[] key) - { - int[] k = new int[8]; - int[] ka = new int[4]; - int[] kb = new int[4]; - int[] t = new int[4]; - - switch (key.length) - { - case 16: - _keyIs128 = true; - k[0] = bytes2int(key, 0); - k[1] = bytes2int(key, 4); - k[2] = bytes2int(key, 8); - k[3] = bytes2int(key, 12); - k[4] = k[5] = k[6] = k[7] = 0; - break; - case 24: - k[0] = bytes2int(key, 0); - k[1] = bytes2int(key, 4); - k[2] = bytes2int(key, 8); - k[3] = bytes2int(key, 12); - k[4] = bytes2int(key, 16); - k[5] = bytes2int(key, 20); - k[6] = ~k[4]; - k[7] = ~k[5]; - _keyIs128 = false; - break; - case 32: - k[0] = bytes2int(key, 0); - k[1] = bytes2int(key, 4); - k[2] = bytes2int(key, 8); - k[3] = bytes2int(key, 12); - k[4] = bytes2int(key, 16); - k[5] = bytes2int(key, 20); - k[6] = bytes2int(key, 24); - k[7] = bytes2int(key, 28); - _keyIs128 = false; - break; - default: - throw new - IllegalArgumentException("key sizes are only 16/24/32 bytes."); - } - - for (int i = 0; i < 4; i++) - { - ka[i] = k[i] ^ k[i + 4]; - } - /* compute KA */ - camelliaF2(ka, SIGMA, 0); - for (int i = 0; i < 4; i++) - { - ka[i] ^= k[i]; - } - camelliaF2(ka, SIGMA, 4); - - if (_keyIs128) - { - if (forEncryption) - { - /* KL dependant keys */ - kw[0] = k[0]; - kw[1] = k[1]; - kw[2] = k[2]; - kw[3] = k[3]; - roldq(15, k, 0, subkey, 4); - roldq(30, k, 0, subkey, 12); - roldq(15, k, 0, t, 0); - subkey[18] = t[2]; - subkey[19] = t[3]; - roldq(17, k, 0, ke, 4); - roldq(17, k, 0, subkey, 24); - roldq(17, k, 0, subkey, 32); - /* KA dependant keys */ - subkey[0] = ka[0]; - subkey[1] = ka[1]; - subkey[2] = ka[2]; - subkey[3] = ka[3]; - roldq(15, ka, 0, subkey, 8); - roldq(15, ka, 0, ke, 0); - roldq(15, ka, 0, t, 0); - subkey[16] = t[0]; - subkey[17] = t[1]; - roldq(15, ka, 0, subkey, 20); - roldqo32(34, ka, 0, subkey, 28); - roldq(17, ka, 0, kw, 4); - - } - else - { // decryption - /* KL dependant keys */ - kw[4] = k[0]; - kw[5] = k[1]; - kw[6] = k[2]; - kw[7] = k[3]; - decroldq(15, k, 0, subkey, 28); - decroldq(30, k, 0, subkey, 20); - decroldq(15, k, 0, t, 0); - subkey[16] = t[0]; - subkey[17] = t[1]; - decroldq(17, k, 0, ke, 0); - decroldq(17, k, 0, subkey, 8); - decroldq(17, k, 0, subkey, 0); - /* KA dependant keys */ - subkey[34] = ka[0]; - subkey[35] = ka[1]; - subkey[32] = ka[2]; - subkey[33] = ka[3]; - decroldq(15, ka, 0, subkey, 24); - decroldq(15, ka, 0, ke, 4); - decroldq(15, ka, 0, t, 0); - subkey[18] = t[2]; - subkey[19] = t[3]; - decroldq(15, ka, 0, subkey, 12); - decroldqo32(34, ka, 0, subkey, 4); - roldq(17, ka, 0, kw, 0); - } - } - else - { // 192bit or 256bit - /* compute KB */ - for (int i = 0; i < 4; i++) - { - kb[i] = ka[i] ^ k[i + 4]; - } - camelliaF2(kb, SIGMA, 8); - - if (forEncryption) - { - /* KL dependant keys */ - kw[0] = k[0]; - kw[1] = k[1]; - kw[2] = k[2]; - kw[3] = k[3]; - roldqo32(45, k, 0, subkey, 16); - roldq(15, k, 0, ke, 4); - roldq(17, k, 0, subkey, 32); - roldqo32(34, k, 0, subkey, 44); - /* KR dependant keys */ - roldq(15, k, 4, subkey, 4); - roldq(15, k, 4, ke, 0); - roldq(30, k, 4, subkey, 24); - roldqo32(34, k, 4, subkey, 36); - /* KA dependant keys */ - roldq(15, ka, 0, subkey, 8); - roldq(30, ka, 0, subkey, 20); - /* 32bit rotation */ - ke[8] = ka[1]; - ke[9] = ka[2]; - ke[10] = ka[3]; - ke[11] = ka[0]; - roldqo32(49, ka, 0, subkey, 40); - - /* KB dependant keys */ - subkey[0] = kb[0]; - subkey[1] = kb[1]; - subkey[2] = kb[2]; - subkey[3] = kb[3]; - roldq(30, kb, 0, subkey, 12); - roldq(30, kb, 0, subkey, 28); - roldqo32(51, kb, 0, kw, 4); - - } - else - { // decryption - /* KL dependant keys */ - kw[4] = k[0]; - kw[5] = k[1]; - kw[6] = k[2]; - kw[7] = k[3]; - decroldqo32(45, k, 0, subkey, 28); - decroldq(15, k, 0, ke, 4); - decroldq(17, k, 0, subkey, 12); - decroldqo32(34, k, 0, subkey, 0); - /* KR dependant keys */ - decroldq(15, k, 4, subkey, 40); - decroldq(15, k, 4, ke, 8); - decroldq(30, k, 4, subkey, 20); - decroldqo32(34, k, 4, subkey, 8); - /* KA dependant keys */ - decroldq(15, ka, 0, subkey, 36); - decroldq(30, ka, 0, subkey, 24); - /* 32bit rotation */ - ke[2] = ka[1]; - ke[3] = ka[2]; - ke[0] = ka[3]; - ke[1] = ka[0]; - decroldqo32(49, ka, 0, subkey, 4); - - /* KB dependant keys */ - subkey[46] = kb[0]; - subkey[47] = kb[1]; - subkey[44] = kb[2]; - subkey[45] = kb[3]; - decroldq(30, kb, 0, subkey, 32); - decroldq(30, kb, 0, subkey, 16); - roldqo32(51, kb, 0, kw, 0); - } - } - } - - private int processBlock128(byte[] in, int inOff, - byte[] out, int outOff) - { - for (int i = 0; i < 4; i++) - { - state[i] = bytes2int(in, inOff + (i * 4)); - state[i] ^= kw[i]; - } - - camelliaF2(state, subkey, 0); - camelliaF2(state, subkey, 4); - camelliaF2(state, subkey, 8); - camelliaFLs(state, ke, 0); - camelliaF2(state, subkey, 12); - camelliaF2(state, subkey, 16); - camelliaF2(state, subkey, 20); - camelliaFLs(state, ke, 4); - camelliaF2(state, subkey, 24); - camelliaF2(state, subkey, 28); - camelliaF2(state, subkey, 32); - - state[2] ^= kw[4]; - state[3] ^= kw[5]; - state[0] ^= kw[6]; - state[1] ^= kw[7]; - - int2bytes(state[2], out, outOff); - int2bytes(state[3], out, outOff + 4); - int2bytes(state[0], out, outOff + 8); - int2bytes(state[1], out, outOff + 12); - - return BLOCK_SIZE; - } - - private int processBlock192or256(byte[] in, int inOff, - byte[] out, int outOff) - { - for (int i = 0; i < 4; i++) - { - state[i] = bytes2int(in, inOff + (i * 4)); - state[i] ^= kw[i]; - } - - camelliaF2(state, subkey, 0); - camelliaF2(state, subkey, 4); - camelliaF2(state, subkey, 8); - camelliaFLs(state, ke, 0); - camelliaF2(state, subkey, 12); - camelliaF2(state, subkey, 16); - camelliaF2(state, subkey, 20); - camelliaFLs(state, ke, 4); - camelliaF2(state, subkey, 24); - camelliaF2(state, subkey, 28); - camelliaF2(state, subkey, 32); - camelliaFLs(state, ke, 8); - camelliaF2(state, subkey, 36); - camelliaF2(state, subkey, 40); - camelliaF2(state, subkey, 44); - - state[2] ^= kw[4]; - state[3] ^= kw[5]; - state[0] ^= kw[6]; - state[1] ^= kw[7]; - - int2bytes(state[2], out, outOff); - int2bytes(state[3], out, outOff + 4); - int2bytes(state[0], out, outOff + 8); - int2bytes(state[1], out, outOff + 12); - return BLOCK_SIZE; - } - - public CamelliaEngine() - { - } - - public void init(boolean forEncryption, CipherParameters params) - throws IllegalArgumentException - { - if (!(params instanceof KeyParameter)) - { - throw new IllegalArgumentException("only simple KeyParameter expected."); - } - - setKey(forEncryption, ((KeyParameter)params).getKey()); - initialised = true; - } - - public String getAlgorithmName() - { - return "Camellia"; - } - - public int getBlockSize() - { - return BLOCK_SIZE; - } - - public int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - if (!initialised) - { - throw new IllegalStateException("Camellia engine not initialised"); - } - - if ((inOff + BLOCK_SIZE) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + BLOCK_SIZE) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - if (_keyIs128) - { - return processBlock128(in, inOff, out, outOff); - } - else - { - return processBlock192or256(in, inOff, out, outOff); - } - } - - public void reset() - { - // nothing - - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/CamelliaLightEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/CamelliaLightEngine.java deleted file mode 100644 index 2b1e71b2..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/CamelliaLightEngine.java +++ /dev/null @@ -1,592 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.params.KeyParameter; - -/** - * Camellia - based on RFC 3713, smaller implementation, about half the size of CamelliaEngine. - */ - -public class CamelliaLightEngine - implements BlockCipher -{ - private static final int BLOCK_SIZE = 16; - private static final int MASK8 = 0xff; - private boolean initialized; - private boolean _keyis128; - - private int[] subkey = new int[24 * 4]; - private int[] kw = new int[4 * 2]; // for whitening - private int[] ke = new int[6 * 2]; // for FL and FL^(-1) - private int[] state = new int[4]; // for encryption and decryption - - private static final int SIGMA[] = { - 0xa09e667f, 0x3bcc908b, - 0xb67ae858, 0x4caa73b2, - 0xc6ef372f, 0xe94f82be, - 0x54ff53a5, 0xf1d36f1c, - 0x10e527fa, 0xde682d1d, - 0xb05688c2, 0xb3e6c1fd - }; - - /* - * - * S-box data - * - */ - private static final byte SBOX1[] = { - (byte)112, (byte)130, (byte)44, (byte)236, - (byte)179, (byte)39, (byte)192, (byte)229, - (byte)228, (byte)133, (byte)87, (byte)53, - (byte)234, (byte)12, (byte)174, (byte)65, - (byte)35, (byte)239, (byte)107, (byte)147, - (byte)69, (byte)25, (byte)165, (byte)33, - (byte)237, (byte)14, (byte)79, (byte)78, - (byte)29, (byte)101, (byte)146, (byte)189, - (byte)134, (byte)184, (byte)175, (byte)143, - (byte)124, (byte)235, (byte)31, (byte)206, - (byte)62, (byte)48, (byte)220, (byte)95, - (byte)94, (byte)197, (byte)11, (byte)26, - (byte)166, (byte)225, (byte)57, (byte)202, - (byte)213, (byte)71, (byte)93, (byte)61, - (byte)217, (byte)1, (byte)90, (byte)214, - (byte)81, (byte)86, (byte)108, (byte)77, - (byte)139, (byte)13, (byte)154, (byte)102, - (byte)251, (byte)204, (byte)176, (byte)45, - (byte)116, (byte)18, (byte)43, (byte)32, - (byte)240, (byte)177, (byte)132, (byte)153, - (byte)223, (byte)76, (byte)203, (byte)194, - (byte)52, (byte)126, (byte)118, (byte)5, - (byte)109, (byte)183, (byte)169, (byte)49, - (byte)209, (byte)23, (byte)4, (byte)215, - (byte)20, (byte)88, (byte)58, (byte)97, - (byte)222, (byte)27, (byte)17, (byte)28, - (byte)50, (byte)15, (byte)156, (byte)22, - (byte)83, (byte)24, (byte)242, (byte)34, - (byte)254, (byte)68, (byte)207, (byte)178, - (byte)195, (byte)181, (byte)122, (byte)145, - (byte)36, (byte)8, (byte)232, (byte)168, - (byte)96, (byte)252, (byte)105, (byte)80, - (byte)170, (byte)208, (byte)160, (byte)125, - (byte)161, (byte)137, (byte)98, (byte)151, - (byte)84, (byte)91, (byte)30, (byte)149, - (byte)224, (byte)255, (byte)100, (byte)210, - (byte)16, (byte)196, (byte)0, (byte)72, - (byte)163, (byte)247, (byte)117, (byte)219, - (byte)138, (byte)3, (byte)230, (byte)218, - (byte)9, (byte)63, (byte)221, (byte)148, - (byte)135, (byte)92, (byte)131, (byte)2, - (byte)205, (byte)74, (byte)144, (byte)51, - (byte)115, (byte)103, (byte)246, (byte)243, - (byte)157, (byte)127, (byte)191, (byte)226, - (byte)82, (byte)155, (byte)216, (byte)38, - (byte)200, (byte)55, (byte)198, (byte)59, - (byte)129, (byte)150, (byte)111, (byte)75, - (byte)19, (byte)190, (byte)99, (byte)46, - (byte)233, (byte)121, (byte)167, (byte)140, - (byte)159, (byte)110, (byte)188, (byte)142, - (byte)41, (byte)245, (byte)249, (byte)182, - (byte)47, (byte)253, (byte)180, (byte)89, - (byte)120, (byte)152, (byte)6, (byte)106, - (byte)231, (byte)70, (byte)113, (byte)186, - (byte)212, (byte)37, (byte)171, (byte)66, - (byte)136, (byte)162, (byte)141, (byte)250, - (byte)114, (byte)7, (byte)185, (byte)85, - (byte)248, (byte)238, (byte)172, (byte)10, - (byte)54, (byte)73, (byte)42, (byte)104, - (byte)60, (byte)56, (byte)241, (byte)164, - (byte)64, (byte)40, (byte)211, (byte)123, - (byte)187, (byte)201, (byte)67, (byte)193, - (byte)21, (byte)227, (byte)173, (byte)244, - (byte)119, (byte)199, (byte)128, (byte)158 - }; - - private static int rightRotate(int x, int s) - { - return (((x) >>> (s)) + ((x) << (32 - s))); - } - - private static int leftRotate(int x, int s) - { - return ((x) << (s)) + ((x) >>> (32 - s)); - } - - private static void roldq(int rot, int[] ki, int ioff, - int[] ko, int ooff) - { - ko[0 + ooff] = (ki[0 + ioff] << rot) | (ki[1 + ioff] >>> (32 - rot)); - ko[1 + ooff] = (ki[1 + ioff] << rot) | (ki[2 + ioff] >>> (32 - rot)); - ko[2 + ooff] = (ki[2 + ioff] << rot) | (ki[3 + ioff] >>> (32 - rot)); - ko[3 + ooff] = (ki[3 + ioff] << rot) | (ki[0 + ioff] >>> (32 - rot)); - ki[0 + ioff] = ko[0 + ooff]; - ki[1 + ioff] = ko[1 + ooff]; - ki[2 + ioff] = ko[2 + ooff]; - ki[3 + ioff] = ko[3 + ooff]; - } - - private static void decroldq(int rot, int[] ki, int ioff, - int[] ko, int ooff) - { - ko[2 + ooff] = (ki[0 + ioff] << rot) | (ki[1 + ioff] >>> (32 - rot)); - ko[3 + ooff] = (ki[1 + ioff] << rot) | (ki[2 + ioff] >>> (32 - rot)); - ko[0 + ooff] = (ki[2 + ioff] << rot) | (ki[3 + ioff] >>> (32 - rot)); - ko[1 + ooff] = (ki[3 + ioff] << rot) | (ki[0 + ioff] >>> (32 - rot)); - ki[0 + ioff] = ko[2 + ooff]; - ki[1 + ioff] = ko[3 + ooff]; - ki[2 + ioff] = ko[0 + ooff]; - ki[3 + ioff] = ko[1 + ooff]; - } - - private static void roldqo32(int rot, int[] ki, int ioff, - int[] ko, int ooff) - { - ko[0 + ooff] = (ki[1 + ioff] << (rot - 32)) | (ki[2 + ioff] >>> (64 - rot)); - ko[1 + ooff] = (ki[2 + ioff] << (rot - 32)) | (ki[3 + ioff] >>> (64 - rot)); - ko[2 + ooff] = (ki[3 + ioff] << (rot - 32)) | (ki[0 + ioff] >>> (64 - rot)); - ko[3 + ooff] = (ki[0 + ioff] << (rot - 32)) | (ki[1 + ioff] >>> (64 - rot)); - ki[0 + ioff] = ko[0 + ooff]; - ki[1 + ioff] = ko[1 + ooff]; - ki[2 + ioff] = ko[2 + ooff]; - ki[3 + ioff] = ko[3 + ooff]; - } - - private static void decroldqo32(int rot, int[] ki, int ioff, - int[] ko, int ooff) - { - ko[2 + ooff] = (ki[1 + ioff] << (rot - 32)) | (ki[2 + ioff] >>> (64 - rot)); - ko[3 + ooff] = (ki[2 + ioff] << (rot - 32)) | (ki[3 + ioff] >>> (64 - rot)); - ko[0 + ooff] = (ki[3 + ioff] << (rot - 32)) | (ki[0 + ioff] >>> (64 - rot)); - ko[1 + ooff] = (ki[0 + ioff] << (rot - 32)) | (ki[1 + ioff] >>> (64 - rot)); - ki[0 + ioff] = ko[2 + ooff]; - ki[1 + ioff] = ko[3 + ooff]; - ki[2 + ioff] = ko[0 + ooff]; - ki[3 + ioff] = ko[1 + ooff]; - } - - private int bytes2int(byte[] src, int offset) - { - int word = 0; - - for (int i = 0; i < 4; i++) - { - word = (word << 8) + (src[i + offset] & MASK8); - } - return word; - } - - private void int2bytes(int word, byte[] dst, int offset) - { - for (int i = 0; i < 4; i++) - { - dst[(3 - i) + offset] = (byte)word; - word >>>= 8; - } - } - - private byte lRot8(byte v, int rot) - { - return (byte)((v << rot) | ((v & 0xff) >>> (8 - rot))); - } - - private int sbox2(int x) - { - return (lRot8(SBOX1[x], 1) & MASK8); - } - - private int sbox3(int x) - { - return (lRot8(SBOX1[x], 7) & MASK8); - } - - private int sbox4(int x) - { - return (SBOX1[((int)lRot8((byte)x, 1) & MASK8)] & MASK8); - } - - private void camelliaF2(int[] s, int[] skey, int keyoff) - { - int t1, t2, u, v; - - t1 = s[0] ^ skey[0 + keyoff]; - u = sbox4((t1 & MASK8)); - u |= (sbox3(((t1 >>> 8) & MASK8)) << 8); - u |= (sbox2(((t1 >>> 16) & MASK8)) << 16); - u |= ((int)(SBOX1[((t1 >>> 24) & MASK8)] & MASK8) << 24); - - t2 = s[1] ^ skey[1 + keyoff]; - v = (int)SBOX1[(t2 & MASK8)] & MASK8; - v |= (sbox4(((t2 >>> 8) & MASK8)) << 8); - v |= (sbox3(((t2 >>> 16) & MASK8)) << 16); - v |= (sbox2(((t2 >>> 24) & MASK8)) << 24); - - v = leftRotate(v, 8); - u ^= v; - v = leftRotate(v, 8) ^ u; - u = rightRotate(u, 8) ^ v; - s[2] ^= leftRotate(v, 16) ^ u; - s[3] ^= leftRotate(u, 8); - - t1 = s[2] ^ skey[2 + keyoff]; - u = sbox4((t1 & MASK8)); - u |= sbox3(((t1 >>> 8) & MASK8)) << 8; - u |= sbox2(((t1 >>> 16) & MASK8)) << 16; - u |= ((int)SBOX1[((t1 >>> 24) & MASK8)] & MASK8) << 24; - - t2 = s[3] ^ skey[3 + keyoff]; - v = ((int)SBOX1[(t2 & MASK8)] & MASK8); - v |= sbox4(((t2 >>> 8) & MASK8)) << 8; - v |= sbox3(((t2 >>> 16) & MASK8)) << 16; - v |= sbox2(((t2 >>> 24) & MASK8)) << 24; - - v = leftRotate(v, 8); - u ^= v; - v = leftRotate(v, 8) ^ u; - u = rightRotate(u, 8) ^ v; - s[0] ^= leftRotate(v, 16) ^ u; - s[1] ^= leftRotate(u, 8); - } - - private void camelliaFLs(int[] s, int[] fkey, int keyoff) - { - - s[1] ^= leftRotate(s[0] & fkey[0 + keyoff], 1); - s[0] ^= fkey[1 + keyoff] | s[1]; - - s[2] ^= fkey[3 + keyoff] | s[3]; - s[3] ^= leftRotate(fkey[2 + keyoff] & s[2], 1); - } - - private void setKey(boolean forEncryption, byte[] key) - { - int[] k = new int[8]; - int[] ka = new int[4]; - int[] kb = new int[4]; - int[] t = new int[4]; - - switch (key.length) - { - case 16: - _keyis128 = true; - k[0] = bytes2int(key, 0); - k[1] = bytes2int(key, 4); - k[2] = bytes2int(key, 8); - k[3] = bytes2int(key, 12); - k[4] = k[5] = k[6] = k[7] = 0; - break; - case 24: - k[0] = bytes2int(key, 0); - k[1] = bytes2int(key, 4); - k[2] = bytes2int(key, 8); - k[3] = bytes2int(key, 12); - k[4] = bytes2int(key, 16); - k[5] = bytes2int(key, 20); - k[6] = ~k[4]; - k[7] = ~k[5]; - _keyis128 = false; - break; - case 32: - k[0] = bytes2int(key, 0); - k[1] = bytes2int(key, 4); - k[2] = bytes2int(key, 8); - k[3] = bytes2int(key, 12); - k[4] = bytes2int(key, 16); - k[5] = bytes2int(key, 20); - k[6] = bytes2int(key, 24); - k[7] = bytes2int(key, 28); - _keyis128 = false; - break; - default: - throw new - IllegalArgumentException("key sizes are only 16/24/32 bytes."); - } - - for (int i = 0; i < 4; i++) - { - ka[i] = k[i] ^ k[i + 4]; - } - /* compute KA */ - camelliaF2(ka, SIGMA, 0); - for (int i = 0; i < 4; i++) - { - ka[i] ^= k[i]; - } - camelliaF2(ka, SIGMA, 4); - - if (_keyis128) - { - if (forEncryption) - { - /* KL dependant keys */ - kw[0] = k[0]; - kw[1] = k[1]; - kw[2] = k[2]; - kw[3] = k[3]; - roldq(15, k, 0, subkey, 4); - roldq(30, k, 0, subkey, 12); - roldq(15, k, 0, t, 0); - subkey[18] = t[2]; - subkey[19] = t[3]; - roldq(17, k, 0, ke, 4); - roldq(17, k, 0, subkey, 24); - roldq(17, k, 0, subkey, 32); - /* KA dependant keys */ - subkey[0] = ka[0]; - subkey[1] = ka[1]; - subkey[2] = ka[2]; - subkey[3] = ka[3]; - roldq(15, ka, 0, subkey, 8); - roldq(15, ka, 0, ke, 0); - roldq(15, ka, 0, t, 0); - subkey[16] = t[0]; - subkey[17] = t[1]; - roldq(15, ka, 0, subkey, 20); - roldqo32(34, ka, 0, subkey, 28); - roldq(17, ka, 0, kw, 4); - - } - else - { // decryption - /* KL dependant keys */ - kw[4] = k[0]; - kw[5] = k[1]; - kw[6] = k[2]; - kw[7] = k[3]; - decroldq(15, k, 0, subkey, 28); - decroldq(30, k, 0, subkey, 20); - decroldq(15, k, 0, t, 0); - subkey[16] = t[0]; - subkey[17] = t[1]; - decroldq(17, k, 0, ke, 0); - decroldq(17, k, 0, subkey, 8); - decroldq(17, k, 0, subkey, 0); - /* KA dependant keys */ - subkey[34] = ka[0]; - subkey[35] = ka[1]; - subkey[32] = ka[2]; - subkey[33] = ka[3]; - decroldq(15, ka, 0, subkey, 24); - decroldq(15, ka, 0, ke, 4); - decroldq(15, ka, 0, t, 0); - subkey[18] = t[2]; - subkey[19] = t[3]; - decroldq(15, ka, 0, subkey, 12); - decroldqo32(34, ka, 0, subkey, 4); - roldq(17, ka, 0, kw, 0); - } - } - else - { // 192bit or 256bit - /* compute KB */ - for (int i = 0; i < 4; i++) - { - kb[i] = ka[i] ^ k[i + 4]; - } - camelliaF2(kb, SIGMA, 8); - - if (forEncryption) - { - /* KL dependant keys */ - kw[0] = k[0]; - kw[1] = k[1]; - kw[2] = k[2]; - kw[3] = k[3]; - roldqo32(45, k, 0, subkey, 16); - roldq(15, k, 0, ke, 4); - roldq(17, k, 0, subkey, 32); - roldqo32(34, k, 0, subkey, 44); - /* KR dependant keys */ - roldq(15, k, 4, subkey, 4); - roldq(15, k, 4, ke, 0); - roldq(30, k, 4, subkey, 24); - roldqo32(34, k, 4, subkey, 36); - /* KA dependant keys */ - roldq(15, ka, 0, subkey, 8); - roldq(30, ka, 0, subkey, 20); - /* 32bit rotation */ - ke[8] = ka[1]; - ke[9] = ka[2]; - ke[10] = ka[3]; - ke[11] = ka[0]; - roldqo32(49, ka, 0, subkey, 40); - - /* KB dependant keys */ - subkey[0] = kb[0]; - subkey[1] = kb[1]; - subkey[2] = kb[2]; - subkey[3] = kb[3]; - roldq(30, kb, 0, subkey, 12); - roldq(30, kb, 0, subkey, 28); - roldqo32(51, kb, 0, kw, 4); - - } - else - { // decryption - /* KL dependant keys */ - kw[4] = k[0]; - kw[5] = k[1]; - kw[6] = k[2]; - kw[7] = k[3]; - decroldqo32(45, k, 0, subkey, 28); - decroldq(15, k, 0, ke, 4); - decroldq(17, k, 0, subkey, 12); - decroldqo32(34, k, 0, subkey, 0); - /* KR dependant keys */ - decroldq(15, k, 4, subkey, 40); - decroldq(15, k, 4, ke, 8); - decroldq(30, k, 4, subkey, 20); - decroldqo32(34, k, 4, subkey, 8); - /* KA dependant keys */ - decroldq(15, ka, 0, subkey, 36); - decroldq(30, ka, 0, subkey, 24); - /* 32bit rotation */ - ke[2] = ka[1]; - ke[3] = ka[2]; - ke[0] = ka[3]; - ke[1] = ka[0]; - decroldqo32(49, ka, 0, subkey, 4); - - /* KB dependant keys */ - subkey[46] = kb[0]; - subkey[47] = kb[1]; - subkey[44] = kb[2]; - subkey[45] = kb[3]; - decroldq(30, kb, 0, subkey, 32); - decroldq(30, kb, 0, subkey, 16); - roldqo32(51, kb, 0, kw, 0); - } - } - } - - private int processBlock128(byte[] in, int inOff, - byte[] out, int outOff) - { - for (int i = 0; i < 4; i++) - { - state[i] = bytes2int(in, inOff + (i * 4)); - state[i] ^= kw[i]; - } - - camelliaF2(state, subkey, 0); - camelliaF2(state, subkey, 4); - camelliaF2(state, subkey, 8); - camelliaFLs(state, ke, 0); - camelliaF2(state, subkey, 12); - camelliaF2(state, subkey, 16); - camelliaF2(state, subkey, 20); - camelliaFLs(state, ke, 4); - camelliaF2(state, subkey, 24); - camelliaF2(state, subkey, 28); - camelliaF2(state, subkey, 32); - - state[2] ^= kw[4]; - state[3] ^= kw[5]; - state[0] ^= kw[6]; - state[1] ^= kw[7]; - - int2bytes(state[2], out, outOff); - int2bytes(state[3], out, outOff + 4); - int2bytes(state[0], out, outOff + 8); - int2bytes(state[1], out, outOff + 12); - - return BLOCK_SIZE; - } - - private int processBlock192or256(byte[] in, int inOff, - byte[] out, int outOff) - { - for (int i = 0; i < 4; i++) - { - state[i] = bytes2int(in, inOff + (i * 4)); - state[i] ^= kw[i]; - } - - camelliaF2(state, subkey, 0); - camelliaF2(state, subkey, 4); - camelliaF2(state, subkey, 8); - camelliaFLs(state, ke, 0); - camelliaF2(state, subkey, 12); - camelliaF2(state, subkey, 16); - camelliaF2(state, subkey, 20); - camelliaFLs(state, ke, 4); - camelliaF2(state, subkey, 24); - camelliaF2(state, subkey, 28); - camelliaF2(state, subkey, 32); - camelliaFLs(state, ke, 8); - camelliaF2(state, subkey, 36); - camelliaF2(state, subkey, 40); - camelliaF2(state, subkey, 44); - - state[2] ^= kw[4]; - state[3] ^= kw[5]; - state[0] ^= kw[6]; - state[1] ^= kw[7]; - - int2bytes(state[2], out, outOff); - int2bytes(state[3], out, outOff + 4); - int2bytes(state[0], out, outOff + 8); - int2bytes(state[1], out, outOff + 12); - return BLOCK_SIZE; - } - - public CamelliaLightEngine() - { - } - - public String getAlgorithmName() - { - return "Camellia"; - } - - public int getBlockSize() - { - return BLOCK_SIZE; - } - - public void init(boolean forEncryption, CipherParameters params) - { - if (!(params instanceof KeyParameter)) - { - throw new IllegalArgumentException("only simple KeyParameter expected."); - } - - setKey(forEncryption, ((KeyParameter)params).getKey()); - initialized = true; - } - - public int processBlock(byte[] in, int inOff, - byte[] out, int outOff) - throws IllegalStateException - { - - if (!initialized) - { - throw new IllegalStateException("Camellia is not initialized"); - } - - if ((inOff + BLOCK_SIZE) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + BLOCK_SIZE) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - if (_keyis128) - { - return processBlock128(in, inOff, out, outOff); - } - else - { - return processBlock192or256(in, inOff, out, outOff); - } - } - - public void reset() - { - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/CamelliaWrapEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/CamelliaWrapEngine.java deleted file mode 100644 index 5ca239a6..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/CamelliaWrapEngine.java +++ /dev/null @@ -1,15 +0,0 @@ -package org.bouncycastle.crypto.engines; - -/** - * An implementation of the Camellia key wrapper based on RFC 3657/RFC 3394. - * <p> - * For further details see: <a href="http://www.ietf.org/rfc/rfc3657.txt">http://www.ietf.org/rfc/rfc3657.txt</a>. - */ -public class CamelliaWrapEngine - extends RFC3394WrapEngine -{ - public CamelliaWrapEngine() - { - super(new CamelliaEngine()); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/ChaChaEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/ChaChaEngine.java deleted file mode 100644 index 31da795f..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/ChaChaEngine.java +++ /dev/null @@ -1,204 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.util.Pack; - -/** - * Implementation of Daniel J. Bernstein's ChaCha stream cipher. - */ -public class ChaChaEngine extends Salsa20Engine -{ - /** - * Creates a 20 rounds ChaCha engine. - */ - public ChaChaEngine() - { - super(); - } - - /** - * Creates a ChaCha engine with a specific number of rounds. - * @param rounds the number of rounds (must be an even number). - */ - public ChaChaEngine(int rounds) - { - super(rounds); - } - - public String getAlgorithmName() - { - return "ChaCha" + rounds; - } - - protected void advanceCounter() - { - if (++engineState[12] == 0) - { - ++engineState[13]; - } - } - - protected void retreatCounter() - { - if (engineState[12] == 0 && engineState[13] == 0) - { - throw new IllegalStateException("attempt to reduce counter past zero."); - } - - if (--engineState[12] == -1) - { - --engineState[13]; - } - } - - protected long getCounter() - { - return ((long)engineState[13] << 32) | (engineState[12] & 0xffffffffL); - } - - protected void resetCounter() - { - engineState[12] = engineState[13] = 0; - } - - protected void setKey(byte[] keyBytes, byte[] ivBytes) - { - if (keyBytes != null) - { - if ((keyBytes.length != 16) && (keyBytes.length != 32)) - { - throw new IllegalArgumentException(getAlgorithmName() + " requires 128 bit or 256 bit key"); - } - - // Key - engineState[4] = Pack.littleEndianToInt(keyBytes, 0); - engineState[5] = Pack.littleEndianToInt(keyBytes, 4); - engineState[6] = Pack.littleEndianToInt(keyBytes, 8); - engineState[7] = Pack.littleEndianToInt(keyBytes, 12); - - byte[] constants; - int offset; - if (keyBytes.length == 32) - { - constants = sigma; - offset = 16; - } - else - { - constants = tau; - offset = 0; - } - - engineState[8] = Pack.littleEndianToInt(keyBytes, offset); - engineState[9] = Pack.littleEndianToInt(keyBytes, offset + 4); - engineState[10] = Pack.littleEndianToInt(keyBytes, offset + 8); - engineState[11] = Pack.littleEndianToInt(keyBytes, offset + 12); - - engineState[0] = Pack.littleEndianToInt(constants, 0); - engineState[1] = Pack.littleEndianToInt(constants, 4); - engineState[2] = Pack.littleEndianToInt(constants, 8); - engineState[3] = Pack.littleEndianToInt(constants, 12); - } - - // IV - engineState[14] = Pack.littleEndianToInt(ivBytes, 0); - engineState[15] = Pack.littleEndianToInt(ivBytes, 4); - } - - protected void generateKeyStream(byte[] output) - { - chachaCore(rounds, engineState, x); - Pack.intToLittleEndian(x, output, 0); - } - - /** - * ChacCha function - * - * @param input input data - */ - public static void chachaCore(int rounds, int[] input, int[] x) - { - if (input.length != 16) - { - throw new IllegalArgumentException(); - } - if (x.length != 16) - { - throw new IllegalArgumentException(); - } - if (rounds % 2 != 0) - { - throw new IllegalArgumentException("Number of rounds must be even"); - } - - int x00 = input[ 0]; - int x01 = input[ 1]; - int x02 = input[ 2]; - int x03 = input[ 3]; - int x04 = input[ 4]; - int x05 = input[ 5]; - int x06 = input[ 6]; - int x07 = input[ 7]; - int x08 = input[ 8]; - int x09 = input[ 9]; - int x10 = input[10]; - int x11 = input[11]; - int x12 = input[12]; - int x13 = input[13]; - int x14 = input[14]; - int x15 = input[15]; - - for (int i = rounds; i > 0; i -= 2) - { - x00 += x04; x12 = rotl(x12 ^ x00, 16); - x08 += x12; x04 = rotl(x04 ^ x08, 12); - x00 += x04; x12 = rotl(x12 ^ x00, 8); - x08 += x12; x04 = rotl(x04 ^ x08, 7); - x01 += x05; x13 = rotl(x13 ^ x01, 16); - x09 += x13; x05 = rotl(x05 ^ x09, 12); - x01 += x05; x13 = rotl(x13 ^ x01, 8); - x09 += x13; x05 = rotl(x05 ^ x09, 7); - x02 += x06; x14 = rotl(x14 ^ x02, 16); - x10 += x14; x06 = rotl(x06 ^ x10, 12); - x02 += x06; x14 = rotl(x14 ^ x02, 8); - x10 += x14; x06 = rotl(x06 ^ x10, 7); - x03 += x07; x15 = rotl(x15 ^ x03, 16); - x11 += x15; x07 = rotl(x07 ^ x11, 12); - x03 += x07; x15 = rotl(x15 ^ x03, 8); - x11 += x15; x07 = rotl(x07 ^ x11, 7); - x00 += x05; x15 = rotl(x15 ^ x00, 16); - x10 += x15; x05 = rotl(x05 ^ x10, 12); - x00 += x05; x15 = rotl(x15 ^ x00, 8); - x10 += x15; x05 = rotl(x05 ^ x10, 7); - x01 += x06; x12 = rotl(x12 ^ x01, 16); - x11 += x12; x06 = rotl(x06 ^ x11, 12); - x01 += x06; x12 = rotl(x12 ^ x01, 8); - x11 += x12; x06 = rotl(x06 ^ x11, 7); - x02 += x07; x13 = rotl(x13 ^ x02, 16); - x08 += x13; x07 = rotl(x07 ^ x08, 12); - x02 += x07; x13 = rotl(x13 ^ x02, 8); - x08 += x13; x07 = rotl(x07 ^ x08, 7); - x03 += x04; x14 = rotl(x14 ^ x03, 16); - x09 += x14; x04 = rotl(x04 ^ x09, 12); - x03 += x04; x14 = rotl(x14 ^ x03, 8); - x09 += x14; x04 = rotl(x04 ^ x09, 7); - - } - - x[ 0] = x00 + input[ 0]; - x[ 1] = x01 + input[ 1]; - x[ 2] = x02 + input[ 2]; - x[ 3] = x03 + input[ 3]; - x[ 4] = x04 + input[ 4]; - x[ 5] = x05 + input[ 5]; - x[ 6] = x06 + input[ 6]; - x[ 7] = x07 + input[ 7]; - x[ 8] = x08 + input[ 8]; - x[ 9] = x09 + input[ 9]; - x[10] = x10 + input[10]; - x[11] = x11 + input[11]; - x[12] = x12 + input[12]; - x[13] = x13 + input[13]; - x[14] = x14 + input[14]; - x[15] = x15 + input[15]; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/CramerShoupCiphertext.java b/core/src/main/java/org/bouncycastle/crypto/engines/CramerShoupCiphertext.java deleted file mode 100644 index 0d8ba19d..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/CramerShoupCiphertext.java +++ /dev/null @@ -1,179 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import java.math.BigInteger; - -/** - * Class, holding Cramer Shoup ciphertexts (u1, u2, e, v) - */ -public class CramerShoupCiphertext -{ - - BigInteger u1, u2, e, v; - - public CramerShoupCiphertext() - { - - } - - public CramerShoupCiphertext(BigInteger u1, BigInteger u2, BigInteger e, BigInteger v) - { - this.u1 = u1; - this.u2 = u2; - this.e = e; - this.v = v; - } - - public CramerShoupCiphertext(byte[] c) - { - int off = 0, s; - byte[] size = new byte[4]; - byte[] tmp; - - System.arraycopy(c, off, size, 0, 4); - s = byteArrayToInt(size); - tmp = new byte[s]; - off += 4; - System.arraycopy(c, off, tmp, 0, s); - off += s; - u1 = new BigInteger(tmp); - - System.arraycopy(c, off, size, 0, 4); - s = byteArrayToInt(size); - tmp = new byte[s]; - off += 4; - System.arraycopy(c, off, tmp, 0, s); - off += s; - u2 = new BigInteger(tmp); - - System.arraycopy(c, off, size, 0, 4); - s = byteArrayToInt(size); - tmp = new byte[s]; - off += 4; - System.arraycopy(c, off, tmp, 0, s); - off += s; - e = new BigInteger(tmp); - - System.arraycopy(c, off, size, 0, 4); - s = byteArrayToInt(size); - tmp = new byte[s]; - off += 4; - System.arraycopy(c, off, tmp, 0, s); - off += s; - v = new BigInteger(tmp); - } - - public BigInteger getU1() - { - return u1; - } - - public void setU1(BigInteger u1) - { - this.u1 = u1; - } - - public BigInteger getU2() - { - return u2; - } - - public void setU2(BigInteger u2) - { - this.u2 = u2; - } - - public BigInteger getE() - { - return e; - } - - public void setE(BigInteger e) - { - this.e = e; - } - - public BigInteger getV() - { - return v; - } - - public void setV(BigInteger v) - { - this.v = v; - } - - public String toString() - { - StringBuffer result = new StringBuffer(); - - result.append("u1: " + u1.toString()); - result.append("\nu2: " + u2.toString()); - result.append("\ne: " + e.toString()); - result.append("\nv: " + v.toString()); - - return result.toString(); - } - - /** - * convert the cipher-text in a byte array, - * prepending them with 4 Bytes for their length - * - * @return - */ - public byte[] toByteArray() - { - - byte[] u1Bytes = u1.toByteArray(); - int u1Length = u1Bytes.length; - byte[] u2Bytes = u2.toByteArray(); - int u2Length = u2Bytes.length; - byte[] eBytes = e.toByteArray(); - int eLength = eBytes.length; - byte[] vBytes = v.toByteArray(); - int vLength = vBytes.length; - - int off = 0; - byte[] result = new byte[u1Length + u2Length + eLength + vLength + 4 * 4]; - System.arraycopy(intToByteArray(u1Length), 0, result, 0, 4); - off += 4; - System.arraycopy(u1Bytes, 0, result, off, u1Length); - off += u1Length; - System.arraycopy(intToByteArray(u2Length), 0, result, off, 4); - off += 4; - System.arraycopy(u2Bytes, 0, result, off, u2Length); - off += u2Length; - System.arraycopy(intToByteArray(eLength), 0, result, off, 4); - off += 4; - System.arraycopy(eBytes, 0, result, off, eLength); - off += eLength; - System.arraycopy(intToByteArray(vLength), 0, result, off, 4); - off += 4; - System.arraycopy(vBytes, 0, result, off, vLength); - - return result; - } - - private byte[] intToByteArray(int in) - { - byte[] bytes = new byte[4]; - for (int i = 0; i < 4; i++) - { - bytes[3 - i] = (byte)(in >>> (i * 8)); - } - return bytes; - } - - private int byteArrayToInt(byte[] in) - { - if (in.length != 4) - { - return -1; - } - int r = 0; - for (int i = 3; i >= 0; i--) - { - r += (int)in[i] << ((3 - i) * 8); - } - return r; - } -}
\ No newline at end of file diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/CramerShoupCoreEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/CramerShoupCoreEngine.java deleted file mode 100644 index 4c0db1b5..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/CramerShoupCoreEngine.java +++ /dev/null @@ -1,313 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.params.CramerShoupKeyParameters; -import org.bouncycastle.crypto.params.CramerShoupPrivateKeyParameters; -import org.bouncycastle.crypto.params.CramerShoupPublicKeyParameters; -import org.bouncycastle.crypto.params.ParametersWithRandom; -import org.bouncycastle.util.BigIntegers; - -/** - * Essentially the Cramer-Shoup encryption / decryption algorithms according to - * "A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack." (Crypto 1998) - */ -public class CramerShoupCoreEngine -{ - - private static final BigInteger ONE = BigInteger.valueOf(1); - - private CramerShoupKeyParameters key; - private SecureRandom random; - private boolean forEncryption; - private String label = null; - - /** - * initialise the CramerShoup engine. - * - * @param forEncryption whether this engine should encrypt or decrypt - * @param param the necessary CramerShoup key parameters. - * @param label the label for labelled CS as {@link String} - */ - public void init(boolean forEncryption, CipherParameters param, String label) - { - init(forEncryption, param); - - this.label = label; - } - - /** - * initialise the CramerShoup engine. - * - * @param forEncryption whether this engine should encrypt or decrypt - * @param param the necessary CramerShoup key parameters. - */ - public void init(boolean forEncryption, CipherParameters param) - { - SecureRandom providedRandom = null; - - if (param instanceof ParametersWithRandom) - { - ParametersWithRandom rParam = (ParametersWithRandom)param; - - key = (CramerShoupKeyParameters)rParam.getParameters(); - providedRandom = rParam.getRandom(); - } - else - { - key = (CramerShoupKeyParameters)param; - } - - this.random = initSecureRandom(forEncryption, providedRandom); - this.forEncryption = forEncryption; - } - - /** - * Return the maximum size for an input block to this engine. For Cramer - * Shoup this is always one byte less than the key size on encryption, and - * the same length as the key size on decryption. - * - * @return maximum size for an input block. - * <p/> - * TODO: correct? - */ - public int getInputBlockSize() - { - int bitSize = key.getParameters().getP().bitLength(); - - if (forEncryption) - { - return (bitSize + 7) / 8 - 1; - } - else - { - return (bitSize + 7) / 8; - } - } - - /** - * Return the maximum size for an output block to this engine. For Cramer - * Shoup this is always one byte less than the key size on decryption, and - * the same length as the key size on encryption. - * - * @return maximum size for an output block. - * <p/> - * TODO: correct? - */ - public int getOutputBlockSize() - { - int bitSize = key.getParameters().getP().bitLength(); - - if (forEncryption) - { - return (bitSize + 7) / 8; - } - else - { - return (bitSize + 7) / 8 - 1; - } - } - - public BigInteger convertInput(byte[] in, int inOff, int inLen) - { - if (inLen > (getInputBlockSize() + 1)) - { - throw new DataLengthException("input too large for Cramer Shoup cipher."); - } - else if (inLen == (getInputBlockSize() + 1) && forEncryption) - { - throw new DataLengthException("input too large for Cramer Shoup cipher."); - } - - byte[] block; - - if (inOff != 0 || inLen != in.length) - { - block = new byte[inLen]; - - System.arraycopy(in, inOff, block, 0, inLen); - } - else - { - block = in; - } - - BigInteger res = new BigInteger(1, block); - if (res.compareTo(key.getParameters().getP()) >= 0) - { - throw new DataLengthException("input too large for Cramer Shoup cipher."); - } - - return res; - } - - public byte[] convertOutput(BigInteger result) - { - byte[] output = result.toByteArray(); - - if (!forEncryption) - { - if (output[0] == 0 && output.length > getOutputBlockSize()) - { // have ended up with an extra zero byte, copy down. - byte[] tmp = new byte[output.length - 1]; - - System.arraycopy(output, 1, tmp, 0, tmp.length); - - return tmp; - } - - if (output.length < getOutputBlockSize()) - {// have ended up with less bytes than normal, lengthen - byte[] tmp = new byte[getOutputBlockSize()]; - - System.arraycopy(output, 0, tmp, tmp.length - output.length, output.length); - - return tmp; - } - } - else - { - if (output[0] == 0) - { // have ended up with an extra zero byte, copy down. - byte[] tmp = new byte[output.length - 1]; - - System.arraycopy(output, 1, tmp, 0, tmp.length); - - return tmp; - } - } - - return output; - } - - public CramerShoupCiphertext encryptBlock(BigInteger input) - { - - CramerShoupCiphertext result = null; - - if (!key.isPrivate() && this.forEncryption && key instanceof CramerShoupPublicKeyParameters) - { - CramerShoupPublicKeyParameters pk = (CramerShoupPublicKeyParameters)key; - BigInteger p = pk.getParameters().getP(); - BigInteger g1 = pk.getParameters().getG1(); - BigInteger g2 = pk.getParameters().getG2(); - - BigInteger h = pk.getH(); - - if (!isValidMessage(input, p)) - { - return result; - } - - BigInteger r = generateRandomElement(p, random); - - BigInteger u1, u2, v, e, a; - - u1 = g1.modPow(r, p); - u2 = g2.modPow(r, p); - e = h.modPow(r, p).multiply(input).mod(p); - - Digest digest = pk.getParameters().getH(); - byte[] u1Bytes = u1.toByteArray(); - digest.update(u1Bytes, 0, u1Bytes.length); - byte[] u2Bytes = u2.toByteArray(); - digest.update(u2Bytes, 0, u2Bytes.length); - byte[] eBytes = e.toByteArray(); - digest.update(eBytes, 0, eBytes.length); - if (this.label != null) - { - byte[] lBytes = this.label.getBytes(); - digest.update(lBytes, 0, lBytes.length); - } - byte[] out = new byte[digest.getDigestSize()]; - digest.doFinal(out, 0); - a = new BigInteger(1, out); - - v = pk.getC().modPow(r, p).multiply(pk.getD().modPow(r.multiply(a), p)).mod(p); - - result = new CramerShoupCiphertext(u1, u2, e, v); - } - return result; - } - - public BigInteger decryptBlock(CramerShoupCiphertext input) - throws CramerShoupCiphertextException - { - - BigInteger result = null; - - if (key.isPrivate() && !this.forEncryption && key instanceof CramerShoupPrivateKeyParameters) - { - CramerShoupPrivateKeyParameters sk = (CramerShoupPrivateKeyParameters)key; - - BigInteger p = sk.getParameters().getP(); - - Digest digest = sk.getParameters().getH(); - byte[] u1Bytes = input.getU1().toByteArray(); - digest.update(u1Bytes, 0, u1Bytes.length); - byte[] u2Bytes = input.getU2().toByteArray(); - digest.update(u2Bytes, 0, u2Bytes.length); - byte[] eBytes = input.getE().toByteArray(); - digest.update(eBytes, 0, eBytes.length); - if (this.label != null) - { - byte[] lBytes = this.label.getBytes(); - digest.update(lBytes, 0, lBytes.length); - } - byte[] out = new byte[digest.getDigestSize()]; - digest.doFinal(out, 0); - - BigInteger a = new BigInteger(1, out); - BigInteger v = input.u1.modPow(sk.getX1().add(sk.getY1().multiply(a)), p). - multiply(input.u2.modPow(sk.getX2().add(sk.getY2().multiply(a)), p)).mod(p); - - // check correctness of ciphertext - if (input.v.equals(v)) - { - result = input.e.multiply(input.u1.modPow(sk.getZ(), p).modInverse(p)).mod(p); - } - else - { - throw new CramerShoupCiphertextException("Sorry, that ciphertext is not correct"); - } - } - return result; - } - - private BigInteger generateRandomElement(BigInteger p, SecureRandom random) - { - return BigIntegers.createRandomInRange(ONE, p.subtract(ONE), random); - } - - /** - * just checking whether the message m is actually less than the group order p - */ - private boolean isValidMessage(BigInteger m, BigInteger p) - { - return m.compareTo(p) < 0; - } - - protected SecureRandom initSecureRandom(boolean needed, SecureRandom provided) - { - return !needed ? null : (provided != null) ? provided : new SecureRandom(); - } - - /** - * CS exception for wrong cipher-texts - */ - public static class CramerShoupCiphertextException - extends Exception - { - private static final long serialVersionUID = -6360977166495345076L; - - public CramerShoupCiphertextException(String msg) - { - super(msg); - } - - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/DESEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/DESEngine.java deleted file mode 100644 index 6980fd08..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/DESEngine.java +++ /dev/null @@ -1,495 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.params.KeyParameter; - -/** - * a class that provides a basic DES engine. - */ -public class DESEngine - implements BlockCipher -{ - protected static final int BLOCK_SIZE = 8; - - private int[] workingKey = null; - - /** - * standard constructor. - */ - public DESEngine() - { - } - - /** - * initialise a DES cipher. - * - * @param encrypting whether or not we are for encryption. - * @param params the parameters required to set up the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean encrypting, - CipherParameters params) - { - if (params instanceof KeyParameter) - { - if (((KeyParameter)params).getKey().length > 8) - { - throw new IllegalArgumentException("DES key too long - should be 8 bytes"); - } - - workingKey = generateWorkingKey(encrypting, - ((KeyParameter)params).getKey()); - - return; - } - - throw new IllegalArgumentException("invalid parameter passed to DES init - " + params.getClass().getName()); - } - - public String getAlgorithmName() - { - return "DES"; - } - - public int getBlockSize() - { - return BLOCK_SIZE; - } - - public int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - if (workingKey == null) - { - throw new IllegalStateException("DES engine not initialised"); - } - - if ((inOff + BLOCK_SIZE) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + BLOCK_SIZE) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - desFunc(workingKey, in, inOff, out, outOff); - - return BLOCK_SIZE; - } - - public void reset() - { - } - - /** - * what follows is mainly taken from "Applied Cryptography", by - * Bruce Schneier, however it also bears great resemblance to Richard - * Outerbridge's D3DES... - */ - -// private static final short[] Df_Key = -// { -// 0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef, -// 0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10, -// 0x89,0xab,0xcd,0xef,0x01,0x23,0x45,0x67 -// }; - - private static final short[] bytebit = - { - 0200, 0100, 040, 020, 010, 04, 02, 01 - }; - - private static final int[] bigbyte = - { - 0x800000, 0x400000, 0x200000, 0x100000, - 0x80000, 0x40000, 0x20000, 0x10000, - 0x8000, 0x4000, 0x2000, 0x1000, - 0x800, 0x400, 0x200, 0x100, - 0x80, 0x40, 0x20, 0x10, - 0x8, 0x4, 0x2, 0x1 - }; - - /* - * Use the key schedule specified in the Standard (ANSI X3.92-1981). - */ - - private static final byte[] pc1 = - { - 56, 48, 40, 32, 24, 16, 8, 0, 57, 49, 41, 33, 25, 17, - 9, 1, 58, 50, 42, 34, 26, 18, 10, 2, 59, 51, 43, 35, - 62, 54, 46, 38, 30, 22, 14, 6, 61, 53, 45, 37, 29, 21, - 13, 5, 60, 52, 44, 36, 28, 20, 12, 4, 27, 19, 11, 3 - }; - - private static final byte[] totrot = - { - 1, 2, 4, 6, 8, 10, 12, 14, - 15, 17, 19, 21, 23, 25, 27, 28 - }; - - private static final byte[] pc2 = - { - 13, 16, 10, 23, 0, 4, 2, 27, 14, 5, 20, 9, - 22, 18, 11, 3, 25, 7, 15, 6, 26, 19, 12, 1, - 40, 51, 30, 36, 46, 54, 29, 39, 50, 44, 32, 47, - 43, 48, 38, 55, 33, 52, 45, 41, 49, 35, 28, 31 - }; - - private static final int[] SP1 = { - 0x01010400, 0x00000000, 0x00010000, 0x01010404, - 0x01010004, 0x00010404, 0x00000004, 0x00010000, - 0x00000400, 0x01010400, 0x01010404, 0x00000400, - 0x01000404, 0x01010004, 0x01000000, 0x00000004, - 0x00000404, 0x01000400, 0x01000400, 0x00010400, - 0x00010400, 0x01010000, 0x01010000, 0x01000404, - 0x00010004, 0x01000004, 0x01000004, 0x00010004, - 0x00000000, 0x00000404, 0x00010404, 0x01000000, - 0x00010000, 0x01010404, 0x00000004, 0x01010000, - 0x01010400, 0x01000000, 0x01000000, 0x00000400, - 0x01010004, 0x00010000, 0x00010400, 0x01000004, - 0x00000400, 0x00000004, 0x01000404, 0x00010404, - 0x01010404, 0x00010004, 0x01010000, 0x01000404, - 0x01000004, 0x00000404, 0x00010404, 0x01010400, - 0x00000404, 0x01000400, 0x01000400, 0x00000000, - 0x00010004, 0x00010400, 0x00000000, 0x01010004 - }; - - private static final int[] SP2 = { - 0x80108020, 0x80008000, 0x00008000, 0x00108020, - 0x00100000, 0x00000020, 0x80100020, 0x80008020, - 0x80000020, 0x80108020, 0x80108000, 0x80000000, - 0x80008000, 0x00100000, 0x00000020, 0x80100020, - 0x00108000, 0x00100020, 0x80008020, 0x00000000, - 0x80000000, 0x00008000, 0x00108020, 0x80100000, - 0x00100020, 0x80000020, 0x00000000, 0x00108000, - 0x00008020, 0x80108000, 0x80100000, 0x00008020, - 0x00000000, 0x00108020, 0x80100020, 0x00100000, - 0x80008020, 0x80100000, 0x80108000, 0x00008000, - 0x80100000, 0x80008000, 0x00000020, 0x80108020, - 0x00108020, 0x00000020, 0x00008000, 0x80000000, - 0x00008020, 0x80108000, 0x00100000, 0x80000020, - 0x00100020, 0x80008020, 0x80000020, 0x00100020, - 0x00108000, 0x00000000, 0x80008000, 0x00008020, - 0x80000000, 0x80100020, 0x80108020, 0x00108000 - }; - - private static final int[] SP3 = { - 0x00000208, 0x08020200, 0x00000000, 0x08020008, - 0x08000200, 0x00000000, 0x00020208, 0x08000200, - 0x00020008, 0x08000008, 0x08000008, 0x00020000, - 0x08020208, 0x00020008, 0x08020000, 0x00000208, - 0x08000000, 0x00000008, 0x08020200, 0x00000200, - 0x00020200, 0x08020000, 0x08020008, 0x00020208, - 0x08000208, 0x00020200, 0x00020000, 0x08000208, - 0x00000008, 0x08020208, 0x00000200, 0x08000000, - 0x08020200, 0x08000000, 0x00020008, 0x00000208, - 0x00020000, 0x08020200, 0x08000200, 0x00000000, - 0x00000200, 0x00020008, 0x08020208, 0x08000200, - 0x08000008, 0x00000200, 0x00000000, 0x08020008, - 0x08000208, 0x00020000, 0x08000000, 0x08020208, - 0x00000008, 0x00020208, 0x00020200, 0x08000008, - 0x08020000, 0x08000208, 0x00000208, 0x08020000, - 0x00020208, 0x00000008, 0x08020008, 0x00020200 - }; - - private static final int[] SP4 = { - 0x00802001, 0x00002081, 0x00002081, 0x00000080, - 0x00802080, 0x00800081, 0x00800001, 0x00002001, - 0x00000000, 0x00802000, 0x00802000, 0x00802081, - 0x00000081, 0x00000000, 0x00800080, 0x00800001, - 0x00000001, 0x00002000, 0x00800000, 0x00802001, - 0x00000080, 0x00800000, 0x00002001, 0x00002080, - 0x00800081, 0x00000001, 0x00002080, 0x00800080, - 0x00002000, 0x00802080, 0x00802081, 0x00000081, - 0x00800080, 0x00800001, 0x00802000, 0x00802081, - 0x00000081, 0x00000000, 0x00000000, 0x00802000, - 0x00002080, 0x00800080, 0x00800081, 0x00000001, - 0x00802001, 0x00002081, 0x00002081, 0x00000080, - 0x00802081, 0x00000081, 0x00000001, 0x00002000, - 0x00800001, 0x00002001, 0x00802080, 0x00800081, - 0x00002001, 0x00002080, 0x00800000, 0x00802001, - 0x00000080, 0x00800000, 0x00002000, 0x00802080 - }; - - private static final int[] SP5 = { - 0x00000100, 0x02080100, 0x02080000, 0x42000100, - 0x00080000, 0x00000100, 0x40000000, 0x02080000, - 0x40080100, 0x00080000, 0x02000100, 0x40080100, - 0x42000100, 0x42080000, 0x00080100, 0x40000000, - 0x02000000, 0x40080000, 0x40080000, 0x00000000, - 0x40000100, 0x42080100, 0x42080100, 0x02000100, - 0x42080000, 0x40000100, 0x00000000, 0x42000000, - 0x02080100, 0x02000000, 0x42000000, 0x00080100, - 0x00080000, 0x42000100, 0x00000100, 0x02000000, - 0x40000000, 0x02080000, 0x42000100, 0x40080100, - 0x02000100, 0x40000000, 0x42080000, 0x02080100, - 0x40080100, 0x00000100, 0x02000000, 0x42080000, - 0x42080100, 0x00080100, 0x42000000, 0x42080100, - 0x02080000, 0x00000000, 0x40080000, 0x42000000, - 0x00080100, 0x02000100, 0x40000100, 0x00080000, - 0x00000000, 0x40080000, 0x02080100, 0x40000100 - }; - - private static final int[] SP6 = { - 0x20000010, 0x20400000, 0x00004000, 0x20404010, - 0x20400000, 0x00000010, 0x20404010, 0x00400000, - 0x20004000, 0x00404010, 0x00400000, 0x20000010, - 0x00400010, 0x20004000, 0x20000000, 0x00004010, - 0x00000000, 0x00400010, 0x20004010, 0x00004000, - 0x00404000, 0x20004010, 0x00000010, 0x20400010, - 0x20400010, 0x00000000, 0x00404010, 0x20404000, - 0x00004010, 0x00404000, 0x20404000, 0x20000000, - 0x20004000, 0x00000010, 0x20400010, 0x00404000, - 0x20404010, 0x00400000, 0x00004010, 0x20000010, - 0x00400000, 0x20004000, 0x20000000, 0x00004010, - 0x20000010, 0x20404010, 0x00404000, 0x20400000, - 0x00404010, 0x20404000, 0x00000000, 0x20400010, - 0x00000010, 0x00004000, 0x20400000, 0x00404010, - 0x00004000, 0x00400010, 0x20004010, 0x00000000, - 0x20404000, 0x20000000, 0x00400010, 0x20004010 - }; - - private static final int[] SP7 = { - 0x00200000, 0x04200002, 0x04000802, 0x00000000, - 0x00000800, 0x04000802, 0x00200802, 0x04200800, - 0x04200802, 0x00200000, 0x00000000, 0x04000002, - 0x00000002, 0x04000000, 0x04200002, 0x00000802, - 0x04000800, 0x00200802, 0x00200002, 0x04000800, - 0x04000002, 0x04200000, 0x04200800, 0x00200002, - 0x04200000, 0x00000800, 0x00000802, 0x04200802, - 0x00200800, 0x00000002, 0x04000000, 0x00200800, - 0x04000000, 0x00200800, 0x00200000, 0x04000802, - 0x04000802, 0x04200002, 0x04200002, 0x00000002, - 0x00200002, 0x04000000, 0x04000800, 0x00200000, - 0x04200800, 0x00000802, 0x00200802, 0x04200800, - 0x00000802, 0x04000002, 0x04200802, 0x04200000, - 0x00200800, 0x00000000, 0x00000002, 0x04200802, - 0x00000000, 0x00200802, 0x04200000, 0x00000800, - 0x04000002, 0x04000800, 0x00000800, 0x00200002 - }; - - private static final int[] SP8 = { - 0x10001040, 0x00001000, 0x00040000, 0x10041040, - 0x10000000, 0x10001040, 0x00000040, 0x10000000, - 0x00040040, 0x10040000, 0x10041040, 0x00041000, - 0x10041000, 0x00041040, 0x00001000, 0x00000040, - 0x10040000, 0x10000040, 0x10001000, 0x00001040, - 0x00041000, 0x00040040, 0x10040040, 0x10041000, - 0x00001040, 0x00000000, 0x00000000, 0x10040040, - 0x10000040, 0x10001000, 0x00041040, 0x00040000, - 0x00041040, 0x00040000, 0x10041000, 0x00001000, - 0x00000040, 0x10040040, 0x00001000, 0x00041040, - 0x10001000, 0x00000040, 0x10000040, 0x10040000, - 0x10040040, 0x10000000, 0x00040000, 0x10001040, - 0x00000000, 0x10041040, 0x00040040, 0x10000040, - 0x10040000, 0x10001000, 0x10001040, 0x00000000, - 0x10041040, 0x00041000, 0x00041000, 0x00001040, - 0x00001040, 0x00040040, 0x10000000, 0x10041000 - }; - - /** - * generate an integer based working key based on our secret key - * and what we processing we are planning to do. - * - * Acknowledgements for this routine go to James Gillogly & Phil Karn. - * (whoever, and wherever they are!). - */ - protected int[] generateWorkingKey( - boolean encrypting, - byte[] key) - { - int[] newKey = new int[32]; - boolean[] pc1m = new boolean[56], - pcr = new boolean[56]; - - for (int j = 0; j < 56; j++) - { - int l = pc1[j]; - - pc1m[j] = ((key[l >>> 3] & bytebit[l & 07]) != 0); - } - - for (int i = 0; i < 16; i++) - { - int l, m, n; - - if (encrypting) - { - m = i << 1; - } - else - { - m = (15 - i) << 1; - } - - n = m + 1; - newKey[m] = newKey[n] = 0; - - for (int j = 0; j < 28; j++) - { - l = j + totrot[i]; - if (l < 28) - { - pcr[j] = pc1m[l]; - } - else - { - pcr[j] = pc1m[l - 28]; - } - } - - for (int j = 28; j < 56; j++) - { - l = j + totrot[i]; - if (l < 56) - { - pcr[j] = pc1m[l]; - } - else - { - pcr[j] = pc1m[l - 28]; - } - } - - for (int j = 0; j < 24; j++) - { - if (pcr[pc2[j]]) - { - newKey[m] |= bigbyte[j]; - } - - if (pcr[pc2[j + 24]]) - { - newKey[n] |= bigbyte[j]; - } - } - } - - // - // store the processed key - // - for (int i = 0; i != 32; i += 2) - { - int i1, i2; - - i1 = newKey[i]; - i2 = newKey[i + 1]; - - newKey[i] = ((i1 & 0x00fc0000) << 6) | ((i1 & 0x00000fc0) << 10) - | ((i2 & 0x00fc0000) >>> 10) | ((i2 & 0x00000fc0) >>> 6); - - newKey[i + 1] = ((i1 & 0x0003f000) << 12) | ((i1 & 0x0000003f) << 16) - | ((i2 & 0x0003f000) >>> 4) | (i2 & 0x0000003f); - } - - return newKey; - } - - /** - * the DES engine. - */ - protected void desFunc( - int[] wKey, - byte[] in, - int inOff, - byte[] out, - int outOff) - { - int work, right, left; - - left = (in[inOff + 0] & 0xff) << 24; - left |= (in[inOff + 1] & 0xff) << 16; - left |= (in[inOff + 2] & 0xff) << 8; - left |= (in[inOff + 3] & 0xff); - - right = (in[inOff + 4] & 0xff) << 24; - right |= (in[inOff + 5] & 0xff) << 16; - right |= (in[inOff + 6] & 0xff) << 8; - right |= (in[inOff + 7] & 0xff); - - work = ((left >>> 4) ^ right) & 0x0f0f0f0f; - right ^= work; - left ^= (work << 4); - work = ((left >>> 16) ^ right) & 0x0000ffff; - right ^= work; - left ^= (work << 16); - work = ((right >>> 2) ^ left) & 0x33333333; - left ^= work; - right ^= (work << 2); - work = ((right >>> 8) ^ left) & 0x00ff00ff; - left ^= work; - right ^= (work << 8); - right = ((right << 1) | ((right >>> 31) & 1)) & 0xffffffff; - work = (left ^ right) & 0xaaaaaaaa; - left ^= work; - right ^= work; - left = ((left << 1) | ((left >>> 31) & 1)) & 0xffffffff; - - for (int round = 0; round < 8; round++) - { - int fval; - - work = (right << 28) | (right >>> 4); - work ^= wKey[round * 4 + 0]; - fval = SP7[ work & 0x3f]; - fval |= SP5[(work >>> 8) & 0x3f]; - fval |= SP3[(work >>> 16) & 0x3f]; - fval |= SP1[(work >>> 24) & 0x3f]; - work = right ^ wKey[round * 4 + 1]; - fval |= SP8[ work & 0x3f]; - fval |= SP6[(work >>> 8) & 0x3f]; - fval |= SP4[(work >>> 16) & 0x3f]; - fval |= SP2[(work >>> 24) & 0x3f]; - left ^= fval; - work = (left << 28) | (left >>> 4); - work ^= wKey[round * 4 + 2]; - fval = SP7[ work & 0x3f]; - fval |= SP5[(work >>> 8) & 0x3f]; - fval |= SP3[(work >>> 16) & 0x3f]; - fval |= SP1[(work >>> 24) & 0x3f]; - work = left ^ wKey[round * 4 + 3]; - fval |= SP8[ work & 0x3f]; - fval |= SP6[(work >>> 8) & 0x3f]; - fval |= SP4[(work >>> 16) & 0x3f]; - fval |= SP2[(work >>> 24) & 0x3f]; - right ^= fval; - } - - right = (right << 31) | (right >>> 1); - work = (left ^ right) & 0xaaaaaaaa; - left ^= work; - right ^= work; - left = (left << 31) | (left >>> 1); - work = ((left >>> 8) ^ right) & 0x00ff00ff; - right ^= work; - left ^= (work << 8); - work = ((left >>> 2) ^ right) & 0x33333333; - right ^= work; - left ^= (work << 2); - work = ((right >>> 16) ^ left) & 0x0000ffff; - left ^= work; - right ^= (work << 16); - work = ((right >>> 4) ^ left) & 0x0f0f0f0f; - left ^= work; - right ^= (work << 4); - - out[outOff + 0] = (byte)((right >>> 24) & 0xff); - out[outOff + 1] = (byte)((right >>> 16) & 0xff); - out[outOff + 2] = (byte)((right >>> 8) & 0xff); - out[outOff + 3] = (byte)(right & 0xff); - out[outOff + 4] = (byte)((left >>> 24) & 0xff); - out[outOff + 5] = (byte)((left >>> 16) & 0xff); - out[outOff + 6] = (byte)((left >>> 8) & 0xff); - out[outOff + 7] = (byte)(left & 0xff); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/DESedeEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/DESedeEngine.java deleted file mode 100644 index 513eccdf..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/DESedeEngine.java +++ /dev/null @@ -1,127 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.params.KeyParameter; - -/** - * a class that provides a basic DESede (or Triple DES) engine. - */ -public class DESedeEngine - extends DESEngine -{ - protected static final int BLOCK_SIZE = 8; - - private int[] workingKey1 = null; - private int[] workingKey2 = null; - private int[] workingKey3 = null; - - private boolean forEncryption; - - /** - * standard constructor. - */ - public DESedeEngine() - { - } - - /** - * initialise a DESede cipher. - * - * @param encrypting whether or not we are for encryption. - * @param params the parameters required to set up the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean encrypting, - CipherParameters params) - { - if (!(params instanceof KeyParameter)) - { - throw new IllegalArgumentException("invalid parameter passed to DESede init - " + params.getClass().getName()); - } - - byte[] keyMaster = ((KeyParameter)params).getKey(); - - if (keyMaster.length != 24 && keyMaster.length != 16) - { - throw new IllegalArgumentException("key size must be 16 or 24 bytes."); - } - - this.forEncryption = encrypting; - - byte[] key1 = new byte[8]; - System.arraycopy(keyMaster, 0, key1, 0, key1.length); - workingKey1 = generateWorkingKey(encrypting, key1); - - byte[] key2 = new byte[8]; - System.arraycopy(keyMaster, 8, key2, 0, key2.length); - workingKey2 = generateWorkingKey(!encrypting, key2); - - if (keyMaster.length == 24) - { - byte[] key3 = new byte[8]; - System.arraycopy(keyMaster, 16, key3, 0, key3.length); - workingKey3 = generateWorkingKey(encrypting, key3); - } - else // 16 byte key - { - workingKey3 = workingKey1; - } - } - - public String getAlgorithmName() - { - return "DESede"; - } - - public int getBlockSize() - { - return BLOCK_SIZE; - } - - public int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - if (workingKey1 == null) - { - throw new IllegalStateException("DESede engine not initialised"); - } - - if ((inOff + BLOCK_SIZE) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + BLOCK_SIZE) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - byte[] temp = new byte[BLOCK_SIZE]; - - if (forEncryption) - { - desFunc(workingKey1, in, inOff, temp, 0); - desFunc(workingKey2, temp, 0, temp, 0); - desFunc(workingKey3, temp, 0, out, outOff); - } - else - { - desFunc(workingKey3, in, inOff, temp, 0); - desFunc(workingKey2, temp, 0, temp, 0); - desFunc(workingKey1, temp, 0, out, outOff); - } - - return BLOCK_SIZE; - } - - public void reset() - { - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/DESedeWrapEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/DESedeWrapEngine.java deleted file mode 100644 index 923a79cd..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/DESedeWrapEngine.java +++ /dev/null @@ -1,350 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import java.security.SecureRandom; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.InvalidCipherTextException; -import org.bouncycastle.crypto.Wrapper; -import org.bouncycastle.crypto.digests.SHA1Digest; -import org.bouncycastle.crypto.modes.CBCBlockCipher; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.ParametersWithIV; -import org.bouncycastle.crypto.params.ParametersWithRandom; -import org.bouncycastle.util.Arrays; - -/** - * Wrap keys according to - * <A HREF="http://www.ietf.org/internet-drafts/draft-ietf-smime-key-wrap-01.txt"> - * draft-ietf-smime-key-wrap-01.txt</A>. - * <p> - * Note: - * <ul> - * <li>this is based on a draft, and as such is subject to change - don't use this class for anything requiring long term storage. - * <li>if you are using this to wrap triple-des keys you need to set the - * parity bits on the key and, if it's a two-key triple-des key, pad it - * yourself. - * </ul> - */ -public class DESedeWrapEngine - implements Wrapper -{ - /** Field engine */ - private CBCBlockCipher engine; - - /** Field param */ - private KeyParameter param; - - /** Field paramPlusIV */ - private ParametersWithIV paramPlusIV; - - /** Field iv */ - private byte[] iv; - - /** Field forWrapping */ - private boolean forWrapping; - - /** Field IV2 */ - private static final byte[] IV2 = { (byte) 0x4a, (byte) 0xdd, (byte) 0xa2, - (byte) 0x2c, (byte) 0x79, (byte) 0xe8, - (byte) 0x21, (byte) 0x05 }; - - // - // checksum digest - // - Digest sha1 = new SHA1Digest(); - byte[] digest = new byte[20]; - - /** - * Method init - * - * @param forWrapping true if for wrapping, false otherwise. - * @param param necessary parameters, may include KeyParameter, ParametersWithRandom, and ParametersWithIV - */ - public void init(boolean forWrapping, CipherParameters param) - { - - this.forWrapping = forWrapping; - this.engine = new CBCBlockCipher(new DESedeEngine()); - - SecureRandom sr; - if (param instanceof ParametersWithRandom) - { - ParametersWithRandom pr = (ParametersWithRandom) param; - param = pr.getParameters(); - sr = pr.getRandom(); - } - else - { - sr = new SecureRandom(); - } - - if (param instanceof KeyParameter) - { - this.param = (KeyParameter)param; - - if (this.forWrapping) - { - - // Hm, we have no IV but we want to wrap ?!? - // well, then we have to create our own IV. - this.iv = new byte[8]; - sr.nextBytes(iv); - - this.paramPlusIV = new ParametersWithIV(this.param, this.iv); - } - } - else if (param instanceof ParametersWithIV) - { - this.paramPlusIV = (ParametersWithIV)param; - this.iv = this.paramPlusIV.getIV(); - this.param = (KeyParameter)this.paramPlusIV.getParameters(); - - if (this.forWrapping) - { - if ((this.iv == null) || (this.iv.length != 8)) - { - throw new IllegalArgumentException("IV is not 8 octets"); - } - } - else - { - throw new IllegalArgumentException( - "You should not supply an IV for unwrapping"); - } - } - } - - /** - * Method getAlgorithmName - * - * @return the algorithm name "DESede". - */ - public String getAlgorithmName() - { - return "DESede"; - } - - /** - * Method wrap - * - * @param in byte array containing the encoded key. - * @param inOff off set into in that the data starts at. - * @param inLen length of the data. - * @return the wrapped bytes. - */ - public byte[] wrap(byte[] in, int inOff, int inLen) - { - if (!forWrapping) - { - throw new IllegalStateException("Not initialized for wrapping"); - } - - byte keyToBeWrapped[] = new byte[inLen]; - - System.arraycopy(in, inOff, keyToBeWrapped, 0, inLen); - - // Compute the CMS Key Checksum, (section 5.6.1), call this CKS. - byte[] CKS = calculateCMSKeyChecksum(keyToBeWrapped); - - // Let WKCKS = WK || CKS where || is concatenation. - byte[] WKCKS = new byte[keyToBeWrapped.length + CKS.length]; - - System.arraycopy(keyToBeWrapped, 0, WKCKS, 0, keyToBeWrapped.length); - System.arraycopy(CKS, 0, WKCKS, keyToBeWrapped.length, CKS.length); - - // Encrypt WKCKS in CBC mode using KEK as the key and IV as the - // initialization vector. Call the results TEMP1. - - int blockSize = engine.getBlockSize(); - - if (WKCKS.length % blockSize != 0) - { - throw new IllegalStateException("Not multiple of block length"); - } - - engine.init(true, paramPlusIV); - - byte TEMP1[] = new byte[WKCKS.length]; - - for (int currentBytePos = 0; currentBytePos != WKCKS.length; currentBytePos += blockSize) - { - engine.processBlock(WKCKS, currentBytePos, TEMP1, currentBytePos); - } - - // Let TEMP2 = IV || TEMP1. - byte[] TEMP2 = new byte[this.iv.length + TEMP1.length]; - - System.arraycopy(this.iv, 0, TEMP2, 0, this.iv.length); - System.arraycopy(TEMP1, 0, TEMP2, this.iv.length, TEMP1.length); - - // Reverse the order of the octets in TEMP2 and call the result TEMP3. - byte[] TEMP3 = reverse(TEMP2); - - // Encrypt TEMP3 in CBC mode using the KEK and an initialization vector - // of 0x 4a dd a2 2c 79 e8 21 05. The resulting cipher text is the desired - // result. It is 40 octets long if a 168 bit key is being wrapped. - ParametersWithIV param2 = new ParametersWithIV(this.param, IV2); - - this.engine.init(true, param2); - - for (int currentBytePos = 0; currentBytePos != TEMP3.length; currentBytePos += blockSize) - { - engine.processBlock(TEMP3, currentBytePos, TEMP3, currentBytePos); - } - - return TEMP3; - } - - /** - * Method unwrap - * - * @param in byte array containing the wrapped key. - * @param inOff off set into in that the data starts at. - * @param inLen length of the data. - * @return the unwrapped bytes. - * @throws InvalidCipherTextException - */ - public byte[] unwrap(byte[] in, int inOff, int inLen) - throws InvalidCipherTextException - { - if (forWrapping) - { - throw new IllegalStateException("Not set for unwrapping"); - } - - if (in == null) - { - throw new InvalidCipherTextException("Null pointer as ciphertext"); - } - - final int blockSize = engine.getBlockSize(); - if (inLen % blockSize != 0) - { - throw new InvalidCipherTextException("Ciphertext not multiple of " + blockSize); - } - - /* - // Check if the length of the cipher text is reasonable given the key - // type. It must be 40 bytes for a 168 bit key and either 32, 40, or - // 48 bytes for a 128, 192, or 256 bit key. If the length is not supported - // or inconsistent with the algorithm for which the key is intended, - // return error. - // - // we do not accept 168 bit keys. it has to be 192 bit. - int lengthA = (estimatedKeyLengthInBit / 8) + 16; - int lengthB = estimatedKeyLengthInBit % 8; - - if ((lengthA != keyToBeUnwrapped.length) || (lengthB != 0)) { - throw new XMLSecurityException("empty"); - } - */ - - // Decrypt the cipher text with TRIPLedeS in CBC mode using the KEK - // and an initialization vector (IV) of 0x4adda22c79e82105. Call the output TEMP3. - ParametersWithIV param2 = new ParametersWithIV(this.param, IV2); - - this.engine.init(false, param2); - - byte TEMP3[] = new byte[inLen]; - - for (int currentBytePos = 0; currentBytePos != inLen; currentBytePos += blockSize) - { - engine.processBlock(in, inOff + currentBytePos, TEMP3, currentBytePos); - } - - // Reverse the order of the octets in TEMP3 and call the result TEMP2. - byte[] TEMP2 = reverse(TEMP3); - - // Decompose TEMP2 into IV, the first 8 octets, and TEMP1, the remaining octets. - this.iv = new byte[8]; - - byte[] TEMP1 = new byte[TEMP2.length - 8]; - - System.arraycopy(TEMP2, 0, this.iv, 0, 8); - System.arraycopy(TEMP2, 8, TEMP1, 0, TEMP2.length - 8); - - // Decrypt TEMP1 using TRIPLedeS in CBC mode using the KEK and the IV - // found in the previous step. Call the result WKCKS. - this.paramPlusIV = new ParametersWithIV(this.param, this.iv); - - this.engine.init(false, this.paramPlusIV); - - byte[] WKCKS = new byte[TEMP1.length]; - - for (int currentBytePos = 0; currentBytePos != WKCKS.length; currentBytePos += blockSize) - { - engine.processBlock(TEMP1, currentBytePos, WKCKS, currentBytePos); - } - - // Decompose WKCKS. CKS is the last 8 octets and WK, the wrapped key, are - // those octets before the CKS. - byte[] result = new byte[WKCKS.length - 8]; - byte[] CKStoBeVerified = new byte[8]; - - System.arraycopy(WKCKS, 0, result, 0, WKCKS.length - 8); - System.arraycopy(WKCKS, WKCKS.length - 8, CKStoBeVerified, 0, 8); - - // Calculate a CMS Key Checksum, (section 5.6.1), over the WK and compare - // with the CKS extracted in the above step. If they are not equal, return error. - if (!checkCMSKeyChecksum(result, CKStoBeVerified)) - { - throw new InvalidCipherTextException( - "Checksum inside ciphertext is corrupted"); - } - - // WK is the wrapped key, now extracted for use in data decryption. - return result; - } - - /** - * Some key wrap algorithms make use of the Key Checksum defined - * in CMS [CMS-Algorithms]. This is used to provide an integrity - * check value for the key being wrapped. The algorithm is - * - * - Compute the 20 octet SHA-1 hash on the key being wrapped. - * - Use the first 8 octets of this hash as the checksum value. - * - * For details see http://www.w3.org/TR/xmlenc-core/#sec-CMSKeyChecksum. - * - * @param key the key to check, - * @return the CMS checksum. - * @throws RuntimeException - */ - private byte[] calculateCMSKeyChecksum( - byte[] key) - { - byte[] result = new byte[8]; - - sha1.update(key, 0, key.length); - sha1.doFinal(digest, 0); - - System.arraycopy(digest, 0, result, 0, 8); - - return result; - } - - /** - * For details see http://www.w3.org/TR/xmlenc-core/#sec-CMSKeyChecksum - * - * @param key key to be validated. - * @param checksum the checksum. - * @return true if okay, false otherwise. - */ - private boolean checkCMSKeyChecksum( - byte[] key, - byte[] checksum) - { - return Arrays.constantTimeAreEqual(calculateCMSKeyChecksum(key), checksum); - } - - private static byte[] reverse(byte[] bs) - { - byte[] result = new byte[bs.length]; - for (int i = 0; i < bs.length; i++) - { - result[i] = bs[bs.length - (i + 1)]; - } - return result; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/ElGamalEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/ElGamalEngine.java deleted file mode 100644 index ef8e799d..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/ElGamalEngine.java +++ /dev/null @@ -1,217 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.AsymmetricBlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.params.ElGamalKeyParameters; -import org.bouncycastle.crypto.params.ElGamalPrivateKeyParameters; -import org.bouncycastle.crypto.params.ElGamalPublicKeyParameters; -import org.bouncycastle.crypto.params.ParametersWithRandom; -import org.bouncycastle.util.BigIntegers; - -/** - * this does your basic ElGamal algorithm. - */ -public class ElGamalEngine - implements AsymmetricBlockCipher -{ - private ElGamalKeyParameters key; - private SecureRandom random; - private boolean forEncryption; - private int bitSize; - - private static final BigInteger ZERO = BigInteger.valueOf(0); - private static final BigInteger ONE = BigInteger.valueOf(1); - private static final BigInteger TWO = BigInteger.valueOf(2); - - /** - * initialise the ElGamal engine. - * - * @param forEncryption true if we are encrypting, false otherwise. - * @param param the necessary ElGamal key parameters. - */ - public void init( - boolean forEncryption, - CipherParameters param) - { - if (param instanceof ParametersWithRandom) - { - ParametersWithRandom p = (ParametersWithRandom)param; - - this.key = (ElGamalKeyParameters)p.getParameters(); - this.random = p.getRandom(); - } - else - { - this.key = (ElGamalKeyParameters)param; - this.random = new SecureRandom(); - } - - this.forEncryption = forEncryption; - - BigInteger p = key.getParameters().getP(); - - bitSize = p.bitLength(); - - if (forEncryption) - { - if (!(key instanceof ElGamalPublicKeyParameters)) - { - throw new IllegalArgumentException("ElGamalPublicKeyParameters are required for encryption."); - } - } - else - { - if (!(key instanceof ElGamalPrivateKeyParameters)) - { - throw new IllegalArgumentException("ElGamalPrivateKeyParameters are required for decryption."); - } - } - } - - /** - * Return the maximum size for an input block to this engine. - * For ElGamal this is always one byte less than the size of P on - * encryption, and twice the length as the size of P on decryption. - * - * @return maximum size for an input block. - */ - public int getInputBlockSize() - { - if (forEncryption) - { - return (bitSize - 1) / 8; - } - - return 2 * ((bitSize + 7) / 8); - } - - /** - * Return the maximum size for an output block to this engine. - * For ElGamal this is always one byte less than the size of P on - * decryption, and twice the length as the size of P on encryption. - * - * @return maximum size for an output block. - */ - public int getOutputBlockSize() - { - if (forEncryption) - { - return 2 * ((bitSize + 7) / 8); - } - - return (bitSize - 1) / 8; - } - - /** - * Process a single block using the basic ElGamal algorithm. - * - * @param in the input array. - * @param inOff the offset into the input buffer where the data starts. - * @param inLen the length of the data to be processed. - * @return the result of the ElGamal process. - * @exception DataLengthException the input block is too large. - */ - public byte[] processBlock( - byte[] in, - int inOff, - int inLen) - { - if (key == null) - { - throw new IllegalStateException("ElGamal engine not initialised"); - } - - int maxLength = forEncryption - ? (bitSize - 1 + 7) / 8 - : getInputBlockSize(); - - if (inLen > maxLength) - { - throw new DataLengthException("input too large for ElGamal cipher.\n"); - } - - BigInteger p = key.getParameters().getP(); - - if (key instanceof ElGamalPrivateKeyParameters) // decryption - { - byte[] in1 = new byte[inLen / 2]; - byte[] in2 = new byte[inLen / 2]; - - System.arraycopy(in, inOff, in1, 0, in1.length); - System.arraycopy(in, inOff + in1.length, in2, 0, in2.length); - - BigInteger gamma = new BigInteger(1, in1); - BigInteger phi = new BigInteger(1, in2); - - ElGamalPrivateKeyParameters priv = (ElGamalPrivateKeyParameters)key; - // a shortcut, which generally relies on p being prime amongst other things. - // if a problem with this shows up, check the p and g values! - BigInteger m = gamma.modPow(p.subtract(ONE).subtract(priv.getX()), p).multiply(phi).mod(p); - - return BigIntegers.asUnsignedByteArray(m); - } - else // encryption - { - byte[] block; - if (inOff != 0 || inLen != in.length) - { - block = new byte[inLen]; - - System.arraycopy(in, inOff, block, 0, inLen); - } - else - { - block = in; - } - - BigInteger input = new BigInteger(1, block); - - if (input.compareTo(p) >= 0) - { - throw new DataLengthException("input too large for ElGamal cipher.\n"); - } - - ElGamalPublicKeyParameters pub = (ElGamalPublicKeyParameters)key; - - int pBitLength = p.bitLength(); - BigInteger k = new BigInteger(pBitLength, random); - - while (k.equals(ZERO) || (k.compareTo(p.subtract(TWO)) > 0)) - { - k = new BigInteger(pBitLength, random); - } - - BigInteger g = key.getParameters().getG(); - BigInteger gamma = g.modPow(k, p); - BigInteger phi = input.multiply(pub.getY().modPow(k, p)).mod(p); - - byte[] out1 = gamma.toByteArray(); - byte[] out2 = phi.toByteArray(); - byte[] output = new byte[this.getOutputBlockSize()]; - - if (out1.length > output.length / 2) - { - System.arraycopy(out1, 1, output, output.length / 2 - (out1.length - 1), out1.length - 1); - } - else - { - System.arraycopy(out1, 0, output, output.length / 2 - out1.length, out1.length); - } - - if (out2.length > output.length / 2) - { - System.arraycopy(out2, 1, output, output.length - (out2.length - 1), out2.length - 1); - } - else - { - System.arraycopy(out2, 0, output, output.length - out2.length, out2.length); - } - - return output; - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/GOST28147Engine.java b/core/src/main/java/org/bouncycastle/crypto/engines/GOST28147Engine.java deleted file mode 100644 index 5a88b7fe..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/GOST28147Engine.java +++ /dev/null @@ -1,372 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import java.util.Hashtable; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.ParametersWithSBox; -import org.bouncycastle.util.Arrays; -import org.bouncycastle.util.Strings; - -/** - * implementation of GOST 28147-89 - */ -public class GOST28147Engine - implements BlockCipher -{ - protected static final int BLOCK_SIZE = 8; - private int[] workingKey = null; - private boolean forEncryption; - - private byte[] S = Sbox_Default; - - // these are the S-boxes given in Applied Cryptography 2nd Ed., p. 333 - // This is default S-box! - private static byte Sbox_Default[] = { - 0x4,0xA,0x9,0x2,0xD,0x8,0x0,0xE,0x6,0xB,0x1,0xC,0x7,0xF,0x5,0x3, - 0xE,0xB,0x4,0xC,0x6,0xD,0xF,0xA,0x2,0x3,0x8,0x1,0x0,0x7,0x5,0x9, - 0x5,0x8,0x1,0xD,0xA,0x3,0x4,0x2,0xE,0xF,0xC,0x7,0x6,0x0,0x9,0xB, - 0x7,0xD,0xA,0x1,0x0,0x8,0x9,0xF,0xE,0x4,0x6,0xC,0xB,0x2,0x5,0x3, - 0x6,0xC,0x7,0x1,0x5,0xF,0xD,0x8,0x4,0xA,0x9,0xE,0x0,0x3,0xB,0x2, - 0x4,0xB,0xA,0x0,0x7,0x2,0x1,0xD,0x3,0x6,0x8,0x5,0x9,0xC,0xF,0xE, - 0xD,0xB,0x4,0x1,0x3,0xF,0x5,0x9,0x0,0xA,0xE,0x7,0x6,0x8,0x2,0xC, - 0x1,0xF,0xD,0x0,0x5,0x7,0xA,0x4,0x9,0x2,0x3,0xE,0x6,0xB,0x8,0xC - }; - - /* - * class content S-box parameters for encrypting - * getting from, see: http://tools.ietf.org/id/draft-popov-cryptopro-cpalgs-01.txt - * http://tools.ietf.org/id/draft-popov-cryptopro-cpalgs-02.txt - */ - private static byte[] ESbox_Test = { - 0x4,0x2,0xF,0x5,0x9,0x1,0x0,0x8,0xE,0x3,0xB,0xC,0xD,0x7,0xA,0x6, - 0xC,0x9,0xF,0xE,0x8,0x1,0x3,0xA,0x2,0x7,0x4,0xD,0x6,0x0,0xB,0x5, - 0xD,0x8,0xE,0xC,0x7,0x3,0x9,0xA,0x1,0x5,0x2,0x4,0x6,0xF,0x0,0xB, - 0xE,0x9,0xB,0x2,0x5,0xF,0x7,0x1,0x0,0xD,0xC,0x6,0xA,0x4,0x3,0x8, - 0x3,0xE,0x5,0x9,0x6,0x8,0x0,0xD,0xA,0xB,0x7,0xC,0x2,0x1,0xF,0x4, - 0x8,0xF,0x6,0xB,0x1,0x9,0xC,0x5,0xD,0x3,0x7,0xA,0x0,0xE,0x2,0x4, - 0x9,0xB,0xC,0x0,0x3,0x6,0x7,0x5,0x4,0x8,0xE,0xF,0x1,0xA,0x2,0xD, - 0xC,0x6,0x5,0x2,0xB,0x0,0x9,0xD,0x3,0xE,0x7,0xA,0xF,0x4,0x1,0x8 - }; - - private static byte[] ESbox_A = { - 0x9,0x6,0x3,0x2,0x8,0xB,0x1,0x7,0xA,0x4,0xE,0xF,0xC,0x0,0xD,0x5, - 0x3,0x7,0xE,0x9,0x8,0xA,0xF,0x0,0x5,0x2,0x6,0xC,0xB,0x4,0xD,0x1, - 0xE,0x4,0x6,0x2,0xB,0x3,0xD,0x8,0xC,0xF,0x5,0xA,0x0,0x7,0x1,0x9, - 0xE,0x7,0xA,0xC,0xD,0x1,0x3,0x9,0x0,0x2,0xB,0x4,0xF,0x8,0x5,0x6, - 0xB,0x5,0x1,0x9,0x8,0xD,0xF,0x0,0xE,0x4,0x2,0x3,0xC,0x7,0xA,0x6, - 0x3,0xA,0xD,0xC,0x1,0x2,0x0,0xB,0x7,0x5,0x9,0x4,0x8,0xF,0xE,0x6, - 0x1,0xD,0x2,0x9,0x7,0xA,0x6,0x0,0x8,0xC,0x4,0x5,0xF,0x3,0xB,0xE, - 0xB,0xA,0xF,0x5,0x0,0xC,0xE,0x8,0x6,0x2,0x3,0x9,0x1,0x7,0xD,0x4 - }; - - private static byte[] ESbox_B = { - 0x8,0x4,0xB,0x1,0x3,0x5,0x0,0x9,0x2,0xE,0xA,0xC,0xD,0x6,0x7,0xF, - 0x0,0x1,0x2,0xA,0x4,0xD,0x5,0xC,0x9,0x7,0x3,0xF,0xB,0x8,0x6,0xE, - 0xE,0xC,0x0,0xA,0x9,0x2,0xD,0xB,0x7,0x5,0x8,0xF,0x3,0x6,0x1,0x4, - 0x7,0x5,0x0,0xD,0xB,0x6,0x1,0x2,0x3,0xA,0xC,0xF,0x4,0xE,0x9,0x8, - 0x2,0x7,0xC,0xF,0x9,0x5,0xA,0xB,0x1,0x4,0x0,0xD,0x6,0x8,0xE,0x3, - 0x8,0x3,0x2,0x6,0x4,0xD,0xE,0xB,0xC,0x1,0x7,0xF,0xA,0x0,0x9,0x5, - 0x5,0x2,0xA,0xB,0x9,0x1,0xC,0x3,0x7,0x4,0xD,0x0,0x6,0xF,0x8,0xE, - 0x0,0x4,0xB,0xE,0x8,0x3,0x7,0x1,0xA,0x2,0x9,0x6,0xF,0xD,0x5,0xC - }; - - private static byte[] ESbox_C = { - 0x1,0xB,0xC,0x2,0x9,0xD,0x0,0xF,0x4,0x5,0x8,0xE,0xA,0x7,0x6,0x3, - 0x0,0x1,0x7,0xD,0xB,0x4,0x5,0x2,0x8,0xE,0xF,0xC,0x9,0xA,0x6,0x3, - 0x8,0x2,0x5,0x0,0x4,0x9,0xF,0xA,0x3,0x7,0xC,0xD,0x6,0xE,0x1,0xB, - 0x3,0x6,0x0,0x1,0x5,0xD,0xA,0x8,0xB,0x2,0x9,0x7,0xE,0xF,0xC,0x4, - 0x8,0xD,0xB,0x0,0x4,0x5,0x1,0x2,0x9,0x3,0xC,0xE,0x6,0xF,0xA,0x7, - 0xC,0x9,0xB,0x1,0x8,0xE,0x2,0x4,0x7,0x3,0x6,0x5,0xA,0x0,0xF,0xD, - 0xA,0x9,0x6,0x8,0xD,0xE,0x2,0x0,0xF,0x3,0x5,0xB,0x4,0x1,0xC,0x7, - 0x7,0x4,0x0,0x5,0xA,0x2,0xF,0xE,0xC,0x6,0x1,0xB,0xD,0x9,0x3,0x8 - }; - - private static byte[] ESbox_D = { - 0xF,0xC,0x2,0xA,0x6,0x4,0x5,0x0,0x7,0x9,0xE,0xD,0x1,0xB,0x8,0x3, - 0xB,0x6,0x3,0x4,0xC,0xF,0xE,0x2,0x7,0xD,0x8,0x0,0x5,0xA,0x9,0x1, - 0x1,0xC,0xB,0x0,0xF,0xE,0x6,0x5,0xA,0xD,0x4,0x8,0x9,0x3,0x7,0x2, - 0x1,0x5,0xE,0xC,0xA,0x7,0x0,0xD,0x6,0x2,0xB,0x4,0x9,0x3,0xF,0x8, - 0x0,0xC,0x8,0x9,0xD,0x2,0xA,0xB,0x7,0x3,0x6,0x5,0x4,0xE,0xF,0x1, - 0x8,0x0,0xF,0x3,0x2,0x5,0xE,0xB,0x1,0xA,0x4,0x7,0xC,0x9,0xD,0x6, - 0x3,0x0,0x6,0xF,0x1,0xE,0x9,0x2,0xD,0x8,0xC,0x4,0xB,0xA,0x5,0x7, - 0x1,0xA,0x6,0x8,0xF,0xB,0x0,0x4,0xC,0x3,0x5,0x9,0x7,0xD,0x2,0xE - }; - - //S-box for digest - private static byte DSbox_Test[] = { - 0x4,0xA,0x9,0x2,0xD,0x8,0x0,0xE,0x6,0xB,0x1,0xC,0x7,0xF,0x5,0x3, - 0xE,0xB,0x4,0xC,0x6,0xD,0xF,0xA,0x2,0x3,0x8,0x1,0x0,0x7,0x5,0x9, - 0x5,0x8,0x1,0xD,0xA,0x3,0x4,0x2,0xE,0xF,0xC,0x7,0x6,0x0,0x9,0xB, - 0x7,0xD,0xA,0x1,0x0,0x8,0x9,0xF,0xE,0x4,0x6,0xC,0xB,0x2,0x5,0x3, - 0x6,0xC,0x7,0x1,0x5,0xF,0xD,0x8,0x4,0xA,0x9,0xE,0x0,0x3,0xB,0x2, - 0x4,0xB,0xA,0x0,0x7,0x2,0x1,0xD,0x3,0x6,0x8,0x5,0x9,0xC,0xF,0xE, - 0xD,0xB,0x4,0x1,0x3,0xF,0x5,0x9,0x0,0xA,0xE,0x7,0x6,0x8,0x2,0xC, - 0x1,0xF,0xD,0x0,0x5,0x7,0xA,0x4,0x9,0x2,0x3,0xE,0x6,0xB,0x8,0xC - }; - - private static byte DSbox_A[] = { - 0xA,0x4,0x5,0x6,0x8,0x1,0x3,0x7,0xD,0xC,0xE,0x0,0x9,0x2,0xB,0xF, - 0x5,0xF,0x4,0x0,0x2,0xD,0xB,0x9,0x1,0x7,0x6,0x3,0xC,0xE,0xA,0x8, - 0x7,0xF,0xC,0xE,0x9,0x4,0x1,0x0,0x3,0xB,0x5,0x2,0x6,0xA,0x8,0xD, - 0x4,0xA,0x7,0xC,0x0,0xF,0x2,0x8,0xE,0x1,0x6,0x5,0xD,0xB,0x9,0x3, - 0x7,0x6,0x4,0xB,0x9,0xC,0x2,0xA,0x1,0x8,0x0,0xE,0xF,0xD,0x3,0x5, - 0x7,0x6,0x2,0x4,0xD,0x9,0xF,0x0,0xA,0x1,0x5,0xB,0x8,0xE,0xC,0x3, - 0xD,0xE,0x4,0x1,0x7,0x0,0x5,0xA,0x3,0xC,0x8,0xF,0x6,0x2,0x9,0xB, - 0x1,0x3,0xA,0x9,0x5,0xB,0x4,0xF,0x8,0x6,0x7,0xE,0xD,0x0,0x2,0xC - }; - - // - // pre-defined sbox table - // - private static Hashtable sBoxes = new Hashtable(); - - static - { - addSBox("Default", Sbox_Default); - addSBox("E-TEST", ESbox_Test); - addSBox("E-A", ESbox_A); - addSBox("E-B", ESbox_B); - addSBox("E-C", ESbox_C); - addSBox("E-D", ESbox_D); - addSBox("D-TEST", DSbox_Test); - addSBox("D-A", DSbox_A); - } - - private static void addSBox(String sBoxName, byte[] sBox) - { - sBoxes.put(Strings.toUpperCase(sBoxName), sBox); - } - - /** - * standard constructor. - */ - public GOST28147Engine() - { - } - - /** - * initialise an GOST28147 cipher. - * - * @param forEncryption whether or not we are for encryption. - * @param params the parameters required to set up the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean forEncryption, - CipherParameters params) - { - if (params instanceof ParametersWithSBox) - { - ParametersWithSBox param = (ParametersWithSBox)params; - - // - // Set the S-Box - // - byte[] sBox = param.getSBox(); - if (sBox.length != Sbox_Default.length) - { - throw new IllegalArgumentException("invalid S-box passed to GOST28147 init"); - } - this.S = Arrays.clone(sBox); - - // - // set key if there is one - // - if (param.getParameters() != null) - { - workingKey = generateWorkingKey(forEncryption, - ((KeyParameter)param.getParameters()).getKey()); - } - } - else if (params instanceof KeyParameter) - { - workingKey = generateWorkingKey(forEncryption, - ((KeyParameter)params).getKey()); - } - else if (params != null) - { - throw new IllegalArgumentException("invalid parameter passed to GOST28147 init - " + params.getClass().getName()); - } - } - - public String getAlgorithmName() - { - return "GOST28147"; - } - - public int getBlockSize() - { - return BLOCK_SIZE; - } - - public int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - if (workingKey == null) - { - throw new IllegalStateException("GOST28147 engine not initialised"); - } - - if ((inOff + BLOCK_SIZE) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + BLOCK_SIZE) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - GOST28147Func(workingKey, in, inOff, out, outOff); - - return BLOCK_SIZE; - } - - public void reset() - { - } - - private int[] generateWorkingKey( - boolean forEncryption, - byte[] userKey) - { - this.forEncryption = forEncryption; - - if (userKey.length != 32) - { - throw new IllegalArgumentException("Key length invalid. Key needs to be 32 byte - 256 bit!!!"); - } - - int key[] = new int[8]; - for(int i=0; i!=8; i++) - { - key[i] = bytesToint(userKey,i*4); - } - - return key; - } - - private int GOST28147_mainStep(int n1, int key) - { - int cm = (key + n1); // CM1 - - // S-box replacing - - int om = S[ 0 + ((cm >> (0 * 4)) & 0xF)] << (0 * 4); - om += S[ 16 + ((cm >> (1 * 4)) & 0xF)] << (1 * 4); - om += S[ 32 + ((cm >> (2 * 4)) & 0xF)] << (2 * 4); - om += S[ 48 + ((cm >> (3 * 4)) & 0xF)] << (3 * 4); - om += S[ 64 + ((cm >> (4 * 4)) & 0xF)] << (4 * 4); - om += S[ 80 + ((cm >> (5 * 4)) & 0xF)] << (5 * 4); - om += S[ 96 + ((cm >> (6 * 4)) & 0xF)] << (6 * 4); - om += S[112 + ((cm >> (7 * 4)) & 0xF)] << (7 * 4); - - return om << 11 | om >>> (32-11); // 11-leftshift - } - - private void GOST28147Func( - int[] workingKey, - byte[] in, - int inOff, - byte[] out, - int outOff) - { - int N1, N2, tmp; //tmp -> for saving N1 - N1 = bytesToint(in, inOff); - N2 = bytesToint(in, inOff + 4); - - if (this.forEncryption) - { - for(int k = 0; k < 3; k++) // 1-24 steps - { - for(int j = 0; j < 8; j++) - { - tmp = N1; - N1 = N2 ^ GOST28147_mainStep(N1, workingKey[j]); // CM2 - N2 = tmp; - } - } - for(int j = 7; j > 0; j--) // 25-31 steps - { - tmp = N1; - N1 = N2 ^ GOST28147_mainStep(N1, workingKey[j]); // CM2 - N2 = tmp; - } - } - else //decrypt - { - for(int j = 0; j < 8; j++) // 1-8 steps - { - tmp = N1; - N1 = N2 ^ GOST28147_mainStep(N1, workingKey[j]); // CM2 - N2 = tmp; - } - for(int k = 0; k < 3; k++) //9-31 steps - { - for(int j = 7; j >= 0; j--) - { - if ((k == 2) && (j==0)) - { - break; // break 32 step - } - tmp = N1; - N1 = N2 ^ GOST28147_mainStep(N1, workingKey[j]); // CM2 - N2 = tmp; - } - } - } - - N2 = N2 ^ GOST28147_mainStep(N1, workingKey[0]); // 32 step (N1=N1) - - intTobytes(N1, out, outOff); - intTobytes(N2, out, outOff + 4); - } - - //array of bytes to type int - private int bytesToint( - byte[] in, - int inOff) - { - return ((in[inOff + 3] << 24) & 0xff000000) + ((in[inOff + 2] << 16) & 0xff0000) + - ((in[inOff + 1] << 8) & 0xff00) + (in[inOff] & 0xff); - } - - //int to array of bytes - private void intTobytes( - int num, - byte[] out, - int outOff) - { - out[outOff + 3] = (byte)(num >>> 24); - out[outOff + 2] = (byte)(num >>> 16); - out[outOff + 1] = (byte)(num >>> 8); - out[outOff] = (byte)num; - } - - /** - * Return the S-Box associated with SBoxName - * @param sBoxName name of the S-Box - * @return byte array representing the S-Box - */ - public static byte[] getSBox( - String sBoxName) - { - byte[] sBox = (byte[])sBoxes.get(Strings.toUpperCase(sBoxName)); - - if (sBox == null) - { - throw new IllegalArgumentException("Unknown S-Box - possible types: " - + "\"Default\", \"E-Test\", \"E-A\", \"E-B\", \"E-C\", \"E-D\", \"D-Test\", \"D-A\"."); - } - - return Arrays.clone(sBox); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/Grain128Engine.java b/core/src/main/java/org/bouncycastle/crypto/engines/Grain128Engine.java deleted file mode 100644 index f5ecb75c..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/Grain128Engine.java +++ /dev/null @@ -1,304 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.StreamCipher; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.ParametersWithIV; - -/** - * Implementation of Martin Hell's, Thomas Johansson's and Willi Meier's stream - * cipher, Grain-128. - */ -public class Grain128Engine - implements StreamCipher -{ - - /** - * Constants - */ - private static final int STATE_SIZE = 4; - - /** - * Variables to hold the state of the engine during encryption and - * decryption - */ - private byte[] workingKey; - private byte[] workingIV; - private byte[] out; - private int[] lfsr; - private int[] nfsr; - private int output; - private int index = 4; - - private boolean initialised = false; - - public String getAlgorithmName() - { - return "Grain-128"; - } - - /** - * Initialize a Grain-128 cipher. - * - * @param forEncryption Whether or not we are for encryption. - * @param params The parameters required to set up the cipher. - * @throws IllegalArgumentException If the params argument is inappropriate. - */ - public void init(boolean forEncryption, CipherParameters params) - throws IllegalArgumentException - { - /** - * Grain encryption and decryption is completely symmetrical, so the - * 'forEncryption' is irrelevant. - */ - if (!(params instanceof ParametersWithIV)) - { - throw new IllegalArgumentException( - "Grain-128 Init parameters must include an IV"); - } - - ParametersWithIV ivParams = (ParametersWithIV)params; - - byte[] iv = ivParams.getIV(); - - if (iv == null || iv.length != 12) - { - throw new IllegalArgumentException( - "Grain-128 requires exactly 12 bytes of IV"); - } - - if (!(ivParams.getParameters() instanceof KeyParameter)) - { - throw new IllegalArgumentException( - "Grain-128 Init parameters must include a key"); - } - - KeyParameter key = (KeyParameter)ivParams.getParameters(); - - /** - * Initialize variables. - */ - workingIV = new byte[key.getKey().length]; - workingKey = new byte[key.getKey().length]; - lfsr = new int[STATE_SIZE]; - nfsr = new int[STATE_SIZE]; - out = new byte[4]; - - System.arraycopy(iv, 0, workingIV, 0, iv.length); - System.arraycopy(key.getKey(), 0, workingKey, 0, key.getKey().length); - - reset(); - } - - /** - * 256 clocks initialization phase. - */ - private void initGrain() - { - for (int i = 0; i < 8; i++) - { - output = getOutput(); - nfsr = shift(nfsr, getOutputNFSR() ^ lfsr[0] ^ output); - lfsr = shift(lfsr, getOutputLFSR() ^ output); - } - initialised = true; - } - - /** - * Get output from non-linear function g(x). - * - * @return Output from NFSR. - */ - private int getOutputNFSR() - { - int b0 = nfsr[0]; - int b3 = nfsr[0] >>> 3 | nfsr[1] << 29; - int b11 = nfsr[0] >>> 11 | nfsr[1] << 21; - int b13 = nfsr[0] >>> 13 | nfsr[1] << 19; - int b17 = nfsr[0] >>> 17 | nfsr[1] << 15; - int b18 = nfsr[0] >>> 18 | nfsr[1] << 14; - int b26 = nfsr[0] >>> 26 | nfsr[1] << 6; - int b27 = nfsr[0] >>> 27 | nfsr[1] << 5; - int b40 = nfsr[1] >>> 8 | nfsr[2] << 24; - int b48 = nfsr[1] >>> 16 | nfsr[2] << 16; - int b56 = nfsr[1] >>> 24 | nfsr[2] << 8; - int b59 = nfsr[1] >>> 27 | nfsr[2] << 5; - int b61 = nfsr[1] >>> 29 | nfsr[2] << 3; - int b65 = nfsr[2] >>> 1 | nfsr[3] << 31; - int b67 = nfsr[2] >>> 3 | nfsr[3] << 29; - int b68 = nfsr[2] >>> 4 | nfsr[3] << 28; - int b84 = nfsr[2] >>> 20 | nfsr[3] << 12; - int b91 = nfsr[2] >>> 27 | nfsr[3] << 5; - int b96 = nfsr[3]; - - return b0 ^ b26 ^ b56 ^ b91 ^ b96 ^ b3 & b67 ^ b11 & b13 ^ b17 & b18 - ^ b27 & b59 ^ b40 & b48 ^ b61 & b65 ^ b68 & b84; - } - - /** - * Get output from linear function f(x). - * - * @return Output from LFSR. - */ - private int getOutputLFSR() - { - int s0 = lfsr[0]; - int s7 = lfsr[0] >>> 7 | lfsr[1] << 25; - int s38 = lfsr[1] >>> 6 | lfsr[2] << 26; - int s70 = lfsr[2] >>> 6 | lfsr[3] << 26; - int s81 = lfsr[2] >>> 17 | lfsr[3] << 15; - int s96 = lfsr[3]; - - return s0 ^ s7 ^ s38 ^ s70 ^ s81 ^ s96; - } - - /** - * Get output from output function h(x). - * - * @return Output from h(x). - */ - private int getOutput() - { - int b2 = nfsr[0] >>> 2 | nfsr[1] << 30; - int b12 = nfsr[0] >>> 12 | nfsr[1] << 20; - int b15 = nfsr[0] >>> 15 | nfsr[1] << 17; - int b36 = nfsr[1] >>> 4 | nfsr[2] << 28; - int b45 = nfsr[1] >>> 13 | nfsr[2] << 19; - int b64 = nfsr[2]; - int b73 = nfsr[2] >>> 9 | nfsr[3] << 23; - int b89 = nfsr[2] >>> 25 | nfsr[3] << 7; - int b95 = nfsr[2] >>> 31 | nfsr[3] << 1; - int s8 = lfsr[0] >>> 8 | lfsr[1] << 24; - int s13 = lfsr[0] >>> 13 | lfsr[1] << 19; - int s20 = lfsr[0] >>> 20 | lfsr[1] << 12; - int s42 = lfsr[1] >>> 10 | lfsr[2] << 22; - int s60 = lfsr[1] >>> 28 | lfsr[2] << 4; - int s79 = lfsr[2] >>> 15 | lfsr[3] << 17; - int s93 = lfsr[2] >>> 29 | lfsr[3] << 3; - int s95 = lfsr[2] >>> 31 | lfsr[3] << 1; - - return b12 & s8 ^ s13 & s20 ^ b95 & s42 ^ s60 & s79 ^ b12 & b95 & s95 ^ s93 - ^ b2 ^ b15 ^ b36 ^ b45 ^ b64 ^ b73 ^ b89; - } - - /** - * Shift array 32 bits and add val to index.length - 1. - * - * @param array The array to shift. - * @param val The value to shift in. - * @return The shifted array with val added to index.length - 1. - */ - private int[] shift(int[] array, int val) - { - array[0] = array[1]; - array[1] = array[2]; - array[2] = array[3]; - array[3] = val; - - return array; - } - - /** - * Set keys, reset cipher. - * - * @param keyBytes The key. - * @param ivBytes The IV. - */ - private void setKey(byte[] keyBytes, byte[] ivBytes) - { - ivBytes[12] = (byte)0xFF; - ivBytes[13] = (byte)0xFF; - ivBytes[14] = (byte)0xFF; - ivBytes[15] = (byte)0xFF; - workingKey = keyBytes; - workingIV = ivBytes; - - /** - * Load NFSR and LFSR - */ - int j = 0; - for (int i = 0; i < nfsr.length; i++) - { - nfsr[i] = ((workingKey[j + 3]) << 24) | ((workingKey[j + 2]) << 16) - & 0x00FF0000 | ((workingKey[j + 1]) << 8) & 0x0000FF00 - | ((workingKey[j]) & 0x000000FF); - - lfsr[i] = ((workingIV[j + 3]) << 24) | ((workingIV[j + 2]) << 16) - & 0x00FF0000 | ((workingIV[j + 1]) << 8) & 0x0000FF00 - | ((workingIV[j]) & 0x000000FF); - j += 4; - } - } - - public int processBytes(byte[] in, int inOff, int len, byte[] out, - int outOff) - throws DataLengthException - { - if (!initialised) - { - throw new IllegalStateException(getAlgorithmName() - + " not initialised"); - } - - if ((inOff + len) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + len) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - for (int i = 0; i < len; i++) - { - out[outOff + i] = (byte)(in[inOff + i] ^ getKeyStream()); - } - - return len; - } - - public void reset() - { - index = 4; - setKey(workingKey, workingIV); - initGrain(); - } - - /** - * Run Grain one round(i.e. 32 bits). - */ - private void oneRound() - { - output = getOutput(); - out[0] = (byte)output; - out[1] = (byte)(output >> 8); - out[2] = (byte)(output >> 16); - out[3] = (byte)(output >> 24); - - nfsr = shift(nfsr, getOutputNFSR() ^ lfsr[0]); - lfsr = shift(lfsr, getOutputLFSR()); - } - - public byte returnByte(byte in) - { - if (!initialised) - { - throw new IllegalStateException(getAlgorithmName() - + " not initialised"); - } - return (byte)(in ^ getKeyStream()); - } - - private byte getKeyStream() - { - if (index > 3) - { - oneRound(); - index = 0; - } - return out[index++]; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/Grainv1Engine.java b/core/src/main/java/org/bouncycastle/crypto/engines/Grainv1Engine.java deleted file mode 100644 index 77f52d1c..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/Grainv1Engine.java +++ /dev/null @@ -1,290 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.StreamCipher; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.ParametersWithIV; - -/** - * Implementation of Martin Hell's, Thomas Johansson's and Willi Meier's stream - * cipher, Grain v1. - */ -public class Grainv1Engine - implements StreamCipher -{ - - /** - * Constants - */ - private static final int STATE_SIZE = 5; - - /** - * Variables to hold the state of the engine during encryption and - * decryption - */ - private byte[] workingKey; - private byte[] workingIV; - private byte[] out; - private int[] lfsr; - private int[] nfsr; - private int output; - private int index = 2; - - private boolean initialised = false; - - public String getAlgorithmName() - { - return "Grain v1"; - } - - /** - * Initialize a Grain v1 cipher. - * - * @param forEncryption Whether or not we are for encryption. - * @param params The parameters required to set up the cipher. - * @throws IllegalArgumentException If the params argument is inappropriate. - */ - public void init(boolean forEncryption, CipherParameters params) - throws IllegalArgumentException - { - /** - * Grain encryption and decryption is completely symmetrical, so the - * 'forEncryption' is irrelevant. - */ - if (!(params instanceof ParametersWithIV)) - { - throw new IllegalArgumentException( - "Grain v1 Init parameters must include an IV"); - } - - ParametersWithIV ivParams = (ParametersWithIV)params; - - byte[] iv = ivParams.getIV(); - - if (iv == null || iv.length != 8) - { - throw new IllegalArgumentException( - "Grain v1 requires exactly 8 bytes of IV"); - } - - if (!(ivParams.getParameters() instanceof KeyParameter)) - { - throw new IllegalArgumentException( - "Grain v1 Init parameters must include a key"); - } - - KeyParameter key = (KeyParameter)ivParams.getParameters(); - - /** - * Initialize variables. - */ - workingIV = new byte[key.getKey().length]; - workingKey = new byte[key.getKey().length]; - lfsr = new int[STATE_SIZE]; - nfsr = new int[STATE_SIZE]; - out = new byte[2]; - - System.arraycopy(iv, 0, workingIV, 0, iv.length); - System.arraycopy(key.getKey(), 0, workingKey, 0, key.getKey().length); - - reset(); - } - - /** - * 160 clocks initialization phase. - */ - private void initGrain() - { - for (int i = 0; i < 10; i++) - { - output = getOutput(); - nfsr = shift(nfsr, getOutputNFSR() ^ lfsr[0] ^ output); - lfsr = shift(lfsr, getOutputLFSR() ^ output); - } - initialised = true; - } - - /** - * Get output from non-linear function g(x). - * - * @return Output from NFSR. - */ - private int getOutputNFSR() - { - int b0 = nfsr[0]; - int b9 = nfsr[0] >>> 9 | nfsr[1] << 7; - int b14 = nfsr[0] >>> 14 | nfsr[1] << 2; - int b15 = nfsr[0] >>> 15 | nfsr[1] << 1; - int b21 = nfsr[1] >>> 5 | nfsr[2] << 11; - int b28 = nfsr[1] >>> 12 | nfsr[2] << 4; - int b33 = nfsr[2] >>> 1 | nfsr[3] << 15; - int b37 = nfsr[2] >>> 5 | nfsr[3] << 11; - int b45 = nfsr[2] >>> 13 | nfsr[3] << 3; - int b52 = nfsr[3] >>> 4 | nfsr[4] << 12; - int b60 = nfsr[3] >>> 12 | nfsr[4] << 4; - int b62 = nfsr[3] >>> 14 | nfsr[4] << 2; - int b63 = nfsr[3] >>> 15 | nfsr[4] << 1; - - return (b62 ^ b60 ^ b52 ^ b45 ^ b37 ^ b33 ^ b28 ^ b21 ^ b14 - ^ b9 ^ b0 ^ b63 & b60 ^ b37 & b33 ^ b15 & b9 ^ b60 & b52 & b45 - ^ b33 & b28 & b21 ^ b63 & b45 & b28 & b9 ^ b60 & b52 & b37 - & b33 ^ b63 & b60 & b21 & b15 ^ b63 & b60 & b52 & b45 & b37 - ^ b33 & b28 & b21 & b15 & b9 ^ b52 & b45 & b37 & b33 & b28 - & b21) & 0x0000FFFF; - } - - /** - * Get output from linear function f(x). - * - * @return Output from LFSR. - */ - private int getOutputLFSR() - { - int s0 = lfsr[0]; - int s13 = lfsr[0] >>> 13 | lfsr[1] << 3; - int s23 = lfsr[1] >>> 7 | lfsr[2] << 9; - int s38 = lfsr[2] >>> 6 | lfsr[3] << 10; - int s51 = lfsr[3] >>> 3 | lfsr[4] << 13; - int s62 = lfsr[3] >>> 14 | lfsr[4] << 2; - - return (s0 ^ s13 ^ s23 ^ s38 ^ s51 ^ s62) & 0x0000FFFF; - } - - /** - * Get output from output function h(x). - * - * @return Output from h(x). - */ - private int getOutput() - { - int b1 = nfsr[0] >>> 1 | nfsr[1] << 15; - int b2 = nfsr[0] >>> 2 | nfsr[1] << 14; - int b4 = nfsr[0] >>> 4 | nfsr[1] << 12; - int b10 = nfsr[0] >>> 10 | nfsr[1] << 6; - int b31 = nfsr[1] >>> 15 | nfsr[2] << 1; - int b43 = nfsr[2] >>> 11 | nfsr[3] << 5; - int b56 = nfsr[3] >>> 8 | nfsr[4] << 8; - int b63 = nfsr[3] >>> 15 | nfsr[4] << 1; - int s3 = lfsr[0] >>> 3 | lfsr[1] << 13; - int s25 = lfsr[1] >>> 9 | lfsr[2] << 7; - int s46 = lfsr[2] >>> 14 | lfsr[3] << 2; - int s64 = lfsr[4]; - - return (s25 ^ b63 ^ s3 & s64 ^ s46 & s64 ^ s64 & b63 ^ s3 - & s25 & s46 ^ s3 & s46 & s64 ^ s3 & s46 & b63 ^ s25 & s46 & b63 ^ s46 - & s64 & b63 ^ b1 ^ b2 ^ b4 ^ b10 ^ b31 ^ b43 ^ b56) & 0x0000FFFF; - } - - /** - * Shift array 16 bits and add val to index.length - 1. - * - * @param array The array to shift. - * @param val The value to shift in. - * @return The shifted array with val added to index.length - 1. - */ - private int[] shift(int[] array, int val) - { - array[0] = array[1]; - array[1] = array[2]; - array[2] = array[3]; - array[3] = array[4]; - array[4] = val; - - return array; - } - - /** - * Set keys, reset cipher. - * - * @param keyBytes The key. - * @param ivBytes The IV. - */ - private void setKey(byte[] keyBytes, byte[] ivBytes) - { - ivBytes[8] = (byte)0xFF; - ivBytes[9] = (byte)0xFF; - workingKey = keyBytes; - workingIV = ivBytes; - - /** - * Load NFSR and LFSR - */ - int j = 0; - for (int i = 0; i < nfsr.length; i++) - { - nfsr[i] = (workingKey[j + 1] << 8 | workingKey[j] & 0xFF) & 0x0000FFFF; - lfsr[i] = (workingIV[j + 1] << 8 | workingIV[j] & 0xFF) & 0x0000FFFF; - j += 2; - } - } - - public int processBytes(byte[] in, int inOff, int len, byte[] out, - int outOff) - throws DataLengthException - { - if (!initialised) - { - throw new IllegalStateException(getAlgorithmName() - + " not initialised"); - } - - if ((inOff + len) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + len) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - for (int i = 0; i < len; i++) - { - out[outOff + i] = (byte)(in[inOff + i] ^ getKeyStream()); - } - - return len; - } - - public void reset() - { - index = 2; - setKey(workingKey, workingIV); - initGrain(); - } - - /** - * Run Grain one round(i.e. 16 bits). - */ - private void oneRound() - { - output = getOutput(); - out[0] = (byte)output; - out[1] = (byte)(output >> 8); - - nfsr = shift(nfsr, getOutputNFSR() ^ lfsr[0]); - lfsr = shift(lfsr, getOutputLFSR()); - } - - public byte returnByte(byte in) - { - if (!initialised) - { - throw new IllegalStateException(getAlgorithmName() - + " not initialised"); - } - return (byte)(in ^ getKeyStream()); - } - - private byte getKeyStream() - { - if (index > 1) - { - oneRound(); - index = 0; - } - return out[index++]; - } -}
\ No newline at end of file diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/HC128Engine.java b/core/src/main/java/org/bouncycastle/crypto/engines/HC128Engine.java deleted file mode 100644 index 7d18d623..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/HC128Engine.java +++ /dev/null @@ -1,259 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.StreamCipher; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.ParametersWithIV; - -/** - * HC-128 is a software-efficient stream cipher created by Hongjun Wu. It - * generates keystream from a 128-bit secret key and a 128-bit initialization - * vector. - * <p> - * http://www.ecrypt.eu.org/stream/p3ciphers/hc/hc128_p3.pdf - * </p><p> - * It is a third phase candidate in the eStream contest, and is patent-free. - * No attacks are known as of today (April 2007). See - * - * http://www.ecrypt.eu.org/stream/hcp3.html - * </p> - */ -public class HC128Engine - implements StreamCipher -{ - private int[] p = new int[512]; - private int[] q = new int[512]; - private int cnt = 0; - - private static int f1(int x) - { - return rotateRight(x, 7) ^ rotateRight(x, 18) - ^ (x >>> 3); - } - - private static int f2(int x) - { - return rotateRight(x, 17) ^ rotateRight(x, 19) - ^ (x >>> 10); - } - - private int g1(int x, int y, int z) - { - return (rotateRight(x, 10) ^ rotateRight(z, 23)) - + rotateRight(y, 8); - } - - private int g2(int x, int y, int z) - { - return (rotateLeft(x, 10) ^ rotateLeft(z, 23)) + rotateLeft(y, 8); - } - - private static int rotateLeft( - int x, - int bits) - { - return (x << bits) | (x >>> -bits); - } - - private static int rotateRight( - int x, - int bits) - { - return (x >>> bits) | (x << -bits); - } - - private int h1(int x) - { - return q[x & 0xFF] + q[((x >> 16) & 0xFF) + 256]; - } - - private int h2(int x) - { - return p[x & 0xFF] + p[((x >> 16) & 0xFF) + 256]; - } - - private static int mod1024(int x) - { - return x & 0x3FF; - } - - private static int mod512(int x) - { - return x & 0x1FF; - } - - private static int dim(int x, int y) - { - return mod512(x - y); - } - - private int step() - { - int j = mod512(cnt); - int ret; - if (cnt < 512) - { - p[j] += g1(p[dim(j, 3)], p[dim(j, 10)], p[dim(j, 511)]); - ret = h1(p[dim(j, 12)]) ^ p[j]; - } - else - { - q[j] += g2(q[dim(j, 3)], q[dim(j, 10)], q[dim(j, 511)]); - ret = h2(q[dim(j, 12)]) ^ q[j]; - } - cnt = mod1024(cnt + 1); - return ret; - } - - private byte[] key, iv; - private boolean initialised; - - private void init() - { - if (key.length != 16) - { - throw new java.lang.IllegalArgumentException( - "The key must be 128 bits long"); - } - - idx = 0; - cnt = 0; - - int[] w = new int[1280]; - - for (int i = 0; i < 16; i++) - { - w[i >> 2] |= (key[i] & 0xff) << (8 * (i & 0x3)); - } - System.arraycopy(w, 0, w, 4, 4); - - for (int i = 0; i < iv.length && i < 16; i++) - { - w[(i >> 2) + 8] |= (iv[i] & 0xff) << (8 * (i & 0x3)); - } - System.arraycopy(w, 8, w, 12, 4); - - for (int i = 16; i < 1280; i++) - { - w[i] = f2(w[i - 2]) + w[i - 7] + f1(w[i - 15]) + w[i - 16] + i; - } - - System.arraycopy(w, 256, p, 0, 512); - System.arraycopy(w, 768, q, 0, 512); - - for (int i = 0; i < 512; i++) - { - p[i] = step(); - } - for (int i = 0; i < 512; i++) - { - q[i] = step(); - } - - cnt = 0; - } - - public String getAlgorithmName() - { - return "HC-128"; - } - - /** - * Initialise a HC-128 cipher. - * - * @param forEncryption whether or not we are for encryption. Irrelevant, as - * encryption and decryption are the same. - * @param params the parameters required to set up the cipher. - * @throws IllegalArgumentException if the params argument is - * inappropriate (ie. the key is not 128 bit long). - */ - public void init(boolean forEncryption, CipherParameters params) - throws IllegalArgumentException - { - CipherParameters keyParam = params; - - if (params instanceof ParametersWithIV) - { - iv = ((ParametersWithIV)params).getIV(); - keyParam = ((ParametersWithIV)params).getParameters(); - } - else - { - iv = new byte[0]; - } - - if (keyParam instanceof KeyParameter) - { - key = ((KeyParameter)keyParam).getKey(); - init(); - } - else - { - throw new IllegalArgumentException( - "Invalid parameter passed to HC128 init - " - + params.getClass().getName()); - } - - initialised = true; - } - - private byte[] buf = new byte[4]; - private int idx = 0; - - private byte getByte() - { - if (idx == 0) - { - int step = step(); - buf[0] = (byte)(step & 0xFF); - step >>= 8; - buf[1] = (byte)(step & 0xFF); - step >>= 8; - buf[2] = (byte)(step & 0xFF); - step >>= 8; - buf[3] = (byte)(step & 0xFF); - } - byte ret = buf[idx]; - idx = idx + 1 & 0x3; - return ret; - } - - public int processBytes(byte[] in, int inOff, int len, byte[] out, - int outOff) throws DataLengthException - { - if (!initialised) - { - throw new IllegalStateException(getAlgorithmName() - + " not initialised"); - } - - if ((inOff + len) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + len) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - for (int i = 0; i < len; i++) - { - out[outOff + i] = (byte)(in[inOff + i] ^ getByte()); - } - - return len; - } - - public void reset() - { - init(); - } - - public byte returnByte(byte in) - { - return (byte)(in ^ getByte()); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/HC256Engine.java b/core/src/main/java/org/bouncycastle/crypto/engines/HC256Engine.java deleted file mode 100644 index a74164ae..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/HC256Engine.java +++ /dev/null @@ -1,246 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.StreamCipher; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.ParametersWithIV; - -/** - * HC-256 is a software-efficient stream cipher created by Hongjun Wu. It - * generates keystream from a 256-bit secret key and a 256-bit initialization - * vector. - * <p> - * http://www.ecrypt.eu.org/stream/p3ciphers/hc/hc256_p3.pdf - * </p><p> - * Its brother, HC-128, is a third phase candidate in the eStream contest. - * The algorithm is patent-free. No attacks are known as of today (April 2007). - * See - * - * http://www.ecrypt.eu.org/stream/hcp3.html - * </p> - */ -public class HC256Engine - implements StreamCipher -{ - private int[] p = new int[1024]; - private int[] q = new int[1024]; - private int cnt = 0; - - private int step() - { - int j = cnt & 0x3FF; - int ret; - if (cnt < 1024) - { - int x = p[(j - 3 & 0x3FF)]; - int y = p[(j - 1023 & 0x3FF)]; - p[j] += p[(j - 10 & 0x3FF)] - + (rotateRight(x, 10) ^ rotateRight(y, 23)) - + q[((x ^ y) & 0x3FF)]; - - x = p[(j - 12 & 0x3FF)]; - ret = (q[x & 0xFF] + q[((x >> 8) & 0xFF) + 256] - + q[((x >> 16) & 0xFF) + 512] + q[((x >> 24) & 0xFF) + 768]) - ^ p[j]; - } - else - { - int x = q[(j - 3 & 0x3FF)]; - int y = q[(j - 1023 & 0x3FF)]; - q[j] += q[(j - 10 & 0x3FF)] - + (rotateRight(x, 10) ^ rotateRight(y, 23)) - + p[((x ^ y) & 0x3FF)]; - - x = q[(j - 12 & 0x3FF)]; - ret = (p[x & 0xFF] + p[((x >> 8) & 0xFF) + 256] - + p[((x >> 16) & 0xFF) + 512] + p[((x >> 24) & 0xFF) + 768]) - ^ q[j]; - } - cnt = cnt + 1 & 0x7FF; - return ret; - } - - private byte[] key, iv; - private boolean initialised; - - private void init() - { - if (key.length != 32 && key.length != 16) - { - throw new IllegalArgumentException( - "The key must be 128/256 bits long"); - } - - if (iv.length < 16) - { - throw new IllegalArgumentException( - "The IV must be at least 128 bits long"); - } - - if (key.length != 32) - { - byte[] k = new byte[32]; - - System.arraycopy(key, 0, k, 0, key.length); - System.arraycopy(key, 0, k, 16, key.length); - - key = k; - } - - if (iv.length < 32) - { - byte[] newIV = new byte[32]; - - System.arraycopy(iv, 0, newIV, 0, iv.length); - System.arraycopy(iv, 0, newIV, iv.length, newIV.length - iv.length); - - iv = newIV; - } - - idx = 0; - cnt = 0; - - int[] w = new int[2560]; - - for (int i = 0; i < 32; i++) - { - w[i >> 2] |= (key[i] & 0xff) << (8 * (i & 0x3)); - } - - for (int i = 0; i < 32; i++) - { - w[(i >> 2) + 8] |= (iv[i] & 0xff) << (8 * (i & 0x3)); - } - - for (int i = 16; i < 2560; i++) - { - int x = w[i - 2]; - int y = w[i - 15]; - w[i] = (rotateRight(x, 17) ^ rotateRight(x, 19) ^ (x >>> 10)) - + w[i - 7] - + (rotateRight(y, 7) ^ rotateRight(y, 18) ^ (y >>> 3)) - + w[i - 16] + i; - } - - System.arraycopy(w, 512, p, 0, 1024); - System.arraycopy(w, 1536, q, 0, 1024); - - for (int i = 0; i < 4096; i++) - { - step(); - } - - cnt = 0; - } - - public String getAlgorithmName() - { - return "HC-256"; - } - - /** - * Initialise a HC-256 cipher. - * - * @param forEncryption whether or not we are for encryption. Irrelevant, as - * encryption and decryption are the same. - * @param params the parameters required to set up the cipher. - * @throws IllegalArgumentException if the params argument is - * inappropriate (ie. the key is not 256 bit long). - */ - public void init(boolean forEncryption, CipherParameters params) - throws IllegalArgumentException - { - CipherParameters keyParam = params; - - if (params instanceof ParametersWithIV) - { - iv = ((ParametersWithIV)params).getIV(); - keyParam = ((ParametersWithIV)params).getParameters(); - } - else - { - iv = new byte[0]; - } - - if (keyParam instanceof KeyParameter) - { - key = ((KeyParameter)keyParam).getKey(); - init(); - } - else - { - throw new IllegalArgumentException( - "Invalid parameter passed to HC256 init - " - + params.getClass().getName()); - } - - initialised = true; - } - - private byte[] buf = new byte[4]; - private int idx = 0; - - private byte getByte() - { - if (idx == 0) - { - int step = step(); - buf[0] = (byte)(step & 0xFF); - step >>= 8; - buf[1] = (byte)(step & 0xFF); - step >>= 8; - buf[2] = (byte)(step & 0xFF); - step >>= 8; - buf[3] = (byte)(step & 0xFF); - } - byte ret = buf[idx]; - idx = idx + 1 & 0x3; - return ret; - } - - public int processBytes(byte[] in, int inOff, int len, byte[] out, - int outOff) throws DataLengthException - { - if (!initialised) - { - throw new IllegalStateException(getAlgorithmName() - + " not initialised"); - } - - if ((inOff + len) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + len) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - for (int i = 0; i < len; i++) - { - out[outOff + i] = (byte)(in[inOff + i] ^ getByte()); - } - - return len; - } - - public void reset() - { - init(); - } - - public byte returnByte(byte in) - { - return (byte)(in ^ getByte()); - } - - private static int rotateRight( - int x, - int bits) - { - return (x >>> bits) | (x << -bits); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/IDEAEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/IDEAEngine.java deleted file mode 100644 index 08cf738e..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/IDEAEngine.java +++ /dev/null @@ -1,357 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.params.KeyParameter; - -/** - * A class that provides a basic International Data Encryption Algorithm (IDEA) engine. - * <p> - * This implementation is based on the "HOWTO: INTERNATIONAL DATA ENCRYPTION ALGORITHM" - * implementation summary by Fauzan Mirza (F.U.Mirza@sheffield.ac.uk). (barring 1 typo at the - * end of the mulinv function!). - * <p> - * It can be found at ftp://ftp.funet.fi/pub/crypt/cryptography/symmetric/idea/ - * <p> - * Note: This algorithm was patented in the USA, Japan and Europe. These patents expired in 2011/2012. - */ -public class IDEAEngine - implements BlockCipher -{ - protected static final int BLOCK_SIZE = 8; - - private int[] workingKey = null; - - /** - * standard constructor. - */ - public IDEAEngine() - { - } - - /** - * initialise an IDEA cipher. - * - * @param forEncryption whether or not we are for encryption. - * @param params the parameters required to set up the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean forEncryption, - CipherParameters params) - { - if (params instanceof KeyParameter) - { - workingKey = generateWorkingKey(forEncryption, - ((KeyParameter)params).getKey()); - return; - } - - throw new IllegalArgumentException("invalid parameter passed to IDEA init - " + params.getClass().getName()); - } - - public String getAlgorithmName() - { - return "IDEA"; - } - - public int getBlockSize() - { - return BLOCK_SIZE; - } - - public int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - if (workingKey == null) - { - throw new IllegalStateException("IDEA engine not initialised"); - } - - if ((inOff + BLOCK_SIZE) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + BLOCK_SIZE) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - ideaFunc(workingKey, in, inOff, out, outOff); - - return BLOCK_SIZE; - } - - public void reset() - { - } - - private static final int MASK = 0xffff; - private static final int BASE = 0x10001; - - private int bytesToWord( - byte[] in, - int inOff) - { - return ((in[inOff] << 8) & 0xff00) + (in[inOff + 1] & 0xff); - } - - private void wordToBytes( - int word, - byte[] out, - int outOff) - { - out[outOff] = (byte)(word >>> 8); - out[outOff + 1] = (byte)word; - } - - /** - * return x = x * y where the multiplication is done modulo - * 65537 (0x10001) (as defined in the IDEA specification) and - * a zero input is taken to be 65536 (0x10000). - * - * @param x the x value - * @param y the y value - * @return x = x * y - */ - private int mul( - int x, - int y) - { - if (x == 0) - { - x = (BASE - y); - } - else if (y == 0) - { - x = (BASE - x); - } - else - { - int p = x * y; - - y = p & MASK; - x = p >>> 16; - x = y - x + ((y < x) ? 1 : 0); - } - - return x & MASK; - } - - private void ideaFunc( - int[] workingKey, - byte[] in, - int inOff, - byte[] out, - int outOff) - { - int x0, x1, x2, x3, t0, t1; - int keyOff = 0; - - x0 = bytesToWord(in, inOff); - x1 = bytesToWord(in, inOff + 2); - x2 = bytesToWord(in, inOff + 4); - x3 = bytesToWord(in, inOff + 6); - - for (int round = 0; round < 8; round++) - { - x0 = mul(x0, workingKey[keyOff++]); - x1 += workingKey[keyOff++]; - x1 &= MASK; - x2 += workingKey[keyOff++]; - x2 &= MASK; - x3 = mul(x3, workingKey[keyOff++]); - - t0 = x1; - t1 = x2; - x2 ^= x0; - x1 ^= x3; - - x2 = mul(x2, workingKey[keyOff++]); - x1 += x2; - x1 &= MASK; - - x1 = mul(x1, workingKey[keyOff++]); - x2 += x1; - x2 &= MASK; - - x0 ^= x1; - x3 ^= x2; - x1 ^= t1; - x2 ^= t0; - } - - wordToBytes(mul(x0, workingKey[keyOff++]), out, outOff); - wordToBytes(x2 + workingKey[keyOff++], out, outOff + 2); /* NB: Order */ - wordToBytes(x1 + workingKey[keyOff++], out, outOff + 4); - wordToBytes(mul(x3, workingKey[keyOff]), out, outOff + 6); - } - - /** - * The following function is used to expand the user key to the encryption - * subkey. The first 16 bytes are the user key, and the rest of the subkey - * is calculated by rotating the previous 16 bytes by 25 bits to the left, - * and so on until the subkey is completed. - */ - private int[] expandKey( - byte[] uKey) - { - int[] key = new int[52]; - - if (uKey.length < 16) - { - byte[] tmp = new byte[16]; - - System.arraycopy(uKey, 0, tmp, tmp.length - uKey.length, uKey.length); - - uKey = tmp; - } - - for (int i = 0; i < 8; i++) - { - key[i] = bytesToWord(uKey, i * 2); - } - - for (int i = 8; i < 52; i++) - { - if ((i & 7) < 6) - { - key[i] = ((key[i - 7] & 127) << 9 | key[i - 6] >> 7) & MASK; - } - else if ((i & 7) == 6) - { - key[i] = ((key[i - 7] & 127) << 9 | key[i - 14] >> 7) & MASK; - } - else - { - key[i] = ((key[i - 15] & 127) << 9 | key[i - 14] >> 7) & MASK; - } - } - - return key; - } - - /** - * This function computes multiplicative inverse using Euclid's Greatest - * Common Divisor algorithm. Zero and one are self inverse. - * <p> - * i.e. x * mulInv(x) == 1 (modulo BASE) - */ - private int mulInv( - int x) - { - int t0, t1, q, y; - - if (x < 2) - { - return x; - } - - t0 = 1; - t1 = BASE / x; - y = BASE % x; - - while (y != 1) - { - q = x / y; - x = x % y; - t0 = (t0 + (t1 * q)) & MASK; - if (x == 1) - { - return t0; - } - q = y / x; - y = y % x; - t1 = (t1 + (t0 * q)) & MASK; - } - - return (1 - t1) & MASK; - } - - /** - * Return the additive inverse of x. - * <p> - * i.e. x + addInv(x) == 0 - */ - int addInv( - int x) - { - return (0 - x) & MASK; - } - - /** - * The function to invert the encryption subkey to the decryption subkey. - * It also involves the multiplicative inverse and the additive inverse functions. - */ - private int[] invertKey( - int[] inKey) - { - int t1, t2, t3, t4; - int p = 52; /* We work backwards */ - int[] key = new int[52]; - int inOff = 0; - - t1 = mulInv(inKey[inOff++]); - t2 = addInv(inKey[inOff++]); - t3 = addInv(inKey[inOff++]); - t4 = mulInv(inKey[inOff++]); - key[--p] = t4; - key[--p] = t3; - key[--p] = t2; - key[--p] = t1; - - for (int round = 1; round < 8; round++) - { - t1 = inKey[inOff++]; - t2 = inKey[inOff++]; - key[--p] = t2; - key[--p] = t1; - - t1 = mulInv(inKey[inOff++]); - t2 = addInv(inKey[inOff++]); - t3 = addInv(inKey[inOff++]); - t4 = mulInv(inKey[inOff++]); - key[--p] = t4; - key[--p] = t2; /* NB: Order */ - key[--p] = t3; - key[--p] = t1; - } - - t1 = inKey[inOff++]; - t2 = inKey[inOff++]; - key[--p] = t2; - key[--p] = t1; - - t1 = mulInv(inKey[inOff++]); - t2 = addInv(inKey[inOff++]); - t3 = addInv(inKey[inOff++]); - t4 = mulInv(inKey[inOff]); - key[--p] = t4; - key[--p] = t3; - key[--p] = t2; - key[--p] = t1; - - return key; - } - - private int[] generateWorkingKey( - boolean forEncryption, - byte[] userKey) - { - if (forEncryption) - { - return expandKey(userKey); - } - else - { - return invertKey(expandKey(userKey)); - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/IESEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/IESEngine.java deleted file mode 100755 index 9914bd47..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/IESEngine.java +++ /dev/null @@ -1,438 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import java.io.ByteArrayInputStream; -import java.io.IOException; -import java.math.BigInteger; - -import org.bouncycastle.crypto.BasicAgreement; -import org.bouncycastle.crypto.BufferedBlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DerivationFunction; -import org.bouncycastle.crypto.EphemeralKeyPair; -import org.bouncycastle.crypto.InvalidCipherTextException; -import org.bouncycastle.crypto.KeyParser; -import org.bouncycastle.crypto.Mac; -import org.bouncycastle.crypto.generators.EphemeralKeyPairGenerator; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.params.IESParameters; -import org.bouncycastle.crypto.params.IESWithCipherParameters; -import org.bouncycastle.crypto.params.KDFParameters; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.ParametersWithIV; -import org.bouncycastle.util.Arrays; -import org.bouncycastle.util.BigIntegers; -import org.bouncycastle.util.Pack; - -/** - * Support class for constructing integrated encryption ciphers - * for doing basic message exchanges on top of key agreement ciphers. - * Follows the description given in IEEE Std 1363a. - */ -public class IESEngine -{ - BasicAgreement agree; - DerivationFunction kdf; - Mac mac; - BufferedBlockCipher cipher; - byte[] macBuf; - - boolean forEncryption; - CipherParameters privParam, pubParam; - IESParameters param; - - byte[] V; - private EphemeralKeyPairGenerator keyPairGenerator; - private KeyParser keyParser; - private byte[] IV; - - /** - * set up for use with stream mode, where the key derivation function - * is used to provide a stream of bytes to xor with the message. - * - * @param agree the key agreement used as the basis for the encryption - * @param kdf the key derivation function used for byte generation - * @param mac the message authentication code generator for the message - */ - public IESEngine( - BasicAgreement agree, - DerivationFunction kdf, - Mac mac) - { - this.agree = agree; - this.kdf = kdf; - this.mac = mac; - this.macBuf = new byte[mac.getMacSize()]; - this.cipher = null; - } - - - /** - * set up for use in conjunction with a block cipher to handle the - * message. - * - * @param agree the key agreement used as the basis for the encryption - * @param kdf the key derivation function used for byte generation - * @param mac the message authentication code generator for the message - * @param cipher the cipher to used for encrypting the message - */ - public IESEngine( - BasicAgreement agree, - DerivationFunction kdf, - Mac mac, - BufferedBlockCipher cipher) - { - this.agree = agree; - this.kdf = kdf; - this.mac = mac; - this.macBuf = new byte[mac.getMacSize()]; - this.cipher = cipher; - } - - /** - * Initialise the encryptor. - * - * @param forEncryption whether or not this is encryption/decryption. - * @param privParam our private key parameters - * @param pubParam the recipient's/sender's public key parameters - * @param params encoding and derivation parameters, may be wrapped to include an IV for an underlying block cipher. - */ - public void init( - boolean forEncryption, - CipherParameters privParam, - CipherParameters pubParam, - CipherParameters params) - { - this.forEncryption = forEncryption; - this.privParam = privParam; - this.pubParam = pubParam; - this.V = new byte[0]; - - extractParams(params); - } - - - /** - * Initialise the encryptor. - * - * @param publicKey the recipient's/sender's public key parameters - * @param params encoding and derivation parameters, may be wrapped to include an IV for an underlying block cipher. - * @param ephemeralKeyPairGenerator the ephemeral key pair generator to use. - */ - public void init(AsymmetricKeyParameter publicKey, CipherParameters params, EphemeralKeyPairGenerator ephemeralKeyPairGenerator) - { - this.forEncryption = true; - this.pubParam = publicKey; - this.keyPairGenerator = ephemeralKeyPairGenerator; - - extractParams(params); - } - - /** - * Initialise the encryptor. - * - * @param privateKey the recipient's private key. - * @param params encoding and derivation parameters, may be wrapped to include an IV for an underlying block cipher. - * @param publicKeyParser the parser for reading the ephemeral public key. - */ - public void init(AsymmetricKeyParameter privateKey, CipherParameters params, KeyParser publicKeyParser) - { - this.forEncryption = false; - this.privParam = privateKey; - this.keyParser = publicKeyParser; - - extractParams(params); - } - - private void extractParams(CipherParameters params) - { - if (params instanceof ParametersWithIV) - { - this.IV = ((ParametersWithIV)params).getIV(); - this.param = (IESParameters)((ParametersWithIV)params).getParameters(); - } - else - { - this.IV = null; - this.param = (IESParameters)params; - } - } - - public BufferedBlockCipher getCipher() - { - return cipher; - } - - public Mac getMac() - { - return mac; - } - - private byte[] encryptBlock( - byte[] in, - int inOff, - int inLen) - throws InvalidCipherTextException - { - byte[] C = null, K = null, K1 = null, K2 = null; - int len; - - if (cipher == null) - { - // Streaming mode. - K1 = new byte[inLen]; - K2 = new byte[param.getMacKeySize() / 8]; - K = new byte[K1.length + K2.length]; - - kdf.generateBytes(K, 0, K.length); - - if (V.length != 0) - { - System.arraycopy(K, 0, K2, 0, K2.length); - System.arraycopy(K, K2.length, K1, 0, K1.length); - } - else - { - System.arraycopy(K, 0, K1, 0, K1.length); - System.arraycopy(K, inLen, K2, 0, K2.length); - } - - C = new byte[inLen]; - - for (int i = 0; i != inLen; i++) - { - C[i] = (byte)(in[inOff + i] ^ K1[i]); - } - len = inLen; - } - else - { - // Block cipher mode. - K1 = new byte[((IESWithCipherParameters)param).getCipherKeySize() / 8]; - K2 = new byte[param.getMacKeySize() / 8]; - K = new byte[K1.length + K2.length]; - - kdf.generateBytes(K, 0, K.length); - System.arraycopy(K, 0, K1, 0, K1.length); - System.arraycopy(K, K1.length, K2, 0, K2.length); - - // If iv provided use it to initialise the cipher - if (IV != null) - { - cipher.init(true, new ParametersWithIV(new KeyParameter(K1), IV)); - } - else - { - cipher.init(true, new KeyParameter(K1)); - } - - C = new byte[cipher.getOutputSize(inLen)]; - len = cipher.processBytes(in, inOff, inLen, C, 0); - len += cipher.doFinal(C, len); - } - - - // Convert the length of the encoding vector into a byte array. - byte[] P2 = param.getEncodingV(); - byte[] L2 = new byte[4]; - if (V.length != 0 && P2 != null) - { - Pack.intToBigEndian(P2.length * 8, L2, 0); - } - - - // Apply the MAC. - byte[] T = new byte[mac.getMacSize()]; - - mac.init(new KeyParameter(K2)); - mac.update(C, 0, C.length); - if (P2 != null) - { - mac.update(P2, 0, P2.length); - } - if (V.length != 0) - { - mac.update(L2, 0, L2.length); - } - mac.doFinal(T, 0); - - - // Output the triple (V,C,T). - byte[] Output = new byte[V.length + len + T.length]; - System.arraycopy(V, 0, Output, 0, V.length); - System.arraycopy(C, 0, Output, V.length, len); - System.arraycopy(T, 0, Output, V.length + len, T.length); - return Output; - } - - private byte[] decryptBlock( - byte[] in_enc, - int inOff, - int inLen) - throws InvalidCipherTextException - { - byte[] M = null, K = null, K1 = null, K2 = null; - int len; - - // Ensure that the length of the input is greater than the MAC in bytes - if (inLen <= (param.getMacKeySize() / 8)) - { - throw new InvalidCipherTextException("Length of input must be greater than the MAC"); - } - - if (cipher == null) - { - // Streaming mode. - K1 = new byte[inLen - V.length - mac.getMacSize()]; - K2 = new byte[param.getMacKeySize() / 8]; - K = new byte[K1.length + K2.length]; - - kdf.generateBytes(K, 0, K.length); - - if (V.length != 0) - { - System.arraycopy(K, 0, K2, 0, K2.length); - System.arraycopy(K, K2.length, K1, 0, K1.length); - } - else - { - System.arraycopy(K, 0, K1, 0, K1.length); - System.arraycopy(K, K1.length, K2, 0, K2.length); - } - - M = new byte[K1.length]; - - for (int i = 0; i != K1.length; i++) - { - M[i] = (byte)(in_enc[inOff + V.length + i] ^ K1[i]); - } - - len = K1.length; - } - else - { - // Block cipher mode. - K1 = new byte[((IESWithCipherParameters)param).getCipherKeySize() / 8]; - K2 = new byte[param.getMacKeySize() / 8]; - K = new byte[K1.length + K2.length]; - - kdf.generateBytes(K, 0, K.length); - System.arraycopy(K, 0, K1, 0, K1.length); - System.arraycopy(K, K1.length, K2, 0, K2.length); - - // If IV provide use it to initialize the cipher - if (IV != null) - { - cipher.init(false, new ParametersWithIV(new KeyParameter(K1), IV)); - } - else - { - cipher.init(false, new KeyParameter(K1)); - } - - M = new byte[cipher.getOutputSize(inLen - V.length - mac.getMacSize())]; - len = cipher.processBytes(in_enc, inOff + V.length, inLen - V.length - mac.getMacSize(), M, 0); - len += cipher.doFinal(M, len); - } - - - // Convert the length of the encoding vector into a byte array. - byte[] P2 = param.getEncodingV(); - byte[] L2 = new byte[4]; - if (V.length != 0 && P2 != null) - { - Pack.intToBigEndian(P2.length * 8, L2, 0); - } - - - // Verify the MAC. - int end = inOff + inLen; - byte[] T1 = Arrays.copyOfRange(in_enc, end - mac.getMacSize(), end); - - byte[] T2 = new byte[T1.length]; - mac.init(new KeyParameter(K2)); - mac.update(in_enc, inOff + V.length, inLen - V.length - T2.length); - - if (P2 != null) - { - mac.update(P2, 0, P2.length); - } - if (V.length != 0) - { - mac.update(L2, 0, L2.length); - } - mac.doFinal(T2, 0); - - if (!Arrays.constantTimeAreEqual(T1, T2)) - { - throw new InvalidCipherTextException("Invalid MAC."); - } - - - // Output the message. - return Arrays.copyOfRange(M, 0, len); - } - - - public byte[] processBlock( - byte[] in, - int inOff, - int inLen) - throws InvalidCipherTextException - { - if (forEncryption) - { - if (keyPairGenerator != null) - { - EphemeralKeyPair ephKeyPair = keyPairGenerator.generate(); - - this.privParam = ephKeyPair.getKeyPair().getPrivate(); - this.V = ephKeyPair.getEncodedPublicKey(); - } - } - else - { - if (keyParser != null) - { - ByteArrayInputStream bIn = new ByteArrayInputStream(in, inOff, inLen); - - try - { - this.pubParam = keyParser.readKey(bIn); - } - catch (IOException e) - { - throw new InvalidCipherTextException("unable to recover ephemeral public key: " + e.getMessage(), e); - } - - int encLength = (inLen - bIn.available()); - this.V = Arrays.copyOfRange(in, inOff, inOff + encLength); - } - } - - // Compute the common value and convert to byte array. - agree.init(privParam); - BigInteger z = agree.calculateAgreement(pubParam); - byte[] Z = BigIntegers.asUnsignedByteArray(agree.getFieldSize(), z); - - // Create input to KDF. - byte[] VZ; - if (V.length != 0) - { - VZ = new byte[V.length + Z.length]; - System.arraycopy(V, 0, VZ, 0, V.length); - System.arraycopy(Z, 0, VZ, V.length, Z.length); - } - else - { - VZ = Z; - } - - // Initialise the KDF. - KDFParameters kdfParam = new KDFParameters(VZ, param.getDerivationV()); - kdf.init(kdfParam); - - return forEncryption - ? encryptBlock(in, inOff, inLen) - : decryptBlock(in, inOff, inLen); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/ISAACEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/ISAACEngine.java deleted file mode 100644 index d2dd2657..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/ISAACEngine.java +++ /dev/null @@ -1,221 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.StreamCipher; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.util.Pack; - -/** - * Implementation of Bob Jenkin's ISAAC (Indirection Shift Accumulate Add and Count). - * see: http://www.burtleburtle.net/bob/rand/isaacafa.html -*/ -public class ISAACEngine - implements StreamCipher -{ - // Constants - private final int sizeL = 8, - stateArraySize = sizeL<<5; // 256 - - // Cipher's internal state - private int[] engineState = null, // mm - results = null; // randrsl - private int a = 0, b = 0, c = 0; - - // Engine state - private int index = 0; - private byte[] keyStream = new byte[stateArraySize<<2], // results expanded into bytes - workingKey = null; - private boolean initialised = false; - - /** - * initialise an ISAAC cipher. - * - * @param forEncryption whether or not we are for encryption. - * @param params the parameters required to set up the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean forEncryption, - CipherParameters params) - { - if (!(params instanceof KeyParameter)) - { - throw new IllegalArgumentException("invalid parameter passed to ISAAC init - " + params.getClass().getName()); - } - /* - * ISAAC encryption and decryption is completely - * symmetrical, so the 'forEncryption' is - * irrelevant. - */ - KeyParameter p = (KeyParameter)params; - setKey(p.getKey()); - - return; - } - - public byte returnByte(byte in) - { - if (index == 0) - { - isaac(); - keyStream = Pack.intToBigEndian(results); - } - byte out = (byte)(keyStream[index]^in); - index = (index + 1) & 1023; - - return out; - } - - public int processBytes( - byte[] in, - int inOff, - int len, - byte[] out, - int outOff) - { - if (!initialised) - { - throw new IllegalStateException(getAlgorithmName()+" not initialised"); - } - - if ((inOff + len) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + len) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - for (int i = 0; i < len; i++) - { - if (index == 0) - { - isaac(); - keyStream = Pack.intToBigEndian(results); - } - out[i+outOff] = (byte)(keyStream[index]^in[i+inOff]); - index = (index + 1) & 1023; - } - - return len; - } - - public String getAlgorithmName() - { - return "ISAAC"; - } - - public void reset() - { - setKey(workingKey); - } - - // Private implementation - private void setKey(byte[] keyBytes) - { - workingKey = keyBytes; - - if (engineState == null) - { - engineState = new int[stateArraySize]; - } - - if (results == null) - { - results = new int[stateArraySize]; - } - - int i, j, k; - - // Reset state - for (i = 0; i < stateArraySize; i++) - { - engineState[i] = results[i] = 0; - } - a = b = c = 0; - - // Reset index counter for output - index = 0; - - // Convert the key bytes to ints and put them into results[] for initialization - byte[] t = new byte[keyBytes.length + (keyBytes.length & 3)]; - System.arraycopy(keyBytes, 0, t, 0, keyBytes.length); - for (i = 0; i < t.length; i+=4) - { - results[i >>> 2] = Pack.littleEndianToInt(t, i); - } - - // It has begun? - int[] abcdefgh = new int[sizeL]; - - for (i = 0; i < sizeL; i++) - { - abcdefgh[i] = 0x9e3779b9; // Phi (golden ratio) - } - - for (i = 0; i < 4; i++) - { - mix(abcdefgh); - } - - for (i = 0; i < 2; i++) - { - for (j = 0; j < stateArraySize; j+=sizeL) - { - for (k = 0; k < sizeL; k++) - { - abcdefgh[k] += (i<1) ? results[j+k] : engineState[j+k]; - } - - mix(abcdefgh); - - for (k = 0; k < sizeL; k++) - { - engineState[j+k] = abcdefgh[k]; - } - } - } - - isaac(); - - initialised = true; - } - - private void isaac() - { - int i, x, y; - - b += ++c; - for (i = 0; i < stateArraySize; i++) - { - x = engineState[i]; - switch (i & 3) - { - case 0: a ^= (a << 13); break; - case 1: a ^= (a >>> 6); break; - case 2: a ^= (a << 2); break; - case 3: a ^= (a >>> 16); break; - } - a += engineState[(i+128) & 0xFF]; - engineState[i] = y = engineState[(x >>> 2) & 0xFF] + a + b; - results[i] = b = engineState[(y >>> 10) & 0xFF] + x; - } - } - - private void mix(int[] x) - { - x[0]^=x[1]<< 11; x[3]+=x[0]; x[1]+=x[2]; - x[1]^=x[2]>>> 2; x[4]+=x[1]; x[2]+=x[3]; - x[2]^=x[3]<< 8; x[5]+=x[2]; x[3]+=x[4]; - x[3]^=x[4]>>>16; x[6]+=x[3]; x[4]+=x[5]; - x[4]^=x[5]<< 10; x[7]+=x[4]; x[5]+=x[6]; - x[5]^=x[6]>>> 4; x[0]+=x[5]; x[6]+=x[7]; - x[6]^=x[7]<< 8; x[1]+=x[6]; x[7]+=x[0]; - x[7]^=x[0]>>> 9; x[2]+=x[7]; x[0]+=x[1]; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/NaccacheSternEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/NaccacheSternEngine.java deleted file mode 100644 index a5403fac..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/NaccacheSternEngine.java +++ /dev/null @@ -1,437 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import java.math.BigInteger; -import java.util.Vector; -import org.bouncycastle.util.Arrays; - -import org.bouncycastle.crypto.AsymmetricBlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.InvalidCipherTextException; -import org.bouncycastle.crypto.params.NaccacheSternKeyParameters; -import org.bouncycastle.crypto.params.NaccacheSternPrivateKeyParameters; -import org.bouncycastle.crypto.params.ParametersWithRandom; - -/** - * NaccacheStern Engine. For details on this cipher, please see - * http://www.gemplus.com/smart/rd/publications/pdf/NS98pkcs.pdf - */ -public class NaccacheSternEngine - implements AsymmetricBlockCipher -{ - private boolean forEncryption; - - private NaccacheSternKeyParameters key; - - private Vector[] lookup = null; - - private boolean debug = false; - - private static BigInteger ZERO = BigInteger.valueOf(0); - private static BigInteger ONE = BigInteger.valueOf(1); - - /** - * Initializes this algorithm. Must be called before all other Functions. - * - * @see org.bouncycastle.crypto.AsymmetricBlockCipher#init(boolean, - * org.bouncycastle.crypto.CipherParameters) - */ - public void init(boolean forEncryption, CipherParameters param) - { - this.forEncryption = forEncryption; - - if (param instanceof ParametersWithRandom) - { - param = ((ParametersWithRandom) param).getParameters(); - } - - key = (NaccacheSternKeyParameters)param; - - // construct lookup table for faster decryption if necessary - if (!this.forEncryption) - { - if (debug) - { - System.out.println("Constructing lookup Array"); - } - NaccacheSternPrivateKeyParameters priv = (NaccacheSternPrivateKeyParameters)key; - Vector primes = priv.getSmallPrimes(); - lookup = new Vector[primes.size()]; - for (int i = 0; i < primes.size(); i++) - { - BigInteger actualPrime = (BigInteger)primes.elementAt(i); - int actualPrimeValue = actualPrime.intValue(); - - lookup[i] = new Vector(); - lookup[i].addElement(ONE); - - if (debug) - { - System.out.println("Constructing lookup ArrayList for " + actualPrimeValue); - } - - BigInteger accJ = ZERO; - - for (int j = 1; j < actualPrimeValue; j++) - { - accJ = accJ.add(priv.getPhi_n()); - BigInteger comp = accJ.divide(actualPrime); - lookup[i].addElement(priv.getG().modPow(comp, priv.getModulus())); - } - } - } - } - - public void setDebug(boolean debug) - { - this.debug = debug; - } - - /** - * Returns the input block size of this algorithm. - * - * @see org.bouncycastle.crypto.AsymmetricBlockCipher#getInputBlockSize() - */ - public int getInputBlockSize() - { - if (forEncryption) - { - // We can only encrypt values up to lowerSigmaBound - return (key.getLowerSigmaBound() + 7) / 8 - 1; - } - else - { - // We pad to modulus-size bytes for easier decryption. - return key.getModulus().toByteArray().length; - } - } - - /** - * Returns the output block size of this algorithm. - * - * @see org.bouncycastle.crypto.AsymmetricBlockCipher#getOutputBlockSize() - */ - public int getOutputBlockSize() - { - if (forEncryption) - { - // encrypted Data is always padded up to modulus size - return key.getModulus().toByteArray().length; - } - else - { - // decrypted Data has upper limit lowerSigmaBound - return (key.getLowerSigmaBound() + 7) / 8 - 1; - } - } - - /** - * Process a single Block using the Naccache-Stern algorithm. - * - * @see org.bouncycastle.crypto.AsymmetricBlockCipher#processBlock(byte[], - * int, int) - */ - public byte[] processBlock(byte[] in, int inOff, int len) throws InvalidCipherTextException - { - if (key == null) - { - throw new IllegalStateException("NaccacheStern engine not initialised"); - } - if (len > (getInputBlockSize() + 1)) - { - throw new DataLengthException("input too large for Naccache-Stern cipher.\n"); - } - - if (!forEncryption) - { - // At decryption make sure that we receive padded data blocks - if (len < getInputBlockSize()) - { - throw new InvalidCipherTextException("BlockLength does not match modulus for Naccache-Stern cipher.\n"); - } - } - - byte[] block; - - if (inOff != 0 || len != in.length) - { - block = new byte[len]; - System.arraycopy(in, inOff, block, 0, len); - } - else - { - block = in; - } - - // transform input into BigInteger - BigInteger input = new BigInteger(1, block); - if (debug) - { - System.out.println("input as BigInteger: " + input); - } - byte[] output; - if (forEncryption) - { - output = encrypt(input); - } - else - { - Vector plain = new Vector(); - NaccacheSternPrivateKeyParameters priv = (NaccacheSternPrivateKeyParameters)key; - Vector primes = priv.getSmallPrimes(); - // Get Chinese Remainders of CipherText - for (int i = 0; i < primes.size(); i++) - { - BigInteger exp = input.modPow(priv.getPhi_n().divide((BigInteger)primes.elementAt(i)), priv.getModulus()); - Vector al = lookup[i]; - if (lookup[i].size() != ((BigInteger)primes.elementAt(i)).intValue()) - { - if (debug) - { - System.out.println("Prime is " + primes.elementAt(i) + ", lookup table has size " + al.size()); - } - throw new InvalidCipherTextException("Error in lookup Array for " - + ((BigInteger)primes.elementAt(i)).intValue() - + ": Size mismatch. Expected ArrayList with length " - + ((BigInteger)primes.elementAt(i)).intValue() + " but found ArrayList of length " - + lookup[i].size()); - } - int lookedup = al.indexOf(exp); - - if (lookedup == -1) - { - if (debug) - { - System.out.println("Actual prime is " + primes.elementAt(i)); - System.out.println("Decrypted value is " + exp); - - System.out.println("LookupList for " + primes.elementAt(i) + " with size " + lookup[i].size() - + " is: "); - for (int j = 0; j < lookup[i].size(); j++) - { - System.out.println(lookup[i].elementAt(j)); - } - } - throw new InvalidCipherTextException("Lookup failed"); - } - plain.addElement(BigInteger.valueOf(lookedup)); - } - BigInteger test = chineseRemainder(plain, primes); - - // Should not be used as an oracle, so reencrypt output to see - // if it corresponds to input - - // this breaks probabilisic encryption, so disable it. Anyway, we do - // use the first n primes for key generation, so it is pretty easy - // to guess them. But as stated in the paper, this is not a security - // breach. So we can just work with the correct sigma. - - // if (debug) { - // System.out.println("Decryption is " + test); - // } - // if ((key.getG().modPow(test, key.getModulus())).equals(input)) { - // output = test.toByteArray(); - // } else { - // if(debug){ - // System.out.println("Engine seems to be used as an oracle, - // returning null"); - // } - // output = null; - // } - - output = test.toByteArray(); - - } - - return output; - } - - /** - * Encrypts a BigInteger aka Plaintext with the public key. - * - * @param plain - * The BigInteger to encrypt - * @return The byte[] representation of the encrypted BigInteger (i.e. - * crypted.toByteArray()) - */ - public byte[] encrypt(BigInteger plain) - { - // Always return modulus size values 0-padded at the beginning - // 0-padding at the beginning is correctly parsed by BigInteger :) - byte[] output = key.getModulus().toByteArray(); - Arrays.fill(output, (byte)0); - byte[] tmp = key.getG().modPow(plain, key.getModulus()).toByteArray(); - System - .arraycopy(tmp, 0, output, output.length - tmp.length, - tmp.length); - if (debug) - { - System.out - .println("Encrypted value is: " + new BigInteger(output)); - } - return output; - } - - /** - * Adds the contents of two encrypted blocks mod sigma - * - * @param block1 - * the first encrypted block - * @param block2 - * the second encrypted block - * @return encrypt((block1 + block2) mod sigma) - * @throws InvalidCipherTextException - */ - public byte[] addCryptedBlocks(byte[] block1, byte[] block2) - throws InvalidCipherTextException - { - // check for correct blocksize - if (forEncryption) - { - if ((block1.length > getOutputBlockSize()) - || (block2.length > getOutputBlockSize())) - { - throw new InvalidCipherTextException( - "BlockLength too large for simple addition.\n"); - } - } - else - { - if ((block1.length > getInputBlockSize()) - || (block2.length > getInputBlockSize())) - { - throw new InvalidCipherTextException( - "BlockLength too large for simple addition.\n"); - } - } - - // calculate resulting block - BigInteger m1Crypt = new BigInteger(1, block1); - BigInteger m2Crypt = new BigInteger(1, block2); - BigInteger m1m2Crypt = m1Crypt.multiply(m2Crypt); - m1m2Crypt = m1m2Crypt.mod(key.getModulus()); - if (debug) - { - System.out.println("c(m1) as BigInteger:....... " + m1Crypt); - System.out.println("c(m2) as BigInteger:....... " + m2Crypt); - System.out.println("c(m1)*c(m2)%n = c(m1+m2)%n: " + m1m2Crypt); - } - - byte[] output = key.getModulus().toByteArray(); - Arrays.fill(output, (byte)0); - System.arraycopy(m1m2Crypt.toByteArray(), 0, output, output.length - - m1m2Crypt.toByteArray().length, - m1m2Crypt.toByteArray().length); - - return output; - } - - /** - * Convenience Method for data exchange with the cipher. - * - * Determines blocksize and splits data to blocksize. - * - * @param data the data to be processed - * @return the data after it went through the NaccacheSternEngine. - * @throws InvalidCipherTextException - */ - public byte[] processData(byte[] data) throws InvalidCipherTextException - { - if (debug) - { - System.out.println(); - } - if (data.length > getInputBlockSize()) - { - int inBlocksize = getInputBlockSize(); - int outBlocksize = getOutputBlockSize(); - if (debug) - { - System.out.println("Input blocksize is: " + inBlocksize + " bytes"); - System.out.println("Output blocksize is: " + outBlocksize + " bytes"); - System.out.println("Data has length:.... " + data.length + " bytes"); - } - int datapos = 0; - int retpos = 0; - byte[] retval = new byte[(data.length / inBlocksize + 1) * outBlocksize]; - while (datapos < data.length) - { - byte[] tmp; - if (datapos + inBlocksize < data.length) - { - tmp = processBlock(data, datapos, inBlocksize); - datapos += inBlocksize; - } - else - { - tmp = processBlock(data, datapos, data.length - datapos); - datapos += data.length - datapos; - } - if (debug) - { - System.out.println("new datapos is " + datapos); - } - if (tmp != null) - { - System.arraycopy(tmp, 0, retval, retpos, tmp.length); - - retpos += tmp.length; - } - else - { - if (debug) - { - System.out.println("cipher returned null"); - } - throw new InvalidCipherTextException("cipher returned null"); - } - } - byte[] ret = new byte[retpos]; - System.arraycopy(retval, 0, ret, 0, retpos); - if (debug) - { - System.out.println("returning " + ret.length + " bytes"); - } - return ret; - } - else - { - if (debug) - { - System.out.println("data size is less then input block size, processing directly"); - } - return processBlock(data, 0, data.length); - } - } - - /** - * Computes the integer x that is expressed through the given primes and the - * congruences with the chinese remainder theorem (CRT). - * - * @param congruences - * the congruences c_i - * @param primes - * the primes p_i - * @return an integer x for that x % p_i == c_i - */ - private static BigInteger chineseRemainder(Vector congruences, Vector primes) - { - BigInteger retval = ZERO; - BigInteger all = ONE; - for (int i = 0; i < primes.size(); i++) - { - all = all.multiply((BigInteger)primes.elementAt(i)); - } - for (int i = 0; i < primes.size(); i++) - { - BigInteger a = (BigInteger)primes.elementAt(i); - BigInteger b = all.divide(a); - BigInteger b_ = b.modInverse(a); - BigInteger tmp = b.multiply(b_); - tmp = tmp.multiply((BigInteger)congruences.elementAt(i)); - retval = retval.add(tmp); - } - - return retval.mod(all); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/NoekeonEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/NoekeonEngine.java deleted file mode 100644 index c4494c40..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/NoekeonEngine.java +++ /dev/null @@ -1,263 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.params.KeyParameter; - -/** - * A Noekeon engine, using direct-key mode. - */ - -public class NoekeonEngine - implements BlockCipher -{ - private static final int genericSize = 16; // Block and key size, as well as the amount of rounds. - - private static final int[] nullVector = - { - 0x00, 0x00, 0x00, 0x00 // Used in decryption - }, - - roundConstants = - { - 0x80, 0x1b, 0x36, 0x6c, - 0xd8, 0xab, 0x4d, 0x9a, - 0x2f, 0x5e, 0xbc, 0x63, - 0xc6, 0x97, 0x35, 0x6a, - 0xd4 - }; - - private int[] state = new int[4], // a - subKeys = new int[4], // k - decryptKeys = new int[4]; - - private boolean _initialised, - _forEncryption; - - /** - * Create an instance of the Noekeon encryption algorithm - * and set some defaults - */ - public NoekeonEngine() - { - _initialised = false; - } - - public String getAlgorithmName() - { - return "Noekeon"; - } - - public int getBlockSize() - { - return genericSize; - } - - /** - * initialise - * - * @param forEncryption whether or not we are for encryption. - * @param params the parameters required to set up the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean forEncryption, - CipherParameters params) - { - if (!(params instanceof KeyParameter)) - { - throw new IllegalArgumentException("invalid parameter passed to Noekeon init - " + params.getClass().getName()); - } - - _forEncryption = forEncryption; - _initialised = true; - - KeyParameter p = (KeyParameter)params; - - setKey(p.getKey()); - } - - public int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - if (!_initialised) - { - throw new IllegalStateException(getAlgorithmName()+" not initialised"); - } - - if ((inOff + genericSize) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + genericSize) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - return (_forEncryption) ? encryptBlock(in, inOff, out, outOff) - : decryptBlock(in, inOff, out, outOff); - } - - public void reset() - { - } - - /** - * Re-key the cipher. - * <p> - * @param key the key to be used - */ - private void setKey( - byte[] key) - { - subKeys[0] = bytesToIntBig(key, 0); - subKeys[1] = bytesToIntBig(key, 4); - subKeys[2] = bytesToIntBig(key, 8); - subKeys[3] = bytesToIntBig(key, 12); - } - - private int encryptBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - state[0] = bytesToIntBig(in, inOff); - state[1] = bytesToIntBig(in, inOff+4); - state[2] = bytesToIntBig(in, inOff+8); - state[3] = bytesToIntBig(in, inOff+12); - - int i; - for (i = 0; i < genericSize; i++) - { - state[0] ^= roundConstants[i]; - theta(state, subKeys); - pi1(state); - gamma(state); - pi2(state); - } - - state[0] ^= roundConstants[i]; - theta(state, subKeys); - - intToBytesBig(state[0], out, outOff); - intToBytesBig(state[1], out, outOff+4); - intToBytesBig(state[2], out, outOff+8); - intToBytesBig(state[3], out, outOff+12); - - return genericSize; - } - - private int decryptBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - state[0] = bytesToIntBig(in, inOff); - state[1] = bytesToIntBig(in, inOff+4); - state[2] = bytesToIntBig(in, inOff+8); - state[3] = bytesToIntBig(in, inOff+12); - - System.arraycopy(subKeys, 0, decryptKeys, 0, subKeys.length); - theta(decryptKeys, nullVector); - - int i; - for (i = genericSize; i > 0; i--) - { - theta(state, decryptKeys); - state[0] ^= roundConstants[i]; - pi1(state); - gamma(state); - pi2(state); - } - - theta(state, decryptKeys); - state[0] ^= roundConstants[i]; - - intToBytesBig(state[0], out, outOff); - intToBytesBig(state[1], out, outOff+4); - intToBytesBig(state[2], out, outOff+8); - intToBytesBig(state[3], out, outOff+12); - - return genericSize; - } - - private void gamma(int[] a) - { - a[1] ^= ~a[3] & ~a[2]; - a[0] ^= a[2] & a[1]; - - int tmp = a[3]; - a[3] = a[0]; - a[0] = tmp; - a[2] ^= a[0]^a[1]^a[3]; - - a[1] ^= ~a[3] & ~a[2]; - a[0] ^= a[2] & a[1]; - } - - private void theta(int[] a, int[] k) - { - int tmp; - - tmp = a[0]^a[2]; - tmp ^= rotl(tmp,8)^rotl(tmp,24); - a[1] ^= tmp; - a[3] ^= tmp; - - for (int i = 0; i < 4; i++) - { - a[i] ^= k[i]; - } - - tmp = a[1]^a[3]; - tmp ^= rotl(tmp,8)^rotl(tmp,24); - a[0] ^= tmp; - a[2] ^= tmp; - } - - private void pi1(int[] a) - { - a[1] = rotl(a[1], 1); - a[2] = rotl(a[2], 5); - a[3] = rotl(a[3], 2); - } - - private void pi2(int[] a) - { - a[1] = rotl(a[1], 31); - a[2] = rotl(a[2], 27); - a[3] = rotl(a[3], 30); - } - - // Helpers - - private int bytesToIntBig(byte[] in, int off) - { - return ((in[off++]) << 24) | - ((in[off++] & 0xff) << 16) | - ((in[off++] & 0xff) << 8) | - (in[off ] & 0xff); - } - - private void intToBytesBig(int x, byte[] out, int off) - { - out[off++] = (byte)(x >>> 24); - out[off++] = (byte)(x >>> 16); - out[off++] = (byte)(x >>> 8); - out[off ] = (byte)x; - } - - private int rotl(int x, int y) - { - return (x << y) | (x >>> (32-y)); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/NullEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/NullEngine.java deleted file mode 100644 index 1ad2c9df..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/NullEngine.java +++ /dev/null @@ -1,96 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; - -/** - * The no-op engine that just copies bytes through, irrespective of whether encrypting and decrypting. - * Provided for the sake of completeness. - */ -public class NullEngine implements BlockCipher -{ - private boolean initialised; - protected static final int DEFAULT_BLOCK_SIZE = 1; - private final int blockSize; - - /** - * Constructs a null engine with a block size of 1 byte. - */ - public NullEngine() - { - this(DEFAULT_BLOCK_SIZE); - } - - /** - * Constructs a null engine with a specific block size. - * - * @param blockSize the block size in bytes. - */ - public NullEngine(int blockSize) - { - this.blockSize = blockSize; - } - - /* (non-Javadoc) - * @see org.bouncycastle.crypto.BlockCipher#init(boolean, org.bouncycastle.crypto.CipherParameters) - */ - public void init(boolean forEncryption, CipherParameters params) throws IllegalArgumentException - { - // we don't mind any parameters that may come in - this.initialised = true; - } - - /* (non-Javadoc) - * @see org.bouncycastle.crypto.BlockCipher#getAlgorithmName() - */ - public String getAlgorithmName() - { - return "Null"; - } - - /* (non-Javadoc) - * @see org.bouncycastle.crypto.BlockCipher#getBlockSize() - */ - public int getBlockSize() - { - return blockSize; - } - - /* (non-Javadoc) - * @see org.bouncycastle.crypto.BlockCipher#processBlock(byte[], int, byte[], int) - */ - public int processBlock(byte[] in, int inOff, byte[] out, int outOff) - throws DataLengthException, IllegalStateException - { - if (!initialised) - { - throw new IllegalStateException("Null engine not initialised"); - } - if ((inOff + blockSize) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + blockSize) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - for (int i = 0; i < blockSize; ++i) - { - out[outOff + i] = in[inOff + i]; - } - - return blockSize; - } - - /* (non-Javadoc) - * @see org.bouncycastle.crypto.BlockCipher#reset() - */ - public void reset() - { - // nothing needs to be done - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/RC2Engine.java b/core/src/main/java/org/bouncycastle/crypto/engines/RC2Engine.java deleted file mode 100644 index 02cb8811..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/RC2Engine.java +++ /dev/null @@ -1,317 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.RC2Parameters; - -/** - * an implementation of RC2 as described in RFC 2268 - * "A Description of the RC2(r) Encryption Algorithm" R. Rivest. - */ -public class RC2Engine - implements BlockCipher -{ - // - // the values we use for key expansion (based on the digits of PI) - // - private static byte[] piTable = - { - (byte)0xd9, (byte)0x78, (byte)0xf9, (byte)0xc4, (byte)0x19, (byte)0xdd, (byte)0xb5, (byte)0xed, - (byte)0x28, (byte)0xe9, (byte)0xfd, (byte)0x79, (byte)0x4a, (byte)0xa0, (byte)0xd8, (byte)0x9d, - (byte)0xc6, (byte)0x7e, (byte)0x37, (byte)0x83, (byte)0x2b, (byte)0x76, (byte)0x53, (byte)0x8e, - (byte)0x62, (byte)0x4c, (byte)0x64, (byte)0x88, (byte)0x44, (byte)0x8b, (byte)0xfb, (byte)0xa2, - (byte)0x17, (byte)0x9a, (byte)0x59, (byte)0xf5, (byte)0x87, (byte)0xb3, (byte)0x4f, (byte)0x13, - (byte)0x61, (byte)0x45, (byte)0x6d, (byte)0x8d, (byte)0x9, (byte)0x81, (byte)0x7d, (byte)0x32, - (byte)0xbd, (byte)0x8f, (byte)0x40, (byte)0xeb, (byte)0x86, (byte)0xb7, (byte)0x7b, (byte)0xb, - (byte)0xf0, (byte)0x95, (byte)0x21, (byte)0x22, (byte)0x5c, (byte)0x6b, (byte)0x4e, (byte)0x82, - (byte)0x54, (byte)0xd6, (byte)0x65, (byte)0x93, (byte)0xce, (byte)0x60, (byte)0xb2, (byte)0x1c, - (byte)0x73, (byte)0x56, (byte)0xc0, (byte)0x14, (byte)0xa7, (byte)0x8c, (byte)0xf1, (byte)0xdc, - (byte)0x12, (byte)0x75, (byte)0xca, (byte)0x1f, (byte)0x3b, (byte)0xbe, (byte)0xe4, (byte)0xd1, - (byte)0x42, (byte)0x3d, (byte)0xd4, (byte)0x30, (byte)0xa3, (byte)0x3c, (byte)0xb6, (byte)0x26, - (byte)0x6f, (byte)0xbf, (byte)0xe, (byte)0xda, (byte)0x46, (byte)0x69, (byte)0x7, (byte)0x57, - (byte)0x27, (byte)0xf2, (byte)0x1d, (byte)0x9b, (byte)0xbc, (byte)0x94, (byte)0x43, (byte)0x3, - (byte)0xf8, (byte)0x11, (byte)0xc7, (byte)0xf6, (byte)0x90, (byte)0xef, (byte)0x3e, (byte)0xe7, - (byte)0x6, (byte)0xc3, (byte)0xd5, (byte)0x2f, (byte)0xc8, (byte)0x66, (byte)0x1e, (byte)0xd7, - (byte)0x8, (byte)0xe8, (byte)0xea, (byte)0xde, (byte)0x80, (byte)0x52, (byte)0xee, (byte)0xf7, - (byte)0x84, (byte)0xaa, (byte)0x72, (byte)0xac, (byte)0x35, (byte)0x4d, (byte)0x6a, (byte)0x2a, - (byte)0x96, (byte)0x1a, (byte)0xd2, (byte)0x71, (byte)0x5a, (byte)0x15, (byte)0x49, (byte)0x74, - (byte)0x4b, (byte)0x9f, (byte)0xd0, (byte)0x5e, (byte)0x4, (byte)0x18, (byte)0xa4, (byte)0xec, - (byte)0xc2, (byte)0xe0, (byte)0x41, (byte)0x6e, (byte)0xf, (byte)0x51, (byte)0xcb, (byte)0xcc, - (byte)0x24, (byte)0x91, (byte)0xaf, (byte)0x50, (byte)0xa1, (byte)0xf4, (byte)0x70, (byte)0x39, - (byte)0x99, (byte)0x7c, (byte)0x3a, (byte)0x85, (byte)0x23, (byte)0xb8, (byte)0xb4, (byte)0x7a, - (byte)0xfc, (byte)0x2, (byte)0x36, (byte)0x5b, (byte)0x25, (byte)0x55, (byte)0x97, (byte)0x31, - (byte)0x2d, (byte)0x5d, (byte)0xfa, (byte)0x98, (byte)0xe3, (byte)0x8a, (byte)0x92, (byte)0xae, - (byte)0x5, (byte)0xdf, (byte)0x29, (byte)0x10, (byte)0x67, (byte)0x6c, (byte)0xba, (byte)0xc9, - (byte)0xd3, (byte)0x0, (byte)0xe6, (byte)0xcf, (byte)0xe1, (byte)0x9e, (byte)0xa8, (byte)0x2c, - (byte)0x63, (byte)0x16, (byte)0x1, (byte)0x3f, (byte)0x58, (byte)0xe2, (byte)0x89, (byte)0xa9, - (byte)0xd, (byte)0x38, (byte)0x34, (byte)0x1b, (byte)0xab, (byte)0x33, (byte)0xff, (byte)0xb0, - (byte)0xbb, (byte)0x48, (byte)0xc, (byte)0x5f, (byte)0xb9, (byte)0xb1, (byte)0xcd, (byte)0x2e, - (byte)0xc5, (byte)0xf3, (byte)0xdb, (byte)0x47, (byte)0xe5, (byte)0xa5, (byte)0x9c, (byte)0x77, - (byte)0xa, (byte)0xa6, (byte)0x20, (byte)0x68, (byte)0xfe, (byte)0x7f, (byte)0xc1, (byte)0xad - }; - - private static final int BLOCK_SIZE = 8; - - private int[] workingKey; - private boolean encrypting; - - private int[] generateWorkingKey( - byte[] key, - int bits) - { - int x; - int[] xKey = new int[128]; - - for (int i = 0; i != key.length; i++) - { - xKey[i] = key[i] & 0xff; - } - - // Phase 1: Expand input key to 128 bytes - int len = key.length; - - if (len < 128) - { - int index = 0; - - x = xKey[len - 1]; - - do - { - x = piTable[(x + xKey[index++]) & 255] & 0xff; - xKey[len++] = x; - } - while (len < 128); - } - - // Phase 2 - reduce effective key size to "bits" - len = (bits + 7) >> 3; - x = piTable[xKey[128 - len] & (255 >> (7 & -bits))] & 0xff; - xKey[128 - len] = x; - - for (int i = 128 - len - 1; i >= 0; i--) - { - x = piTable[x ^ xKey[i + len]] & 0xff; - xKey[i] = x; - } - - // Phase 3 - copy to newKey in little-endian order - int[] newKey = new int[64]; - - for (int i = 0; i != newKey.length; i++) - { - newKey[i] = (xKey[2 * i] + (xKey[2 * i + 1] << 8)); - } - - return newKey; - } - - /** - * initialise a RC2 cipher. - * - * @param encrypting whether or not we are for encryption. - * @param params the parameters required to set up the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean encrypting, - CipherParameters params) - { - this.encrypting = encrypting; - - if (params instanceof RC2Parameters) - { - RC2Parameters param = (RC2Parameters)params; - - workingKey = generateWorkingKey(param.getKey(), - param.getEffectiveKeyBits()); - } - else if (params instanceof KeyParameter) - { - byte[] key = ((KeyParameter)params).getKey(); - - workingKey = generateWorkingKey(key, key.length * 8); - } - else - { - throw new IllegalArgumentException("invalid parameter passed to RC2 init - " + params.getClass().getName()); - } - - } - - public void reset() - { - } - - public String getAlgorithmName() - { - return "RC2"; - } - - public int getBlockSize() - { - return BLOCK_SIZE; - } - - public final int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - if (workingKey == null) - { - throw new IllegalStateException("RC2 engine not initialised"); - } - - if ((inOff + BLOCK_SIZE) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + BLOCK_SIZE) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - if (encrypting) - { - encryptBlock(in, inOff, out, outOff); - } - else - { - decryptBlock(in, inOff, out, outOff); - } - - return BLOCK_SIZE; - } - - /** - * return the result rotating the 16 bit number in x left by y - */ - private int rotateWordLeft( - int x, - int y) - { - x &= 0xffff; - return (x << y) | (x >> (16 - y)); - } - - private void encryptBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - int x76, x54, x32, x10; - - x76 = ((in[inOff + 7] & 0xff) << 8) + (in[inOff + 6] & 0xff); - x54 = ((in[inOff + 5] & 0xff) << 8) + (in[inOff + 4] & 0xff); - x32 = ((in[inOff + 3] & 0xff) << 8) + (in[inOff + 2] & 0xff); - x10 = ((in[inOff + 1] & 0xff) << 8) + (in[inOff + 0] & 0xff); - - for (int i = 0; i <= 16; i += 4) - { - x10 = rotateWordLeft(x10 + (x32 & ~x76) + (x54 & x76) + workingKey[i ], 1); - x32 = rotateWordLeft(x32 + (x54 & ~x10) + (x76 & x10) + workingKey[i+1], 2); - x54 = rotateWordLeft(x54 + (x76 & ~x32) + (x10 & x32) + workingKey[i+2], 3); - x76 = rotateWordLeft(x76 + (x10 & ~x54) + (x32 & x54) + workingKey[i+3], 5); - } - - x10 += workingKey[x76 & 63]; - x32 += workingKey[x10 & 63]; - x54 += workingKey[x32 & 63]; - x76 += workingKey[x54 & 63]; - - for (int i = 20; i <= 40; i += 4) - { - x10 = rotateWordLeft(x10 + (x32 & ~x76) + (x54 & x76) + workingKey[i ], 1); - x32 = rotateWordLeft(x32 + (x54 & ~x10) + (x76 & x10) + workingKey[i+1], 2); - x54 = rotateWordLeft(x54 + (x76 & ~x32) + (x10 & x32) + workingKey[i+2], 3); - x76 = rotateWordLeft(x76 + (x10 & ~x54) + (x32 & x54) + workingKey[i+3], 5); - } - - x10 += workingKey[x76 & 63]; - x32 += workingKey[x10 & 63]; - x54 += workingKey[x32 & 63]; - x76 += workingKey[x54 & 63]; - - for (int i = 44; i < 64; i += 4) - { - x10 = rotateWordLeft(x10 + (x32 & ~x76) + (x54 & x76) + workingKey[i ], 1); - x32 = rotateWordLeft(x32 + (x54 & ~x10) + (x76 & x10) + workingKey[i+1], 2); - x54 = rotateWordLeft(x54 + (x76 & ~x32) + (x10 & x32) + workingKey[i+2], 3); - x76 = rotateWordLeft(x76 + (x10 & ~x54) + (x32 & x54) + workingKey[i+3], 5); - } - - out[outOff + 0] = (byte)x10; - out[outOff + 1] = (byte)(x10 >> 8); - out[outOff + 2] = (byte)x32; - out[outOff + 3] = (byte)(x32 >> 8); - out[outOff + 4] = (byte)x54; - out[outOff + 5] = (byte)(x54 >> 8); - out[outOff + 6] = (byte)x76; - out[outOff + 7] = (byte)(x76 >> 8); - } - - private void decryptBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - int x76, x54, x32, x10; - - x76 = ((in[inOff + 7] & 0xff) << 8) + (in[inOff + 6] & 0xff); - x54 = ((in[inOff + 5] & 0xff) << 8) + (in[inOff + 4] & 0xff); - x32 = ((in[inOff + 3] & 0xff) << 8) + (in[inOff + 2] & 0xff); - x10 = ((in[inOff + 1] & 0xff) << 8) + (in[inOff + 0] & 0xff); - - for (int i = 60; i >= 44; i -= 4) - { - x76 = rotateWordLeft(x76, 11) - ((x10 & ~x54) + (x32 & x54) + workingKey[i+3]); - x54 = rotateWordLeft(x54, 13) - ((x76 & ~x32) + (x10 & x32) + workingKey[i+2]); - x32 = rotateWordLeft(x32, 14) - ((x54 & ~x10) + (x76 & x10) + workingKey[i+1]); - x10 = rotateWordLeft(x10, 15) - ((x32 & ~x76) + (x54 & x76) + workingKey[i ]); - } - - x76 -= workingKey[x54 & 63]; - x54 -= workingKey[x32 & 63]; - x32 -= workingKey[x10 & 63]; - x10 -= workingKey[x76 & 63]; - - for (int i = 40; i >= 20; i -= 4) - { - x76 = rotateWordLeft(x76, 11) - ((x10 & ~x54) + (x32 & x54) + workingKey[i+3]); - x54 = rotateWordLeft(x54, 13) - ((x76 & ~x32) + (x10 & x32) + workingKey[i+2]); - x32 = rotateWordLeft(x32, 14) - ((x54 & ~x10) + (x76 & x10) + workingKey[i+1]); - x10 = rotateWordLeft(x10, 15) - ((x32 & ~x76) + (x54 & x76) + workingKey[i ]); - } - - x76 -= workingKey[x54 & 63]; - x54 -= workingKey[x32 & 63]; - x32 -= workingKey[x10 & 63]; - x10 -= workingKey[x76 & 63]; - - for (int i = 16; i >= 0; i -= 4) - { - x76 = rotateWordLeft(x76, 11) - ((x10 & ~x54) + (x32 & x54) + workingKey[i+3]); - x54 = rotateWordLeft(x54, 13) - ((x76 & ~x32) + (x10 & x32) + workingKey[i+2]); - x32 = rotateWordLeft(x32, 14) - ((x54 & ~x10) + (x76 & x10) + workingKey[i+1]); - x10 = rotateWordLeft(x10, 15) - ((x32 & ~x76) + (x54 & x76) + workingKey[i ]); - } - - out[outOff + 0] = (byte)x10; - out[outOff + 1] = (byte)(x10 >> 8); - out[outOff + 2] = (byte)x32; - out[outOff + 3] = (byte)(x32 >> 8); - out[outOff + 4] = (byte)x54; - out[outOff + 5] = (byte)(x54 >> 8); - out[outOff + 6] = (byte)x76; - out[outOff + 7] = (byte)(x76 >> 8); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/RC2WrapEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/RC2WrapEngine.java deleted file mode 100644 index ec82b1aa..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/RC2WrapEngine.java +++ /dev/null @@ -1,385 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import java.security.SecureRandom; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.InvalidCipherTextException; -import org.bouncycastle.crypto.Wrapper; -import org.bouncycastle.crypto.digests.SHA1Digest; -import org.bouncycastle.crypto.modes.CBCBlockCipher; -import org.bouncycastle.crypto.params.ParametersWithIV; -import org.bouncycastle.crypto.params.ParametersWithRandom; -import org.bouncycastle.util.Arrays; - -/** - * Wrap keys according to RFC 3217 - RC2 mechanism - */ -public class RC2WrapEngine - implements Wrapper -{ - /** Field engine */ - private CBCBlockCipher engine; - - /** Field param */ - private CipherParameters param; - - /** Field paramPlusIV */ - private ParametersWithIV paramPlusIV; - - /** Field iv */ - private byte[] iv; - - /** Field forWrapping */ - private boolean forWrapping; - - private SecureRandom sr; - - /** Field IV2 */ - private static final byte[] IV2 = { (byte) 0x4a, (byte) 0xdd, (byte) 0xa2, - (byte) 0x2c, (byte) 0x79, (byte) 0xe8, - (byte) 0x21, (byte) 0x05 }; - - // - // checksum digest - // - Digest sha1 = new SHA1Digest(); - byte[] digest = new byte[20]; - - /** - * Method init - * - * @param forWrapping - * @param param - */ - public void init(boolean forWrapping, CipherParameters param) - { - this.forWrapping = forWrapping; - this.engine = new CBCBlockCipher(new RC2Engine()); - - if (param instanceof ParametersWithRandom) - { - ParametersWithRandom pWithR = (ParametersWithRandom)param; - sr = pWithR.getRandom(); - param = pWithR.getParameters(); - } - else - { - sr = new SecureRandom(); - } - - if (param instanceof ParametersWithIV) - { - this.paramPlusIV = (ParametersWithIV)param; - this.iv = this.paramPlusIV.getIV(); - this.param = this.paramPlusIV.getParameters(); - - if (this.forWrapping) - { - if ((this.iv == null) || (this.iv.length != 8)) - { - throw new IllegalArgumentException("IV is not 8 octets"); - } - } - else - { - throw new IllegalArgumentException( - "You should not supply an IV for unwrapping"); - } - } - else - { - this.param = param; - - if (this.forWrapping) - { - - // Hm, we have no IV but we want to wrap ?!? - // well, then we have to create our own IV. - this.iv = new byte[8]; - - sr.nextBytes(iv); - - this.paramPlusIV = new ParametersWithIV(this.param, this.iv); - } - } - - } - - /** - * Method getAlgorithmName - * - * @return the algorithm name "RC2". - */ - public String getAlgorithmName() - { - return "RC2"; - } - - /** - * Method wrap - * - * @param in - * @param inOff - * @param inLen - * @return the wrapped bytes. - */ - public byte[] wrap(byte[] in, int inOff, int inLen) - { - - if (!forWrapping) - { - throw new IllegalStateException("Not initialized for wrapping"); - } - - int length = inLen + 1; - if ((length % 8) != 0) - { - length += 8 - (length % 8); - } - - byte keyToBeWrapped[] = new byte[length]; - - keyToBeWrapped[0] = (byte)inLen; - System.arraycopy(in, inOff, keyToBeWrapped, 1, inLen); - - byte[] pad = new byte[keyToBeWrapped.length - inLen - 1]; - - if (pad.length > 0) - { - sr.nextBytes(pad); - System.arraycopy(pad, 0, keyToBeWrapped, inLen + 1, pad.length); - } - - // Compute the CMS Key Checksum, (section 5.6.1), call this CKS. - byte[] CKS = calculateCMSKeyChecksum(keyToBeWrapped); - - // Let WKCKS = WK || CKS where || is concatenation. - byte[] WKCKS = new byte[keyToBeWrapped.length + CKS.length]; - - System.arraycopy(keyToBeWrapped, 0, WKCKS, 0, keyToBeWrapped.length); - System.arraycopy(CKS, 0, WKCKS, keyToBeWrapped.length, CKS.length); - - // Encrypt WKCKS in CBC mode using KEK as the key and IV as the - // initialization vector. Call the results TEMP1. - byte TEMP1[] = new byte[WKCKS.length]; - - System.arraycopy(WKCKS, 0, TEMP1, 0, WKCKS.length); - - int noOfBlocks = WKCKS.length / engine.getBlockSize(); - int extraBytes = WKCKS.length % engine.getBlockSize(); - - if (extraBytes != 0) - { - throw new IllegalStateException("Not multiple of block length"); - } - - engine.init(true, paramPlusIV); - - for (int i = 0; i < noOfBlocks; i++) - { - int currentBytePos = i * engine.getBlockSize(); - - engine.processBlock(TEMP1, currentBytePos, TEMP1, currentBytePos); - } - - // Left TEMP2 = IV || TEMP1. - byte[] TEMP2 = new byte[this.iv.length + TEMP1.length]; - - System.arraycopy(this.iv, 0, TEMP2, 0, this.iv.length); - System.arraycopy(TEMP1, 0, TEMP2, this.iv.length, TEMP1.length); - - // Reverse the order of the octets in TEMP2 and call the result TEMP3. - byte[] TEMP3 = new byte[TEMP2.length]; - - for (int i = 0; i < TEMP2.length; i++) - { - TEMP3[i] = TEMP2[TEMP2.length - (i + 1)]; - } - - // Encrypt TEMP3 in CBC mode using the KEK and an initialization vector - // of 0x 4a dd a2 2c 79 e8 21 05. The resulting cipher text is the - // desired - // result. It is 40 octets long if a 168 bit key is being wrapped. - ParametersWithIV param2 = new ParametersWithIV(this.param, IV2); - - this.engine.init(true, param2); - - for (int i = 0; i < noOfBlocks + 1; i++) - { - int currentBytePos = i * engine.getBlockSize(); - - engine.processBlock(TEMP3, currentBytePos, TEMP3, currentBytePos); - } - - return TEMP3; - } - - /** - * Method unwrap - * - * @param in - * @param inOff - * @param inLen - * @return the unwrapped bytes. - * @throws InvalidCipherTextException - */ - public byte[] unwrap(byte[] in, int inOff, int inLen) - throws InvalidCipherTextException - { - - if (forWrapping) - { - throw new IllegalStateException("Not set for unwrapping"); - } - - if (in == null) - { - throw new InvalidCipherTextException("Null pointer as ciphertext"); - } - - if (inLen % engine.getBlockSize() != 0) - { - throw new InvalidCipherTextException("Ciphertext not multiple of " - + engine.getBlockSize()); - } - - /* - * // Check if the length of the cipher text is reasonable given the key // - * type. It must be 40 bytes for a 168 bit key and either 32, 40, or // - * 48 bytes for a 128, 192, or 256 bit key. If the length is not - * supported // or inconsistent with the algorithm for which the key is - * intended, // return error. // // we do not accept 168 bit keys. it - * has to be 192 bit. int lengthA = (estimatedKeyLengthInBit / 8) + 16; - * int lengthB = estimatedKeyLengthInBit % 8; - * - * if ((lengthA != keyToBeUnwrapped.length) || (lengthB != 0)) { throw - * new XMLSecurityException("empty"); } - */ - - // Decrypt the cipher text with TRIPLedeS in CBC mode using the KEK - // and an initialization vector (IV) of 0x4adda22c79e82105. Call the - // output TEMP3. - ParametersWithIV param2 = new ParametersWithIV(this.param, IV2); - - this.engine.init(false, param2); - - byte TEMP3[] = new byte[inLen]; - - System.arraycopy(in, inOff, TEMP3, 0, inLen); - - for (int i = 0; i < (TEMP3.length / engine.getBlockSize()); i++) - { - int currentBytePos = i * engine.getBlockSize(); - - engine.processBlock(TEMP3, currentBytePos, TEMP3, currentBytePos); - } - - // Reverse the order of the octets in TEMP3 and call the result TEMP2. - byte[] TEMP2 = new byte[TEMP3.length]; - - for (int i = 0; i < TEMP3.length; i++) - { - TEMP2[i] = TEMP3[TEMP3.length - (i + 1)]; - } - - // Decompose TEMP2 into IV, the first 8 octets, and TEMP1, the remaining - // octets. - this.iv = new byte[8]; - - byte[] TEMP1 = new byte[TEMP2.length - 8]; - - System.arraycopy(TEMP2, 0, this.iv, 0, 8); - System.arraycopy(TEMP2, 8, TEMP1, 0, TEMP2.length - 8); - - // Decrypt TEMP1 using TRIPLedeS in CBC mode using the KEK and the IV - // found in the previous step. Call the result WKCKS. - this.paramPlusIV = new ParametersWithIV(this.param, this.iv); - - this.engine.init(false, this.paramPlusIV); - - byte[] LCEKPADICV = new byte[TEMP1.length]; - - System.arraycopy(TEMP1, 0, LCEKPADICV, 0, TEMP1.length); - - for (int i = 0; i < (LCEKPADICV.length / engine.getBlockSize()); i++) - { - int currentBytePos = i * engine.getBlockSize(); - - engine.processBlock(LCEKPADICV, currentBytePos, LCEKPADICV, - currentBytePos); - } - - // Decompose LCEKPADICV. CKS is the last 8 octets and WK, the wrapped - // key, are - // those octets before the CKS. - byte[] result = new byte[LCEKPADICV.length - 8]; - byte[] CKStoBeVerified = new byte[8]; - - System.arraycopy(LCEKPADICV, 0, result, 0, LCEKPADICV.length - 8); - System.arraycopy(LCEKPADICV, LCEKPADICV.length - 8, CKStoBeVerified, 0, - 8); - - // Calculate a CMS Key Checksum, (section 5.6.1), over the WK and - // compare - // with the CKS extracted in the above step. If they are not equal, - // return error. - if (!checkCMSKeyChecksum(result, CKStoBeVerified)) - { - throw new InvalidCipherTextException( - "Checksum inside ciphertext is corrupted"); - } - - if ((result.length - ((result[0] & 0xff) + 1)) > 7) - { - throw new InvalidCipherTextException("too many pad bytes (" - + (result.length - ((result[0] & 0xff) + 1)) + ")"); - } - - // CEK is the wrapped key, now extracted for use in data decryption. - byte[] CEK = new byte[result[0]]; - System.arraycopy(result, 1, CEK, 0, CEK.length); - return CEK; - } - - /** - * Some key wrap algorithms make use of the Key Checksum defined - * in CMS [CMS-Algorithms]. This is used to provide an integrity - * check value for the key being wrapped. The algorithm is - * - * - Compute the 20 octet SHA-1 hash on the key being wrapped. - * - Use the first 8 octets of this hash as the checksum value. - * - * For details see http://www.w3.org/TR/xmlenc-core/#sec-CMSKeyChecksum - * @param key - * @return - * @throws RuntimeException - * - */ - private byte[] calculateCMSKeyChecksum( - byte[] key) - { - byte[] result = new byte[8]; - - sha1.update(key, 0, key.length); - sha1.doFinal(digest, 0); - - System.arraycopy(digest, 0, result, 0, 8); - - return result; - } - - /** - * For details see http://www.w3.org/TR/xmlenc-core/#sec-CMSKeyChecksum - * - * @param key - * @param checksum - * @return - */ - private boolean checkCMSKeyChecksum( - byte[] key, - byte[] checksum) - { - return Arrays.constantTimeAreEqual(calculateCMSKeyChecksum(key), checksum); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/RC4Engine.java b/core/src/main/java/org/bouncycastle/crypto/engines/RC4Engine.java deleted file mode 100644 index c1ceaa4a..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/RC4Engine.java +++ /dev/null @@ -1,146 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.StreamCipher; -import org.bouncycastle.crypto.params.KeyParameter; - -public class RC4Engine implements StreamCipher -{ - private final static int STATE_LENGTH = 256; - - /* - * variables to hold the state of the RC4 engine - * during encryption and decryption - */ - - private byte[] engineState = null; - private int x = 0; - private int y = 0; - private byte[] workingKey = null; - - /** - * initialise a RC4 cipher. - * - * @param forEncryption whether or not we are for encryption. - * @param params the parameters required to set up the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean forEncryption, - CipherParameters params - ) - { - if (params instanceof KeyParameter) - { - /* - * RC4 encryption and decryption is completely - * symmetrical, so the 'forEncryption' is - * irrelevant. - */ - workingKey = ((KeyParameter)params).getKey(); - setKey(workingKey); - - return; - } - - throw new IllegalArgumentException("invalid parameter passed to RC4 init - " + params.getClass().getName()); - } - - public String getAlgorithmName() - { - return "RC4"; - } - - public byte returnByte(byte in) - { - x = (x + 1) & 0xff; - y = (engineState[x] + y) & 0xff; - - // swap - byte tmp = engineState[x]; - engineState[x] = engineState[y]; - engineState[y] = tmp; - - // xor - return (byte)(in ^ engineState[(engineState[x] + engineState[y]) & 0xff]); - } - - public int processBytes( - byte[] in, - int inOff, - int len, - byte[] out, - int outOff) - { - if ((inOff + len) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + len) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - for (int i = 0; i < len ; i++) - { - x = (x + 1) & 0xff; - y = (engineState[x] + y) & 0xff; - - // swap - byte tmp = engineState[x]; - engineState[x] = engineState[y]; - engineState[y] = tmp; - - // xor - out[i+outOff] = (byte)(in[i + inOff] - ^ engineState[(engineState[x] + engineState[y]) & 0xff]); - } - - return len; - } - - public void reset() - { - setKey(workingKey); - } - - // Private implementation - - private void setKey(byte[] keyBytes) - { - workingKey = keyBytes; - - // System.out.println("the key length is ; "+ workingKey.length); - - x = 0; - y = 0; - - if (engineState == null) - { - engineState = new byte[STATE_LENGTH]; - } - - // reset the state of the engine - for (int i=0; i < STATE_LENGTH; i++) - { - engineState[i] = (byte)i; - } - - int i1 = 0; - int i2 = 0; - - for (int i=0; i < STATE_LENGTH; i++) - { - i2 = ((keyBytes[i1] & 0xff) + engineState[i] + i2) & 0xff; - // do the byte-swap inline - byte tmp = engineState[i]; - engineState[i] = engineState[i2]; - engineState[i2] = tmp; - i1 = (i1+1) % keyBytes.length; - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/RC532Engine.java b/core/src/main/java/org/bouncycastle/crypto/engines/RC532Engine.java deleted file mode 100644 index 9fb6f550..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/RC532Engine.java +++ /dev/null @@ -1,287 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.RC5Parameters; - -/** - * The specification for RC5 came from the <code>RC5 Encryption Algorithm</code> - * publication in RSA CryptoBytes, Spring of 1995. - * <em>http://www.rsasecurity.com/rsalabs/cryptobytes</em>. - * <p> - * This implementation has a word size of 32 bits. - * <p> - * Implementation courtesy of Tito Pena. - */ -public class RC532Engine - implements BlockCipher -{ - /* - * the number of rounds to perform - */ - private int _noRounds; - - /* - * the expanded key array of size 2*(rounds + 1) - */ - private int _S[]; - - /* - * our "magic constants" for 32 32 - * - * Pw = Odd((e-2) * 2^wordsize) - * Qw = Odd((o-2) * 2^wordsize) - * - * where e is the base of natural logarithms (2.718281828...) - * and o is the golden ratio (1.61803398...) - */ - private static final int P32 = 0xb7e15163; - private static final int Q32 = 0x9e3779b9; - - private boolean forEncryption; - - /** - * Create an instance of the RC5 encryption algorithm - * and set some defaults - */ - public RC532Engine() - { - _noRounds = 12; // the default - _S = null; - } - - public String getAlgorithmName() - { - return "RC5-32"; - } - - public int getBlockSize() - { - return 2 * 4; - } - - /** - * initialise a RC5-32 cipher. - * - * @param forEncryption whether or not we are for encryption. - * @param params the parameters required to set up the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean forEncryption, - CipherParameters params) - { - if (params instanceof RC5Parameters) - { - RC5Parameters p = (RC5Parameters)params; - - _noRounds = p.getRounds(); - - setKey(p.getKey()); - } - else if (params instanceof KeyParameter) - { - KeyParameter p = (KeyParameter)params; - - setKey(p.getKey()); - } - else - { - throw new IllegalArgumentException("invalid parameter passed to RC532 init - " + params.getClass().getName()); - } - - this.forEncryption = forEncryption; - } - - public int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - return (forEncryption) ? encryptBlock(in, inOff, out, outOff) - : decryptBlock(in, inOff, out, outOff); - } - - public void reset() - { - } - - /** - * Re-key the cipher. - * <p> - * @param key the key to be used - */ - private void setKey( - byte[] key) - { - // - // KEY EXPANSION: - // - // There are 3 phases to the key expansion. - // - // Phase 1: - // Copy the secret key K[0...b-1] into an array L[0..c-1] of - // c = ceil(b/u), where u = 32/8 in little-endian order. - // In other words, we fill up L using u consecutive key bytes - // of K. Any unfilled byte positions in L are zeroed. In the - // case that b = c = 0, set c = 1 and L[0] = 0. - // - int[] L = new int[(key.length + (4 - 1)) / 4]; - - for (int i = 0; i != key.length; i++) - { - L[i / 4] += (key[i] & 0xff) << (8 * (i % 4)); - } - - // - // Phase 2: - // Initialize S to a particular fixed pseudo-random bit pattern - // using an arithmetic progression modulo 2^wordsize determined - // by the magic numbers, Pw & Qw. - // - _S = new int[2*(_noRounds + 1)]; - - _S[0] = P32; - for (int i=1; i < _S.length; i++) - { - _S[i] = (_S[i-1] + Q32); - } - - // - // Phase 3: - // Mix in the user's secret key in 3 passes over the arrays S & L. - // The max of the arrays sizes is used as the loop control - // - int iter; - - if (L.length > _S.length) - { - iter = 3 * L.length; - } - else - { - iter = 3 * _S.length; - } - - int A = 0, B = 0; - int i = 0, j = 0; - - for (int k = 0; k < iter; k++) - { - A = _S[i] = rotateLeft(_S[i] + A + B, 3); - B = L[j] = rotateLeft(L[j] + A + B, A+B); - i = (i+1) % _S.length; - j = (j+1) % L.length; - } - } - - /** - * Encrypt the given block starting at the given offset and place - * the result in the provided buffer starting at the given offset. - * <p> - * @param in in byte buffer containing data to encrypt - * @param inOff offset into src buffer - * @param out out buffer where encrypted data is written - * @param outOff offset into out buffer - */ - private int encryptBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - int A = bytesToWord(in, inOff) + _S[0]; - int B = bytesToWord(in, inOff + 4) + _S[1]; - - for (int i = 1; i <= _noRounds; i++) - { - A = rotateLeft(A ^ B, B) + _S[2*i]; - B = rotateLeft(B ^ A, A) + _S[2*i+1]; - } - - wordToBytes(A, out, outOff); - wordToBytes(B, out, outOff + 4); - - return 2 * 4; - } - - private int decryptBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - int A = bytesToWord(in, inOff); - int B = bytesToWord(in, inOff + 4); - - for (int i = _noRounds; i >= 1; i--) - { - B = rotateRight(B - _S[2*i+1], A) ^ A; - A = rotateRight(A - _S[2*i], B) ^ B; - } - - wordToBytes(A - _S[0], out, outOff); - wordToBytes(B - _S[1], out, outOff + 4); - - return 2 * 4; - } - - - ////////////////////////////////////////////////////////////// - // - // PRIVATE Helper Methods - // - ////////////////////////////////////////////////////////////// - - /** - * Perform a left "spin" of the word. The rotation of the given - * word <em>x</em> is rotated left by <em>y</em> bits. - * Only the <em>lg(32)</em> low-order bits of <em>y</em> - * are used to determine the rotation amount. Here it is - * assumed that the wordsize used is a power of 2. - * <p> - * @param x word to rotate - * @param y number of bits to rotate % 32 - */ - private int rotateLeft(int x, int y) - { - return ((x << (y & (32-1))) | (x >>> (32 - (y & (32-1))))); - } - - /** - * Perform a right "spin" of the word. The rotation of the given - * word <em>x</em> is rotated left by <em>y</em> bits. - * Only the <em>lg(32)</em> low-order bits of <em>y</em> - * are used to determine the rotation amount. Here it is - * assumed that the wordsize used is a power of 2. - * <p> - * @param x word to rotate - * @param y number of bits to rotate % 32 - */ - private int rotateRight(int x, int y) - { - return ((x >>> (y & (32-1))) | (x << (32 - (y & (32-1))))); - } - - private int bytesToWord( - byte[] src, - int srcOff) - { - return (src[srcOff] & 0xff) | ((src[srcOff + 1] & 0xff) << 8) - | ((src[srcOff + 2] & 0xff) << 16) | ((src[srcOff + 3] & 0xff) << 24); - } - - private void wordToBytes( - int word, - byte[] dst, - int dstOff) - { - dst[dstOff] = (byte)word; - dst[dstOff + 1] = (byte)(word >> 8); - dst[dstOff + 2] = (byte)(word >> 16); - dst[dstOff + 3] = (byte)(word >> 24); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/RC564Engine.java b/core/src/main/java/org/bouncycastle/crypto/engines/RC564Engine.java deleted file mode 100644 index 2121a4bc..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/RC564Engine.java +++ /dev/null @@ -1,288 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.params.RC5Parameters; - -/** - * The specification for RC5 came from the <code>RC5 Encryption Algorithm</code> - * publication in RSA CryptoBytes, Spring of 1995. - * <em>http://www.rsasecurity.com/rsalabs/cryptobytes</em>. - * <p> - * This implementation is set to work with a 64 bit word size. - * <p> - * Implementation courtesy of Tito Pena. - */ -public class RC564Engine - implements BlockCipher -{ - private static final int wordSize = 64; - private static final int bytesPerWord = wordSize / 8; - - /* - * the number of rounds to perform - */ - private int _noRounds; - - /* - * the expanded key array of size 2*(rounds + 1) - */ - private long _S[]; - - /* - * our "magic constants" for wordSize 62 - * - * Pw = Odd((e-2) * 2^wordsize) - * Qw = Odd((o-2) * 2^wordsize) - * - * where e is the base of natural logarithms (2.718281828...) - * and o is the golden ratio (1.61803398...) - */ - private static final long P64 = 0xb7e151628aed2a6bL; - private static final long Q64 = 0x9e3779b97f4a7c15L; - - private boolean forEncryption; - - /** - * Create an instance of the RC5 encryption algorithm - * and set some defaults - */ - public RC564Engine() - { - _noRounds = 12; - _S = null; - } - - public String getAlgorithmName() - { - return "RC5-64"; - } - - public int getBlockSize() - { - return 2 * bytesPerWord; - } - - /** - * initialise a RC5-64 cipher. - * - * @param forEncryption whether or not we are for encryption. - * @param params the parameters required to set up the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean forEncryption, - CipherParameters params) - { - if (!(params instanceof RC5Parameters)) - { - throw new IllegalArgumentException("invalid parameter passed to RC564 init - " + params.getClass().getName()); - } - - RC5Parameters p = (RC5Parameters)params; - - this.forEncryption = forEncryption; - - _noRounds = p.getRounds(); - - setKey(p.getKey()); - } - - public int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - return (forEncryption) ? encryptBlock(in, inOff, out, outOff) - : decryptBlock(in, inOff, out, outOff); - } - - public void reset() - { - } - - /** - * Re-key the cipher. - * <p> - * @param key the key to be used - */ - private void setKey( - byte[] key) - { - // - // KEY EXPANSION: - // - // There are 3 phases to the key expansion. - // - // Phase 1: - // Copy the secret key K[0...b-1] into an array L[0..c-1] of - // c = ceil(b/u), where u = wordSize/8 in little-endian order. - // In other words, we fill up L using u consecutive key bytes - // of K. Any unfilled byte positions in L are zeroed. In the - // case that b = c = 0, set c = 1 and L[0] = 0. - // - long[] L = new long[(key.length + (bytesPerWord - 1)) / bytesPerWord]; - - for (int i = 0; i != key.length; i++) - { - L[i / bytesPerWord] += (long)(key[i] & 0xff) << (8 * (i % bytesPerWord)); - } - - // - // Phase 2: - // Initialize S to a particular fixed pseudo-random bit pattern - // using an arithmetic progression modulo 2^wordsize determined - // by the magic numbers, Pw & Qw. - // - _S = new long[2*(_noRounds + 1)]; - - _S[0] = P64; - for (int i=1; i < _S.length; i++) - { - _S[i] = (_S[i-1] + Q64); - } - - // - // Phase 3: - // Mix in the user's secret key in 3 passes over the arrays S & L. - // The max of the arrays sizes is used as the loop control - // - int iter; - - if (L.length > _S.length) - { - iter = 3 * L.length; - } - else - { - iter = 3 * _S.length; - } - - long A = 0, B = 0; - int i = 0, j = 0; - - for (int k = 0; k < iter; k++) - { - A = _S[i] = rotateLeft(_S[i] + A + B, 3); - B = L[j] = rotateLeft(L[j] + A + B, A+B); - i = (i+1) % _S.length; - j = (j+1) % L.length; - } - } - - /** - * Encrypt the given block starting at the given offset and place - * the result in the provided buffer starting at the given offset. - * <p> - * @param in in byte buffer containing data to encrypt - * @param inOff offset into src buffer - * @param out out buffer where encrypted data is written - * @param outOff offset into out buffer - */ - private int encryptBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - long A = bytesToWord(in, inOff) + _S[0]; - long B = bytesToWord(in, inOff + bytesPerWord) + _S[1]; - - for (int i = 1; i <= _noRounds; i++) - { - A = rotateLeft(A ^ B, B) + _S[2*i]; - B = rotateLeft(B ^ A, A) + _S[2*i+1]; - } - - wordToBytes(A, out, outOff); - wordToBytes(B, out, outOff + bytesPerWord); - - return 2 * bytesPerWord; - } - - private int decryptBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - long A = bytesToWord(in, inOff); - long B = bytesToWord(in, inOff + bytesPerWord); - - for (int i = _noRounds; i >= 1; i--) - { - B = rotateRight(B - _S[2*i+1], A) ^ A; - A = rotateRight(A - _S[2*i], B) ^ B; - } - - wordToBytes(A - _S[0], out, outOff); - wordToBytes(B - _S[1], out, outOff + bytesPerWord); - - return 2 * bytesPerWord; - } - - - ////////////////////////////////////////////////////////////// - // - // PRIVATE Helper Methods - // - ////////////////////////////////////////////////////////////// - - /** - * Perform a left "spin" of the word. The rotation of the given - * word <em>x</em> is rotated left by <em>y</em> bits. - * Only the <em>lg(wordSize)</em> low-order bits of <em>y</em> - * are used to determine the rotation amount. Here it is - * assumed that the wordsize used is a power of 2. - * <p> - * @param x word to rotate - * @param y number of bits to rotate % wordSize - */ - private long rotateLeft(long x, long y) - { - return ((x << (y & (wordSize-1))) | (x >>> (wordSize - (y & (wordSize-1))))); - } - - /** - * Perform a right "spin" of the word. The rotation of the given - * word <em>x</em> is rotated left by <em>y</em> bits. - * Only the <em>lg(wordSize)</em> low-order bits of <em>y</em> - * are used to determine the rotation amount. Here it is - * assumed that the wordsize used is a power of 2. - * <p> - * @param x word to rotate - * @param y number of bits to rotate % wordSize - */ - private long rotateRight(long x, long y) - { - return ((x >>> (y & (wordSize-1))) | (x << (wordSize - (y & (wordSize-1))))); - } - - private long bytesToWord( - byte[] src, - int srcOff) - { - long word = 0; - - for (int i = bytesPerWord - 1; i >= 0; i--) - { - word = (word << 8) + (src[i + srcOff] & 0xff); - } - - return word; - } - - private void wordToBytes( - long word, - byte[] dst, - int dstOff) - { - for (int i = 0; i < bytesPerWord; i++) - { - dst[i + dstOff] = (byte)word; - word >>>= 8; - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/RC6Engine.java b/core/src/main/java/org/bouncycastle/crypto/engines/RC6Engine.java deleted file mode 100644 index bbf5d306..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/RC6Engine.java +++ /dev/null @@ -1,363 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.params.KeyParameter; - -/** - * An RC6 engine. - */ -public class RC6Engine - implements BlockCipher -{ - private static final int wordSize = 32; - private static final int bytesPerWord = wordSize / 8; - - /* - * the number of rounds to perform - */ - private static final int _noRounds = 20; - - /* - * the expanded key array of size 2*(rounds + 1) - */ - private int _S[]; - - /* - * our "magic constants" for wordSize 32 - * - * Pw = Odd((e-2) * 2^wordsize) - * Qw = Odd((o-2) * 2^wordsize) - * - * where e is the base of natural logarithms (2.718281828...) - * and o is the golden ratio (1.61803398...) - */ - private static final int P32 = 0xb7e15163; - private static final int Q32 = 0x9e3779b9; - - private static final int LGW = 5; // log2(32) - - private boolean forEncryption; - - /** - * Create an instance of the RC6 encryption algorithm - * and set some defaults - */ - public RC6Engine() - { - _S = null; - } - - public String getAlgorithmName() - { - return "RC6"; - } - - public int getBlockSize() - { - return 4 * bytesPerWord; - } - - /** - * initialise a RC5-32 cipher. - * - * @param forEncryption whether or not we are for encryption. - * @param params the parameters required to set up the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean forEncryption, - CipherParameters params) - { - if (!(params instanceof KeyParameter)) - { - throw new IllegalArgumentException("invalid parameter passed to RC6 init - " + params.getClass().getName()); - } - - KeyParameter p = (KeyParameter)params; - this.forEncryption = forEncryption; - setKey(p.getKey()); - } - - public int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - int blockSize = getBlockSize(); - if (_S == null) - { - throw new IllegalStateException("RC6 engine not initialised"); - } - if ((inOff + blockSize) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - if ((outOff + blockSize) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - return (forEncryption) - ? encryptBlock(in, inOff, out, outOff) - : decryptBlock(in, inOff, out, outOff); - } - - public void reset() - { - } - - /** - * Re-key the cipher. - * <p> - * @param key the key to be used - */ - private void setKey( - byte[] key) - { - - // - // KEY EXPANSION: - // - // There are 3 phases to the key expansion. - // - // Phase 1: - // Copy the secret key K[0...b-1] into an array L[0..c-1] of - // c = ceil(b/u), where u = wordSize/8 in little-endian order. - // In other words, we fill up L using u consecutive key bytes - // of K. Any unfilled byte positions in L are zeroed. In the - // case that b = c = 0, set c = 1 and L[0] = 0. - // - // compute number of dwords - int c = (key.length + (bytesPerWord - 1)) / bytesPerWord; - if (c == 0) - { - c = 1; - } - int[] L = new int[(key.length + bytesPerWord - 1) / bytesPerWord]; - - // load all key bytes into array of key dwords - for (int i = key.length - 1; i >= 0; i--) - { - L[i / bytesPerWord] = (L[i / bytesPerWord] << 8) + (key[i] & 0xff); - } - - // - // Phase 2: - // Key schedule is placed in a array of 2+2*ROUNDS+2 = 44 dwords. - // Initialize S to a particular fixed pseudo-random bit pattern - // using an arithmetic progression modulo 2^wordsize determined - // by the magic numbers, Pw & Qw. - // - _S = new int[2+2*_noRounds+2]; - - _S[0] = P32; - for (int i=1; i < _S.length; i++) - { - _S[i] = (_S[i-1] + Q32); - } - - // - // Phase 3: - // Mix in the user's secret key in 3 passes over the arrays S & L. - // The max of the arrays sizes is used as the loop control - // - int iter; - - if (L.length > _S.length) - { - iter = 3 * L.length; - } - else - { - iter = 3 * _S.length; - } - - int A = 0; - int B = 0; - int i = 0, j = 0; - - for (int k = 0; k < iter; k++) - { - A = _S[i] = rotateLeft(_S[i] + A + B, 3); - B = L[j] = rotateLeft(L[j] + A + B, A+B); - i = (i+1) % _S.length; - j = (j+1) % L.length; - } - } - - private int encryptBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - // load A,B,C and D registers from in. - int A = bytesToWord(in, inOff); - int B = bytesToWord(in, inOff + bytesPerWord); - int C = bytesToWord(in, inOff + bytesPerWord*2); - int D = bytesToWord(in, inOff + bytesPerWord*3); - - // Do pseudo-round #0: pre-whitening of B and D - B += _S[0]; - D += _S[1]; - - // perform round #1,#2 ... #ROUNDS of encryption - for (int i = 1; i <= _noRounds; i++) - { - int t = 0,u = 0; - - t = B*(2*B+1); - t = rotateLeft(t,5); - - u = D*(2*D+1); - u = rotateLeft(u,5); - - A ^= t; - A = rotateLeft(A,u); - A += _S[2*i]; - - C ^= u; - C = rotateLeft(C,t); - C += _S[2*i+1]; - - int temp = A; - A = B; - B = C; - C = D; - D = temp; - } - // do pseudo-round #(ROUNDS+1) : post-whitening of A and C - A += _S[2*_noRounds+2]; - C += _S[2*_noRounds+3]; - - // store A, B, C and D registers to out - wordToBytes(A, out, outOff); - wordToBytes(B, out, outOff + bytesPerWord); - wordToBytes(C, out, outOff + bytesPerWord*2); - wordToBytes(D, out, outOff + bytesPerWord*3); - - return 4 * bytesPerWord; - } - - private int decryptBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - // load A,B,C and D registers from out. - int A = bytesToWord(in, inOff); - int B = bytesToWord(in, inOff + bytesPerWord); - int C = bytesToWord(in, inOff + bytesPerWord*2); - int D = bytesToWord(in, inOff + bytesPerWord*3); - - // Undo pseudo-round #(ROUNDS+1) : post whitening of A and C - C -= _S[2*_noRounds+3]; - A -= _S[2*_noRounds+2]; - - // Undo round #ROUNDS, .., #2,#1 of encryption - for (int i = _noRounds; i >= 1; i--) - { - int t=0,u = 0; - - int temp = D; - D = C; - C = B; - B = A; - A = temp; - - t = B*(2*B+1); - t = rotateLeft(t, LGW); - - u = D*(2*D+1); - u = rotateLeft(u, LGW); - - C -= _S[2*i+1]; - C = rotateRight(C,t); - C ^= u; - - A -= _S[2*i]; - A = rotateRight(A,u); - A ^= t; - - } - // Undo pseudo-round #0: pre-whitening of B and D - D -= _S[1]; - B -= _S[0]; - - wordToBytes(A, out, outOff); - wordToBytes(B, out, outOff + bytesPerWord); - wordToBytes(C, out, outOff + bytesPerWord*2); - wordToBytes(D, out, outOff + bytesPerWord*3); - - return 4 * bytesPerWord; - } - - - ////////////////////////////////////////////////////////////// - // - // PRIVATE Helper Methods - // - ////////////////////////////////////////////////////////////// - - /** - * Perform a left "spin" of the word. The rotation of the given - * word <em>x</em> is rotated left by <em>y</em> bits. - * Only the <em>lg(wordSize)</em> low-order bits of <em>y</em> - * are used to determine the rotation amount. Here it is - * assumed that the wordsize used is 32. - * <p> - * @param x word to rotate - * @param y number of bits to rotate % wordSize - */ - private int rotateLeft(int x, int y) - { - return (x << y) | (x >>> -y); - } - - /** - * Perform a right "spin" of the word. The rotation of the given - * word <em>x</em> is rotated left by <em>y</em> bits. - * Only the <em>lg(wordSize)</em> low-order bits of <em>y</em> - * are used to determine the rotation amount. Here it is - * assumed that the wordsize used is a power of 2. - * <p> - * @param x word to rotate - * @param y number of bits to rotate % wordSize - */ - private int rotateRight(int x, int y) - { - return (x >>> y) | (x << -y); - } - - private int bytesToWord( - byte[] src, - int srcOff) - { - int word = 0; - - for (int i = bytesPerWord - 1; i >= 0; i--) - { - word = (word << 8) + (src[i + srcOff] & 0xff); - } - - return word; - } - - private void wordToBytes( - int word, - byte[] dst, - int dstOff) - { - for (int i = 0; i < bytesPerWord; i++) - { - dst[i + dstOff] = (byte)word; - word >>>= 8; - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/RFC3211WrapEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/RFC3211WrapEngine.java deleted file mode 100644 index 0d10eeb5..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/RFC3211WrapEngine.java +++ /dev/null @@ -1,175 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.InvalidCipherTextException; -import org.bouncycastle.crypto.Wrapper; -import org.bouncycastle.crypto.modes.CBCBlockCipher; -import org.bouncycastle.crypto.params.ParametersWithIV; -import org.bouncycastle.crypto.params.ParametersWithRandom; - -import java.security.SecureRandom; - -/** - * an implementation of the RFC 3211 Key Wrap - * Specification. - */ -public class RFC3211WrapEngine - implements Wrapper -{ - private CBCBlockCipher engine; - private ParametersWithIV param; - private boolean forWrapping; - private SecureRandom rand; - - public RFC3211WrapEngine(BlockCipher engine) - { - this.engine = new CBCBlockCipher(engine); - } - - public void init( - boolean forWrapping, - CipherParameters param) - { - this.forWrapping = forWrapping; - - if (param instanceof ParametersWithRandom) - { - ParametersWithRandom p = (ParametersWithRandom)param; - - rand = p.getRandom(); - this.param = (ParametersWithIV)p.getParameters(); - } - else - { - if (forWrapping) - { - rand = new SecureRandom(); - } - - this.param = (ParametersWithIV)param; - } - } - - public String getAlgorithmName() - { - return engine.getUnderlyingCipher().getAlgorithmName() + "/RFC3211Wrap"; - } - - public byte[] wrap( - byte[] in, - int inOff, - int inLen) - { - if (!forWrapping) - { - throw new IllegalStateException("not set for wrapping"); - } - - engine.init(true, param); - - int blockSize = engine.getBlockSize(); - byte[] cekBlock; - - if (inLen + 4 < blockSize * 2) - { - cekBlock = new byte[blockSize * 2]; - } - else - { - cekBlock = new byte[(inLen + 4) % blockSize == 0 ? inLen + 4 : ((inLen + 4) / blockSize + 1) * blockSize]; - } - - cekBlock[0] = (byte)inLen; - cekBlock[1] = (byte)~in[inOff]; - cekBlock[2] = (byte)~in[inOff + 1]; - cekBlock[3] = (byte)~in[inOff + 2]; - - System.arraycopy(in, inOff, cekBlock, 4, inLen); - - for (int i = inLen + 4; i < cekBlock.length; i++) - { - cekBlock[i] = (byte)rand.nextInt(); - } - - for (int i = 0; i < cekBlock.length; i += blockSize) - { - engine.processBlock(cekBlock, i, cekBlock, i); - } - - for (int i = 0; i < cekBlock.length; i += blockSize) - { - engine.processBlock(cekBlock, i, cekBlock, i); - } - - return cekBlock; - } - - public byte[] unwrap( - byte[] in, - int inOff, - int inLen) - throws InvalidCipherTextException - { - if (forWrapping) - { - throw new IllegalStateException("not set for unwrapping"); - } - - int blockSize = engine.getBlockSize(); - - if (inLen < 2 * blockSize) - { - throw new InvalidCipherTextException("input too short"); - } - - byte[] cekBlock = new byte[inLen]; - byte[] iv = new byte[blockSize]; - - System.arraycopy(in, inOff, cekBlock, 0, inLen); - System.arraycopy(in, inOff, iv, 0, iv.length); - - engine.init(false, new ParametersWithIV(param.getParameters(), iv)); - - for (int i = blockSize; i < cekBlock.length; i += blockSize) - { - engine.processBlock(cekBlock, i, cekBlock, i); - } - - System.arraycopy(cekBlock, cekBlock.length - iv.length, iv, 0, iv.length); - - engine.init(false, new ParametersWithIV(param.getParameters(), iv)); - - engine.processBlock(cekBlock, 0, cekBlock, 0); - - engine.init(false, param); - - for (int i = 0; i < cekBlock.length; i += blockSize) - { - engine.processBlock(cekBlock, i, cekBlock, i); - } - - if ((cekBlock[0] & 0xff) > cekBlock.length - 4) - { - throw new InvalidCipherTextException("wrapped key corrupted"); - } - - byte[] key = new byte[cekBlock[0] & 0xff]; - - System.arraycopy(cekBlock, 4, key, 0, cekBlock[0]); - - // Note: Using constant time comparison - int nonEqual = 0; - for (int i = 0; i != 3; i++) - { - byte check = (byte)~cekBlock[1 + i]; - nonEqual |= (check ^ key[i]); - } - if (nonEqual != 0) - { - throw new InvalidCipherTextException("wrapped key fails checksum"); - } - - return key; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/RFC3394WrapEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/RFC3394WrapEngine.java deleted file mode 100644 index cfd86fb6..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/RFC3394WrapEngine.java +++ /dev/null @@ -1,177 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.InvalidCipherTextException; -import org.bouncycastle.crypto.Wrapper; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.ParametersWithIV; -import org.bouncycastle.crypto.params.ParametersWithRandom; -import org.bouncycastle.util.Arrays; - -/** - * an implementation of the AES Key Wrapper from the NIST Key Wrap - * Specification as described in RFC 3394. - * <p> - * For further details see: <a href="http://www.ietf.org/rfc/rfc3394.txt">http://www.ietf.org/rfc/rfc3394.txt</a> - * and <a href="http://csrc.nist.gov/encryption/kms/key-wrap.pdf">http://csrc.nist.gov/encryption/kms/key-wrap.pdf</a>. - */ -public class RFC3394WrapEngine - implements Wrapper -{ - private BlockCipher engine; - private KeyParameter param; - private boolean forWrapping; - - private byte[] iv = { - (byte)0xa6, (byte)0xa6, (byte)0xa6, (byte)0xa6, - (byte)0xa6, (byte)0xa6, (byte)0xa6, (byte)0xa6 }; - - public RFC3394WrapEngine(BlockCipher engine) - { - this.engine = engine; - } - - public void init( - boolean forWrapping, - CipherParameters param) - { - this.forWrapping = forWrapping; - - if (param instanceof ParametersWithRandom) - { - param = ((ParametersWithRandom) param).getParameters(); - } - - if (param instanceof KeyParameter) - { - this.param = (KeyParameter)param; - } - else if (param instanceof ParametersWithIV) - { - this.iv = ((ParametersWithIV)param).getIV(); - this.param = (KeyParameter)((ParametersWithIV) param).getParameters(); - if (this.iv.length != 8) - { - throw new IllegalArgumentException("IV not equal to 8"); - } - } - } - - public String getAlgorithmName() - { - return engine.getAlgorithmName(); - } - - public byte[] wrap( - byte[] in, - int inOff, - int inLen) - { - if (!forWrapping) - { - throw new IllegalStateException("not set for wrapping"); - } - - int n = inLen / 8; - - if ((n * 8) != inLen) - { - throw new DataLengthException("wrap data must be a multiple of 8 bytes"); - } - - byte[] block = new byte[inLen + iv.length]; - byte[] buf = new byte[8 + iv.length]; - - System.arraycopy(iv, 0, block, 0, iv.length); - System.arraycopy(in, inOff, block, iv.length, inLen); - - engine.init(true, param); - - for (int j = 0; j != 6; j++) - { - for (int i = 1; i <= n; i++) - { - System.arraycopy(block, 0, buf, 0, iv.length); - System.arraycopy(block, 8 * i, buf, iv.length, 8); - engine.processBlock(buf, 0, buf, 0); - - int t = n * j + i; - for (int k = 1; t != 0; k++) - { - byte v = (byte)t; - - buf[iv.length - k] ^= v; - - t >>>= 8; - } - - System.arraycopy(buf, 0, block, 0, 8); - System.arraycopy(buf, 8, block, 8 * i, 8); - } - } - - return block; - } - - public byte[] unwrap( - byte[] in, - int inOff, - int inLen) - throws InvalidCipherTextException - { - if (forWrapping) - { - throw new IllegalStateException("not set for unwrapping"); - } - - int n = inLen / 8; - - if ((n * 8) != inLen) - { - throw new InvalidCipherTextException("unwrap data must be a multiple of 8 bytes"); - } - - byte[] block = new byte[inLen - iv.length]; - byte[] a = new byte[iv.length]; - byte[] buf = new byte[8 + iv.length]; - - System.arraycopy(in, inOff, a, 0, iv.length); - System.arraycopy(in, inOff + iv.length, block, 0, inLen - iv.length); - - engine.init(false, param); - - n = n - 1; - - for (int j = 5; j >= 0; j--) - { - for (int i = n; i >= 1; i--) - { - System.arraycopy(a, 0, buf, 0, iv.length); - System.arraycopy(block, 8 * (i - 1), buf, iv.length, 8); - - int t = n * j + i; - for (int k = 1; t != 0; k++) - { - byte v = (byte)t; - - buf[iv.length - k] ^= v; - - t >>>= 8; - } - - engine.processBlock(buf, 0, buf, 0); - System.arraycopy(buf, 0, a, 0, 8); - System.arraycopy(buf, 8, block, 8 * (i - 1), 8); - } - } - - if (!Arrays.constantTimeAreEqual(a, iv)) - { - throw new InvalidCipherTextException("checksum failed"); - } - - return block; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/RFC5649WrapEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/RFC5649WrapEngine.java deleted file mode 100644 index 548969ac..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/RFC5649WrapEngine.java +++ /dev/null @@ -1,294 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.InvalidCipherTextException; -import org.bouncycastle.crypto.Wrapper; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.ParametersWithIV; -import org.bouncycastle.crypto.params.ParametersWithRandom; -import org.bouncycastle.util.Arrays; -import org.bouncycastle.util.Pack; - -/** - * An implementation of the AES Key Wrap with Padding specification - * as described in RFC 5649. - * <p> - * For details on the specification see: - * <a href="https://tools.ietf.org/html/rfc5649">https://tools.ietf.org/html/rfc5649</a> - * </p> - */ -public class RFC5649WrapEngine - implements Wrapper -{ - private BlockCipher engine; - private KeyParameter param; - private boolean forWrapping; - - // The AIV as defined in the RFC - private byte[] highOrderIV = {(byte)0xa6, (byte)0x59, (byte)0x59, (byte)0xa6}; - private byte[] preIV = highOrderIV; - - private byte[] extractedAIV = null; - - public RFC5649WrapEngine(BlockCipher engine) - { - this.engine = engine; - } - - public void init(boolean forWrapping, CipherParameters param) - { - this.forWrapping = forWrapping; - - if (param instanceof ParametersWithRandom) - { - param = ((ParametersWithRandom)param).getParameters(); - } - - if (param instanceof KeyParameter) - { - this.param = (KeyParameter)param; - } - else if (param instanceof ParametersWithIV) - { - this.preIV = ((ParametersWithIV)param).getIV(); - this.param = (KeyParameter)((ParametersWithIV)param).getParameters(); - if (this.preIV.length != 4) - { - throw new IllegalArgumentException("IV length not equal to 4"); - } - } - } - - public String getAlgorithmName() - { - return engine.getAlgorithmName(); - } - - /** - * Pads the plaintext (i.e., the key to be wrapped) - * as per section 4.1 of RFC 5649. - * - * @param plaintext The key being wrapped. - * @return The padded key. - */ - private byte[] padPlaintext(byte[] plaintext) - { - int plaintextLength = plaintext.length; - int numOfZerosToAppend = (8 - (plaintextLength % 8)) % 8; - byte[] paddedPlaintext = new byte[plaintextLength + numOfZerosToAppend]; - System.arraycopy(plaintext, 0, paddedPlaintext, 0, plaintextLength); - if (numOfZerosToAppend != 0) - { - // plaintext (i.e., key to be wrapped) does not have - // a multiple of 8 octet blocks so it must be padded - byte[] zeros = new byte[numOfZerosToAppend]; - System.arraycopy(zeros, 0, paddedPlaintext, plaintextLength, numOfZerosToAppend); - } - return paddedPlaintext; - } - - public byte[] wrap(byte[] in, int inOff, int inLen) - { - if (!forWrapping) - { - throw new IllegalStateException("not set for wrapping"); - } - byte[] iv = new byte[8]; - - // MLI = size of key to be wrapped - byte[] mli = Pack.intToBigEndian(inLen); - // copy in the fixed portion of the AIV - System.arraycopy(preIV, 0, iv, 0, preIV.length); - // copy in the MLI after the AIV - System.arraycopy(mli, 0, iv, preIV.length, mli.length); - - // get the relevant plaintext to be wrapped - byte[] relevantPlaintext = new byte[inLen]; - System.arraycopy(in, inOff, relevantPlaintext, 0, inLen); - byte[] paddedPlaintext = padPlaintext(relevantPlaintext); - - if (paddedPlaintext.length == 8) - { - // if the padded plaintext contains exactly 8 octets, - // then prepend iv and encrypt using AES in ECB mode. - - // prepend the IV to the plaintext - byte[] paddedPlainTextWithIV = new byte[paddedPlaintext.length + iv.length]; - System.arraycopy(iv, 0, paddedPlainTextWithIV, 0, iv.length); - System.arraycopy(paddedPlaintext, 0, paddedPlainTextWithIV, iv.length, paddedPlaintext.length); - - engine.init(true, param); - for (int i = 0; i < paddedPlainTextWithIV.length; i += engine.getBlockSize()) - { - engine.processBlock(paddedPlainTextWithIV, i, paddedPlainTextWithIV, i); - } - - return paddedPlainTextWithIV; - } - else - { - // otherwise, apply the RFC 3394 wrap to - // the padded plaintext with the new IV - Wrapper wrapper = new RFC3394WrapEngine(engine); - ParametersWithIV paramsWithIV = new ParametersWithIV(param, iv); - wrapper.init(true, paramsWithIV); - return wrapper.wrap(paddedPlaintext, inOff, paddedPlaintext.length); - } - - } - - public byte[] unwrap(byte[] in, int inOff, int inLen) - throws InvalidCipherTextException - { - if (forWrapping) - { - throw new IllegalStateException("not set for unwrapping"); - } - - int n = inLen / 8; - - if ((n * 8) != inLen) - { - throw new InvalidCipherTextException("unwrap data must be a multiple of 8 bytes"); - } - - if (n == 1) - { - throw new InvalidCipherTextException("unwrap data must be at least 16 bytes"); - } - - byte[] relevantCiphertext = new byte[inLen]; - System.arraycopy(in, inOff, relevantCiphertext, 0, inLen); - byte[] decrypted = new byte[inLen]; - byte[] paddedPlaintext; - - if (n == 2) - { - // When there are exactly two 64-bit blocks of ciphertext, - // they are decrypted as a single block using AES in ECB. - engine.init(false, param); - for (int i = 0; i < relevantCiphertext.length; i += engine.getBlockSize()) - { - engine.processBlock(relevantCiphertext, i, decrypted, i); - } - - // extract the AIV - extractedAIV = new byte[8]; - System.arraycopy(decrypted, 0, extractedAIV, 0, extractedAIV.length); - paddedPlaintext = new byte[decrypted.length - extractedAIV.length]; - System.arraycopy(decrypted, extractedAIV.length, paddedPlaintext, 0, paddedPlaintext.length); - } - else - { - // Otherwise, unwrap as per RFC 3394 but don't check IV the same way - decrypted = rfc3394UnwrapNoIvCheck(in, inOff, inLen); - paddedPlaintext = decrypted; - } - - // Decompose the extracted AIV to the fixed portion and the MLI - byte[] extractedHighOrderAIV = new byte[4]; - byte[] mliBytes = new byte[4]; - System.arraycopy(extractedAIV, 0, extractedHighOrderAIV, 0, extractedHighOrderAIV.length); - System.arraycopy(extractedAIV, extractedHighOrderAIV.length, mliBytes, 0, mliBytes.length); - int mli = Pack.bigEndianToInt(mliBytes, 0); - - // Even if a check fails we still continue and check everything - // else in order to avoid certain timing based side-channel attacks. - boolean isValid = true; - - // Check the fixed portion of the AIV - if (!Arrays.constantTimeAreEqual(extractedHighOrderAIV, preIV)) - { - isValid = false; - } - - // Check the MLI against the actual length - int upperBound = paddedPlaintext.length; - int lowerBound = upperBound - 8; - if (mli <= lowerBound) - { - isValid = false; - } - if (mli > upperBound) - { - isValid = false; - } - - // Check the number of padded zeros - int expectedZeros = upperBound - mli; - byte[] zeros = new byte[expectedZeros]; - byte[] pad = new byte[expectedZeros]; - System.arraycopy(paddedPlaintext, paddedPlaintext.length - expectedZeros, pad, 0, expectedZeros); - if (!Arrays.constantTimeAreEqual(pad, zeros)) - { - isValid = false; - } - - // Extract the plaintext from the padded plaintext - byte[] plaintext = new byte[mli]; - System.arraycopy(paddedPlaintext, 0, plaintext, 0, plaintext.length); - - if (!isValid) - { - throw new InvalidCipherTextException("checksum failed"); - } - - return plaintext; - } - - /** - * Performs steps 1 and 2 of the unwrap process defined in RFC 3394. - * This code is duplicated from RFC3394WrapEngine because that class - * will throw an error during unwrap because the IV won't match up. - * - * @param in - * @param inOff - * @param inLen - * @return Unwrapped data. - */ - private byte[] rfc3394UnwrapNoIvCheck(byte[] in, int inOff, int inLen) - { - byte[] iv = new byte[8]; - byte[] block = new byte[inLen - iv.length]; - byte[] a = new byte[iv.length]; - byte[] buf = new byte[8 + iv.length]; - - System.arraycopy(in, inOff, a, 0, iv.length); - System.arraycopy(in, inOff + iv.length, block, 0, inLen - iv.length); - - engine.init(false, param); - - int n = inLen / 8; - n = n - 1; - - for (int j = 5; j >= 0; j--) - { - for (int i = n; i >= 1; i--) - { - System.arraycopy(a, 0, buf, 0, iv.length); - System.arraycopy(block, 8 * (i - 1), buf, iv.length, 8); - - int t = n * j + i; - for (int k = 1; t != 0; k++) - { - byte v = (byte)t; - - buf[iv.length - k] ^= v; - - t >>>= 8; - } - - engine.processBlock(buf, 0, buf, 0); - System.arraycopy(buf, 0, a, 0, 8); - System.arraycopy(buf, 8, block, 8 * (i - 1), 8); - } - } - - // set the extracted AIV - extractedAIV = a; - - return block; - } - -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/RSABlindedEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/RSABlindedEngine.java deleted file mode 100644 index c9765bf8..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/RSABlindedEngine.java +++ /dev/null @@ -1,126 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.AsymmetricBlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.params.ParametersWithRandom; -import org.bouncycastle.crypto.params.RSAKeyParameters; -import org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters; -import org.bouncycastle.util.BigIntegers; - -/** - * this does your basic RSA algorithm with blinding - */ -public class RSABlindedEngine - implements AsymmetricBlockCipher -{ - private static final BigInteger ONE = BigInteger.valueOf(1); - - private RSACoreEngine core = new RSACoreEngine(); - private RSAKeyParameters key; - private SecureRandom random; - - /** - * initialise the RSA engine. - * - * @param forEncryption true if we are encrypting, false otherwise. - * @param param the necessary RSA key parameters. - */ - public void init( - boolean forEncryption, - CipherParameters param) - { - core.init(forEncryption, param); - - if (param instanceof ParametersWithRandom) - { - ParametersWithRandom rParam = (ParametersWithRandom)param; - - key = (RSAKeyParameters)rParam.getParameters(); - random = rParam.getRandom(); - } - else - { - key = (RSAKeyParameters)param; - random = new SecureRandom(); - } - } - - /** - * Return the maximum size for an input block to this engine. - * For RSA this is always one byte less than the key size on - * encryption, and the same length as the key size on decryption. - * - * @return maximum size for an input block. - */ - public int getInputBlockSize() - { - return core.getInputBlockSize(); - } - - /** - * Return the maximum size for an output block to this engine. - * For RSA this is always one byte less than the key size on - * decryption, and the same length as the key size on encryption. - * - * @return maximum size for an output block. - */ - public int getOutputBlockSize() - { - return core.getOutputBlockSize(); - } - - /** - * Process a single block using the basic RSA algorithm. - * - * @param in the input array. - * @param inOff the offset into the input buffer where the data starts. - * @param inLen the length of the data to be processed. - * @return the result of the RSA process. - * @exception DataLengthException the input block is too large. - */ - public byte[] processBlock( - byte[] in, - int inOff, - int inLen) - { - if (key == null) - { - throw new IllegalStateException("RSA engine not initialised"); - } - - BigInteger input = core.convertInput(in, inOff, inLen); - - BigInteger result; - if (key instanceof RSAPrivateCrtKeyParameters) - { - RSAPrivateCrtKeyParameters k = (RSAPrivateCrtKeyParameters)key; - - BigInteger e = k.getPublicExponent(); - if (e != null) // can't do blinding without a public exponent - { - BigInteger m = k.getModulus(); - BigInteger r = BigIntegers.createRandomInRange(ONE, m.subtract(ONE), random); - - BigInteger blindedInput = r.modPow(e, m).multiply(input).mod(m); - BigInteger blindedResult = core.processBlock(blindedInput); - - BigInteger rInv = r.modInverse(m); - result = blindedResult.multiply(rInv).mod(m); - } - else - { - result = core.processBlock(input); - } - } - else - { - result = core.processBlock(input); - } - - return core.convertOutput(result); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/RSABlindingEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/RSABlindingEngine.java deleted file mode 100644 index a8ecb9bf..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/RSABlindingEngine.java +++ /dev/null @@ -1,137 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.AsymmetricBlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.params.ParametersWithRandom; -import org.bouncycastle.crypto.params.RSABlindingParameters; -import org.bouncycastle.crypto.params.RSAKeyParameters; - -import java.math.BigInteger; - -/** - * This does your basic RSA Chaum's blinding and unblinding as outlined in - * "Handbook of Applied Cryptography", page 475. You need to use this if you are - * trying to get another party to generate signatures without them being aware - * of the message they are signing. - */ -public class RSABlindingEngine - implements AsymmetricBlockCipher -{ - private RSACoreEngine core = new RSACoreEngine(); - - private RSAKeyParameters key; - private BigInteger blindingFactor; - - private boolean forEncryption; - - /** - * Initialise the blinding engine. - * - * @param forEncryption true if we are encrypting (blinding), false otherwise. - * @param param the necessary RSA key parameters. - */ - public void init( - boolean forEncryption, - CipherParameters param) - { - RSABlindingParameters p; - - if (param instanceof ParametersWithRandom) - { - ParametersWithRandom rParam = (ParametersWithRandom)param; - - p = (RSABlindingParameters)rParam.getParameters(); - } - else - { - p = (RSABlindingParameters)param; - } - - core.init(forEncryption, p.getPublicKey()); - - this.forEncryption = forEncryption; - this.key = p.getPublicKey(); - this.blindingFactor = p.getBlindingFactor(); - } - - /** - * Return the maximum size for an input block to this engine. - * For RSA this is always one byte less than the key size on - * encryption, and the same length as the key size on decryption. - * - * @return maximum size for an input block. - */ - public int getInputBlockSize() - { - return core.getInputBlockSize(); - } - - /** - * Return the maximum size for an output block to this engine. - * For RSA this is always one byte less than the key size on - * decryption, and the same length as the key size on encryption. - * - * @return maximum size for an output block. - */ - public int getOutputBlockSize() - { - return core.getOutputBlockSize(); - } - - /** - * Process a single block using the RSA blinding algorithm. - * - * @param in the input array. - * @param inOff the offset into the input buffer where the data starts. - * @param inLen the length of the data to be processed. - * @return the result of the RSA process. - * @throws DataLengthException the input block is too large. - */ - public byte[] processBlock( - byte[] in, - int inOff, - int inLen) - { - BigInteger msg = core.convertInput(in, inOff, inLen); - - if (forEncryption) - { - msg = blindMessage(msg); - } - else - { - msg = unblindMessage(msg); - } - - return core.convertOutput(msg); - } - - /* - * Blind message with the blind factor. - */ - private BigInteger blindMessage( - BigInteger msg) - { - BigInteger blindMsg = blindingFactor; - blindMsg = msg.multiply(blindMsg.modPow(key.getExponent(), key.getModulus())); - blindMsg = blindMsg.mod(key.getModulus()); - - return blindMsg; - } - - /* - * Unblind the message blinded with the blind factor. - */ - private BigInteger unblindMessage( - BigInteger blindedMsg) - { - BigInteger m = key.getModulus(); - BigInteger msg = blindedMsg; - BigInteger blindFactorInverse = blindingFactor.modInverse(m); - msg = msg.multiply(blindFactorInverse); - msg = msg.mod(m); - - return msg; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/RSACoreEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/RSACoreEngine.java deleted file mode 100644 index 510cd5a5..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/RSACoreEngine.java +++ /dev/null @@ -1,203 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.params.ParametersWithRandom; -import org.bouncycastle.crypto.params.RSAKeyParameters; -import org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters; - -import java.math.BigInteger; - -/** - * this does your basic RSA algorithm. - */ -class RSACoreEngine -{ - private RSAKeyParameters key; - private boolean forEncryption; - - /** - * initialise the RSA engine. - * - * @param forEncryption true if we are encrypting, false otherwise. - * @param param the necessary RSA key parameters. - */ - public void init( - boolean forEncryption, - CipherParameters param) - { - if (param instanceof ParametersWithRandom) - { - ParametersWithRandom rParam = (ParametersWithRandom)param; - - key = (RSAKeyParameters)rParam.getParameters(); - } - else - { - key = (RSAKeyParameters)param; - } - - this.forEncryption = forEncryption; - } - - /** - * Return the maximum size for an input block to this engine. - * For RSA this is always one byte less than the key size on - * encryption, and the same length as the key size on decryption. - * - * @return maximum size for an input block. - */ - public int getInputBlockSize() - { - int bitSize = key.getModulus().bitLength(); - - if (forEncryption) - { - return (bitSize + 7) / 8 - 1; - } - else - { - return (bitSize + 7) / 8; - } - } - - /** - * Return the maximum size for an output block to this engine. - * For RSA this is always one byte less than the key size on - * decryption, and the same length as the key size on encryption. - * - * @return maximum size for an output block. - */ - public int getOutputBlockSize() - { - int bitSize = key.getModulus().bitLength(); - - if (forEncryption) - { - return (bitSize + 7) / 8; - } - else - { - return (bitSize + 7) / 8 - 1; - } - } - - public BigInteger convertInput( - byte[] in, - int inOff, - int inLen) - { - if (inLen > (getInputBlockSize() + 1)) - { - throw new DataLengthException("input too large for RSA cipher."); - } - else if (inLen == (getInputBlockSize() + 1) && !forEncryption) - { - throw new DataLengthException("input too large for RSA cipher."); - } - - byte[] block; - - if (inOff != 0 || inLen != in.length) - { - block = new byte[inLen]; - - System.arraycopy(in, inOff, block, 0, inLen); - } - else - { - block = in; - } - - BigInteger res = new BigInteger(1, block); - if (res.compareTo(key.getModulus()) >= 0) - { - throw new DataLengthException("input too large for RSA cipher."); - } - - return res; - } - - public byte[] convertOutput( - BigInteger result) - { - byte[] output = result.toByteArray(); - - if (forEncryption) - { - if (output[0] == 0 && output.length > getOutputBlockSize()) // have ended up with an extra zero byte, copy down. - { - byte[] tmp = new byte[output.length - 1]; - - System.arraycopy(output, 1, tmp, 0, tmp.length); - - return tmp; - } - - if (output.length < getOutputBlockSize()) // have ended up with less bytes than normal, lengthen - { - byte[] tmp = new byte[getOutputBlockSize()]; - - System.arraycopy(output, 0, tmp, tmp.length - output.length, output.length); - - return tmp; - } - } - else - { - if (output[0] == 0) // have ended up with an extra zero byte, copy down. - { - byte[] tmp = new byte[output.length - 1]; - - System.arraycopy(output, 1, tmp, 0, tmp.length); - - return tmp; - } - } - - return output; - } - - public BigInteger processBlock(BigInteger input) - { - if (key instanceof RSAPrivateCrtKeyParameters) - { - // - // we have the extra factors, use the Chinese Remainder Theorem - the author - // wishes to express his thanks to Dirk Bonekaemper at rtsffm.com for - // advice regarding the expression of this. - // - RSAPrivateCrtKeyParameters crtKey = (RSAPrivateCrtKeyParameters)key; - - BigInteger p = crtKey.getP(); - BigInteger q = crtKey.getQ(); - BigInteger dP = crtKey.getDP(); - BigInteger dQ = crtKey.getDQ(); - BigInteger qInv = crtKey.getQInv(); - - BigInteger mP, mQ, h, m; - - // mP = ((input mod p) ^ dP)) mod p - mP = (input.remainder(p)).modPow(dP, p); - - // mQ = ((input mod q) ^ dQ)) mod q - mQ = (input.remainder(q)).modPow(dQ, q); - - // h = qInv * (mP - mQ) mod p - h = mP.subtract(mQ); - h = h.multiply(qInv); - h = h.mod(p); // mod (in Java) returns the positive residual - - // m = h * q + mQ - m = h.multiply(q); - m = m.add(mQ); - - return m; - } - else - { - return input.modPow( - key.getExponent(), key.getModulus()); - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/RSAEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/RSAEngine.java deleted file mode 100644 index 009dcd43..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/RSAEngine.java +++ /dev/null @@ -1,78 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.AsymmetricBlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; - -/** - * this does your basic RSA algorithm. - */ -public class RSAEngine - implements AsymmetricBlockCipher -{ - private RSACoreEngine core; - - /** - * initialise the RSA engine. - * - * @param forEncryption true if we are encrypting, false otherwise. - * @param param the necessary RSA key parameters. - */ - public void init( - boolean forEncryption, - CipherParameters param) - { - if (core == null) - { - core = new RSACoreEngine(); - } - - core.init(forEncryption, param); - } - - /** - * Return the maximum size for an input block to this engine. - * For RSA this is always one byte less than the key size on - * encryption, and the same length as the key size on decryption. - * - * @return maximum size for an input block. - */ - public int getInputBlockSize() - { - return core.getInputBlockSize(); - } - - /** - * Return the maximum size for an output block to this engine. - * For RSA this is always one byte less than the key size on - * decryption, and the same length as the key size on encryption. - * - * @return maximum size for an output block. - */ - public int getOutputBlockSize() - { - return core.getOutputBlockSize(); - } - - /** - * Process a single block using the basic RSA algorithm. - * - * @param in the input array. - * @param inOff the offset into the input buffer where the data starts. - * @param inLen the length of the data to be processed. - * @return the result of the RSA process. - * @exception DataLengthException the input block is too large. - */ - public byte[] processBlock( - byte[] in, - int inOff, - int inLen) - { - if (core == null) - { - throw new IllegalStateException("RSA engine not initialised"); - } - - return core.convertOutput(core.processBlock(core.convertInput(in, inOff, inLen))); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/RijndaelEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/RijndaelEngine.java deleted file mode 100644 index c80f6655..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/RijndaelEngine.java +++ /dev/null @@ -1,725 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.params.KeyParameter; - -/** - * an implementation of Rijndael, based on the documentation and reference implementation - * by Paulo Barreto, Vincent Rijmen, for v2.0 August '99. - * <p> - * Note: this implementation is based on information prior to final NIST publication. - */ -public class RijndaelEngine - implements BlockCipher -{ - private static final int MAXROUNDS = 14; - - private static final int MAXKC = (256/4); - - private static final byte[] logtable = { - (byte)0, (byte)0, (byte)25, (byte)1, (byte)50, (byte)2, (byte)26, (byte)198, - (byte)75, (byte)199, (byte)27, (byte)104, (byte)51, (byte)238, (byte)223, (byte)3, - (byte)100, (byte)4, (byte)224, (byte)14, (byte)52, (byte)141, (byte)129, (byte)239, - (byte)76, (byte)113, (byte)8, (byte)200, (byte)248, (byte)105, (byte)28, (byte)193, - (byte)125, (byte)194, (byte)29, (byte)181, (byte)249, (byte)185, (byte)39, (byte)106, - (byte)77, (byte)228, (byte)166, (byte)114, (byte)154, (byte)201, (byte)9, (byte)120, - (byte)101, (byte)47, (byte)138, (byte)5, (byte)33, (byte)15, (byte)225, (byte)36, - (byte)18, (byte)240, (byte)130, (byte)69, (byte)53, (byte)147, (byte)218, (byte)142, - (byte)150, (byte)143, (byte)219, (byte)189, (byte)54, (byte)208, (byte)206, (byte)148, - (byte)19, (byte)92, (byte)210, (byte)241, (byte)64, (byte)70, (byte)131, (byte)56, - (byte)102, (byte)221, (byte)253, (byte)48, (byte)191, (byte)6, (byte)139, (byte)98, - (byte)179, (byte)37, (byte)226, (byte)152, (byte)34, (byte)136, (byte)145, (byte)16, - (byte)126, (byte)110, (byte)72, (byte)195, (byte)163, (byte)182, (byte)30, (byte)66, - (byte)58, (byte)107, (byte)40, (byte)84, (byte)250, (byte)133, (byte)61, (byte)186, - (byte)43, (byte)121, (byte)10, (byte)21, (byte)155, (byte)159, (byte)94, (byte)202, - (byte)78, (byte)212, (byte)172, (byte)229, (byte)243, (byte)115, (byte)167, (byte)87, - (byte)175, (byte)88, (byte)168, (byte)80, (byte)244, (byte)234, (byte)214, (byte)116, - (byte)79, (byte)174, (byte)233, (byte)213, (byte)231, (byte)230, (byte)173, (byte)232, - (byte)44, (byte)215, (byte)117, (byte)122, (byte)235, (byte)22, (byte)11, (byte)245, - (byte)89, (byte)203, (byte)95, (byte)176, (byte)156, (byte)169, (byte)81, (byte)160, - (byte)127, (byte)12, (byte)246, (byte)111, (byte)23, (byte)196, (byte)73, (byte)236, - (byte)216, (byte)67, (byte)31, (byte)45, (byte)164, (byte)118, (byte)123, (byte)183, - (byte)204, (byte)187, (byte)62, (byte)90, (byte)251, (byte)96, (byte)177, (byte)134, - (byte)59, (byte)82, (byte)161, (byte)108, (byte)170, (byte)85, (byte)41, (byte)157, - (byte)151, (byte)178, (byte)135, (byte)144, (byte)97, (byte)190, (byte)220, (byte)252, - (byte)188, (byte)149, (byte)207, (byte)205, (byte)55, (byte)63, (byte)91, (byte)209, - (byte)83, (byte)57, (byte)132, (byte)60, (byte)65, (byte)162, (byte)109, (byte)71, - (byte)20, (byte)42, (byte)158, (byte)93, (byte)86, (byte)242, (byte)211, (byte)171, - (byte)68, (byte)17, (byte)146, (byte)217, (byte)35, (byte)32, (byte)46, (byte)137, - (byte)180, (byte)124, (byte)184, (byte)38, (byte)119, (byte)153, (byte)227, (byte)165, - (byte)103, (byte)74, (byte)237, (byte)222, (byte)197, (byte)49, (byte)254, (byte)24, - (byte)13, (byte)99, (byte)140, (byte)128, (byte)192, (byte)247, (byte)112, (byte)7 - }; - - private static final byte[] aLogtable = { - (byte)0, (byte)3, (byte)5, (byte)15, (byte)17, (byte)51, (byte)85, (byte)255, (byte)26, (byte)46, (byte)114, (byte)150, (byte)161, (byte)248, (byte)19, (byte)53, - (byte)95, (byte)225, (byte)56, (byte)72, (byte)216, (byte)115, (byte)149, (byte)164, (byte)247, (byte)2, (byte)6, (byte)10, (byte)30, (byte)34, (byte)102, (byte)170, - (byte)229, (byte)52, (byte)92, (byte)228, (byte)55, (byte)89, (byte)235, (byte)38, (byte)106, (byte)190, (byte)217, (byte)112, (byte)144, (byte)171, (byte)230, (byte)49, - (byte)83, (byte)245, (byte)4, (byte)12, (byte)20, (byte)60, (byte)68, (byte)204, (byte)79, (byte)209, (byte)104, (byte)184, (byte)211, (byte)110, (byte)178, (byte)205, - (byte)76, (byte)212, (byte)103, (byte)169, (byte)224, (byte)59, (byte)77, (byte)215, (byte)98, (byte)166, (byte)241, (byte)8, (byte)24, (byte)40, (byte)120, (byte)136, - (byte)131, (byte)158, (byte)185, (byte)208, (byte)107, (byte)189, (byte)220, (byte)127, (byte)129, (byte)152, (byte)179, (byte)206, (byte)73, (byte)219, (byte)118, (byte)154, - (byte)181, (byte)196, (byte)87, (byte)249, (byte)16, (byte)48, (byte)80, (byte)240, (byte)11, (byte)29, (byte)39, (byte)105, (byte)187, (byte)214, (byte)97, (byte)163, - (byte)254, (byte)25, (byte)43, (byte)125, (byte)135, (byte)146, (byte)173, (byte)236, (byte)47, (byte)113, (byte)147, (byte)174, (byte)233, (byte)32, (byte)96, (byte)160, - (byte)251, (byte)22, (byte)58, (byte)78, (byte)210, (byte)109, (byte)183, (byte)194, (byte)93, (byte)231, (byte)50, (byte)86, (byte)250, (byte)21, (byte)63, (byte)65, - (byte)195, (byte)94, (byte)226, (byte)61, (byte)71, (byte)201, (byte)64, (byte)192, (byte)91, (byte)237, (byte)44, (byte)116, (byte)156, (byte)191, (byte)218, (byte)117, - (byte)159, (byte)186, (byte)213, (byte)100, (byte)172, (byte)239, (byte)42, (byte)126, (byte)130, (byte)157, (byte)188, (byte)223, (byte)122, (byte)142, (byte)137, (byte)128, - (byte)155, (byte)182, (byte)193, (byte)88, (byte)232, (byte)35, (byte)101, (byte)175, (byte)234, (byte)37, (byte)111, (byte)177, (byte)200, (byte)67, (byte)197, (byte)84, - (byte)252, (byte)31, (byte)33, (byte)99, (byte)165, (byte)244, (byte)7, (byte)9, (byte)27, (byte)45, (byte)119, (byte)153, (byte)176, (byte)203, (byte)70, (byte)202, - (byte)69, (byte)207, (byte)74, (byte)222, (byte)121, (byte)139, (byte)134, (byte)145, (byte)168, (byte)227, (byte)62, (byte)66, (byte)198, (byte)81, (byte)243, (byte)14, - (byte)18, (byte)54, (byte)90, (byte)238, (byte)41, (byte)123, (byte)141, (byte)140, (byte)143, (byte)138, (byte)133, (byte)148, (byte)167, (byte)242, (byte)13, (byte)23, - (byte)57, (byte)75, (byte)221, (byte)124, (byte)132, (byte)151, (byte)162, (byte)253, (byte)28, (byte)36, (byte)108, (byte)180, (byte)199, (byte)82, (byte)246, (byte)1, - (byte)3, (byte)5, (byte)15, (byte)17, (byte)51, (byte)85, (byte)255, (byte)26, (byte)46, (byte)114, (byte)150, (byte)161, (byte)248, (byte)19, (byte)53, - (byte)95, (byte)225, (byte)56, (byte)72, (byte)216, (byte)115, (byte)149, (byte)164, (byte)247, (byte)2, (byte)6, (byte)10, (byte)30, (byte)34, (byte)102, (byte)170, - (byte)229, (byte)52, (byte)92, (byte)228, (byte)55, (byte)89, (byte)235, (byte)38, (byte)106, (byte)190, (byte)217, (byte)112, (byte)144, (byte)171, (byte)230, (byte)49, - (byte)83, (byte)245, (byte)4, (byte)12, (byte)20, (byte)60, (byte)68, (byte)204, (byte)79, (byte)209, (byte)104, (byte)184, (byte)211, (byte)110, (byte)178, (byte)205, - (byte)76, (byte)212, (byte)103, (byte)169, (byte)224, (byte)59, (byte)77, (byte)215, (byte)98, (byte)166, (byte)241, (byte)8, (byte)24, (byte)40, (byte)120, (byte)136, - (byte)131, (byte)158, (byte)185, (byte)208, (byte)107, (byte)189, (byte)220, (byte)127, (byte)129, (byte)152, (byte)179, (byte)206, (byte)73, (byte)219, (byte)118, (byte)154, - (byte)181, (byte)196, (byte)87, (byte)249, (byte)16, (byte)48, (byte)80, (byte)240, (byte)11, (byte)29, (byte)39, (byte)105, (byte)187, (byte)214, (byte)97, (byte)163, - (byte)254, (byte)25, (byte)43, (byte)125, (byte)135, (byte)146, (byte)173, (byte)236, (byte)47, (byte)113, (byte)147, (byte)174, (byte)233, (byte)32, (byte)96, (byte)160, - (byte)251, (byte)22, (byte)58, (byte)78, (byte)210, (byte)109, (byte)183, (byte)194, (byte)93, (byte)231, (byte)50, (byte)86, (byte)250, (byte)21, (byte)63, (byte)65, - (byte)195, (byte)94, (byte)226, (byte)61, (byte)71, (byte)201, (byte)64, (byte)192, (byte)91, (byte)237, (byte)44, (byte)116, (byte)156, (byte)191, (byte)218, (byte)117, - (byte)159, (byte)186, (byte)213, (byte)100, (byte)172, (byte)239, (byte)42, (byte)126, (byte)130, (byte)157, (byte)188, (byte)223, (byte)122, (byte)142, (byte)137, (byte)128, - (byte)155, (byte)182, (byte)193, (byte)88, (byte)232, (byte)35, (byte)101, (byte)175, (byte)234, (byte)37, (byte)111, (byte)177, (byte)200, (byte)67, (byte)197, (byte)84, - (byte)252, (byte)31, (byte)33, (byte)99, (byte)165, (byte)244, (byte)7, (byte)9, (byte)27, (byte)45, (byte)119, (byte)153, (byte)176, (byte)203, (byte)70, (byte)202, - (byte)69, (byte)207, (byte)74, (byte)222, (byte)121, (byte)139, (byte)134, (byte)145, (byte)168, (byte)227, (byte)62, (byte)66, (byte)198, (byte)81, (byte)243, (byte)14, - (byte)18, (byte)54, (byte)90, (byte)238, (byte)41, (byte)123, (byte)141, (byte)140, (byte)143, (byte)138, (byte)133, (byte)148, (byte)167, (byte)242, (byte)13, (byte)23, - (byte)57, (byte)75, (byte)221, (byte)124, (byte)132, (byte)151, (byte)162, (byte)253, (byte)28, (byte)36, (byte)108, (byte)180, (byte)199, (byte)82, (byte)246, (byte)1, - }; - - private static final byte[] S = { - (byte)99, (byte)124, (byte)119, (byte)123, (byte)242, (byte)107, (byte)111, (byte)197, (byte)48, (byte)1, (byte)103, (byte)43, (byte)254, (byte)215, (byte)171, (byte)118, - (byte)202, (byte)130, (byte)201, (byte)125, (byte)250, (byte)89, (byte)71, (byte)240, (byte)173, (byte)212, (byte)162, (byte)175, (byte)156, (byte)164, (byte)114, (byte)192, - (byte)183, (byte)253, (byte)147, (byte)38, (byte)54, (byte)63, (byte)247, (byte)204, (byte)52, (byte)165, (byte)229, (byte)241, (byte)113, (byte)216, (byte)49, (byte)21, - (byte)4, (byte)199, (byte)35, (byte)195, (byte)24, (byte)150, (byte)5, (byte)154, (byte)7, (byte)18, (byte)128, (byte)226, (byte)235, (byte)39, (byte)178, (byte)117, - (byte)9, (byte)131, (byte)44, (byte)26, (byte)27, (byte)110, (byte)90, (byte)160, (byte)82, (byte)59, (byte)214, (byte)179, (byte)41, (byte)227, (byte)47, (byte)132, - (byte)83, (byte)209, (byte)0, (byte)237, (byte)32, (byte)252, (byte)177, (byte)91, (byte)106, (byte)203, (byte)190, (byte)57, (byte)74, (byte)76, (byte)88, (byte)207, - (byte)208, (byte)239, (byte)170, (byte)251, (byte)67, (byte)77, (byte)51, (byte)133, (byte)69, (byte)249, (byte)2, (byte)127, (byte)80, (byte)60, (byte)159, (byte)168, - (byte)81, (byte)163, (byte)64, (byte)143, (byte)146, (byte)157, (byte)56, (byte)245, (byte)188, (byte)182, (byte)218, (byte)33, (byte)16, (byte)255, (byte)243, (byte)210, - (byte)205, (byte)12, (byte)19, (byte)236, (byte)95, (byte)151, (byte)68, (byte)23, (byte)196, (byte)167, (byte)126, (byte)61, (byte)100, (byte)93, (byte)25, (byte)115, - (byte)96, (byte)129, (byte)79, (byte)220, (byte)34, (byte)42, (byte)144, (byte)136, (byte)70, (byte)238, (byte)184, (byte)20, (byte)222, (byte)94, (byte)11, (byte)219, - (byte)224, (byte)50, (byte)58, (byte)10, (byte)73, (byte)6, (byte)36, (byte)92, (byte)194, (byte)211, (byte)172, (byte)98, (byte)145, (byte)149, (byte)228, (byte)121, - (byte)231, (byte)200, (byte)55, (byte)109, (byte)141, (byte)213, (byte)78, (byte)169, (byte)108, (byte)86, (byte)244, (byte)234, (byte)101, (byte)122, (byte)174, (byte)8, - (byte)186, (byte)120, (byte)37, (byte)46, (byte)28, (byte)166, (byte)180, (byte)198, (byte)232, (byte)221, (byte)116, (byte)31, (byte)75, (byte)189, (byte)139, (byte)138, - (byte)112, (byte)62, (byte)181, (byte)102, (byte)72, (byte)3, (byte)246, (byte)14, (byte)97, (byte)53, (byte)87, (byte)185, (byte)134, (byte)193, (byte)29, (byte)158, - (byte)225, (byte)248, (byte)152, (byte)17, (byte)105, (byte)217, (byte)142, (byte)148, (byte)155, (byte)30, (byte)135, (byte)233, (byte)206, (byte)85, (byte)40, (byte)223, - (byte)140, (byte)161, (byte)137, (byte)13, (byte)191, (byte)230, (byte)66, (byte)104, (byte)65, (byte)153, (byte)45, (byte)15, (byte)176, (byte)84, (byte)187, (byte)22, - }; - - private static final byte[] Si = { - (byte)82, (byte)9, (byte)106, (byte)213, (byte)48, (byte)54, (byte)165, (byte)56, (byte)191, (byte)64, (byte)163, (byte)158, (byte)129, (byte)243, (byte)215, (byte)251, - (byte)124, (byte)227, (byte)57, (byte)130, (byte)155, (byte)47, (byte)255, (byte)135, (byte)52, (byte)142, (byte)67, (byte)68, (byte)196, (byte)222, (byte)233, (byte)203, - (byte)84, (byte)123, (byte)148, (byte)50, (byte)166, (byte)194, (byte)35, (byte)61, (byte)238, (byte)76, (byte)149, (byte)11, (byte)66, (byte)250, (byte)195, (byte)78, - (byte)8, (byte)46, (byte)161, (byte)102, (byte)40, (byte)217, (byte)36, (byte)178, (byte)118, (byte)91, (byte)162, (byte)73, (byte)109, (byte)139, (byte)209, (byte)37, - (byte)114, (byte)248, (byte)246, (byte)100, (byte)134, (byte)104, (byte)152, (byte)22, (byte)212, (byte)164, (byte)92, (byte)204, (byte)93, (byte)101, (byte)182, (byte)146, - (byte)108, (byte)112, (byte)72, (byte)80, (byte)253, (byte)237, (byte)185, (byte)218, (byte)94, (byte)21, (byte)70, (byte)87, (byte)167, (byte)141, (byte)157, (byte)132, - (byte)144, (byte)216, (byte)171, (byte)0, (byte)140, (byte)188, (byte)211, (byte)10, (byte)247, (byte)228, (byte)88, (byte)5, (byte)184, (byte)179, (byte)69, (byte)6, - (byte)208, (byte)44, (byte)30, (byte)143, (byte)202, (byte)63, (byte)15, (byte)2, (byte)193, (byte)175, (byte)189, (byte)3, (byte)1, (byte)19, (byte)138, (byte)107, - (byte)58, (byte)145, (byte)17, (byte)65, (byte)79, (byte)103, (byte)220, (byte)234, (byte)151, (byte)242, (byte)207, (byte)206, (byte)240, (byte)180, (byte)230, (byte)115, - (byte)150, (byte)172, (byte)116, (byte)34, (byte)231, (byte)173, (byte)53, (byte)133, (byte)226, (byte)249, (byte)55, (byte)232, (byte)28, (byte)117, (byte)223, (byte)110, - (byte)71, (byte)241, (byte)26, (byte)113, (byte)29, (byte)41, (byte)197, (byte)137, (byte)111, (byte)183, (byte)98, (byte)14, (byte)170, (byte)24, (byte)190, (byte)27, - (byte)252, (byte)86, (byte)62, (byte)75, (byte)198, (byte)210, (byte)121, (byte)32, (byte)154, (byte)219, (byte)192, (byte)254, (byte)120, (byte)205, (byte)90, (byte)244, - (byte)31, (byte)221, (byte)168, (byte)51, (byte)136, (byte)7, (byte)199, (byte)49, (byte)177, (byte)18, (byte)16, (byte)89, (byte)39, (byte)128, (byte)236, (byte)95, - (byte)96, (byte)81, (byte)127, (byte)169, (byte)25, (byte)181, (byte)74, (byte)13, (byte)45, (byte)229, (byte)122, (byte)159, (byte)147, (byte)201, (byte)156, (byte)239, - (byte)160, (byte)224, (byte)59, (byte)77, (byte)174, (byte)42, (byte)245, (byte)176, (byte)200, (byte)235, (byte)187, (byte)60, (byte)131, (byte)83, (byte)153, (byte)97, - (byte)23, (byte)43, (byte)4, (byte)126, (byte)186, (byte)119, (byte)214, (byte)38, (byte)225, (byte)105, (byte)20, (byte)99, (byte)85, (byte)33, (byte)12, (byte)125, - }; - - private static final int[] rcon = { - 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91 }; - - static byte[][] shifts0 = - { - { 0, 8, 16, 24 }, - { 0, 8, 16, 24 }, - { 0, 8, 16, 24 }, - { 0, 8, 16, 32 }, - { 0, 8, 24, 32 } - }; - - static byte[][] shifts1 = - { - { 0, 24, 16, 8 }, - { 0, 32, 24, 16 }, - { 0, 40, 32, 24 }, - { 0, 48, 40, 24 }, - { 0, 56, 40, 32 } - }; - - /** - * multiply two elements of GF(2^m) - * needed for MixColumn and InvMixColumn - */ - private byte mul0x2( - int b) - { - if (b != 0) - { - return aLogtable[25 + (logtable[b] & 0xff)]; - } - else - { - return 0; - } - } - - private byte mul0x3( - int b) - { - if (b != 0) - { - return aLogtable[1 + (logtable[b] & 0xff)]; - } - else - { - return 0; - } - } - - private byte mul0x9( - int b) - { - if (b >= 0) - { - return aLogtable[199 + b]; - } - else - { - return 0; - } - } - - private byte mul0xb( - int b) - { - if (b >= 0) - { - return aLogtable[104 + b]; - } - else - { - return 0; - } - } - - private byte mul0xd( - int b) - { - if (b >= 0) - { - return aLogtable[238 + b]; - } - else - { - return 0; - } - } - - private byte mul0xe( - int b) - { - if (b >= 0) - { - return aLogtable[223 + b]; - } - else - { - return 0; - } - } - - /** - * xor corresponding text input and round key input bytes - */ - private void KeyAddition( - long[] rk) - { - A0 ^= rk[0]; - A1 ^= rk[1]; - A2 ^= rk[2]; - A3 ^= rk[3]; - } - - private long shift( - long r, - int shift) - { - return (((r >>> shift) | (r << (BC - shift)))) & BC_MASK; - } - - /** - * Row 0 remains unchanged - * The other three rows are shifted a variable amount - */ - private void ShiftRow( - byte[] shiftsSC) - { - A1 = shift(A1, shiftsSC[1]); - A2 = shift(A2, shiftsSC[2]); - A3 = shift(A3, shiftsSC[3]); - } - - private long applyS( - long r, - byte[] box) - { - long res = 0; - - for (int j = 0; j < BC; j += 8) - { - res |= (long)(box[(int)((r >> j) & 0xff)] & 0xff) << j; - } - - return res; - } - - /** - * Replace every byte of the input by the byte at that place - * in the nonlinear S-box - */ - private void Substitution( - byte[] box) - { - A0 = applyS(A0, box); - A1 = applyS(A1, box); - A2 = applyS(A2, box); - A3 = applyS(A3, box); - } - - /** - * Mix the bytes of every column in a linear way - */ - private void MixColumn() - { - long r0, r1, r2, r3; - - r0 = r1 = r2 = r3 = 0; - - for (int j = 0; j < BC; j += 8) - { - int a0 = (int)((A0 >> j) & 0xff); - int a1 = (int)((A1 >> j) & 0xff); - int a2 = (int)((A2 >> j) & 0xff); - int a3 = (int)((A3 >> j) & 0xff); - - r0 |= (long)((mul0x2(a0) ^ mul0x3(a1) ^ a2 ^ a3) & 0xff) << j; - - r1 |= (long)((mul0x2(a1) ^ mul0x3(a2) ^ a3 ^ a0) & 0xff) << j; - - r2 |= (long)((mul0x2(a2) ^ mul0x3(a3) ^ a0 ^ a1) & 0xff) << j; - - r3 |= (long)((mul0x2(a3) ^ mul0x3(a0) ^ a1 ^ a2) & 0xff) << j; - } - - A0 = r0; - A1 = r1; - A2 = r2; - A3 = r3; - } - - /** - * Mix the bytes of every column in a linear way - * This is the opposite operation of Mixcolumn - */ - private void InvMixColumn() - { - long r0, r1, r2, r3; - - r0 = r1 = r2 = r3 = 0; - for (int j = 0; j < BC; j += 8) - { - int a0 = (int)((A0 >> j) & 0xff); - int a1 = (int)((A1 >> j) & 0xff); - int a2 = (int)((A2 >> j) & 0xff); - int a3 = (int)((A3 >> j) & 0xff); - - // - // pre-lookup the log table - // - a0 = (a0 != 0) ? (logtable[a0 & 0xff] & 0xff) : -1; - a1 = (a1 != 0) ? (logtable[a1 & 0xff] & 0xff) : -1; - a2 = (a2 != 0) ? (logtable[a2 & 0xff] & 0xff) : -1; - a3 = (a3 != 0) ? (logtable[a3 & 0xff] & 0xff) : -1; - - r0 |= (long)((mul0xe(a0) ^ mul0xb(a1) ^ mul0xd(a2) ^ mul0x9(a3)) & 0xff) << j; - - r1 |= (long)((mul0xe(a1) ^ mul0xb(a2) ^ mul0xd(a3) ^ mul0x9(a0)) & 0xff) << j; - - r2 |= (long)((mul0xe(a2) ^ mul0xb(a3) ^ mul0xd(a0) ^ mul0x9(a1)) & 0xff) << j; - - r3 |= (long)((mul0xe(a3) ^ mul0xb(a0) ^ mul0xd(a1) ^ mul0x9(a2)) & 0xff) << j; - } - - A0 = r0; - A1 = r1; - A2 = r2; - A3 = r3; - } - - /** - * Calculate the necessary round keys - * The number of calculations depends on keyBits and blockBits - */ - private long[][] generateWorkingKey( - byte[] key) - { - int KC; - int t, rconpointer = 0; - int keyBits = key.length * 8; - byte[][] tk = new byte[4][MAXKC]; - long[][] W = new long[MAXROUNDS+1][4]; - - switch (keyBits) - { - case 128: - KC = 4; - break; - case 160: - KC = 5; - break; - case 192: - KC = 6; - break; - case 224: - KC = 7; - break; - case 256: - KC = 8; - break; - default : - throw new IllegalArgumentException("Key length not 128/160/192/224/256 bits."); - } - - if (keyBits >= blockBits) - { - ROUNDS = KC + 6; - } - else - { - ROUNDS = (BC / 8) + 6; - } - - // - // copy the key into the processing area - // - int index = 0; - - for (int i = 0; i < key.length; i++) - { - tk[i % 4][i / 4] = key[index++]; - } - - t = 0; - - // - // copy values into round key array - // - for (int j = 0; (j < KC) && (t < (ROUNDS+1)*(BC / 8)); j++, t++) - { - for (int i = 0; i < 4; i++) - { - W[t / (BC / 8)][i] |= (long)(tk[i][j] & 0xff) << ((t * 8) % BC); - } - } - - // - // while not enough round key material calculated - // calculate new values - // - while (t < (ROUNDS+1)*(BC/8)) - { - for (int i = 0; i < 4; i++) - { - tk[i][0] ^= S[tk[(i+1)%4][KC-1] & 0xff]; - } - tk[0][0] ^= rcon[rconpointer++]; - - if (KC <= 6) - { - for (int j = 1; j < KC; j++) - { - for (int i = 0; i < 4; i++) - { - tk[i][j] ^= tk[i][j-1]; - } - } - } - else - { - for (int j = 1; j < 4; j++) - { - for (int i = 0; i < 4; i++) - { - tk[i][j] ^= tk[i][j-1]; - } - } - for (int i = 0; i < 4; i++) - { - tk[i][4] ^= S[tk[i][3] & 0xff]; - } - for (int j = 5; j < KC; j++) - { - for (int i = 0; i < 4; i++) - { - tk[i][j] ^= tk[i][j-1]; - } - } - } - - // - // copy values into round key array - // - for (int j = 0; (j < KC) && (t < (ROUNDS+1)*(BC/8)); j++, t++) - { - for (int i = 0; i < 4; i++) - { - W[t / (BC/8)][i] |= (long)(tk[i][j] & 0xff) << ((t * 8) % (BC)); - } - } - } - - return W; - } - - private int BC; - private long BC_MASK; - private int ROUNDS; - private int blockBits; - private long[][] workingKey; - private long A0, A1, A2, A3; - private boolean forEncryption; - private byte[] shifts0SC; - private byte[] shifts1SC; - - /** - * default constructor - 128 bit block size. - */ - public RijndaelEngine() - { - this(128); - } - - /** - * basic constructor - set the cipher up for a given blocksize - * - * @param blockBits the blocksize in bits, must be 128, 192, or 256. - */ - public RijndaelEngine( - int blockBits) - { - switch (blockBits) - { - case 128: - BC = 32; - BC_MASK = 0xffffffffL; - shifts0SC = shifts0[0]; - shifts1SC = shifts1[0]; - break; - case 160: - BC = 40; - BC_MASK = 0xffffffffffL; - shifts0SC = shifts0[1]; - shifts1SC = shifts1[1]; - break; - case 192: - BC = 48; - BC_MASK = 0xffffffffffffL; - shifts0SC = shifts0[2]; - shifts1SC = shifts1[2]; - break; - case 224: - BC = 56; - BC_MASK = 0xffffffffffffffL; - shifts0SC = shifts0[3]; - shifts1SC = shifts1[3]; - break; - case 256: - BC = 64; - BC_MASK = 0xffffffffffffffffL; - shifts0SC = shifts0[4]; - shifts1SC = shifts1[4]; - break; - default: - throw new IllegalArgumentException("unknown blocksize to Rijndael"); - } - - this.blockBits = blockBits; - } - - /** - * initialise a Rijndael cipher. - * - * @param forEncryption whether or not we are for encryption. - * @param params the parameters required to set up the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean forEncryption, - CipherParameters params) - { - if (params instanceof KeyParameter) - { - workingKey = generateWorkingKey(((KeyParameter)params).getKey()); - this.forEncryption = forEncryption; - return; - } - - throw new IllegalArgumentException("invalid parameter passed to Rijndael init - " + params.getClass().getName()); - } - - public String getAlgorithmName() - { - return "Rijndael"; - } - - public int getBlockSize() - { - return BC / 2; - } - - public int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - if (workingKey == null) - { - throw new IllegalStateException("Rijndael engine not initialised"); - } - - if ((inOff + (BC / 2)) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + (BC / 2)) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - if (forEncryption) - { - unpackBlock(in, inOff); - encryptBlock(workingKey); - packBlock(out, outOff); - } - else - { - unpackBlock(in, inOff); - decryptBlock(workingKey); - packBlock(out, outOff); - } - - return BC / 2; - } - - public void reset() - { - } - - private void unpackBlock( - byte[] bytes, - int off) - { - int index = off; - - A0 = (bytes[index++] & 0xff); - A1 = (bytes[index++] & 0xff); - A2 = (bytes[index++] & 0xff); - A3 = (bytes[index++] & 0xff); - - for (int j = 8; j != BC; j += 8) - { - A0 |= (long)(bytes[index++] & 0xff) << j; - A1 |= (long)(bytes[index++] & 0xff) << j; - A2 |= (long)(bytes[index++] & 0xff) << j; - A3 |= (long)(bytes[index++] & 0xff) << j; - } - } - - private void packBlock( - byte[] bytes, - int off) - { - int index = off; - - for (int j = 0; j != BC; j += 8) - { - bytes[index++] = (byte)(A0 >> j); - bytes[index++] = (byte)(A1 >> j); - bytes[index++] = (byte)(A2 >> j); - bytes[index++] = (byte)(A3 >> j); - } - } - - private void encryptBlock( - long[][] rk) - { - int r; - - // - // begin with a key addition - // - KeyAddition(rk[0]); - - // - // ROUNDS-1 ordinary rounds - // - for (r = 1; r < ROUNDS; r++) - { - Substitution(S); - ShiftRow(shifts0SC); - MixColumn(); - KeyAddition(rk[r]); - } - - // - // Last round is special: there is no MixColumn - // - Substitution(S); - ShiftRow(shifts0SC); - KeyAddition(rk[ROUNDS]); - } - - private void decryptBlock( - long[][] rk) - { - int r; - - // To decrypt: apply the inverse operations of the encrypt routine, - // in opposite order - // - // (KeyAddition is an involution: it 's equal to its inverse) - // (the inverse of Substitution with table S is Substitution with the inverse table of S) - // (the inverse of Shiftrow is Shiftrow over a suitable distance) - // - - // First the special round: - // without InvMixColumn - // with extra KeyAddition - // - KeyAddition(rk[ROUNDS]); - Substitution(Si); - ShiftRow(shifts1SC); - - // - // ROUNDS-1 ordinary rounds - // - for (r = ROUNDS-1; r > 0; r--) - { - KeyAddition(rk[r]); - InvMixColumn(); - Substitution(Si); - ShiftRow(shifts1SC); - } - - // - // End with the extra key addition - // - KeyAddition(rk[0]); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/SEEDEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/SEEDEngine.java deleted file mode 100644 index 43872ed3..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/SEEDEngine.java +++ /dev/null @@ -1,346 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.params.KeyParameter; - -/** - * Implementation of the SEED algorithm as described in RFC 4009 - */ -public class SEEDEngine - implements BlockCipher -{ - private final int BLOCK_SIZE = 16; - - private static final int[] SS0 = - { - 0x2989a1a8, 0x05858184, 0x16c6d2d4, 0x13c3d3d0, 0x14445054, 0x1d0d111c, 0x2c8ca0ac, 0x25052124, - 0x1d4d515c, 0x03434340, 0x18081018, 0x1e0e121c, 0x11415150, 0x3cccf0fc, 0x0acac2c8, 0x23436360, - 0x28082028, 0x04444044, 0x20002020, 0x1d8d919c, 0x20c0e0e0, 0x22c2e2e0, 0x08c8c0c8, 0x17071314, - 0x2585a1a4, 0x0f8f838c, 0x03030300, 0x3b4b7378, 0x3b8bb3b8, 0x13031310, 0x12c2d2d0, 0x2ecee2ec, - 0x30407070, 0x0c8c808c, 0x3f0f333c, 0x2888a0a8, 0x32023230, 0x1dcdd1dc, 0x36c6f2f4, 0x34447074, - 0x2ccce0ec, 0x15859194, 0x0b0b0308, 0x17475354, 0x1c4c505c, 0x1b4b5358, 0x3d8db1bc, 0x01010100, - 0x24042024, 0x1c0c101c, 0x33437370, 0x18889098, 0x10001010, 0x0cccc0cc, 0x32c2f2f0, 0x19c9d1d8, - 0x2c0c202c, 0x27c7e3e4, 0x32427270, 0x03838380, 0x1b8b9398, 0x11c1d1d0, 0x06868284, 0x09c9c1c8, - 0x20406060, 0x10405050, 0x2383a3a0, 0x2bcbe3e8, 0x0d0d010c, 0x3686b2b4, 0x1e8e929c, 0x0f4f434c, - 0x3787b3b4, 0x1a4a5258, 0x06c6c2c4, 0x38487078, 0x2686a2a4, 0x12021210, 0x2f8fa3ac, 0x15c5d1d4, - 0x21416160, 0x03c3c3c0, 0x3484b0b4, 0x01414140, 0x12425250, 0x3d4d717c, 0x0d8d818c, 0x08080008, - 0x1f0f131c, 0x19899198, 0x00000000, 0x19091118, 0x04040004, 0x13435350, 0x37c7f3f4, 0x21c1e1e0, - 0x3dcdf1fc, 0x36467274, 0x2f0f232c, 0x27072324, 0x3080b0b0, 0x0b8b8388, 0x0e0e020c, 0x2b8ba3a8, - 0x2282a2a0, 0x2e4e626c, 0x13839390, 0x0d4d414c, 0x29496168, 0x3c4c707c, 0x09090108, 0x0a0a0208, - 0x3f8fb3bc, 0x2fcfe3ec, 0x33c3f3f0, 0x05c5c1c4, 0x07878384, 0x14041014, 0x3ecef2fc, 0x24446064, - 0x1eced2dc, 0x2e0e222c, 0x0b4b4348, 0x1a0a1218, 0x06060204, 0x21012120, 0x2b4b6368, 0x26466264, - 0x02020200, 0x35c5f1f4, 0x12829290, 0x0a8a8288, 0x0c0c000c, 0x3383b3b0, 0x3e4e727c, 0x10c0d0d0, - 0x3a4a7278, 0x07474344, 0x16869294, 0x25c5e1e4, 0x26062224, 0x00808080, 0x2d8da1ac, 0x1fcfd3dc, - 0x2181a1a0, 0x30003030, 0x37073334, 0x2e8ea2ac, 0x36063234, 0x15051114, 0x22022220, 0x38083038, - 0x34c4f0f4, 0x2787a3a4, 0x05454144, 0x0c4c404c, 0x01818180, 0x29c9e1e8, 0x04848084, 0x17879394, - 0x35053134, 0x0bcbc3c8, 0x0ecec2cc, 0x3c0c303c, 0x31417170, 0x11011110, 0x07c7c3c4, 0x09898188, - 0x35457174, 0x3bcbf3f8, 0x1acad2d8, 0x38c8f0f8, 0x14849094, 0x19495158, 0x02828280, 0x04c4c0c4, - 0x3fcff3fc, 0x09494148, 0x39093138, 0x27476364, 0x00c0c0c0, 0x0fcfc3cc, 0x17c7d3d4, 0x3888b0b8, - 0x0f0f030c, 0x0e8e828c, 0x02424240, 0x23032320, 0x11819190, 0x2c4c606c, 0x1bcbd3d8, 0x2484a0a4, - 0x34043034, 0x31c1f1f0, 0x08484048, 0x02c2c2c0, 0x2f4f636c, 0x3d0d313c, 0x2d0d212c, 0x00404040, - 0x3e8eb2bc, 0x3e0e323c, 0x3c8cb0bc, 0x01c1c1c0, 0x2a8aa2a8, 0x3a8ab2b8, 0x0e4e424c, 0x15455154, - 0x3b0b3338, 0x1cccd0dc, 0x28486068, 0x3f4f737c, 0x1c8c909c, 0x18c8d0d8, 0x0a4a4248, 0x16465254, - 0x37477374, 0x2080a0a0, 0x2dcde1ec, 0x06464244, 0x3585b1b4, 0x2b0b2328, 0x25456164, 0x3acaf2f8, - 0x23c3e3e0, 0x3989b1b8, 0x3181b1b0, 0x1f8f939c, 0x1e4e525c, 0x39c9f1f8, 0x26c6e2e4, 0x3282b2b0, - 0x31013130, 0x2acae2e8, 0x2d4d616c, 0x1f4f535c, 0x24c4e0e4, 0x30c0f0f0, 0x0dcdc1cc, 0x08888088, - 0x16061214, 0x3a0a3238, 0x18485058, 0x14c4d0d4, 0x22426260, 0x29092128, 0x07070304, 0x33033330, - 0x28c8e0e8, 0x1b0b1318, 0x05050104, 0x39497178, 0x10809090, 0x2a4a6268, 0x2a0a2228, 0x1a8a9298 - }; - - private static final int[] SS1 = - { - - 0x38380830, 0xe828c8e0, 0x2c2d0d21, 0xa42686a2, 0xcc0fcfc3, 0xdc1eced2, 0xb03383b3, 0xb83888b0, - 0xac2f8fa3, 0x60204060, 0x54154551, 0xc407c7c3, 0x44044440, 0x6c2f4f63, 0x682b4b63, 0x581b4b53, - 0xc003c3c3, 0x60224262, 0x30330333, 0xb43585b1, 0x28290921, 0xa02080a0, 0xe022c2e2, 0xa42787a3, - 0xd013c3d3, 0x90118191, 0x10110111, 0x04060602, 0x1c1c0c10, 0xbc3c8cb0, 0x34360632, 0x480b4b43, - 0xec2fcfe3, 0x88088880, 0x6c2c4c60, 0xa82888a0, 0x14170713, 0xc404c4c0, 0x14160612, 0xf434c4f0, - 0xc002c2c2, 0x44054541, 0xe021c1e1, 0xd416c6d2, 0x3c3f0f33, 0x3c3d0d31, 0x8c0e8e82, 0x98188890, - 0x28280820, 0x4c0e4e42, 0xf436c6f2, 0x3c3e0e32, 0xa42585a1, 0xf839c9f1, 0x0c0d0d01, 0xdc1fcfd3, - 0xd818c8d0, 0x282b0b23, 0x64264662, 0x783a4a72, 0x24270723, 0x2c2f0f23, 0xf031c1f1, 0x70324272, - 0x40024242, 0xd414c4d0, 0x40014141, 0xc000c0c0, 0x70334373, 0x64274763, 0xac2c8ca0, 0x880b8b83, - 0xf437c7f3, 0xac2d8da1, 0x80008080, 0x1c1f0f13, 0xc80acac2, 0x2c2c0c20, 0xa82a8aa2, 0x34340430, - 0xd012c2d2, 0x080b0b03, 0xec2ecee2, 0xe829c9e1, 0x5c1d4d51, 0x94148490, 0x18180810, 0xf838c8f0, - 0x54174753, 0xac2e8ea2, 0x08080800, 0xc405c5c1, 0x10130313, 0xcc0dcdc1, 0x84068682, 0xb83989b1, - 0xfc3fcff3, 0x7c3d4d71, 0xc001c1c1, 0x30310131, 0xf435c5f1, 0x880a8a82, 0x682a4a62, 0xb03181b1, - 0xd011c1d1, 0x20200020, 0xd417c7d3, 0x00020202, 0x20220222, 0x04040400, 0x68284860, 0x70314171, - 0x04070703, 0xd81bcbd3, 0x9c1d8d91, 0x98198991, 0x60214161, 0xbc3e8eb2, 0xe426c6e2, 0x58194951, - 0xdc1dcdd1, 0x50114151, 0x90108090, 0xdc1cccd0, 0x981a8a92, 0xa02383a3, 0xa82b8ba3, 0xd010c0d0, - 0x80018181, 0x0c0f0f03, 0x44074743, 0x181a0a12, 0xe023c3e3, 0xec2ccce0, 0x8c0d8d81, 0xbc3f8fb3, - 0x94168692, 0x783b4b73, 0x5c1c4c50, 0xa02282a2, 0xa02181a1, 0x60234363, 0x20230323, 0x4c0d4d41, - 0xc808c8c0, 0x9c1e8e92, 0x9c1c8c90, 0x383a0a32, 0x0c0c0c00, 0x2c2e0e22, 0xb83a8ab2, 0x6c2e4e62, - 0x9c1f8f93, 0x581a4a52, 0xf032c2f2, 0x90128292, 0xf033c3f3, 0x48094941, 0x78384870, 0xcc0cccc0, - 0x14150511, 0xf83bcbf3, 0x70304070, 0x74354571, 0x7c3f4f73, 0x34350531, 0x10100010, 0x00030303, - 0x64244460, 0x6c2d4d61, 0xc406c6c2, 0x74344470, 0xd415c5d1, 0xb43484b0, 0xe82acae2, 0x08090901, - 0x74364672, 0x18190911, 0xfc3ecef2, 0x40004040, 0x10120212, 0xe020c0e0, 0xbc3d8db1, 0x04050501, - 0xf83acaf2, 0x00010101, 0xf030c0f0, 0x282a0a22, 0x5c1e4e52, 0xa82989a1, 0x54164652, 0x40034343, - 0x84058581, 0x14140410, 0x88098981, 0x981b8b93, 0xb03080b0, 0xe425c5e1, 0x48084840, 0x78394971, - 0x94178793, 0xfc3cccf0, 0x1c1e0e12, 0x80028282, 0x20210121, 0x8c0c8c80, 0x181b0b13, 0x5c1f4f53, - 0x74374773, 0x54144450, 0xb03282b2, 0x1c1d0d11, 0x24250521, 0x4c0f4f43, 0x00000000, 0x44064642, - 0xec2dcde1, 0x58184850, 0x50124252, 0xe82bcbe3, 0x7c3e4e72, 0xd81acad2, 0xc809c9c1, 0xfc3dcdf1, - 0x30300030, 0x94158591, 0x64254561, 0x3c3c0c30, 0xb43686b2, 0xe424c4e0, 0xb83b8bb3, 0x7c3c4c70, - 0x0c0e0e02, 0x50104050, 0x38390931, 0x24260622, 0x30320232, 0x84048480, 0x68294961, 0x90138393, - 0x34370733, 0xe427c7e3, 0x24240420, 0xa42484a0, 0xc80bcbc3, 0x50134353, 0x080a0a02, 0x84078783, - 0xd819c9d1, 0x4c0c4c40, 0x80038383, 0x8c0f8f83, 0xcc0ecec2, 0x383b0b33, 0x480a4a42, 0xb43787b3 - }; - - private static final int[] SS2 = - { - - 0xa1a82989, 0x81840585, 0xd2d416c6, 0xd3d013c3, 0x50541444, 0x111c1d0d, 0xa0ac2c8c, 0x21242505, - 0x515c1d4d, 0x43400343, 0x10181808, 0x121c1e0e, 0x51501141, 0xf0fc3ccc, 0xc2c80aca, 0x63602343, - 0x20282808, 0x40440444, 0x20202000, 0x919c1d8d, 0xe0e020c0, 0xe2e022c2, 0xc0c808c8, 0x13141707, - 0xa1a42585, 0x838c0f8f, 0x03000303, 0x73783b4b, 0xb3b83b8b, 0x13101303, 0xd2d012c2, 0xe2ec2ece, - 0x70703040, 0x808c0c8c, 0x333c3f0f, 0xa0a82888, 0x32303202, 0xd1dc1dcd, 0xf2f436c6, 0x70743444, - 0xe0ec2ccc, 0x91941585, 0x03080b0b, 0x53541747, 0x505c1c4c, 0x53581b4b, 0xb1bc3d8d, 0x01000101, - 0x20242404, 0x101c1c0c, 0x73703343, 0x90981888, 0x10101000, 0xc0cc0ccc, 0xf2f032c2, 0xd1d819c9, - 0x202c2c0c, 0xe3e427c7, 0x72703242, 0x83800383, 0x93981b8b, 0xd1d011c1, 0x82840686, 0xc1c809c9, - 0x60602040, 0x50501040, 0xa3a02383, 0xe3e82bcb, 0x010c0d0d, 0xb2b43686, 0x929c1e8e, 0x434c0f4f, - 0xb3b43787, 0x52581a4a, 0xc2c406c6, 0x70783848, 0xa2a42686, 0x12101202, 0xa3ac2f8f, 0xd1d415c5, - 0x61602141, 0xc3c003c3, 0xb0b43484, 0x41400141, 0x52501242, 0x717c3d4d, 0x818c0d8d, 0x00080808, - 0x131c1f0f, 0x91981989, 0x00000000, 0x11181909, 0x00040404, 0x53501343, 0xf3f437c7, 0xe1e021c1, - 0xf1fc3dcd, 0x72743646, 0x232c2f0f, 0x23242707, 0xb0b03080, 0x83880b8b, 0x020c0e0e, 0xa3a82b8b, - 0xa2a02282, 0x626c2e4e, 0x93901383, 0x414c0d4d, 0x61682949, 0x707c3c4c, 0x01080909, 0x02080a0a, - 0xb3bc3f8f, 0xe3ec2fcf, 0xf3f033c3, 0xc1c405c5, 0x83840787, 0x10141404, 0xf2fc3ece, 0x60642444, - 0xd2dc1ece, 0x222c2e0e, 0x43480b4b, 0x12181a0a, 0x02040606, 0x21202101, 0x63682b4b, 0x62642646, - 0x02000202, 0xf1f435c5, 0x92901282, 0x82880a8a, 0x000c0c0c, 0xb3b03383, 0x727c3e4e, 0xd0d010c0, - 0x72783a4a, 0x43440747, 0x92941686, 0xe1e425c5, 0x22242606, 0x80800080, 0xa1ac2d8d, 0xd3dc1fcf, - 0xa1a02181, 0x30303000, 0x33343707, 0xa2ac2e8e, 0x32343606, 0x11141505, 0x22202202, 0x30383808, - 0xf0f434c4, 0xa3a42787, 0x41440545, 0x404c0c4c, 0x81800181, 0xe1e829c9, 0x80840484, 0x93941787, - 0x31343505, 0xc3c80bcb, 0xc2cc0ece, 0x303c3c0c, 0x71703141, 0x11101101, 0xc3c407c7, 0x81880989, - 0x71743545, 0xf3f83bcb, 0xd2d81aca, 0xf0f838c8, 0x90941484, 0x51581949, 0x82800282, 0xc0c404c4, - 0xf3fc3fcf, 0x41480949, 0x31383909, 0x63642747, 0xc0c000c0, 0xc3cc0fcf, 0xd3d417c7, 0xb0b83888, - 0x030c0f0f, 0x828c0e8e, 0x42400242, 0x23202303, 0x91901181, 0x606c2c4c, 0xd3d81bcb, 0xa0a42484, - 0x30343404, 0xf1f031c1, 0x40480848, 0xc2c002c2, 0x636c2f4f, 0x313c3d0d, 0x212c2d0d, 0x40400040, - 0xb2bc3e8e, 0x323c3e0e, 0xb0bc3c8c, 0xc1c001c1, 0xa2a82a8a, 0xb2b83a8a, 0x424c0e4e, 0x51541545, - 0x33383b0b, 0xd0dc1ccc, 0x60682848, 0x737c3f4f, 0x909c1c8c, 0xd0d818c8, 0x42480a4a, 0x52541646, - 0x73743747, 0xa0a02080, 0xe1ec2dcd, 0x42440646, 0xb1b43585, 0x23282b0b, 0x61642545, 0xf2f83aca, - 0xe3e023c3, 0xb1b83989, 0xb1b03181, 0x939c1f8f, 0x525c1e4e, 0xf1f839c9, 0xe2e426c6, 0xb2b03282, - 0x31303101, 0xe2e82aca, 0x616c2d4d, 0x535c1f4f, 0xe0e424c4, 0xf0f030c0, 0xc1cc0dcd, 0x80880888, - 0x12141606, 0x32383a0a, 0x50581848, 0xd0d414c4, 0x62602242, 0x21282909, 0x03040707, 0x33303303, - 0xe0e828c8, 0x13181b0b, 0x01040505, 0x71783949, 0x90901080, 0x62682a4a, 0x22282a0a, 0x92981a8a - }; - - - private static final int[] SS3 = - { - - 0x08303838, 0xc8e0e828, 0x0d212c2d, 0x86a2a426, 0xcfc3cc0f, 0xced2dc1e, 0x83b3b033, 0x88b0b838, - 0x8fa3ac2f, 0x40606020, 0x45515415, 0xc7c3c407, 0x44404404, 0x4f636c2f, 0x4b63682b, 0x4b53581b, - 0xc3c3c003, 0x42626022, 0x03333033, 0x85b1b435, 0x09212829, 0x80a0a020, 0xc2e2e022, 0x87a3a427, - 0xc3d3d013, 0x81919011, 0x01111011, 0x06020406, 0x0c101c1c, 0x8cb0bc3c, 0x06323436, 0x4b43480b, - 0xcfe3ec2f, 0x88808808, 0x4c606c2c, 0x88a0a828, 0x07131417, 0xc4c0c404, 0x06121416, 0xc4f0f434, - 0xc2c2c002, 0x45414405, 0xc1e1e021, 0xc6d2d416, 0x0f333c3f, 0x0d313c3d, 0x8e828c0e, 0x88909818, - 0x08202828, 0x4e424c0e, 0xc6f2f436, 0x0e323c3e, 0x85a1a425, 0xc9f1f839, 0x0d010c0d, 0xcfd3dc1f, - 0xc8d0d818, 0x0b23282b, 0x46626426, 0x4a72783a, 0x07232427, 0x0f232c2f, 0xc1f1f031, 0x42727032, - 0x42424002, 0xc4d0d414, 0x41414001, 0xc0c0c000, 0x43737033, 0x47636427, 0x8ca0ac2c, 0x8b83880b, - 0xc7f3f437, 0x8da1ac2d, 0x80808000, 0x0f131c1f, 0xcac2c80a, 0x0c202c2c, 0x8aa2a82a, 0x04303434, - 0xc2d2d012, 0x0b03080b, 0xcee2ec2e, 0xc9e1e829, 0x4d515c1d, 0x84909414, 0x08101818, 0xc8f0f838, - 0x47535417, 0x8ea2ac2e, 0x08000808, 0xc5c1c405, 0x03131013, 0xcdc1cc0d, 0x86828406, 0x89b1b839, - 0xcff3fc3f, 0x4d717c3d, 0xc1c1c001, 0x01313031, 0xc5f1f435, 0x8a82880a, 0x4a62682a, 0x81b1b031, - 0xc1d1d011, 0x00202020, 0xc7d3d417, 0x02020002, 0x02222022, 0x04000404, 0x48606828, 0x41717031, - 0x07030407, 0xcbd3d81b, 0x8d919c1d, 0x89919819, 0x41616021, 0x8eb2bc3e, 0xc6e2e426, 0x49515819, - 0xcdd1dc1d, 0x41515011, 0x80909010, 0xccd0dc1c, 0x8a92981a, 0x83a3a023, 0x8ba3a82b, 0xc0d0d010, - 0x81818001, 0x0f030c0f, 0x47434407, 0x0a12181a, 0xc3e3e023, 0xcce0ec2c, 0x8d818c0d, 0x8fb3bc3f, - 0x86929416, 0x4b73783b, 0x4c505c1c, 0x82a2a022, 0x81a1a021, 0x43636023, 0x03232023, 0x4d414c0d, - 0xc8c0c808, 0x8e929c1e, 0x8c909c1c, 0x0a32383a, 0x0c000c0c, 0x0e222c2e, 0x8ab2b83a, 0x4e626c2e, - 0x8f939c1f, 0x4a52581a, 0xc2f2f032, 0x82929012, 0xc3f3f033, 0x49414809, 0x48707838, 0xccc0cc0c, - 0x05111415, 0xcbf3f83b, 0x40707030, 0x45717435, 0x4f737c3f, 0x05313435, 0x00101010, 0x03030003, - 0x44606424, 0x4d616c2d, 0xc6c2c406, 0x44707434, 0xc5d1d415, 0x84b0b434, 0xcae2e82a, 0x09010809, - 0x46727436, 0x09111819, 0xcef2fc3e, 0x40404000, 0x02121012, 0xc0e0e020, 0x8db1bc3d, 0x05010405, - 0xcaf2f83a, 0x01010001, 0xc0f0f030, 0x0a22282a, 0x4e525c1e, 0x89a1a829, 0x46525416, 0x43434003, - 0x85818405, 0x04101414, 0x89818809, 0x8b93981b, 0x80b0b030, 0xc5e1e425, 0x48404808, 0x49717839, - 0x87939417, 0xccf0fc3c, 0x0e121c1e, 0x82828002, 0x01212021, 0x8c808c0c, 0x0b13181b, 0x4f535c1f, - 0x47737437, 0x44505414, 0x82b2b032, 0x0d111c1d, 0x05212425, 0x4f434c0f, 0x00000000, 0x46424406, - 0xcde1ec2d, 0x48505818, 0x42525012, 0xcbe3e82b, 0x4e727c3e, 0xcad2d81a, 0xc9c1c809, 0xcdf1fc3d, - 0x00303030, 0x85919415, 0x45616425, 0x0c303c3c, 0x86b2b436, 0xc4e0e424, 0x8bb3b83b, 0x4c707c3c, - 0x0e020c0e, 0x40505010, 0x09313839, 0x06222426, 0x02323032, 0x84808404, 0x49616829, 0x83939013, - 0x07333437, 0xc7e3e427, 0x04202424, 0x84a0a424, 0xcbc3c80b, 0x43535013, 0x0a02080a, 0x87838407, - 0xc9d1d819, 0x4c404c0c, 0x83838003, 0x8f838c0f, 0xcec2cc0e, 0x0b33383b, 0x4a42480a, 0x87b3b437 - }; - - - private static final int[] KC = - { - 0x9e3779b9, 0x3c6ef373, 0x78dde6e6, 0xf1bbcdcc, - 0xe3779b99, 0xc6ef3733, 0x8dde6e67, 0x1bbcdccf, - 0x3779b99e, 0x6ef3733c, 0xdde6e678, 0xbbcdccf1, - 0x779b99e3, 0xef3733c6, 0xde6e678d, 0xbcdccf1b - }; - - private int[] wKey; - private boolean forEncryption; - - public void init(boolean forEncryption, CipherParameters params) throws IllegalArgumentException - { - this.forEncryption = forEncryption; - wKey = createWorkingKey(((KeyParameter)params).getKey()); - } - - public String getAlgorithmName() - { - return "SEED"; - } - - public int getBlockSize() - { - return BLOCK_SIZE; - } - - public int processBlock(byte[] in, int inOff, byte[] out, int outOff) throws DataLengthException, IllegalStateException - { - if (wKey == null) - { - throw new IllegalStateException("SEED engine not initialised"); - } - - if (inOff + BLOCK_SIZE > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if (outOff + BLOCK_SIZE > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - long l = bytesToLong(in, inOff + 0); - long r = bytesToLong(in, inOff + 8); - - if (forEncryption) - { - for (int i = 0; i < 16; i++) - { - long nl = r; - - r = l ^ F(wKey[2 * i], wKey[(2 * i) + 1], r); - l = nl; - } - } - else - { - for (int i = 15; i >= 0; i--) - { - long nl = r; - - r = l ^ F(wKey[2 * i], wKey[(2 * i) + 1], r); - l = nl; - } - } - - longToBytes(out, outOff + 0, r); - longToBytes(out, outOff + 8, l); - - return BLOCK_SIZE; - } - - public void reset() - { - } - - private int[] createWorkingKey(byte[] inKey) - { - int[] key = new int[32]; - long lower = bytesToLong(inKey, 0); - long upper = bytesToLong(inKey, 8); - - int key0 = extractW0(lower); - int key1 = extractW1(lower); - int key2 = extractW0(upper); - int key3 = extractW1(upper); - - for (int i = 0; i < 16; i++) - { - key[2 * i] = G(key0 + key2 - KC[i]); - key[2 * i + 1] = G(key1 - key3 + KC[i]); - - if (i % 2 == 0) - { - lower = rotateRight8(lower); - key0 = extractW0(lower); - key1 = extractW1(lower); - } - else - { - upper = rotateLeft8(upper); - key2 = extractW0(upper); - key3 = extractW1(upper); - } - } - - return key; - } - - private int extractW1(long lVal) - { - return (int)lVal; - } - - private int extractW0(long lVal) - { - return (int)(lVal >> 32); - } - - private long rotateLeft8(long x) - { - return (x << 8) | (x >>> 56); - } - - private long rotateRight8(long x) - { - return (x >>> 8) | (x << 56); - } - - private long bytesToLong( - byte[] src, - int srcOff) - { - long word = 0; - - for (int i = 0; i <= 7; i++) - { - word = (word << 8) + (src[i + srcOff] & 0xff); - } - - return word; - } - - private void longToBytes( - byte[] dest, - int destOff, - long value) - { - for (int i = 0; i < 8; i++) - { - dest[i + destOff] = (byte)(value >> ((7 - i) * 8)); - } - } - - private int G(int x) - { - return SS0[x & 0xff] ^ SS1[(x >> 8) & 0xff] ^ SS2[(x >> 16) & 0xff] ^ SS3[(x >> 24) & 0xff]; - } - - private long F(int ki0, int ki1, long r) - { - int r0 = (int)(r >> 32); - int r1 = (int)r; - int rd1 = phaseCalc2(r0, ki0, r1, ki1); - int rd0 = rd1 + phaseCalc1(r0, ki0, r1, ki1); - - return ((long)rd0 << 32) | (rd1 & 0xffffffffL); - } - - private int phaseCalc1(int r0, int ki0, int r1, int ki1) - { - return G(G((r0 ^ ki0) ^ (r1 ^ ki1)) + (r0 ^ ki0)); - } - - private int phaseCalc2(int r0, int ki0, int r1, int ki1) - { - return G(phaseCalc1(r0, ki0, r1, ki1) + G((r0 ^ ki0) ^ (r1 ^ ki1))); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/SEEDWrapEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/SEEDWrapEngine.java deleted file mode 100644 index 5b65b00c..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/SEEDWrapEngine.java +++ /dev/null @@ -1,15 +0,0 @@ -package org.bouncycastle.crypto.engines; - -/** - * An implementation of the SEED key wrapper based on RFC 4010/RFC 3394. - * <p> - * For further details see: <a href="http://www.ietf.org/rfc/rfc4010.txt">http://www.ietf.org/rfc/rfc4010.txt</a>. - */ -public class SEEDWrapEngine - extends RFC3394WrapEngine -{ - public SEEDWrapEngine() - { - super(new SEEDEngine()); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/Salsa20Engine.java b/core/src/main/java/org/bouncycastle/crypto/engines/Salsa20Engine.java deleted file mode 100644 index 1452d1e6..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/Salsa20Engine.java +++ /dev/null @@ -1,474 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.MaxBytesExceededException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.SkippingStreamCipher; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.ParametersWithIV; -import org.bouncycastle.util.Pack; -import org.bouncycastle.util.Strings; - -/** - * Implementation of Daniel J. Bernstein's Salsa20 stream cipher, Snuffle 2005 - */ -public class Salsa20Engine - implements SkippingStreamCipher -{ - public final static int DEFAULT_ROUNDS = 20; - - /** Constants */ - private final static int STATE_SIZE = 16; // 16, 32 bit ints = 64 bytes - - protected final static byte[] - sigma = Strings.toByteArray("expand 32-byte k"), - tau = Strings.toByteArray("expand 16-byte k"); - - protected int rounds; - - /* - * variables to hold the state of the engine - * during encryption and decryption - */ - private int index = 0; - protected int[] engineState = new int[STATE_SIZE]; // state - protected int[] x = new int[STATE_SIZE] ; // internal buffer - private byte[] keyStream = new byte[STATE_SIZE * 4]; // expanded state, 64 bytes - private boolean initialised = false; - - /* - * internal counter - */ - private int cW0, cW1, cW2; - - /** - * Creates a 20 round Salsa20 engine. - */ - public Salsa20Engine() - { - this(DEFAULT_ROUNDS); - } - - /** - * Creates a Salsa20 engine with a specific number of rounds. - * @param rounds the number of rounds (must be an even number). - */ - public Salsa20Engine(int rounds) - { - if (rounds <= 0 || (rounds & 1) != 0) - { - throw new IllegalArgumentException("'rounds' must be a positive, even number"); - } - - this.rounds = rounds; - } - - /** - * initialise a Salsa20 cipher. - * - * @param forEncryption whether or not we are for encryption. - * @param params the parameters required to set up the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean forEncryption, - CipherParameters params) - { - /* - * Salsa20 encryption and decryption is completely - * symmetrical, so the 'forEncryption' is - * irrelevant. (Like 90% of stream ciphers) - */ - - if (!(params instanceof ParametersWithIV)) - { - throw new IllegalArgumentException(getAlgorithmName() + " Init parameters must include an IV"); - } - - ParametersWithIV ivParams = (ParametersWithIV) params; - - byte[] iv = ivParams.getIV(); - if (iv == null || iv.length != getNonceSize()) - { - throw new IllegalArgumentException(getAlgorithmName() + " requires exactly " + getNonceSize() - + " bytes of IV"); - } - - CipherParameters keyParam = ivParams.getParameters(); - if (keyParam == null) - { - if (!initialised) - { - throw new IllegalStateException(getAlgorithmName() + " KeyParameter can not be null for first initialisation"); - } - - setKey(null, iv); - } - else if (keyParam instanceof KeyParameter) - { - setKey(((KeyParameter)keyParam).getKey(), iv); - } - else - { - throw new IllegalArgumentException(getAlgorithmName() + " Init parameters must contain a KeyParameter (or null for re-init)"); - } - - reset(); - - initialised = true; - } - - protected int getNonceSize() - { - return 8; - } - - public String getAlgorithmName() - { - String name = "Salsa20"; - if (rounds != DEFAULT_ROUNDS) - { - name += "/" + rounds; - } - return name; - } - - public byte returnByte(byte in) - { - if (limitExceeded()) - { - throw new MaxBytesExceededException("2^70 byte limit per IV; Change IV"); - } - - byte out = (byte)(keyStream[index]^in); - index = (index + 1) & 63; - - if (index == 0) - { - advanceCounter(); - generateKeyStream(keyStream); - } - - return out; - } - - protected void advanceCounter() - { - if (++engineState[8] == 0) - { - ++engineState[9]; - } - } - - protected void retreatCounter() - { - if (engineState[8] == 0 && engineState[9] == 0) - { - throw new IllegalStateException("attempt to reduce counter past zero."); - } - - if (--engineState[8] == -1) - { - --engineState[9]; - } - } - - public int processBytes( - byte[] in, - int inOff, - int len, - byte[] out, - int outOff) - { - if (!initialised) - { - throw new IllegalStateException(getAlgorithmName() + " not initialised"); - } - - if ((inOff + len) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + len) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - if (limitExceeded(len)) - { - throw new MaxBytesExceededException("2^70 byte limit per IV would be exceeded; Change IV"); - } - - for (int i = 0; i < len; i++) - { - out[i + outOff] = (byte)(keyStream[index] ^ in[i + inOff]); - index = (index + 1) & 63; - - if (index == 0) - { - advanceCounter(); - generateKeyStream(keyStream); - } - } - - return len; - } - - public long skip(long numberOfBytes) - { - if (numberOfBytes >= 0) - { - for (long i = 0; i < numberOfBytes; i++) - { - index = (index + 1) & 63; - - if (index == 0) - { - advanceCounter(); - } - } - } - else - { - for (long i = 0; i > numberOfBytes; i--) - { - if (index == 0) - { - retreatCounter(); - } - - index = (index - 1) & 63; - } - } - - generateKeyStream(keyStream); - - return numberOfBytes; - } - - public long seekTo(long position) - { - reset(); - - return skip(position); - } - - public long getPosition() - { - return getCounter() * 64 + index; - } - - public void reset() - { - index = 0; - resetLimitCounter(); - resetCounter(); - - generateKeyStream(keyStream); - } - - protected long getCounter() - { - return ((long)engineState[9] << 32) | (engineState[8] & 0xffffffffL); - } - - protected void resetCounter() - { - engineState[8] = engineState[9] = 0; - } - - protected void setKey(byte[] keyBytes, byte[] ivBytes) - { - if (keyBytes != null) - { - if ((keyBytes.length != 16) && (keyBytes.length != 32)) - { - throw new IllegalArgumentException(getAlgorithmName() + " requires 128 bit or 256 bit key"); - } - - // Key - engineState[1] = Pack.littleEndianToInt(keyBytes, 0); - engineState[2] = Pack.littleEndianToInt(keyBytes, 4); - engineState[3] = Pack.littleEndianToInt(keyBytes, 8); - engineState[4] = Pack.littleEndianToInt(keyBytes, 12); - - byte[] constants; - int offset; - if (keyBytes.length == 32) - { - constants = sigma; - offset = 16; - } - else - { - constants = tau; - offset = 0; - } - - engineState[11] = Pack.littleEndianToInt(keyBytes, offset); - engineState[12] = Pack.littleEndianToInt(keyBytes, offset + 4); - engineState[13] = Pack.littleEndianToInt(keyBytes, offset + 8); - engineState[14] = Pack.littleEndianToInt(keyBytes, offset + 12); - - engineState[0 ] = Pack.littleEndianToInt(constants, 0); - engineState[5 ] = Pack.littleEndianToInt(constants, 4); - engineState[10] = Pack.littleEndianToInt(constants, 8); - engineState[15] = Pack.littleEndianToInt(constants, 12); - } - - // IV - engineState[6] = Pack.littleEndianToInt(ivBytes, 0); - engineState[7] = Pack.littleEndianToInt(ivBytes, 4); - } - - protected void generateKeyStream(byte[] output) - { - salsaCore(rounds, engineState, x); - Pack.intToLittleEndian(x, output, 0); - } - - /** - * Salsa20 function - * - * @param input input data - */ - public static void salsaCore(int rounds, int[] input, int[] x) - { - if (input.length != 16) - { - throw new IllegalArgumentException(); - } - if (x.length != 16) - { - throw new IllegalArgumentException(); - } - if (rounds % 2 != 0) - { - throw new IllegalArgumentException("Number of rounds must be even"); - } - - int x00 = input[ 0]; - int x01 = input[ 1]; - int x02 = input[ 2]; - int x03 = input[ 3]; - int x04 = input[ 4]; - int x05 = input[ 5]; - int x06 = input[ 6]; - int x07 = input[ 7]; - int x08 = input[ 8]; - int x09 = input[ 9]; - int x10 = input[10]; - int x11 = input[11]; - int x12 = input[12]; - int x13 = input[13]; - int x14 = input[14]; - int x15 = input[15]; - - for (int i = rounds; i > 0; i -= 2) - { - x04 ^= rotl(x00 + x12, 7); - x08 ^= rotl(x04 + x00, 9); - x12 ^= rotl(x08 + x04, 13); - x00 ^= rotl(x12 + x08, 18); - x09 ^= rotl(x05 + x01, 7); - x13 ^= rotl(x09 + x05, 9); - x01 ^= rotl(x13 + x09, 13); - x05 ^= rotl(x01 + x13, 18); - x14 ^= rotl(x10 + x06, 7); - x02 ^= rotl(x14 + x10, 9); - x06 ^= rotl(x02 + x14, 13); - x10 ^= rotl(x06 + x02, 18); - x03 ^= rotl(x15 + x11, 7); - x07 ^= rotl(x03 + x15, 9); - x11 ^= rotl(x07 + x03, 13); - x15 ^= rotl(x11 + x07, 18); - - x01 ^= rotl(x00 + x03, 7); - x02 ^= rotl(x01 + x00, 9); - x03 ^= rotl(x02 + x01, 13); - x00 ^= rotl(x03 + x02, 18); - x06 ^= rotl(x05 + x04, 7); - x07 ^= rotl(x06 + x05, 9); - x04 ^= rotl(x07 + x06, 13); - x05 ^= rotl(x04 + x07, 18); - x11 ^= rotl(x10 + x09, 7); - x08 ^= rotl(x11 + x10, 9); - x09 ^= rotl(x08 + x11, 13); - x10 ^= rotl(x09 + x08, 18); - x12 ^= rotl(x15 + x14, 7); - x13 ^= rotl(x12 + x15, 9); - x14 ^= rotl(x13 + x12, 13); - x15 ^= rotl(x14 + x13, 18); - } - - x[ 0] = x00 + input[ 0]; - x[ 1] = x01 + input[ 1]; - x[ 2] = x02 + input[ 2]; - x[ 3] = x03 + input[ 3]; - x[ 4] = x04 + input[ 4]; - x[ 5] = x05 + input[ 5]; - x[ 6] = x06 + input[ 6]; - x[ 7] = x07 + input[ 7]; - x[ 8] = x08 + input[ 8]; - x[ 9] = x09 + input[ 9]; - x[10] = x10 + input[10]; - x[11] = x11 + input[11]; - x[12] = x12 + input[12]; - x[13] = x13 + input[13]; - x[14] = x14 + input[14]; - x[15] = x15 + input[15]; - } - - /** - * Rotate left - * - * @param x value to rotate - * @param y amount to rotate x - * - * @return rotated x - */ - protected static int rotl(int x, int y) - { - return (x << y) | (x >>> -y); - } - - private void resetLimitCounter() - { - cW0 = 0; - cW1 = 0; - cW2 = 0; - } - - private boolean limitExceeded() - { - if (++cW0 == 0) - { - if (++cW1 == 0) - { - return (++cW2 & 0x20) != 0; // 2^(32 + 32 + 6) - } - } - - return false; - } - - /* - * this relies on the fact len will always be positive. - */ - private boolean limitExceeded(int len) - { - cW0 += len; - if (cW0 < len && cW0 >= 0) - { - if (++cW1 == 0) - { - return (++cW2 & 0x20) != 0; // 2^(32 + 32 + 6) - } - } - - return false; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/SerpentEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/SerpentEngine.java deleted file mode 100644 index 8db5a6f7..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/SerpentEngine.java +++ /dev/null @@ -1,783 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.params.KeyParameter; - -/** - * Serpent is a 128-bit 32-round block cipher with variable key lengths, - * including 128, 192 and 256 bit keys conjectured to be at least as - * secure as three-key triple-DES. - * <p> - * Serpent was designed by Ross Anderson, Eli Biham and Lars Knudsen as a - * candidate algorithm for the NIST AES Quest. - * <p> - * For full details see the <a href="http://www.cl.cam.ac.uk/~rja14/serpent.html">The Serpent home page</a> - */ -public class SerpentEngine - implements BlockCipher -{ - private static final int BLOCK_SIZE = 16; - - static final int ROUNDS = 32; - static final int PHI = 0x9E3779B9; // (sqrt(5) - 1) * 2**31 - - private boolean encrypting; - private int[] wKey; - - private int X0, X1, X2, X3; // registers - - /** - * initialise a Serpent cipher. - * - * @param encrypting whether or not we are for encryption. - * @param params the parameters required to set up the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean encrypting, - CipherParameters params) - { - if (params instanceof KeyParameter) - { - this.encrypting = encrypting; - this.wKey = makeWorkingKey(((KeyParameter)params).getKey()); - return; - } - - throw new IllegalArgumentException("invalid parameter passed to Serpent init - " + params.getClass().getName()); - } - - public String getAlgorithmName() - { - return "Serpent"; - } - - public int getBlockSize() - { - return BLOCK_SIZE; - } - - /** - * Process one block of input from the array in and write it to - * the out array. - * - * @param in the array containing the input data. - * @param inOff offset into the in array the data starts at. - * @param out the array the output data will be copied into. - * @param outOff the offset into the out array the output will start at. - * @exception DataLengthException if there isn't enough data in in, or - * space in out. - * @exception IllegalStateException if the cipher isn't initialised. - * @return the number of bytes processed and produced. - */ - public final int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - if (wKey == null) - { - throw new IllegalStateException("Serpent not initialised"); - } - - if ((inOff + BLOCK_SIZE) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + BLOCK_SIZE) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - if (encrypting) - { - encryptBlock(in, inOff, out, outOff); - } - else - { - decryptBlock(in, inOff, out, outOff); - } - - return BLOCK_SIZE; - } - - public void reset() - { - } - - /** - * Expand a user-supplied key material into a session key. - * - * @param key The user-key bytes (multiples of 4) to use. - * @exception IllegalArgumentException - */ - private int[] makeWorkingKey( - byte[] key) - throws IllegalArgumentException - { - // - // pad key to 256 bits - // - int[] kPad = new int[16]; - int off = 0; - int length = 0; - - for (off = key.length - 4; off > 0; off -= 4) - { - kPad[length++] = bytesToWord(key, off); - } - - if (off == 0) - { - kPad[length++] = bytesToWord(key, 0); - if (length < 8) - { - kPad[length] = 1; - } - } - else - { - throw new IllegalArgumentException("key must be a multiple of 4 bytes"); - } - - // - // expand the padded key up to 33 x 128 bits of key material - // - int amount = (ROUNDS + 1) * 4; - int[] w = new int[amount]; - - // - // compute w0 to w7 from w-8 to w-1 - // - for (int i = 8; i < 16; i++) - { - kPad[i] = rotateLeft(kPad[i - 8] ^ kPad[i - 5] ^ kPad[i - 3] ^ kPad[i - 1] ^ PHI ^ (i - 8), 11); - } - - System.arraycopy(kPad, 8, w, 0, 8); - - // - // compute w8 to w136 - // - for (int i = 8; i < amount; i++) - { - w[i] = rotateLeft(w[i - 8] ^ w[i - 5] ^ w[i - 3] ^ w[i - 1] ^ PHI ^ i, 11); - } - - // - // create the working keys by processing w with the Sbox and IP - // - sb3(w[0], w[1], w[2], w[3]); - w[0] = X0; w[1] = X1; w[2] = X2; w[3] = X3; - sb2(w[4], w[5], w[6], w[7]); - w[4] = X0; w[5] = X1; w[6] = X2; w[7] = X3; - sb1(w[8], w[9], w[10], w[11]); - w[8] = X0; w[9] = X1; w[10] = X2; w[11] = X3; - sb0(w[12], w[13], w[14], w[15]); - w[12] = X0; w[13] = X1; w[14] = X2; w[15] = X3; - sb7(w[16], w[17], w[18], w[19]); - w[16] = X0; w[17] = X1; w[18] = X2; w[19] = X3; - sb6(w[20], w[21], w[22], w[23]); - w[20] = X0; w[21] = X1; w[22] = X2; w[23] = X3; - sb5(w[24], w[25], w[26], w[27]); - w[24] = X0; w[25] = X1; w[26] = X2; w[27] = X3; - sb4(w[28], w[29], w[30], w[31]); - w[28] = X0; w[29] = X1; w[30] = X2; w[31] = X3; - sb3(w[32], w[33], w[34], w[35]); - w[32] = X0; w[33] = X1; w[34] = X2; w[35] = X3; - sb2(w[36], w[37], w[38], w[39]); - w[36] = X0; w[37] = X1; w[38] = X2; w[39] = X3; - sb1(w[40], w[41], w[42], w[43]); - w[40] = X0; w[41] = X1; w[42] = X2; w[43] = X3; - sb0(w[44], w[45], w[46], w[47]); - w[44] = X0; w[45] = X1; w[46] = X2; w[47] = X3; - sb7(w[48], w[49], w[50], w[51]); - w[48] = X0; w[49] = X1; w[50] = X2; w[51] = X3; - sb6(w[52], w[53], w[54], w[55]); - w[52] = X0; w[53] = X1; w[54] = X2; w[55] = X3; - sb5(w[56], w[57], w[58], w[59]); - w[56] = X0; w[57] = X1; w[58] = X2; w[59] = X3; - sb4(w[60], w[61], w[62], w[63]); - w[60] = X0; w[61] = X1; w[62] = X2; w[63] = X3; - sb3(w[64], w[65], w[66], w[67]); - w[64] = X0; w[65] = X1; w[66] = X2; w[67] = X3; - sb2(w[68], w[69], w[70], w[71]); - w[68] = X0; w[69] = X1; w[70] = X2; w[71] = X3; - sb1(w[72], w[73], w[74], w[75]); - w[72] = X0; w[73] = X1; w[74] = X2; w[75] = X3; - sb0(w[76], w[77], w[78], w[79]); - w[76] = X0; w[77] = X1; w[78] = X2; w[79] = X3; - sb7(w[80], w[81], w[82], w[83]); - w[80] = X0; w[81] = X1; w[82] = X2; w[83] = X3; - sb6(w[84], w[85], w[86], w[87]); - w[84] = X0; w[85] = X1; w[86] = X2; w[87] = X3; - sb5(w[88], w[89], w[90], w[91]); - w[88] = X0; w[89] = X1; w[90] = X2; w[91] = X3; - sb4(w[92], w[93], w[94], w[95]); - w[92] = X0; w[93] = X1; w[94] = X2; w[95] = X3; - sb3(w[96], w[97], w[98], w[99]); - w[96] = X0; w[97] = X1; w[98] = X2; w[99] = X3; - sb2(w[100], w[101], w[102], w[103]); - w[100] = X0; w[101] = X1; w[102] = X2; w[103] = X3; - sb1(w[104], w[105], w[106], w[107]); - w[104] = X0; w[105] = X1; w[106] = X2; w[107] = X3; - sb0(w[108], w[109], w[110], w[111]); - w[108] = X0; w[109] = X1; w[110] = X2; w[111] = X3; - sb7(w[112], w[113], w[114], w[115]); - w[112] = X0; w[113] = X1; w[114] = X2; w[115] = X3; - sb6(w[116], w[117], w[118], w[119]); - w[116] = X0; w[117] = X1; w[118] = X2; w[119] = X3; - sb5(w[120], w[121], w[122], w[123]); - w[120] = X0; w[121] = X1; w[122] = X2; w[123] = X3; - sb4(w[124], w[125], w[126], w[127]); - w[124] = X0; w[125] = X1; w[126] = X2; w[127] = X3; - sb3(w[128], w[129], w[130], w[131]); - w[128] = X0; w[129] = X1; w[130] = X2; w[131] = X3; - - return w; - } - - private int rotateLeft( - int x, - int bits) - { - return (x << bits) | (x >>> -bits); - } - - private int rotateRight( - int x, - int bits) - { - return (x >>> bits) | (x << -bits); - } - - private int bytesToWord( - byte[] src, - int srcOff) - { - return (((src[srcOff] & 0xff) << 24) | ((src[srcOff + 1] & 0xff) << 16) | - ((src[srcOff + 2] & 0xff) << 8) | ((src[srcOff + 3] & 0xff))); - } - - private void wordToBytes( - int word, - byte[] dst, - int dstOff) - { - dst[dstOff + 3] = (byte)(word); - dst[dstOff + 2] = (byte)(word >>> 8); - dst[dstOff + 1] = (byte)(word >>> 16); - dst[dstOff] = (byte)(word >>> 24); - } - - /** - * Encrypt one block of plaintext. - * - * @param in the array containing the input data. - * @param inOff offset into the in array the data starts at. - * @param out the array the output data will be copied into. - * @param outOff the offset into the out array the output will start at. - */ - private void encryptBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - X3 = bytesToWord(in, inOff); - X2 = bytesToWord(in, inOff + 4); - X1 = bytesToWord(in, inOff + 8); - X0 = bytesToWord(in, inOff + 12); - - sb0(wKey[0] ^ X0, wKey[1] ^ X1, wKey[2] ^ X2, wKey[3] ^ X3); LT(); - sb1(wKey[4] ^ X0, wKey[5] ^ X1, wKey[6] ^ X2, wKey[7] ^ X3); LT(); - sb2(wKey[8] ^ X0, wKey[9] ^ X1, wKey[10] ^ X2, wKey[11] ^ X3); LT(); - sb3(wKey[12] ^ X0, wKey[13] ^ X1, wKey[14] ^ X2, wKey[15] ^ X3); LT(); - sb4(wKey[16] ^ X0, wKey[17] ^ X1, wKey[18] ^ X2, wKey[19] ^ X3); LT(); - sb5(wKey[20] ^ X0, wKey[21] ^ X1, wKey[22] ^ X2, wKey[23] ^ X3); LT(); - sb6(wKey[24] ^ X0, wKey[25] ^ X1, wKey[26] ^ X2, wKey[27] ^ X3); LT(); - sb7(wKey[28] ^ X0, wKey[29] ^ X1, wKey[30] ^ X2, wKey[31] ^ X3); LT(); - sb0(wKey[32] ^ X0, wKey[33] ^ X1, wKey[34] ^ X2, wKey[35] ^ X3); LT(); - sb1(wKey[36] ^ X0, wKey[37] ^ X1, wKey[38] ^ X2, wKey[39] ^ X3); LT(); - sb2(wKey[40] ^ X0, wKey[41] ^ X1, wKey[42] ^ X2, wKey[43] ^ X3); LT(); - sb3(wKey[44] ^ X0, wKey[45] ^ X1, wKey[46] ^ X2, wKey[47] ^ X3); LT(); - sb4(wKey[48] ^ X0, wKey[49] ^ X1, wKey[50] ^ X2, wKey[51] ^ X3); LT(); - sb5(wKey[52] ^ X0, wKey[53] ^ X1, wKey[54] ^ X2, wKey[55] ^ X3); LT(); - sb6(wKey[56] ^ X0, wKey[57] ^ X1, wKey[58] ^ X2, wKey[59] ^ X3); LT(); - sb7(wKey[60] ^ X0, wKey[61] ^ X1, wKey[62] ^ X2, wKey[63] ^ X3); LT(); - sb0(wKey[64] ^ X0, wKey[65] ^ X1, wKey[66] ^ X2, wKey[67] ^ X3); LT(); - sb1(wKey[68] ^ X0, wKey[69] ^ X1, wKey[70] ^ X2, wKey[71] ^ X3); LT(); - sb2(wKey[72] ^ X0, wKey[73] ^ X1, wKey[74] ^ X2, wKey[75] ^ X3); LT(); - sb3(wKey[76] ^ X0, wKey[77] ^ X1, wKey[78] ^ X2, wKey[79] ^ X3); LT(); - sb4(wKey[80] ^ X0, wKey[81] ^ X1, wKey[82] ^ X2, wKey[83] ^ X3); LT(); - sb5(wKey[84] ^ X0, wKey[85] ^ X1, wKey[86] ^ X2, wKey[87] ^ X3); LT(); - sb6(wKey[88] ^ X0, wKey[89] ^ X1, wKey[90] ^ X2, wKey[91] ^ X3); LT(); - sb7(wKey[92] ^ X0, wKey[93] ^ X1, wKey[94] ^ X2, wKey[95] ^ X3); LT(); - sb0(wKey[96] ^ X0, wKey[97] ^ X1, wKey[98] ^ X2, wKey[99] ^ X3); LT(); - sb1(wKey[100] ^ X0, wKey[101] ^ X1, wKey[102] ^ X2, wKey[103] ^ X3); LT(); - sb2(wKey[104] ^ X0, wKey[105] ^ X1, wKey[106] ^ X2, wKey[107] ^ X3); LT(); - sb3(wKey[108] ^ X0, wKey[109] ^ X1, wKey[110] ^ X2, wKey[111] ^ X3); LT(); - sb4(wKey[112] ^ X0, wKey[113] ^ X1, wKey[114] ^ X2, wKey[115] ^ X3); LT(); - sb5(wKey[116] ^ X0, wKey[117] ^ X1, wKey[118] ^ X2, wKey[119] ^ X3); LT(); - sb6(wKey[120] ^ X0, wKey[121] ^ X1, wKey[122] ^ X2, wKey[123] ^ X3); LT(); - sb7(wKey[124] ^ X0, wKey[125] ^ X1, wKey[126] ^ X2, wKey[127] ^ X3); - - wordToBytes(wKey[131] ^ X3, out, outOff); - wordToBytes(wKey[130] ^ X2, out, outOff + 4); - wordToBytes(wKey[129] ^ X1, out, outOff + 8); - wordToBytes(wKey[128] ^ X0, out, outOff + 12); - } - - /** - * Decrypt one block of ciphertext. - * - * @param in the array containing the input data. - * @param inOff offset into the in array the data starts at. - * @param out the array the output data will be copied into. - * @param outOff the offset into the out array the output will start at. - */ - private void decryptBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - X3 = wKey[131] ^ bytesToWord(in, inOff); - X2 = wKey[130] ^ bytesToWord(in, inOff + 4); - X1 = wKey[129] ^ bytesToWord(in, inOff + 8); - X0 = wKey[128] ^ bytesToWord(in, inOff + 12); - - ib7(X0, X1, X2, X3); - X0 ^= wKey[124]; X1 ^= wKey[125]; X2 ^= wKey[126]; X3 ^= wKey[127]; - inverseLT(); ib6(X0, X1, X2, X3); - X0 ^= wKey[120]; X1 ^= wKey[121]; X2 ^= wKey[122]; X3 ^= wKey[123]; - inverseLT(); ib5(X0, X1, X2, X3); - X0 ^= wKey[116]; X1 ^= wKey[117]; X2 ^= wKey[118]; X3 ^= wKey[119]; - inverseLT(); ib4(X0, X1, X2, X3); - X0 ^= wKey[112]; X1 ^= wKey[113]; X2 ^= wKey[114]; X3 ^= wKey[115]; - inverseLT(); ib3(X0, X1, X2, X3); - X0 ^= wKey[108]; X1 ^= wKey[109]; X2 ^= wKey[110]; X3 ^= wKey[111]; - inverseLT(); ib2(X0, X1, X2, X3); - X0 ^= wKey[104]; X1 ^= wKey[105]; X2 ^= wKey[106]; X3 ^= wKey[107]; - inverseLT(); ib1(X0, X1, X2, X3); - X0 ^= wKey[100]; X1 ^= wKey[101]; X2 ^= wKey[102]; X3 ^= wKey[103]; - inverseLT(); ib0(X0, X1, X2, X3); - X0 ^= wKey[96]; X1 ^= wKey[97]; X2 ^= wKey[98]; X3 ^= wKey[99]; - inverseLT(); ib7(X0, X1, X2, X3); - X0 ^= wKey[92]; X1 ^= wKey[93]; X2 ^= wKey[94]; X3 ^= wKey[95]; - inverseLT(); ib6(X0, X1, X2, X3); - X0 ^= wKey[88]; X1 ^= wKey[89]; X2 ^= wKey[90]; X3 ^= wKey[91]; - inverseLT(); ib5(X0, X1, X2, X3); - X0 ^= wKey[84]; X1 ^= wKey[85]; X2 ^= wKey[86]; X3 ^= wKey[87]; - inverseLT(); ib4(X0, X1, X2, X3); - X0 ^= wKey[80]; X1 ^= wKey[81]; X2 ^= wKey[82]; X3 ^= wKey[83]; - inverseLT(); ib3(X0, X1, X2, X3); - X0 ^= wKey[76]; X1 ^= wKey[77]; X2 ^= wKey[78]; X3 ^= wKey[79]; - inverseLT(); ib2(X0, X1, X2, X3); - X0 ^= wKey[72]; X1 ^= wKey[73]; X2 ^= wKey[74]; X3 ^= wKey[75]; - inverseLT(); ib1(X0, X1, X2, X3); - X0 ^= wKey[68]; X1 ^= wKey[69]; X2 ^= wKey[70]; X3 ^= wKey[71]; - inverseLT(); ib0(X0, X1, X2, X3); - X0 ^= wKey[64]; X1 ^= wKey[65]; X2 ^= wKey[66]; X3 ^= wKey[67]; - inverseLT(); ib7(X0, X1, X2, X3); - X0 ^= wKey[60]; X1 ^= wKey[61]; X2 ^= wKey[62]; X3 ^= wKey[63]; - inverseLT(); ib6(X0, X1, X2, X3); - X0 ^= wKey[56]; X1 ^= wKey[57]; X2 ^= wKey[58]; X3 ^= wKey[59]; - inverseLT(); ib5(X0, X1, X2, X3); - X0 ^= wKey[52]; X1 ^= wKey[53]; X2 ^= wKey[54]; X3 ^= wKey[55]; - inverseLT(); ib4(X0, X1, X2, X3); - X0 ^= wKey[48]; X1 ^= wKey[49]; X2 ^= wKey[50]; X3 ^= wKey[51]; - inverseLT(); ib3(X0, X1, X2, X3); - X0 ^= wKey[44]; X1 ^= wKey[45]; X2 ^= wKey[46]; X3 ^= wKey[47]; - inverseLT(); ib2(X0, X1, X2, X3); - X0 ^= wKey[40]; X1 ^= wKey[41]; X2 ^= wKey[42]; X3 ^= wKey[43]; - inverseLT(); ib1(X0, X1, X2, X3); - X0 ^= wKey[36]; X1 ^= wKey[37]; X2 ^= wKey[38]; X3 ^= wKey[39]; - inverseLT(); ib0(X0, X1, X2, X3); - X0 ^= wKey[32]; X1 ^= wKey[33]; X2 ^= wKey[34]; X3 ^= wKey[35]; - inverseLT(); ib7(X0, X1, X2, X3); - X0 ^= wKey[28]; X1 ^= wKey[29]; X2 ^= wKey[30]; X3 ^= wKey[31]; - inverseLT(); ib6(X0, X1, X2, X3); - X0 ^= wKey[24]; X1 ^= wKey[25]; X2 ^= wKey[26]; X3 ^= wKey[27]; - inverseLT(); ib5(X0, X1, X2, X3); - X0 ^= wKey[20]; X1 ^= wKey[21]; X2 ^= wKey[22]; X3 ^= wKey[23]; - inverseLT(); ib4(X0, X1, X2, X3); - X0 ^= wKey[16]; X1 ^= wKey[17]; X2 ^= wKey[18]; X3 ^= wKey[19]; - inverseLT(); ib3(X0, X1, X2, X3); - X0 ^= wKey[12]; X1 ^= wKey[13]; X2 ^= wKey[14]; X3 ^= wKey[15]; - inverseLT(); ib2(X0, X1, X2, X3); - X0 ^= wKey[8]; X1 ^= wKey[9]; X2 ^= wKey[10]; X3 ^= wKey[11]; - inverseLT(); ib1(X0, X1, X2, X3); - X0 ^= wKey[4]; X1 ^= wKey[5]; X2 ^= wKey[6]; X3 ^= wKey[7]; - inverseLT(); ib0(X0, X1, X2, X3); - - wordToBytes(X3 ^ wKey[3], out, outOff); - wordToBytes(X2 ^ wKey[2], out, outOff + 4); - wordToBytes(X1 ^ wKey[1], out, outOff + 8); - wordToBytes(X0 ^ wKey[0], out, outOff + 12); - } - - /** - * The sboxes below are based on the work of Brian Gladman and - * Sam Simpson, whose original notice appears below. - * <p> - * For further details see: - * http://fp.gladman.plus.com/cryptography_technology/serpent/ - */ - - /* Partially optimised Serpent S Box boolean functions derived */ - /* using a recursive descent analyser but without a full search */ - /* of all subtrees. This set of S boxes is the result of work */ - /* by Sam Simpson and Brian Gladman using the spare time on a */ - /* cluster of high capacity servers to search for S boxes with */ - /* this customised search engine. There are now an average of */ - /* 15.375 terms per S box. */ - /* */ - /* Copyright: Dr B. R Gladman (gladman@seven77.demon.co.uk) */ - /* and Sam Simpson (s.simpson@mia.co.uk) */ - /* 17th December 1998 */ - /* */ - /* We hereby give permission for information in this file to be */ - /* used freely subject only to acknowledgement of its origin. */ - - /** - * S0 - { 3, 8,15, 1,10, 6, 5,11,14,13, 4, 2, 7, 0, 9,12 } - 15 terms. - */ - private void sb0(int a, int b, int c, int d) - { - int t1 = a ^ d; - int t3 = c ^ t1; - int t4 = b ^ t3; - X3 = (a & d) ^ t4; - int t7 = a ^ (b & t1); - X2 = t4 ^ (c | t7); - int t12 = X3 & (t3 ^ t7); - X1 = (~t3) ^ t12; - X0 = t12 ^ (~t7); - } - - /** - * InvSO - {13, 3,11, 0,10, 6, 5,12, 1,14, 4, 7,15, 9, 8, 2 } - 15 terms. - */ - private void ib0(int a, int b, int c, int d) - { - int t1 = ~a; - int t2 = a ^ b; - int t4 = d ^ (t1 | t2); - int t5 = c ^ t4; - X2 = t2 ^ t5; - int t8 = t1 ^ (d & t2); - X1 = t4 ^ (X2 & t8); - X3 = (a & t4) ^ (t5 | X1); - X0 = X3 ^ (t5 ^ t8); - } - - /** - * S1 - {15,12, 2, 7, 9, 0, 5,10, 1,11,14, 8, 6,13, 3, 4 } - 14 terms. - */ - private void sb1(int a, int b, int c, int d) - { - int t2 = b ^ (~a); - int t5 = c ^ (a | t2); - X2 = d ^ t5; - int t7 = b ^ (d | t2); - int t8 = t2 ^ X2; - X3 = t8 ^ (t5 & t7); - int t11 = t5 ^ t7; - X1 = X3 ^ t11; - X0 = t5 ^ (t8 & t11); - } - - /** - * InvS1 - { 5, 8, 2,14,15, 6,12, 3,11, 4, 7, 9, 1,13,10, 0 } - 14 steps. - */ - private void ib1(int a, int b, int c, int d) - { - int t1 = b ^ d; - int t3 = a ^ (b & t1); - int t4 = t1 ^ t3; - X3 = c ^ t4; - int t7 = b ^ (t1 & t3); - int t8 = X3 | t7; - X1 = t3 ^ t8; - int t10 = ~X1; - int t11 = X3 ^ t7; - X0 = t10 ^ t11; - X2 = t4 ^ (t10 | t11); - } - - /** - * S2 - { 8, 6, 7, 9, 3,12,10,15,13, 1,14, 4, 0,11, 5, 2 } - 16 terms. - */ - private void sb2(int a, int b, int c, int d) - { - int t1 = ~a; - int t2 = b ^ d; - int t3 = c & t1; - X0 = t2 ^ t3; - int t5 = c ^ t1; - int t6 = c ^ X0; - int t7 = b & t6; - X3 = t5 ^ t7; - X2 = a ^ ((d | t7) & (X0 | t5)); - X1 = (t2 ^ X3) ^ (X2 ^ (d | t1)); - } - - /** - * InvS2 - {12, 9,15, 4,11,14, 1, 2, 0, 3, 6,13, 5, 8,10, 7 } - 16 steps. - */ - private void ib2(int a, int b, int c, int d) - { - int t1 = b ^ d; - int t2 = ~t1; - int t3 = a ^ c; - int t4 = c ^ t1; - int t5 = b & t4; - X0 = t3 ^ t5; - int t7 = a | t2; - int t8 = d ^ t7; - int t9 = t3 | t8; - X3 = t1 ^ t9; - int t11 = ~t4; - int t12 = X0 | X3; - X1 = t11 ^ t12; - X2 = (d & t11) ^ (t3 ^ t12); - } - - /** - * S3 - { 0,15,11, 8,12, 9, 6, 3,13, 1, 2, 4,10, 7, 5,14 } - 16 terms. - */ - private void sb3(int a, int b, int c, int d) - { - int t1 = a ^ b; - int t2 = a & c; - int t3 = a | d; - int t4 = c ^ d; - int t5 = t1 & t3; - int t6 = t2 | t5; - X2 = t4 ^ t6; - int t8 = b ^ t3; - int t9 = t6 ^ t8; - int t10 = t4 & t9; - X0 = t1 ^ t10; - int t12 = X2 & X0; - X1 = t9 ^ t12; - X3 = (b | d) ^ (t4 ^ t12); - } - - /** - * InvS3 - { 0, 9,10, 7,11,14, 6,13, 3, 5,12, 2, 4, 8,15, 1 } - 15 terms - */ - private void ib3(int a, int b, int c, int d) - { - int t1 = a | b; - int t2 = b ^ c; - int t3 = b & t2; - int t4 = a ^ t3; - int t5 = c ^ t4; - int t6 = d | t4; - X0 = t2 ^ t6; - int t8 = t2 | t6; - int t9 = d ^ t8; - X2 = t5 ^ t9; - int t11 = t1 ^ t9; - int t12 = X0 & t11; - X3 = t4 ^ t12; - X1 = X3 ^ (X0 ^ t11); - } - - /** - * S4 - { 1,15, 8, 3,12, 0,11, 6, 2, 5, 4,10, 9,14, 7,13 } - 15 terms. - */ - private void sb4(int a, int b, int c, int d) - { - int t1 = a ^ d; - int t2 = d & t1; - int t3 = c ^ t2; - int t4 = b | t3; - X3 = t1 ^ t4; - int t6 = ~b; - int t7 = t1 | t6; - X0 = t3 ^ t7; - int t9 = a & X0; - int t10 = t1 ^ t6; - int t11 = t4 & t10; - X2 = t9 ^ t11; - X1 = (a ^ t3) ^ (t10 & X2); - } - - /** - * InvS4 - { 5, 0, 8, 3,10, 9, 7,14, 2,12,11, 6, 4,15,13, 1 } - 15 terms. - */ - private void ib4(int a, int b, int c, int d) - { - int t1 = c | d; - int t2 = a & t1; - int t3 = b ^ t2; - int t4 = a & t3; - int t5 = c ^ t4; - X1 = d ^ t5; - int t7 = ~a; - int t8 = t5 & X1; - X3 = t3 ^ t8; - int t10 = X1 | t7; - int t11 = d ^ t10; - X0 = X3 ^ t11; - X2 = (t3 & t11) ^ (X1 ^ t7); - } - - /** - * S5 - {15, 5, 2,11, 4,10, 9,12, 0, 3,14, 8,13, 6, 7, 1 } - 16 terms. - */ - private void sb5(int a, int b, int c, int d) - { - int t1 = ~a; - int t2 = a ^ b; - int t3 = a ^ d; - int t4 = c ^ t1; - int t5 = t2 | t3; - X0 = t4 ^ t5; - int t7 = d & X0; - int t8 = t2 ^ X0; - X1 = t7 ^ t8; - int t10 = t1 | X0; - int t11 = t2 | t7; - int t12 = t3 ^ t10; - X2 = t11 ^ t12; - X3 = (b ^ t7) ^ (X1 & t12); - } - - /** - * InvS5 - { 8,15, 2, 9, 4, 1,13,14,11, 6, 5, 3, 7,12,10, 0 } - 16 terms. - */ - private void ib5(int a, int b, int c, int d) - { - int t1 = ~c; - int t2 = b & t1; - int t3 = d ^ t2; - int t4 = a & t3; - int t5 = b ^ t1; - X3 = t4 ^ t5; - int t7 = b | X3; - int t8 = a & t7; - X1 = t3 ^ t8; - int t10 = a | d; - int t11 = t1 ^ t7; - X0 = t10 ^ t11; - X2 = (b & t10) ^ (t4 | (a ^ c)); - } - - /** - * S6 - { 7, 2,12, 5, 8, 4, 6,11,14, 9, 1,15,13, 3,10, 0 } - 15 terms. - */ - private void sb6(int a, int b, int c, int d) - { - int t1 = ~a; - int t2 = a ^ d; - int t3 = b ^ t2; - int t4 = t1 | t2; - int t5 = c ^ t4; - X1 = b ^ t5; - int t7 = t2 | X1; - int t8 = d ^ t7; - int t9 = t5 & t8; - X2 = t3 ^ t9; - int t11 = t5 ^ t8; - X0 = X2 ^ t11; - X3 = (~t5) ^ (t3 & t11); - } - - /** - * InvS6 - {15,10, 1,13, 5, 3, 6, 0, 4, 9,14, 7, 2,12, 8,11 } - 15 terms. - */ - private void ib6(int a, int b, int c, int d) - { - int t1 = ~a; - int t2 = a ^ b; - int t3 = c ^ t2; - int t4 = c | t1; - int t5 = d ^ t4; - X1 = t3 ^ t5; - int t7 = t3 & t5; - int t8 = t2 ^ t7; - int t9 = b | t8; - X3 = t5 ^ t9; - int t11 = b | X3; - X0 = t8 ^ t11; - X2 = (d & t1) ^ (t3 ^ t11); - } - - /** - * S7 - { 1,13,15, 0,14, 8, 2,11, 7, 4,12,10, 9, 3, 5, 6 } - 16 terms. - */ - private void sb7(int a, int b, int c, int d) - { - int t1 = b ^ c; - int t2 = c & t1; - int t3 = d ^ t2; - int t4 = a ^ t3; - int t5 = d | t1; - int t6 = t4 & t5; - X1 = b ^ t6; - int t8 = t3 | X1; - int t9 = a & t4; - X3 = t1 ^ t9; - int t11 = t4 ^ t8; - int t12 = X3 & t11; - X2 = t3 ^ t12; - X0 = (~t11) ^ (X3 & X2); - } - - /** - * InvS7 - { 3, 0, 6,13, 9,14,15, 8, 5,12,11, 7,10, 1, 4, 2 } - 17 terms. - */ - private void ib7(int a, int b, int c, int d) - { - int t3 = c | (a & b); - int t4 = d & (a | b); - X3 = t3 ^ t4; - int t6 = ~d; - int t7 = b ^ t4; - int t9 = t7 | (X3 ^ t6); - X1 = a ^ t9; - X0 = (c ^ t7) ^ (d | X1); - X2 = (t3 ^ X1) ^ (X0 ^ (a & X3)); - } - - /** - * Apply the linear transformation to the register set. - */ - private void LT() - { - int x0 = rotateLeft(X0, 13); - int x2 = rotateLeft(X2, 3); - int x1 = X1 ^ x0 ^ x2 ; - int x3 = X3 ^ x2 ^ x0 << 3; - - X1 = rotateLeft(x1, 1); - X3 = rotateLeft(x3, 7); - X0 = rotateLeft(x0 ^ X1 ^ X3, 5); - X2 = rotateLeft(x2 ^ X3 ^ (X1 << 7), 22); - } - - /** - * Apply the inverse of the linear transformation to the register set. - */ - private void inverseLT() - { - int x2 = rotateRight(X2, 22) ^ X3 ^ (X1 << 7); - int x0 = rotateRight(X0, 5) ^ X1 ^ X3; - int x3 = rotateRight(X3, 7); - int x1 = rotateRight(X1, 1); - X3 = x3 ^ x2 ^ x0 << 3; - X1 = x1 ^ x0 ^ x2; - X2 = rotateRight(x2, 3); - X0 = rotateRight(x0, 13); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/Shacal2Engine.java b/core/src/main/java/org/bouncycastle/crypto/engines/Shacal2Engine.java deleted file mode 100644 index b59205de..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/Shacal2Engine.java +++ /dev/null @@ -1,201 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.params.KeyParameter; - -/** - * Block cipher Shacal2, designed by Helena Handschuh and David Naccache, - * based on hash function SHA-256, - * using SHA-256-Initialization-Values as data and SHA-256-Data as key. - * <p> - * A description of Shacal can be found at: - * http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.3.4066 - * Best known cryptanalytic (Wikipedia 11.2013): - * Related-key rectangle attack on 44-rounds (Jiqiang Lu, Jongsung Kim). - * Comments are related to SHA-256-Naming as described in FIPS PUB 180-2 - * </p> - */ -public class Shacal2Engine - implements BlockCipher -{ - private final static int[] K = { // SHA-256-Constants - 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, - 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, - 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, - 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, - 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, - 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, - 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, - 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 - }; - - private static final int BLOCK_SIZE = 32; - private boolean forEncryption = false; - private static final int ROUNDS = 64; - - private int[] workingKey = null; // expanded key: corresponds to the message block W in FIPS PUB 180-2 - - public Shacal2Engine() - { - } - - public void reset() - { - } - - public String getAlgorithmName() - { - return "Shacal2"; - } - - public int getBlockSize() - { - return BLOCK_SIZE; - } - - public void init(boolean _forEncryption, CipherParameters params) - throws IllegalArgumentException - { - if (!(params instanceof KeyParameter)) - { - throw new IllegalArgumentException("only simple KeyParameter expected."); - } - this.forEncryption = _forEncryption; - workingKey = new int[64]; - setKey( ((KeyParameter)params).getKey() ); - } - - public void setKey(byte[] kb) - { - if (kb.length == 0 || kb.length > 64 || kb.length < 16 || kb.length % 8 != 0) - { - throw new IllegalArgumentException("Shacal2-key must be 16 - 64 bytes and multiple of 8"); - } - - bytes2ints(kb, workingKey, 0, 0); - - for ( int i = 16; i < 64; i++) - { // Key-Expansion, implicitly Zero-Padding for 16 > i > kb.length/4 - workingKey[i] = - ( (workingKey[i-2] >>> 17 | workingKey[i-2] << -17) // corresponds to ROTL n(x) of FIPS PUB 180-2 - ^ (workingKey[i-2] >>> 19 | workingKey[i-2] << -19) - ^ (workingKey[i-2] >>> 10) ) // corresponds to sigma1(x)-Function of FIPS PUB 180-2 - + workingKey[i-7] - + ( (workingKey[i-15] >>> 7 | workingKey[i-15] << -7) - ^ (workingKey[i-15] >>> 18 | workingKey[i-15] << -18) - ^ (workingKey[i-15] >>> 3) ) // corresponds to sigma0(x)-Function of FIPS PUB 180-2 - + workingKey[i-16]; - } - } - - public void encryptBlock(byte[] in, int inOffset, byte[] out, int outOffset) - { - int[] block = new int[BLOCK_SIZE / 4];// corresponds to working variables a,b,c,d,e,f,g,h of FIPS PUB 180-2 - bytes2ints(in, block, inOffset, 0); - - for (int i = 0; i < ROUNDS; i++) - { - int tmp = - (((block[4] >>> 6) | (block[4] << -6)) - ^ ((block[4] >>> 11) | (block[4] << -11)) - ^ ((block[4] >>> 25) | (block[4] << -25))) - + ((block[4] & block[5]) ^ ((~block[4]) & block[6])) - + block[7] + K[i] + workingKey[i]; // corresponds to T1 of FIPS PUB 180-2 - block[7] = block[6]; - block[6] = block[5]; - block[5] = block[4]; - block[4] = block[3] + tmp; - block[3] = block[2]; - block[2] = block[1]; - block[1] = block[0]; - block[0] = tmp - + (((block[0] >>> 2) | (block[0] << -2)) - ^ ((block[0] >>> 13) | (block[0] << -13)) - ^ ((block[0] >>> 22) | (block[0] << -22))) - + ((block[0] & block[2]) ^ (block[0] & block[3]) ^ (block[2] & block[3])); - //corresponds to T2 of FIPS PUB 180-2, block[1] and block[2] replaced - } - ints2bytes(block, out, outOffset); - } - - public void decryptBlock(byte[] in, int inOffset, byte[] out, int outOffset) - { - int[] block = new int[BLOCK_SIZE / 4]; - bytes2ints(in, block, inOffset, 0); - for (int i = ROUNDS - 1; i >-1; i--) - { - int tmp = block[0] - (((block[1] >>> 2) | (block[1] << -2)) - ^ ((block[1] >>> 13) | (block[1] << -13)) - ^ ((block[1] >>> 22) | (block[1] << -22))) - - ((block[1] & block[2]) ^ (block[1] & block[3]) ^ (block[2] & block[3])); // T2 - block[0] = block[1]; - block[1] = block[2]; - block[2] = block[3]; - block[3] = block[4] - tmp; - block[4] = block[5]; - block[5] = block[6]; - block[6] = block[7]; - block[7] = tmp - K[i] - workingKey[i] - - (((block[4] >>> 6) | (block[4] << -6)) - ^ ((block[4] >>> 11) | (block[4] << -11)) - ^ ((block[4] >>> 25) | (block[4] << -25))) - - ((block[4] & block[5]) ^ ((~block[4]) & block[6])); // T1 - } - ints2bytes(block, out, outOffset); - } - - public int processBlock(byte[] in, int inOffset, byte[] out, int outOffset) - throws DataLengthException, IllegalStateException - { - if (workingKey == null) - { - throw new IllegalStateException("Shacal2 not initialised"); - } - - if ((inOffset + BLOCK_SIZE) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOffset + BLOCK_SIZE) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - if (forEncryption) - { - encryptBlock(in, inOffset, out, outOffset); - } - else - { - decryptBlock(in, inOffset, out, outOffset); - } - - return BLOCK_SIZE; - } - - private void bytes2ints(byte[] bytes, int[] block, int bytesPos, int blockPos) - { - for (int i = blockPos; i < bytes.length / 4; i++) - { - block[i] = ((bytes[bytesPos++] & 0xFF) << 24) - | ((bytes[bytesPos++] & 0xFF) << 16) - | ((bytes[bytesPos++] & 0xFF) << 8) - | (bytes[bytesPos++] & 0xFF); - } - } - - private void ints2bytes(int[] block, byte[] out, int pos) - { - for (int i = 0; i < block.length; i++) - { - out[pos++] = (byte)(block[i] >>> 24); - out[pos++] = (byte)(block[i] >>> 16); - out[pos++] = (byte)(block[i] >>> 8); - out[pos++] = (byte)block[i]; - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/SkipjackEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/SkipjackEngine.java deleted file mode 100644 index 1fac5362..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/SkipjackEngine.java +++ /dev/null @@ -1,260 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.params.KeyParameter; - -/** - * a class that provides a basic SKIPJACK engine. - */ -public class SkipjackEngine - implements BlockCipher -{ - static final int BLOCK_SIZE = 8; - - static short ftable[] = - { - 0xa3, 0xd7, 0x09, 0x83, 0xf8, 0x48, 0xf6, 0xf4, 0xb3, 0x21, 0x15, 0x78, 0x99, 0xb1, 0xaf, 0xf9, - 0xe7, 0x2d, 0x4d, 0x8a, 0xce, 0x4c, 0xca, 0x2e, 0x52, 0x95, 0xd9, 0x1e, 0x4e, 0x38, 0x44, 0x28, - 0x0a, 0xdf, 0x02, 0xa0, 0x17, 0xf1, 0x60, 0x68, 0x12, 0xb7, 0x7a, 0xc3, 0xe9, 0xfa, 0x3d, 0x53, - 0x96, 0x84, 0x6b, 0xba, 0xf2, 0x63, 0x9a, 0x19, 0x7c, 0xae, 0xe5, 0xf5, 0xf7, 0x16, 0x6a, 0xa2, - 0x39, 0xb6, 0x7b, 0x0f, 0xc1, 0x93, 0x81, 0x1b, 0xee, 0xb4, 0x1a, 0xea, 0xd0, 0x91, 0x2f, 0xb8, - 0x55, 0xb9, 0xda, 0x85, 0x3f, 0x41, 0xbf, 0xe0, 0x5a, 0x58, 0x80, 0x5f, 0x66, 0x0b, 0xd8, 0x90, - 0x35, 0xd5, 0xc0, 0xa7, 0x33, 0x06, 0x65, 0x69, 0x45, 0x00, 0x94, 0x56, 0x6d, 0x98, 0x9b, 0x76, - 0x97, 0xfc, 0xb2, 0xc2, 0xb0, 0xfe, 0xdb, 0x20, 0xe1, 0xeb, 0xd6, 0xe4, 0xdd, 0x47, 0x4a, 0x1d, - 0x42, 0xed, 0x9e, 0x6e, 0x49, 0x3c, 0xcd, 0x43, 0x27, 0xd2, 0x07, 0xd4, 0xde, 0xc7, 0x67, 0x18, - 0x89, 0xcb, 0x30, 0x1f, 0x8d, 0xc6, 0x8f, 0xaa, 0xc8, 0x74, 0xdc, 0xc9, 0x5d, 0x5c, 0x31, 0xa4, - 0x70, 0x88, 0x61, 0x2c, 0x9f, 0x0d, 0x2b, 0x87, 0x50, 0x82, 0x54, 0x64, 0x26, 0x7d, 0x03, 0x40, - 0x34, 0x4b, 0x1c, 0x73, 0xd1, 0xc4, 0xfd, 0x3b, 0xcc, 0xfb, 0x7f, 0xab, 0xe6, 0x3e, 0x5b, 0xa5, - 0xad, 0x04, 0x23, 0x9c, 0x14, 0x51, 0x22, 0xf0, 0x29, 0x79, 0x71, 0x7e, 0xff, 0x8c, 0x0e, 0xe2, - 0x0c, 0xef, 0xbc, 0x72, 0x75, 0x6f, 0x37, 0xa1, 0xec, 0xd3, 0x8e, 0x62, 0x8b, 0x86, 0x10, 0xe8, - 0x08, 0x77, 0x11, 0xbe, 0x92, 0x4f, 0x24, 0xc5, 0x32, 0x36, 0x9d, 0xcf, 0xf3, 0xa6, 0xbb, 0xac, - 0x5e, 0x6c, 0xa9, 0x13, 0x57, 0x25, 0xb5, 0xe3, 0xbd, 0xa8, 0x3a, 0x01, 0x05, 0x59, 0x2a, 0x46 - }; - - private int[] key0, key1, key2, key3; - private boolean encrypting; - - /** - * initialise a SKIPJACK cipher. - * - * @param encrypting whether or not we are for encryption. - * @param params the parameters required to set up the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean encrypting, - CipherParameters params) - { - if (!(params instanceof KeyParameter)) - { - throw new IllegalArgumentException("invalid parameter passed to SKIPJACK init - " + params.getClass().getName()); - } - - byte[] keyBytes = ((KeyParameter)params).getKey(); - - this.encrypting = encrypting; - this.key0 = new int[32]; - this.key1 = new int[32]; - this.key2 = new int[32]; - this.key3 = new int[32]; - - // - // expand the key to 128 bytes in 4 parts (saving us a modulo, multiply - // and an addition). - // - for (int i = 0; i < 32; i ++) - { - key0[i] = keyBytes[(i * 4) % 10] & 0xff; - key1[i] = keyBytes[(i * 4 + 1) % 10] & 0xff; - key2[i] = keyBytes[(i * 4 + 2) % 10] & 0xff; - key3[i] = keyBytes[(i * 4 + 3) % 10] & 0xff; - } - } - - public String getAlgorithmName() - { - return "SKIPJACK"; - } - - public int getBlockSize() - { - return BLOCK_SIZE; - } - - public int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - if (key1 == null) - { - throw new IllegalStateException("SKIPJACK engine not initialised"); - } - - if ((inOff + BLOCK_SIZE) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + BLOCK_SIZE) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - if (encrypting) - { - encryptBlock(in, inOff, out, outOff); - } - else - { - decryptBlock(in, inOff, out, outOff); - } - - return BLOCK_SIZE; - } - - public void reset() - { - } - - /** - * The G permutation - */ - private int g( - int k, - int w) - { - int g1, g2, g3, g4, g5, g6; - - g1 = (w >> 8) & 0xff; - g2 = w & 0xff; - - g3 = ftable[g2 ^ key0[k]] ^ g1; - g4 = ftable[g3 ^ key1[k]] ^ g2; - g5 = ftable[g4 ^ key2[k]] ^ g3; - g6 = ftable[g5 ^ key3[k]] ^ g4; - - return ((g5 << 8) + g6); - } - - public int encryptBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - int w1 = (in[inOff + 0] << 8) + (in[inOff + 1] & 0xff); - int w2 = (in[inOff + 2] << 8) + (in[inOff + 3] & 0xff); - int w3 = (in[inOff + 4] << 8) + (in[inOff + 5] & 0xff); - int w4 = (in[inOff + 6] << 8) + (in[inOff + 7] & 0xff); - - int k = 0; - - for (int t = 0; t < 2; t++) - { - for(int i = 0; i < 8; i++) - { - int tmp = w4; - w4 = w3; - w3 = w2; - w2 = g(k, w1); - w1 = w2 ^ tmp ^ (k + 1); - k++; - } - - for(int i = 0; i < 8; i++) - { - int tmp = w4; - w4 = w3; - w3 = w1 ^ w2 ^ (k + 1); - w2 = g(k, w1); - w1 = tmp; - k++; - } - } - - out[outOff + 0] = (byte)((w1 >> 8)); - out[outOff + 1] = (byte)(w1); - out[outOff + 2] = (byte)((w2 >> 8)); - out[outOff + 3] = (byte)(w2); - out[outOff + 4] = (byte)((w3 >> 8)); - out[outOff + 5] = (byte)(w3); - out[outOff + 6] = (byte)((w4 >> 8)); - out[outOff + 7] = (byte)(w4); - - return BLOCK_SIZE; - } - - /** - * the inverse of the G permutation. - */ - private int h( - int k, - int w) - { - int h1, h2, h3, h4, h5, h6; - - h1 = w & 0xff; - h2 = (w >> 8) & 0xff; - - h3 = ftable[h2 ^ key3[k]] ^ h1; - h4 = ftable[h3 ^ key2[k]] ^ h2; - h5 = ftable[h4 ^ key1[k]] ^ h3; - h6 = ftable[h5 ^ key0[k]] ^ h4; - - return ((h6 << 8) + h5); - } - - public int decryptBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - int w2 = (in[inOff + 0] << 8) + (in[inOff + 1] & 0xff); - int w1 = (in[inOff + 2] << 8) + (in[inOff + 3] & 0xff); - int w4 = (in[inOff + 4] << 8) + (in[inOff + 5] & 0xff); - int w3 = (in[inOff + 6] << 8) + (in[inOff + 7] & 0xff); - - int k = 31; - - for (int t = 0; t < 2; t++) - { - for(int i = 0; i < 8; i++) - { - int tmp = w4; - w4 = w3; - w3 = w2; - w2 = h(k, w1); - w1 = w2 ^ tmp ^ (k + 1); - k--; - } - - for(int i = 0; i < 8; i++) - { - int tmp = w4; - w4 = w3; - w3 = w1 ^ w2 ^ (k + 1); - w2 = h(k, w1); - w1 = tmp; - k--; - } - } - - out[outOff + 0] = (byte)((w2 >> 8)); - out[outOff + 1] = (byte)(w2); - out[outOff + 2] = (byte)((w1 >> 8)); - out[outOff + 3] = (byte)(w1); - out[outOff + 4] = (byte)((w4 >> 8)); - out[outOff + 5] = (byte)(w4); - out[outOff + 6] = (byte)((w3 >> 8)); - out[outOff + 7] = (byte)(w3); - - return BLOCK_SIZE; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/TEAEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/TEAEngine.java deleted file mode 100644 index ac65443c..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/TEAEngine.java +++ /dev/null @@ -1,184 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.params.KeyParameter; - -/** - * An TEA engine. - */ -public class TEAEngine - implements BlockCipher -{ - private static final int rounds = 32, - block_size = 8, -// key_size = 16, - delta = 0x9E3779B9, - d_sum = 0xC6EF3720; // sum on decrypt - /* - * the expanded key array of 4 subkeys - */ - private int _a, _b, _c, _d; - private boolean _initialised; - private boolean _forEncryption; - - /** - * Create an instance of the TEA encryption algorithm - * and set some defaults - */ - public TEAEngine() - { - _initialised = false; - } - - public String getAlgorithmName() - { - return "TEA"; - } - - public int getBlockSize() - { - return block_size; - } - - /** - * initialise - * - * @param forEncryption whether or not we are for encryption. - * @param params the parameters required to set up the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean forEncryption, - CipherParameters params) - { - if (!(params instanceof KeyParameter)) - { - throw new IllegalArgumentException("invalid parameter passed to TEA init - " + params.getClass().getName()); - } - - _forEncryption = forEncryption; - _initialised = true; - - KeyParameter p = (KeyParameter)params; - - setKey(p.getKey()); - } - - public int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - if (!_initialised) - { - throw new IllegalStateException(getAlgorithmName()+" not initialised"); - } - - if ((inOff + block_size) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + block_size) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - return (_forEncryption) ? encryptBlock(in, inOff, out, outOff) - : decryptBlock(in, inOff, out, outOff); - } - - public void reset() - { - } - - /** - * Re-key the cipher. - * <p> - * @param key the key to be used - */ - private void setKey( - byte[] key) - { - if (key.length != 16) - { - throw new IllegalArgumentException("Key size must be 128 bits."); - } - - _a = bytesToInt(key, 0); - _b = bytesToInt(key, 4); - _c = bytesToInt(key, 8); - _d = bytesToInt(key, 12); - } - - private int encryptBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - // Pack bytes into integers - int v0 = bytesToInt(in, inOff); - int v1 = bytesToInt(in, inOff + 4); - - int sum = 0; - - for (int i = 0; i != rounds; i++) - { - sum += delta; - v0 += ((v1 << 4) + _a) ^ (v1 + sum) ^ ((v1 >>> 5) + _b); - v1 += ((v0 << 4) + _c) ^ (v0 + sum) ^ ((v0 >>> 5) + _d); - } - - unpackInt(v0, out, outOff); - unpackInt(v1, out, outOff + 4); - - return block_size; - } - - private int decryptBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - // Pack bytes into integers - int v0 = bytesToInt(in, inOff); - int v1 = bytesToInt(in, inOff + 4); - - int sum = d_sum; - - for (int i = 0; i != rounds; i++) - { - v1 -= ((v0 << 4) + _c) ^ (v0 + sum) ^ ((v0 >>> 5) + _d); - v0 -= ((v1 << 4) + _a) ^ (v1 + sum) ^ ((v1 >>> 5) + _b); - sum -= delta; - } - - unpackInt(v0, out, outOff); - unpackInt(v1, out, outOff + 4); - - return block_size; - } - - private int bytesToInt(byte[] in, int inOff) - { - return ((in[inOff++]) << 24) | - ((in[inOff++] & 255) << 16) | - ((in[inOff++] & 255) << 8) | - ((in[inOff] & 255)); - } - - private void unpackInt(int v, byte[] out, int outOff) - { - out[outOff++] = (byte)(v >>> 24); - out[outOff++] = (byte)(v >>> 16); - out[outOff++] = (byte)(v >>> 8); - out[outOff ] = (byte)v; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/ThreefishEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/ThreefishEngine.java deleted file mode 100644 index 33660224..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/ThreefishEngine.java +++ /dev/null @@ -1,1494 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.TweakableBlockCipherParameters; - -/** - * Implementation of the Threefish tweakable large block cipher in 256, 512 and 1024 bit block - * sizes. - * <p> - * This is the 1.3 version of Threefish defined in the Skein hash function submission to the NIST - * SHA-3 competition in October 2010. - * <p> - * Threefish was designed by Niels Ferguson - Stefan Lucks - Bruce Schneier - Doug Whiting - Mihir - * Bellare - Tadayoshi Kohno - Jon Callas - Jesse Walker. - * <p> - * This implementation inlines all round functions, unrolls 8 rounds, and uses 1.2k of static tables - * to speed up key schedule injection. <br> - * 2 x block size state is retained by each cipher instance. - */ -public class ThreefishEngine - implements BlockCipher -{ - /** - * 256 bit block size - Threefish-256 - */ - public static final int BLOCKSIZE_256 = 256; - /** - * 512 bit block size - Threefish-512 - */ - public static final int BLOCKSIZE_512 = 512; - /** - * 1024 bit block size - Threefish-1024 - */ - public static final int BLOCKSIZE_1024 = 1024; - - /** - * Size of the tweak in bytes (always 128 bit/16 bytes) - */ - private static final int TWEAK_SIZE_BYTES = 16; - private static final int TWEAK_SIZE_WORDS = TWEAK_SIZE_BYTES / 8; - - /** - * Rounds in Threefish-256 - */ - private static final int ROUNDS_256 = 72; - /** - * Rounds in Threefish-512 - */ - private static final int ROUNDS_512 = 72; - /** - * Rounds in Threefish-1024 - */ - private static final int ROUNDS_1024 = 80; - - /** - * Max rounds of any of the variants - */ - private static final int MAX_ROUNDS = ROUNDS_1024; - - /** - * Key schedule parity constant - */ - private static final long C_240 = 0x1BD11BDAA9FC1A22L; - - /* Pre-calculated modulo arithmetic tables for key schedule lookups */ - private static int[] MOD9 = new int[MAX_ROUNDS]; - private static int[] MOD17 = new int[MOD9.length]; - private static int[] MOD5 = new int[MOD9.length]; - private static int[] MOD3 = new int[MOD9.length]; - - static - { - for (int i = 0; i < MOD9.length; i++) - { - MOD17[i] = i % 17; - MOD9[i] = i % 9; - MOD5[i] = i % 5; - MOD3[i] = i % 3; - } - } - - /** - * Block size in bytes - */ - private int blocksizeBytes; - - /** - * Block size in 64 bit words - */ - private int blocksizeWords; - - /** - * Buffer for byte oriented processBytes to call internal word API - */ - private long[] currentBlock; - - /** - * Tweak bytes (2 byte t1,t2, calculated t3 and repeat of t1,t2 for modulo free lookup - */ - private long[] t = new long[5]; - - /** - * Key schedule words - */ - private long[] kw; - - /** - * The internal cipher implementation (varies by blocksize) - */ - private ThreefishCipher cipher; - - private boolean forEncryption; - - /** - * Constructs a new Threefish cipher, with a specified block size. - * - * @param blocksizeBits the block size in bits, one of {@link #BLOCKSIZE_256}, {@link #BLOCKSIZE_512}, - * {@link #BLOCKSIZE_1024}. - */ - public ThreefishEngine(final int blocksizeBits) - { - this.blocksizeBytes = (blocksizeBits / 8); - this.blocksizeWords = (this.blocksizeBytes / 8); - this.currentBlock = new long[blocksizeWords]; - - /* - * Provide room for original key words, extended key word and repeat of key words for modulo - * free lookup of key schedule words. - */ - this.kw = new long[2 * blocksizeWords + 1]; - - switch (blocksizeBits) - { - case BLOCKSIZE_256: - cipher = new Threefish256Cipher(kw, t); - break; - case BLOCKSIZE_512: - cipher = new Threefish512Cipher(kw, t); - break; - case BLOCKSIZE_1024: - cipher = new Threefish1024Cipher(kw, t); - break; - default: - throw new IllegalArgumentException( - "Invalid blocksize - Threefish is defined with block size of 256, 512, or 1024 bits"); - } - } - - /** - * Initialise the engine. - * - * @param params an instance of {@link TweakableBlockCipherParameters}, or {@link KeyParameter} (to - * use a 0 tweak) - */ - public void init(boolean forEncryption, CipherParameters params) - throws IllegalArgumentException - { - final byte[] keyBytes; - final byte[] tweakBytes; - - if (params instanceof TweakableBlockCipherParameters) - { - TweakableBlockCipherParameters tParams = (TweakableBlockCipherParameters)params; - keyBytes = tParams.getKey().getKey(); - tweakBytes = tParams.getTweak(); - } - else if (params instanceof KeyParameter) - { - keyBytes = ((KeyParameter)params).getKey(); - tweakBytes = null; - } - else - { - throw new IllegalArgumentException("Invalid parameter passed to Threefish init - " - + params.getClass().getName()); - } - - long[] keyWords = null; - long[] tweakWords = null; - - if (keyBytes != null) - { - if (keyBytes.length != this.blocksizeBytes) - { - throw new IllegalArgumentException("Threefish key must be same size as block (" + blocksizeBytes - + " bytes)"); - } - keyWords = new long[blocksizeWords]; - for (int i = 0; i < keyWords.length; i++) - { - keyWords[i] = bytesToWord(keyBytes, i * 8); - } - } - if (tweakBytes != null) - { - if (tweakBytes.length != TWEAK_SIZE_BYTES) - { - throw new IllegalArgumentException("Threefish tweak must be " + TWEAK_SIZE_BYTES + " bytes"); - } - tweakWords = new long[]{bytesToWord(tweakBytes, 0), bytesToWord(tweakBytes, 8)}; - } - init(forEncryption, keyWords, tweakWords); - } - - /** - * Initialise the engine, specifying the key and tweak directly. - * - * @param forEncryption the cipher mode. - * @param key the words of the key, or <code>null</code> to use the current key. - * @param tweak the 2 word (128 bit) tweak, or <code>null</code> to use the current tweak. - */ - public void init(boolean forEncryption, final long[] key, final long[] tweak) - { - this.forEncryption = forEncryption; - if (key != null) - { - setKey(key); - } - if (tweak != null) - { - setTweak(tweak); - } - } - - private void setKey(long[] key) - { - if (key.length != this.blocksizeWords) - { - throw new IllegalArgumentException("Threefish key must be same size as block (" + blocksizeWords - + " words)"); - } - - /* - * Full subkey schedule is deferred to execution to avoid per cipher overhead (10k for 512, - * 20k for 1024). - * - * Key and tweak word sequences are repeated, and static MOD17/MOD9/MOD5/MOD3 calculations - * used, to avoid expensive mod computations during cipher operation. - */ - - long knw = C_240; - for (int i = 0; i < blocksizeWords; i++) - { - kw[i] = key[i]; - knw = knw ^ kw[i]; - } - kw[blocksizeWords] = knw; - System.arraycopy(kw, 0, kw, blocksizeWords + 1, blocksizeWords); - } - - private void setTweak(long[] tweak) - { - if (tweak.length != TWEAK_SIZE_WORDS) - { - throw new IllegalArgumentException("Tweak must be " + TWEAK_SIZE_WORDS + " words."); - } - - /* - * Tweak schedule partially repeated to avoid mod computations during cipher operation - */ - t[0] = tweak[0]; - t[1] = tweak[1]; - t[2] = t[0] ^ t[1]; - t[3] = t[0]; - t[4] = t[1]; - } - - public String getAlgorithmName() - { - return "Threefish-" + (blocksizeBytes * 8); - } - - public int getBlockSize() - { - return blocksizeBytes; - } - - public void reset() - { - } - - public int processBlock(byte[] in, int inOff, byte[] out, int outOff) - throws DataLengthException, - IllegalStateException - { - if ((outOff + blocksizeBytes) > out.length) - { - throw new DataLengthException("Output buffer too short"); - } - - if ((inOff + blocksizeBytes) > in.length) - { - throw new DataLengthException("Input buffer too short"); - } - - for (int i = 0; i < blocksizeBytes; i += 8) - { - currentBlock[i >> 3] = bytesToWord(in, inOff + i); - } - processBlock(this.currentBlock, this.currentBlock); - for (int i = 0; i < blocksizeBytes; i += 8) - { - wordToBytes(this.currentBlock[i >> 3], out, outOff + i); - } - - return blocksizeBytes; - } - - /** - * Process a block of data represented as 64 bit words. - * - * @param in a block sized buffer of words to process. - * @param out a block sized buffer of words to receive the output of the operation. - * @return the number of 8 byte words processed (which will be the same as the block size). - * @throws DataLengthException if either the input or output is not block sized. - * @throws IllegalStateException if this engine is not initialised. - */ - public int processBlock(long[] in, long[] out) - throws DataLengthException, IllegalStateException - { - if (kw[blocksizeWords] == 0) - { - throw new IllegalStateException("Threefish engine not initialised"); - } - - if (in.length != blocksizeWords) - { - throw new DataLengthException("Input buffer too short"); - } - if (out.length != blocksizeWords) - { - throw new DataLengthException("Output buffer too short"); - } - - if (forEncryption) - { - cipher.encryptBlock(in, out); - } - else - { - cipher.decryptBlock(in, out); - } - - return blocksizeWords; - } - - /** - * Read a single 64 bit word from input in LSB first order. - */ - // At least package protected for efficient access from inner class - public static long bytesToWord(final byte[] bytes, final int off) - { - if ((off + 8) > bytes.length) - { - // Help the JIT avoid index checks - throw new IllegalArgumentException(); - } - - long word = 0; - int index = off; - - word = (bytes[index++] & 0xffL); - word |= (bytes[index++] & 0xffL) << 8; - word |= (bytes[index++] & 0xffL) << 16; - word |= (bytes[index++] & 0xffL) << 24; - word |= (bytes[index++] & 0xffL) << 32; - word |= (bytes[index++] & 0xffL) << 40; - word |= (bytes[index++] & 0xffL) << 48; - word |= (bytes[index++] & 0xffL) << 56; - - return word; - } - - /** - * Write a 64 bit word to output in LSB first order. - */ - // At least package protected for efficient access from inner class - public static void wordToBytes(final long word, final byte[] bytes, final int off) - { - if ((off + 8) > bytes.length) - { - // Help the JIT avoid index checks - throw new IllegalArgumentException(); - } - int index = off; - - bytes[index++] = (byte)word; - bytes[index++] = (byte)(word >> 8); - bytes[index++] = (byte)(word >> 16); - bytes[index++] = (byte)(word >> 24); - bytes[index++] = (byte)(word >> 32); - bytes[index++] = (byte)(word >> 40); - bytes[index++] = (byte)(word >> 48); - bytes[index++] = (byte)(word >> 56); - } - - /** - * Rotate left + xor part of the mix operation. - */ - // Package protected for efficient access from inner class - static long rotlXor(long x, int n, long xor) - { - return ((x << n) | (x >>> -n)) ^ xor; - } - - /** - * Rotate xor + rotate right part of the unmix operation. - */ - // Package protected for efficient access from inner class - static long xorRotr(long x, int n, long xor) - { - long xored = x ^ xor; - return (xored >>> n) | (xored << -n); - } - - private static abstract class ThreefishCipher - { - /** - * The extended + repeated tweak words - */ - protected final long[] t; - /** - * The extended + repeated key words - */ - protected final long[] kw; - - protected ThreefishCipher(final long[] kw, final long[] t) - { - this.kw = kw; - this.t = t; - } - - abstract void encryptBlock(long[] block, long[] out); - - abstract void decryptBlock(long[] block, long[] out); - - } - - private static final class Threefish256Cipher - extends ThreefishCipher - { - /** - * Mix rotation constants defined in Skein 1.3 specification - */ - private static final int ROTATION_0_0 = 14, ROTATION_0_1 = 16; - private static final int ROTATION_1_0 = 52, ROTATION_1_1 = 57; - private static final int ROTATION_2_0 = 23, ROTATION_2_1 = 40; - private static final int ROTATION_3_0 = 5, ROTATION_3_1 = 37; - - private static final int ROTATION_4_0 = 25, ROTATION_4_1 = 33; - private static final int ROTATION_5_0 = 46, ROTATION_5_1 = 12; - private static final int ROTATION_6_0 = 58, ROTATION_6_1 = 22; - private static final int ROTATION_7_0 = 32, ROTATION_7_1 = 32; - - public Threefish256Cipher(long[] kw, long[] t) - { - super(kw, t); - } - - void encryptBlock(long[] block, long[] out) - { - final long[] kw = this.kw; - final long[] t = this.t; - final int[] mod5 = MOD5; - final int[] mod3 = MOD3; - - /* Help the JIT avoid index bounds checks */ - if (kw.length != 9) - { - throw new IllegalArgumentException(); - } - if (t.length != 5) - { - throw new IllegalArgumentException(); - } - - /* - * Read 4 words of plaintext data, not using arrays for cipher state - */ - long b0 = block[0]; - long b1 = block[1]; - long b2 = block[2]; - long b3 = block[3]; - - /* - * First subkey injection. - */ - b0 += kw[0]; - b1 += kw[1] + t[0]; - b2 += kw[2] + t[1]; - b3 += kw[3]; - - /* - * Rounds loop, unrolled to 8 rounds per iteration. - * - * Unrolling to multiples of 4 avoids the mod 4 check for key injection, and allows - * inlining of the permutations, which cycle every of 2 rounds (avoiding array - * index/lookup). - * - * Unrolling to multiples of 8 avoids the mod 8 rotation constant lookup, and allows - * inlining constant rotation values (avoiding array index/lookup). - */ - - for (int d = 1; d < (ROUNDS_256 / 4); d += 2) - { - final int dm5 = mod5[d]; - final int dm3 = mod3[d]; - - /* - * 4 rounds of mix and permute. - * - * Permute schedule has a 2 round cycle, so permutes are inlined in the mix - * operations in each 4 round block. - */ - b1 = rotlXor(b1, ROTATION_0_0, b0 += b1); - b3 = rotlXor(b3, ROTATION_0_1, b2 += b3); - - b3 = rotlXor(b3, ROTATION_1_0, b0 += b3); - b1 = rotlXor(b1, ROTATION_1_1, b2 += b1); - - b1 = rotlXor(b1, ROTATION_2_0, b0 += b1); - b3 = rotlXor(b3, ROTATION_2_1, b2 += b3); - - b3 = rotlXor(b3, ROTATION_3_0, b0 += b3); - b1 = rotlXor(b1, ROTATION_3_1, b2 += b1); - - /* - * Subkey injection for first 4 rounds. - */ - b0 += kw[dm5]; - b1 += kw[dm5 + 1] + t[dm3]; - b2 += kw[dm5 + 2] + t[dm3 + 1]; - b3 += kw[dm5 + 3] + d; - - /* - * 4 more rounds of mix/permute - */ - b1 = rotlXor(b1, ROTATION_4_0, b0 += b1); - b3 = rotlXor(b3, ROTATION_4_1, b2 += b3); - - b3 = rotlXor(b3, ROTATION_5_0, b0 += b3); - b1 = rotlXor(b1, ROTATION_5_1, b2 += b1); - - b1 = rotlXor(b1, ROTATION_6_0, b0 += b1); - b3 = rotlXor(b3, ROTATION_6_1, b2 += b3); - - b3 = rotlXor(b3, ROTATION_7_0, b0 += b3); - b1 = rotlXor(b1, ROTATION_7_1, b2 += b1); - - /* - * Subkey injection for next 4 rounds. - */ - b0 += kw[dm5 + 1]; - b1 += kw[dm5 + 2] + t[dm3 + 1]; - b2 += kw[dm5 + 3] + t[dm3 + 2]; - b3 += kw[dm5 + 4] + d + 1; - } - - /* - * Output cipher state. - */ - out[0] = b0; - out[1] = b1; - out[2] = b2; - out[3] = b3; - } - - void decryptBlock(long[] block, long[] state) - { - final long[] kw = this.kw; - final long[] t = this.t; - final int[] mod5 = MOD5; - final int[] mod3 = MOD3; - - /* Help the JIT avoid index bounds checks */ - if (kw.length != 9) - { - throw new IllegalArgumentException(); - } - if (t.length != 5) - { - throw new IllegalArgumentException(); - } - - long b0 = block[0]; - long b1 = block[1]; - long b2 = block[2]; - long b3 = block[3]; - - for (int d = (ROUNDS_256 / 4) - 1; d >= 1; d -= 2) - { - final int dm5 = mod5[d]; - final int dm3 = mod3[d]; - - /* Reverse key injection for second 4 rounds */ - b0 -= kw[dm5 + 1]; - b1 -= kw[dm5 + 2] + t[dm3 + 1]; - b2 -= kw[dm5 + 3] + t[dm3 + 2]; - b3 -= kw[dm5 + 4] + d + 1; - - /* Reverse second 4 mix/permute rounds */ - - b3 = xorRotr(b3, ROTATION_7_0, b0); - b0 -= b3; - b1 = xorRotr(b1, ROTATION_7_1, b2); - b2 -= b1; - - b1 = xorRotr(b1, ROTATION_6_0, b0); - b0 -= b1; - b3 = xorRotr(b3, ROTATION_6_1, b2); - b2 -= b3; - - b3 = xorRotr(b3, ROTATION_5_0, b0); - b0 -= b3; - b1 = xorRotr(b1, ROTATION_5_1, b2); - b2 -= b1; - - b1 = xorRotr(b1, ROTATION_4_0, b0); - b0 -= b1; - b3 = xorRotr(b3, ROTATION_4_1, b2); - b2 -= b3; - - /* Reverse key injection for first 4 rounds */ - b0 -= kw[dm5]; - b1 -= kw[dm5 + 1] + t[dm3]; - b2 -= kw[dm5 + 2] + t[dm3 + 1]; - b3 -= kw[dm5 + 3] + d; - - /* Reverse first 4 mix/permute rounds */ - b3 = xorRotr(b3, ROTATION_3_0, b0); - b0 -= b3; - b1 = xorRotr(b1, ROTATION_3_1, b2); - b2 -= b1; - - b1 = xorRotr(b1, ROTATION_2_0, b0); - b0 -= b1; - b3 = xorRotr(b3, ROTATION_2_1, b2); - b2 -= b3; - - b3 = xorRotr(b3, ROTATION_1_0, b0); - b0 -= b3; - b1 = xorRotr(b1, ROTATION_1_1, b2); - b2 -= b1; - - b1 = xorRotr(b1, ROTATION_0_0, b0); - b0 -= b1; - b3 = xorRotr(b3, ROTATION_0_1, b2); - b2 -= b3; - } - - /* - * First subkey uninjection. - */ - b0 -= kw[0]; - b1 -= kw[1] + t[0]; - b2 -= kw[2] + t[1]; - b3 -= kw[3]; - - /* - * Output cipher state. - */ - state[0] = b0; - state[1] = b1; - state[2] = b2; - state[3] = b3; - } - - } - - private static final class Threefish512Cipher - extends ThreefishCipher - { - /** - * Mix rotation constants defined in Skein 1.3 specification - */ - private static final int ROTATION_0_0 = 46, ROTATION_0_1 = 36, ROTATION_0_2 = 19, ROTATION_0_3 = 37; - private static final int ROTATION_1_0 = 33, ROTATION_1_1 = 27, ROTATION_1_2 = 14, ROTATION_1_3 = 42; - private static final int ROTATION_2_0 = 17, ROTATION_2_1 = 49, ROTATION_2_2 = 36, ROTATION_2_3 = 39; - private static final int ROTATION_3_0 = 44, ROTATION_3_1 = 9, ROTATION_3_2 = 54, ROTATION_3_3 = 56; - - private static final int ROTATION_4_0 = 39, ROTATION_4_1 = 30, ROTATION_4_2 = 34, ROTATION_4_3 = 24; - private static final int ROTATION_5_0 = 13, ROTATION_5_1 = 50, ROTATION_5_2 = 10, ROTATION_5_3 = 17; - private static final int ROTATION_6_0 = 25, ROTATION_6_1 = 29, ROTATION_6_2 = 39, ROTATION_6_3 = 43; - private static final int ROTATION_7_0 = 8, ROTATION_7_1 = 35, ROTATION_7_2 = 56, ROTATION_7_3 = 22; - - protected Threefish512Cipher(long[] kw, long[] t) - { - super(kw, t); - } - - public void encryptBlock(long[] block, long[] out) - { - final long[] kw = this.kw; - final long[] t = this.t; - final int[] mod9 = MOD9; - final int[] mod3 = MOD3; - - /* Help the JIT avoid index bounds checks */ - if (kw.length != 17) - { - throw new IllegalArgumentException(); - } - if (t.length != 5) - { - throw new IllegalArgumentException(); - } - - /* - * Read 8 words of plaintext data, not using arrays for cipher state - */ - long b0 = block[0]; - long b1 = block[1]; - long b2 = block[2]; - long b3 = block[3]; - long b4 = block[4]; - long b5 = block[5]; - long b6 = block[6]; - long b7 = block[7]; - - /* - * First subkey injection. - */ - b0 += kw[0]; - b1 += kw[1]; - b2 += kw[2]; - b3 += kw[3]; - b4 += kw[4]; - b5 += kw[5] + t[0]; - b6 += kw[6] + t[1]; - b7 += kw[7]; - - /* - * Rounds loop, unrolled to 8 rounds per iteration. - * - * Unrolling to multiples of 4 avoids the mod 4 check for key injection, and allows - * inlining of the permutations, which cycle every of 4 rounds (avoiding array - * index/lookup). - * - * Unrolling to multiples of 8 avoids the mod 8 rotation constant lookup, and allows - * inlining constant rotation values (avoiding array index/lookup). - */ - - for (int d = 1; d < (ROUNDS_512 / 4); d += 2) - { - final int dm9 = mod9[d]; - final int dm3 = mod3[d]; - - /* - * 4 rounds of mix and permute. - * - * Permute schedule has a 4 round cycle, so permutes are inlined in the mix - * operations in each 4 round block. - */ - b1 = rotlXor(b1, ROTATION_0_0, b0 += b1); - b3 = rotlXor(b3, ROTATION_0_1, b2 += b3); - b5 = rotlXor(b5, ROTATION_0_2, b4 += b5); - b7 = rotlXor(b7, ROTATION_0_3, b6 += b7); - - b1 = rotlXor(b1, ROTATION_1_0, b2 += b1); - b7 = rotlXor(b7, ROTATION_1_1, b4 += b7); - b5 = rotlXor(b5, ROTATION_1_2, b6 += b5); - b3 = rotlXor(b3, ROTATION_1_3, b0 += b3); - - b1 = rotlXor(b1, ROTATION_2_0, b4 += b1); - b3 = rotlXor(b3, ROTATION_2_1, b6 += b3); - b5 = rotlXor(b5, ROTATION_2_2, b0 += b5); - b7 = rotlXor(b7, ROTATION_2_3, b2 += b7); - - b1 = rotlXor(b1, ROTATION_3_0, b6 += b1); - b7 = rotlXor(b7, ROTATION_3_1, b0 += b7); - b5 = rotlXor(b5, ROTATION_3_2, b2 += b5); - b3 = rotlXor(b3, ROTATION_3_3, b4 += b3); - - /* - * Subkey injection for first 4 rounds. - */ - b0 += kw[dm9]; - b1 += kw[dm9 + 1]; - b2 += kw[dm9 + 2]; - b3 += kw[dm9 + 3]; - b4 += kw[dm9 + 4]; - b5 += kw[dm9 + 5] + t[dm3]; - b6 += kw[dm9 + 6] + t[dm3 + 1]; - b7 += kw[dm9 + 7] + d; - - /* - * 4 more rounds of mix/permute - */ - b1 = rotlXor(b1, ROTATION_4_0, b0 += b1); - b3 = rotlXor(b3, ROTATION_4_1, b2 += b3); - b5 = rotlXor(b5, ROTATION_4_2, b4 += b5); - b7 = rotlXor(b7, ROTATION_4_3, b6 += b7); - - b1 = rotlXor(b1, ROTATION_5_0, b2 += b1); - b7 = rotlXor(b7, ROTATION_5_1, b4 += b7); - b5 = rotlXor(b5, ROTATION_5_2, b6 += b5); - b3 = rotlXor(b3, ROTATION_5_3, b0 += b3); - - b1 = rotlXor(b1, ROTATION_6_0, b4 += b1); - b3 = rotlXor(b3, ROTATION_6_1, b6 += b3); - b5 = rotlXor(b5, ROTATION_6_2, b0 += b5); - b7 = rotlXor(b7, ROTATION_6_3, b2 += b7); - - b1 = rotlXor(b1, ROTATION_7_0, b6 += b1); - b7 = rotlXor(b7, ROTATION_7_1, b0 += b7); - b5 = rotlXor(b5, ROTATION_7_2, b2 += b5); - b3 = rotlXor(b3, ROTATION_7_3, b4 += b3); - - /* - * Subkey injection for next 4 rounds. - */ - b0 += kw[dm9 + 1]; - b1 += kw[dm9 + 2]; - b2 += kw[dm9 + 3]; - b3 += kw[dm9 + 4]; - b4 += kw[dm9 + 5]; - b5 += kw[dm9 + 6] + t[dm3 + 1]; - b6 += kw[dm9 + 7] + t[dm3 + 2]; - b7 += kw[dm9 + 8] + d + 1; - } - - /* - * Output cipher state. - */ - out[0] = b0; - out[1] = b1; - out[2] = b2; - out[3] = b3; - out[4] = b4; - out[5] = b5; - out[6] = b6; - out[7] = b7; - } - - public void decryptBlock(long[] block, long[] state) - { - final long[] kw = this.kw; - final long[] t = this.t; - final int[] mod9 = MOD9; - final int[] mod3 = MOD3; - - /* Help the JIT avoid index bounds checks */ - if (kw.length != 17) - { - throw new IllegalArgumentException(); - } - if (t.length != 5) - { - throw new IllegalArgumentException(); - } - - long b0 = block[0]; - long b1 = block[1]; - long b2 = block[2]; - long b3 = block[3]; - long b4 = block[4]; - long b5 = block[5]; - long b6 = block[6]; - long b7 = block[7]; - - for (int d = (ROUNDS_512 / 4) - 1; d >= 1; d -= 2) - { - final int dm9 = mod9[d]; - final int dm3 = mod3[d]; - - /* Reverse key injection for second 4 rounds */ - b0 -= kw[dm9 + 1]; - b1 -= kw[dm9 + 2]; - b2 -= kw[dm9 + 3]; - b3 -= kw[dm9 + 4]; - b4 -= kw[dm9 + 5]; - b5 -= kw[dm9 + 6] + t[dm3 + 1]; - b6 -= kw[dm9 + 7] + t[dm3 + 2]; - b7 -= kw[dm9 + 8] + d + 1; - - /* Reverse second 4 mix/permute rounds */ - - b1 = xorRotr(b1, ROTATION_7_0, b6); - b6 -= b1; - b7 = xorRotr(b7, ROTATION_7_1, b0); - b0 -= b7; - b5 = xorRotr(b5, ROTATION_7_2, b2); - b2 -= b5; - b3 = xorRotr(b3, ROTATION_7_3, b4); - b4 -= b3; - - b1 = xorRotr(b1, ROTATION_6_0, b4); - b4 -= b1; - b3 = xorRotr(b3, ROTATION_6_1, b6); - b6 -= b3; - b5 = xorRotr(b5, ROTATION_6_2, b0); - b0 -= b5; - b7 = xorRotr(b7, ROTATION_6_3, b2); - b2 -= b7; - - b1 = xorRotr(b1, ROTATION_5_0, b2); - b2 -= b1; - b7 = xorRotr(b7, ROTATION_5_1, b4); - b4 -= b7; - b5 = xorRotr(b5, ROTATION_5_2, b6); - b6 -= b5; - b3 = xorRotr(b3, ROTATION_5_3, b0); - b0 -= b3; - - b1 = xorRotr(b1, ROTATION_4_0, b0); - b0 -= b1; - b3 = xorRotr(b3, ROTATION_4_1, b2); - b2 -= b3; - b5 = xorRotr(b5, ROTATION_4_2, b4); - b4 -= b5; - b7 = xorRotr(b7, ROTATION_4_3, b6); - b6 -= b7; - - /* Reverse key injection for first 4 rounds */ - b0 -= kw[dm9]; - b1 -= kw[dm9 + 1]; - b2 -= kw[dm9 + 2]; - b3 -= kw[dm9 + 3]; - b4 -= kw[dm9 + 4]; - b5 -= kw[dm9 + 5] + t[dm3]; - b6 -= kw[dm9 + 6] + t[dm3 + 1]; - b7 -= kw[dm9 + 7] + d; - - /* Reverse first 4 mix/permute rounds */ - b1 = xorRotr(b1, ROTATION_3_0, b6); - b6 -= b1; - b7 = xorRotr(b7, ROTATION_3_1, b0); - b0 -= b7; - b5 = xorRotr(b5, ROTATION_3_2, b2); - b2 -= b5; - b3 = xorRotr(b3, ROTATION_3_3, b4); - b4 -= b3; - - b1 = xorRotr(b1, ROTATION_2_0, b4); - b4 -= b1; - b3 = xorRotr(b3, ROTATION_2_1, b6); - b6 -= b3; - b5 = xorRotr(b5, ROTATION_2_2, b0); - b0 -= b5; - b7 = xorRotr(b7, ROTATION_2_3, b2); - b2 -= b7; - - b1 = xorRotr(b1, ROTATION_1_0, b2); - b2 -= b1; - b7 = xorRotr(b7, ROTATION_1_1, b4); - b4 -= b7; - b5 = xorRotr(b5, ROTATION_1_2, b6); - b6 -= b5; - b3 = xorRotr(b3, ROTATION_1_3, b0); - b0 -= b3; - - b1 = xorRotr(b1, ROTATION_0_0, b0); - b0 -= b1; - b3 = xorRotr(b3, ROTATION_0_1, b2); - b2 -= b3; - b5 = xorRotr(b5, ROTATION_0_2, b4); - b4 -= b5; - b7 = xorRotr(b7, ROTATION_0_3, b6); - b6 -= b7; - } - - /* - * First subkey uninjection. - */ - b0 -= kw[0]; - b1 -= kw[1]; - b2 -= kw[2]; - b3 -= kw[3]; - b4 -= kw[4]; - b5 -= kw[5] + t[0]; - b6 -= kw[6] + t[1]; - b7 -= kw[7]; - - /* - * Output cipher state. - */ - state[0] = b0; - state[1] = b1; - state[2] = b2; - state[3] = b3; - state[4] = b4; - state[5] = b5; - state[6] = b6; - state[7] = b7; - } - } - - private static final class Threefish1024Cipher - extends ThreefishCipher - { - /** - * Mix rotation constants defined in Skein 1.3 specification - */ - private static final int ROTATION_0_0 = 24, ROTATION_0_1 = 13, ROTATION_0_2 = 8, ROTATION_0_3 = 47; - private static final int ROTATION_0_4 = 8, ROTATION_0_5 = 17, ROTATION_0_6 = 22, ROTATION_0_7 = 37; - private static final int ROTATION_1_0 = 38, ROTATION_1_1 = 19, ROTATION_1_2 = 10, ROTATION_1_3 = 55; - private static final int ROTATION_1_4 = 49, ROTATION_1_5 = 18, ROTATION_1_6 = 23, ROTATION_1_7 = 52; - private static final int ROTATION_2_0 = 33, ROTATION_2_1 = 4, ROTATION_2_2 = 51, ROTATION_2_3 = 13; - private static final int ROTATION_2_4 = 34, ROTATION_2_5 = 41, ROTATION_2_6 = 59, ROTATION_2_7 = 17; - private static final int ROTATION_3_0 = 5, ROTATION_3_1 = 20, ROTATION_3_2 = 48, ROTATION_3_3 = 41; - private static final int ROTATION_3_4 = 47, ROTATION_3_5 = 28, ROTATION_3_6 = 16, ROTATION_3_7 = 25; - - private static final int ROTATION_4_0 = 41, ROTATION_4_1 = 9, ROTATION_4_2 = 37, ROTATION_4_3 = 31; - private static final int ROTATION_4_4 = 12, ROTATION_4_5 = 47, ROTATION_4_6 = 44, ROTATION_4_7 = 30; - private static final int ROTATION_5_0 = 16, ROTATION_5_1 = 34, ROTATION_5_2 = 56, ROTATION_5_3 = 51; - private static final int ROTATION_5_4 = 4, ROTATION_5_5 = 53, ROTATION_5_6 = 42, ROTATION_5_7 = 41; - private static final int ROTATION_6_0 = 31, ROTATION_6_1 = 44, ROTATION_6_2 = 47, ROTATION_6_3 = 46; - private static final int ROTATION_6_4 = 19, ROTATION_6_5 = 42, ROTATION_6_6 = 44, ROTATION_6_7 = 25; - private static final int ROTATION_7_0 = 9, ROTATION_7_1 = 48, ROTATION_7_2 = 35, ROTATION_7_3 = 52; - private static final int ROTATION_7_4 = 23, ROTATION_7_5 = 31, ROTATION_7_6 = 37, ROTATION_7_7 = 20; - - public Threefish1024Cipher(long[] kw, long[] t) - { - super(kw, t); - } - - void encryptBlock(long[] block, long[] out) - { - final long[] kw = this.kw; - final long[] t = this.t; - final int[] mod17 = MOD17; - final int[] mod3 = MOD3; - - /* Help the JIT avoid index bounds checks */ - if (kw.length != 33) - { - throw new IllegalArgumentException(); - } - if (t.length != 5) - { - throw new IllegalArgumentException(); - } - - /* - * Read 16 words of plaintext data, not using arrays for cipher state - */ - long b0 = block[0]; - long b1 = block[1]; - long b2 = block[2]; - long b3 = block[3]; - long b4 = block[4]; - long b5 = block[5]; - long b6 = block[6]; - long b7 = block[7]; - long b8 = block[8]; - long b9 = block[9]; - long b10 = block[10]; - long b11 = block[11]; - long b12 = block[12]; - long b13 = block[13]; - long b14 = block[14]; - long b15 = block[15]; - - /* - * First subkey injection. - */ - b0 += kw[0]; - b1 += kw[1]; - b2 += kw[2]; - b3 += kw[3]; - b4 += kw[4]; - b5 += kw[5]; - b6 += kw[6]; - b7 += kw[7]; - b8 += kw[8]; - b9 += kw[9]; - b10 += kw[10]; - b11 += kw[11]; - b12 += kw[12]; - b13 += kw[13] + t[0]; - b14 += kw[14] + t[1]; - b15 += kw[15]; - - /* - * Rounds loop, unrolled to 8 rounds per iteration. - * - * Unrolling to multiples of 4 avoids the mod 4 check for key injection, and allows - * inlining of the permutations, which cycle every of 4 rounds (avoiding array - * index/lookup). - * - * Unrolling to multiples of 8 avoids the mod 8 rotation constant lookup, and allows - * inlining constant rotation values (avoiding array index/lookup). - */ - - for (int d = 1; d < (ROUNDS_1024 / 4); d += 2) - { - final int dm17 = mod17[d]; - final int dm3 = mod3[d]; - - /* - * 4 rounds of mix and permute. - * - * Permute schedule has a 4 round cycle, so permutes are inlined in the mix - * operations in each 4 round block. - */ - b1 = rotlXor(b1, ROTATION_0_0, b0 += b1); - b3 = rotlXor(b3, ROTATION_0_1, b2 += b3); - b5 = rotlXor(b5, ROTATION_0_2, b4 += b5); - b7 = rotlXor(b7, ROTATION_0_3, b6 += b7); - b9 = rotlXor(b9, ROTATION_0_4, b8 += b9); - b11 = rotlXor(b11, ROTATION_0_5, b10 += b11); - b13 = rotlXor(b13, ROTATION_0_6, b12 += b13); - b15 = rotlXor(b15, ROTATION_0_7, b14 += b15); - - b9 = rotlXor(b9, ROTATION_1_0, b0 += b9); - b13 = rotlXor(b13, ROTATION_1_1, b2 += b13); - b11 = rotlXor(b11, ROTATION_1_2, b6 += b11); - b15 = rotlXor(b15, ROTATION_1_3, b4 += b15); - b7 = rotlXor(b7, ROTATION_1_4, b10 += b7); - b3 = rotlXor(b3, ROTATION_1_5, b12 += b3); - b5 = rotlXor(b5, ROTATION_1_6, b14 += b5); - b1 = rotlXor(b1, ROTATION_1_7, b8 += b1); - - b7 = rotlXor(b7, ROTATION_2_0, b0 += b7); - b5 = rotlXor(b5, ROTATION_2_1, b2 += b5); - b3 = rotlXor(b3, ROTATION_2_2, b4 += b3); - b1 = rotlXor(b1, ROTATION_2_3, b6 += b1); - b15 = rotlXor(b15, ROTATION_2_4, b12 += b15); - b13 = rotlXor(b13, ROTATION_2_5, b14 += b13); - b11 = rotlXor(b11, ROTATION_2_6, b8 += b11); - b9 = rotlXor(b9, ROTATION_2_7, b10 += b9); - - b15 = rotlXor(b15, ROTATION_3_0, b0 += b15); - b11 = rotlXor(b11, ROTATION_3_1, b2 += b11); - b13 = rotlXor(b13, ROTATION_3_2, b6 += b13); - b9 = rotlXor(b9, ROTATION_3_3, b4 += b9); - b1 = rotlXor(b1, ROTATION_3_4, b14 += b1); - b5 = rotlXor(b5, ROTATION_3_5, b8 += b5); - b3 = rotlXor(b3, ROTATION_3_6, b10 += b3); - b7 = rotlXor(b7, ROTATION_3_7, b12 += b7); - - /* - * Subkey injection for first 4 rounds. - */ - b0 += kw[dm17]; - b1 += kw[dm17 + 1]; - b2 += kw[dm17 + 2]; - b3 += kw[dm17 + 3]; - b4 += kw[dm17 + 4]; - b5 += kw[dm17 + 5]; - b6 += kw[dm17 + 6]; - b7 += kw[dm17 + 7]; - b8 += kw[dm17 + 8]; - b9 += kw[dm17 + 9]; - b10 += kw[dm17 + 10]; - b11 += kw[dm17 + 11]; - b12 += kw[dm17 + 12]; - b13 += kw[dm17 + 13] + t[dm3]; - b14 += kw[dm17 + 14] + t[dm3 + 1]; - b15 += kw[dm17 + 15] + d; - - /* - * 4 more rounds of mix/permute - */ - b1 = rotlXor(b1, ROTATION_4_0, b0 += b1); - b3 = rotlXor(b3, ROTATION_4_1, b2 += b3); - b5 = rotlXor(b5, ROTATION_4_2, b4 += b5); - b7 = rotlXor(b7, ROTATION_4_3, b6 += b7); - b9 = rotlXor(b9, ROTATION_4_4, b8 += b9); - b11 = rotlXor(b11, ROTATION_4_5, b10 += b11); - b13 = rotlXor(b13, ROTATION_4_6, b12 += b13); - b15 = rotlXor(b15, ROTATION_4_7, b14 += b15); - - b9 = rotlXor(b9, ROTATION_5_0, b0 += b9); - b13 = rotlXor(b13, ROTATION_5_1, b2 += b13); - b11 = rotlXor(b11, ROTATION_5_2, b6 += b11); - b15 = rotlXor(b15, ROTATION_5_3, b4 += b15); - b7 = rotlXor(b7, ROTATION_5_4, b10 += b7); - b3 = rotlXor(b3, ROTATION_5_5, b12 += b3); - b5 = rotlXor(b5, ROTATION_5_6, b14 += b5); - b1 = rotlXor(b1, ROTATION_5_7, b8 += b1); - - b7 = rotlXor(b7, ROTATION_6_0, b0 += b7); - b5 = rotlXor(b5, ROTATION_6_1, b2 += b5); - b3 = rotlXor(b3, ROTATION_6_2, b4 += b3); - b1 = rotlXor(b1, ROTATION_6_3, b6 += b1); - b15 = rotlXor(b15, ROTATION_6_4, b12 += b15); - b13 = rotlXor(b13, ROTATION_6_5, b14 += b13); - b11 = rotlXor(b11, ROTATION_6_6, b8 += b11); - b9 = rotlXor(b9, ROTATION_6_7, b10 += b9); - - b15 = rotlXor(b15, ROTATION_7_0, b0 += b15); - b11 = rotlXor(b11, ROTATION_7_1, b2 += b11); - b13 = rotlXor(b13, ROTATION_7_2, b6 += b13); - b9 = rotlXor(b9, ROTATION_7_3, b4 += b9); - b1 = rotlXor(b1, ROTATION_7_4, b14 += b1); - b5 = rotlXor(b5, ROTATION_7_5, b8 += b5); - b3 = rotlXor(b3, ROTATION_7_6, b10 += b3); - b7 = rotlXor(b7, ROTATION_7_7, b12 += b7); - - /* - * Subkey injection for next 4 rounds. - */ - b0 += kw[dm17 + 1]; - b1 += kw[dm17 + 2]; - b2 += kw[dm17 + 3]; - b3 += kw[dm17 + 4]; - b4 += kw[dm17 + 5]; - b5 += kw[dm17 + 6]; - b6 += kw[dm17 + 7]; - b7 += kw[dm17 + 8]; - b8 += kw[dm17 + 9]; - b9 += kw[dm17 + 10]; - b10 += kw[dm17 + 11]; - b11 += kw[dm17 + 12]; - b12 += kw[dm17 + 13]; - b13 += kw[dm17 + 14] + t[dm3 + 1]; - b14 += kw[dm17 + 15] + t[dm3 + 2]; - b15 += kw[dm17 + 16] + d + 1; - - } - - /* - * Output cipher state. - */ - out[0] = b0; - out[1] = b1; - out[2] = b2; - out[3] = b3; - out[4] = b4; - out[5] = b5; - out[6] = b6; - out[7] = b7; - out[8] = b8; - out[9] = b9; - out[10] = b10; - out[11] = b11; - out[12] = b12; - out[13] = b13; - out[14] = b14; - out[15] = b15; - } - - void decryptBlock(long[] block, long[] state) - { - final long[] kw = this.kw; - final long[] t = this.t; - final int[] mod17 = MOD17; - final int[] mod3 = MOD3; - - /* Help the JIT avoid index bounds checks */ - if (kw.length != 33) - { - throw new IllegalArgumentException(); - } - if (t.length != 5) - { - throw new IllegalArgumentException(); - } - - long b0 = block[0]; - long b1 = block[1]; - long b2 = block[2]; - long b3 = block[3]; - long b4 = block[4]; - long b5 = block[5]; - long b6 = block[6]; - long b7 = block[7]; - long b8 = block[8]; - long b9 = block[9]; - long b10 = block[10]; - long b11 = block[11]; - long b12 = block[12]; - long b13 = block[13]; - long b14 = block[14]; - long b15 = block[15]; - - for (int d = (ROUNDS_1024 / 4) - 1; d >= 1; d -= 2) - { - final int dm17 = mod17[d]; - final int dm3 = mod3[d]; - - /* Reverse key injection for second 4 rounds */ - b0 -= kw[dm17 + 1]; - b1 -= kw[dm17 + 2]; - b2 -= kw[dm17 + 3]; - b3 -= kw[dm17 + 4]; - b4 -= kw[dm17 + 5]; - b5 -= kw[dm17 + 6]; - b6 -= kw[dm17 + 7]; - b7 -= kw[dm17 + 8]; - b8 -= kw[dm17 + 9]; - b9 -= kw[dm17 + 10]; - b10 -= kw[dm17 + 11]; - b11 -= kw[dm17 + 12]; - b12 -= kw[dm17 + 13]; - b13 -= kw[dm17 + 14] + t[dm3 + 1]; - b14 -= kw[dm17 + 15] + t[dm3 + 2]; - b15 -= kw[dm17 + 16] + d + 1; - - /* Reverse second 4 mix/permute rounds */ - b15 = xorRotr(b15, ROTATION_7_0, b0); - b0 -= b15; - b11 = xorRotr(b11, ROTATION_7_1, b2); - b2 -= b11; - b13 = xorRotr(b13, ROTATION_7_2, b6); - b6 -= b13; - b9 = xorRotr(b9, ROTATION_7_3, b4); - b4 -= b9; - b1 = xorRotr(b1, ROTATION_7_4, b14); - b14 -= b1; - b5 = xorRotr(b5, ROTATION_7_5, b8); - b8 -= b5; - b3 = xorRotr(b3, ROTATION_7_6, b10); - b10 -= b3; - b7 = xorRotr(b7, ROTATION_7_7, b12); - b12 -= b7; - - b7 = xorRotr(b7, ROTATION_6_0, b0); - b0 -= b7; - b5 = xorRotr(b5, ROTATION_6_1, b2); - b2 -= b5; - b3 = xorRotr(b3, ROTATION_6_2, b4); - b4 -= b3; - b1 = xorRotr(b1, ROTATION_6_3, b6); - b6 -= b1; - b15 = xorRotr(b15, ROTATION_6_4, b12); - b12 -= b15; - b13 = xorRotr(b13, ROTATION_6_5, b14); - b14 -= b13; - b11 = xorRotr(b11, ROTATION_6_6, b8); - b8 -= b11; - b9 = xorRotr(b9, ROTATION_6_7, b10); - b10 -= b9; - - b9 = xorRotr(b9, ROTATION_5_0, b0); - b0 -= b9; - b13 = xorRotr(b13, ROTATION_5_1, b2); - b2 -= b13; - b11 = xorRotr(b11, ROTATION_5_2, b6); - b6 -= b11; - b15 = xorRotr(b15, ROTATION_5_3, b4); - b4 -= b15; - b7 = xorRotr(b7, ROTATION_5_4, b10); - b10 -= b7; - b3 = xorRotr(b3, ROTATION_5_5, b12); - b12 -= b3; - b5 = xorRotr(b5, ROTATION_5_6, b14); - b14 -= b5; - b1 = xorRotr(b1, ROTATION_5_7, b8); - b8 -= b1; - - b1 = xorRotr(b1, ROTATION_4_0, b0); - b0 -= b1; - b3 = xorRotr(b3, ROTATION_4_1, b2); - b2 -= b3; - b5 = xorRotr(b5, ROTATION_4_2, b4); - b4 -= b5; - b7 = xorRotr(b7, ROTATION_4_3, b6); - b6 -= b7; - b9 = xorRotr(b9, ROTATION_4_4, b8); - b8 -= b9; - b11 = xorRotr(b11, ROTATION_4_5, b10); - b10 -= b11; - b13 = xorRotr(b13, ROTATION_4_6, b12); - b12 -= b13; - b15 = xorRotr(b15, ROTATION_4_7, b14); - b14 -= b15; - - /* Reverse key injection for first 4 rounds */ - b0 -= kw[dm17]; - b1 -= kw[dm17 + 1]; - b2 -= kw[dm17 + 2]; - b3 -= kw[dm17 + 3]; - b4 -= kw[dm17 + 4]; - b5 -= kw[dm17 + 5]; - b6 -= kw[dm17 + 6]; - b7 -= kw[dm17 + 7]; - b8 -= kw[dm17 + 8]; - b9 -= kw[dm17 + 9]; - b10 -= kw[dm17 + 10]; - b11 -= kw[dm17 + 11]; - b12 -= kw[dm17 + 12]; - b13 -= kw[dm17 + 13] + t[dm3]; - b14 -= kw[dm17 + 14] + t[dm3 + 1]; - b15 -= kw[dm17 + 15] + d; - - /* Reverse first 4 mix/permute rounds */ - b15 = xorRotr(b15, ROTATION_3_0, b0); - b0 -= b15; - b11 = xorRotr(b11, ROTATION_3_1, b2); - b2 -= b11; - b13 = xorRotr(b13, ROTATION_3_2, b6); - b6 -= b13; - b9 = xorRotr(b9, ROTATION_3_3, b4); - b4 -= b9; - b1 = xorRotr(b1, ROTATION_3_4, b14); - b14 -= b1; - b5 = xorRotr(b5, ROTATION_3_5, b8); - b8 -= b5; - b3 = xorRotr(b3, ROTATION_3_6, b10); - b10 -= b3; - b7 = xorRotr(b7, ROTATION_3_7, b12); - b12 -= b7; - - b7 = xorRotr(b7, ROTATION_2_0, b0); - b0 -= b7; - b5 = xorRotr(b5, ROTATION_2_1, b2); - b2 -= b5; - b3 = xorRotr(b3, ROTATION_2_2, b4); - b4 -= b3; - b1 = xorRotr(b1, ROTATION_2_3, b6); - b6 -= b1; - b15 = xorRotr(b15, ROTATION_2_4, b12); - b12 -= b15; - b13 = xorRotr(b13, ROTATION_2_5, b14); - b14 -= b13; - b11 = xorRotr(b11, ROTATION_2_6, b8); - b8 -= b11; - b9 = xorRotr(b9, ROTATION_2_7, b10); - b10 -= b9; - - b9 = xorRotr(b9, ROTATION_1_0, b0); - b0 -= b9; - b13 = xorRotr(b13, ROTATION_1_1, b2); - b2 -= b13; - b11 = xorRotr(b11, ROTATION_1_2, b6); - b6 -= b11; - b15 = xorRotr(b15, ROTATION_1_3, b4); - b4 -= b15; - b7 = xorRotr(b7, ROTATION_1_4, b10); - b10 -= b7; - b3 = xorRotr(b3, ROTATION_1_5, b12); - b12 -= b3; - b5 = xorRotr(b5, ROTATION_1_6, b14); - b14 -= b5; - b1 = xorRotr(b1, ROTATION_1_7, b8); - b8 -= b1; - - b1 = xorRotr(b1, ROTATION_0_0, b0); - b0 -= b1; - b3 = xorRotr(b3, ROTATION_0_1, b2); - b2 -= b3; - b5 = xorRotr(b5, ROTATION_0_2, b4); - b4 -= b5; - b7 = xorRotr(b7, ROTATION_0_3, b6); - b6 -= b7; - b9 = xorRotr(b9, ROTATION_0_4, b8); - b8 -= b9; - b11 = xorRotr(b11, ROTATION_0_5, b10); - b10 -= b11; - b13 = xorRotr(b13, ROTATION_0_6, b12); - b12 -= b13; - b15 = xorRotr(b15, ROTATION_0_7, b14); - b14 -= b15; - } - - /* - * First subkey uninjection. - */ - b0 -= kw[0]; - b1 -= kw[1]; - b2 -= kw[2]; - b3 -= kw[3]; - b4 -= kw[4]; - b5 -= kw[5]; - b6 -= kw[6]; - b7 -= kw[7]; - b8 -= kw[8]; - b9 -= kw[9]; - b10 -= kw[10]; - b11 -= kw[11]; - b12 -= kw[12]; - b13 -= kw[13] + t[0]; - b14 -= kw[14] + t[1]; - b15 -= kw[15]; - - /* - * Output cipher state. - */ - state[0] = b0; - state[1] = b1; - state[2] = b2; - state[3] = b3; - state[4] = b4; - state[5] = b5; - state[6] = b6; - state[7] = b7; - state[8] = b8; - state[9] = b9; - state[10] = b10; - state[11] = b11; - state[12] = b12; - state[13] = b13; - state[14] = b14; - state[15] = b15; - } - - } - -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/TwofishEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/TwofishEngine.java deleted file mode 100644 index 31ac0878..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/TwofishEngine.java +++ /dev/null @@ -1,680 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.params.KeyParameter; - -/** - * A class that provides Twofish encryption operations. - * - * This Java implementation is based on the Java reference - * implementation provided by Bruce Schneier and developed - * by Raif S. Naffah. - */ -public final class TwofishEngine - implements BlockCipher -{ - private static final byte[][] P = { - { // p0 - (byte) 0xA9, (byte) 0x67, (byte) 0xB3, (byte) 0xE8, - (byte) 0x04, (byte) 0xFD, (byte) 0xA3, (byte) 0x76, - (byte) 0x9A, (byte) 0x92, (byte) 0x80, (byte) 0x78, - (byte) 0xE4, (byte) 0xDD, (byte) 0xD1, (byte) 0x38, - (byte) 0x0D, (byte) 0xC6, (byte) 0x35, (byte) 0x98, - (byte) 0x18, (byte) 0xF7, (byte) 0xEC, (byte) 0x6C, - (byte) 0x43, (byte) 0x75, (byte) 0x37, (byte) 0x26, - (byte) 0xFA, (byte) 0x13, (byte) 0x94, (byte) 0x48, - (byte) 0xF2, (byte) 0xD0, (byte) 0x8B, (byte) 0x30, - (byte) 0x84, (byte) 0x54, (byte) 0xDF, (byte) 0x23, - (byte) 0x19, (byte) 0x5B, (byte) 0x3D, (byte) 0x59, - (byte) 0xF3, (byte) 0xAE, (byte) 0xA2, (byte) 0x82, - (byte) 0x63, (byte) 0x01, (byte) 0x83, (byte) 0x2E, - (byte) 0xD9, (byte) 0x51, (byte) 0x9B, (byte) 0x7C, - (byte) 0xA6, (byte) 0xEB, (byte) 0xA5, (byte) 0xBE, - (byte) 0x16, (byte) 0x0C, (byte) 0xE3, (byte) 0x61, - (byte) 0xC0, (byte) 0x8C, (byte) 0x3A, (byte) 0xF5, - (byte) 0x73, (byte) 0x2C, (byte) 0x25, (byte) 0x0B, - (byte) 0xBB, (byte) 0x4E, (byte) 0x89, (byte) 0x6B, - (byte) 0x53, (byte) 0x6A, (byte) 0xB4, (byte) 0xF1, - (byte) 0xE1, (byte) 0xE6, (byte) 0xBD, (byte) 0x45, - (byte) 0xE2, (byte) 0xF4, (byte) 0xB6, (byte) 0x66, - (byte) 0xCC, (byte) 0x95, (byte) 0x03, (byte) 0x56, - (byte) 0xD4, (byte) 0x1C, (byte) 0x1E, (byte) 0xD7, - (byte) 0xFB, (byte) 0xC3, (byte) 0x8E, (byte) 0xB5, - (byte) 0xE9, (byte) 0xCF, (byte) 0xBF, (byte) 0xBA, - (byte) 0xEA, (byte) 0x77, (byte) 0x39, (byte) 0xAF, - (byte) 0x33, (byte) 0xC9, (byte) 0x62, (byte) 0x71, - (byte) 0x81, (byte) 0x79, (byte) 0x09, (byte) 0xAD, - (byte) 0x24, (byte) 0xCD, (byte) 0xF9, (byte) 0xD8, - (byte) 0xE5, (byte) 0xC5, (byte) 0xB9, (byte) 0x4D, - (byte) 0x44, (byte) 0x08, (byte) 0x86, (byte) 0xE7, - (byte) 0xA1, (byte) 0x1D, (byte) 0xAA, (byte) 0xED, - (byte) 0x06, (byte) 0x70, (byte) 0xB2, (byte) 0xD2, - (byte) 0x41, (byte) 0x7B, (byte) 0xA0, (byte) 0x11, - (byte) 0x31, (byte) 0xC2, (byte) 0x27, (byte) 0x90, - (byte) 0x20, (byte) 0xF6, (byte) 0x60, (byte) 0xFF, - (byte) 0x96, (byte) 0x5C, (byte) 0xB1, (byte) 0xAB, - (byte) 0x9E, (byte) 0x9C, (byte) 0x52, (byte) 0x1B, - (byte) 0x5F, (byte) 0x93, (byte) 0x0A, (byte) 0xEF, - (byte) 0x91, (byte) 0x85, (byte) 0x49, (byte) 0xEE, - (byte) 0x2D, (byte) 0x4F, (byte) 0x8F, (byte) 0x3B, - (byte) 0x47, (byte) 0x87, (byte) 0x6D, (byte) 0x46, - (byte) 0xD6, (byte) 0x3E, (byte) 0x69, (byte) 0x64, - (byte) 0x2A, (byte) 0xCE, (byte) 0xCB, (byte) 0x2F, - (byte) 0xFC, (byte) 0x97, (byte) 0x05, (byte) 0x7A, - (byte) 0xAC, (byte) 0x7F, (byte) 0xD5, (byte) 0x1A, - (byte) 0x4B, (byte) 0x0E, (byte) 0xA7, (byte) 0x5A, - (byte) 0x28, (byte) 0x14, (byte) 0x3F, (byte) 0x29, - (byte) 0x88, (byte) 0x3C, (byte) 0x4C, (byte) 0x02, - (byte) 0xB8, (byte) 0xDA, (byte) 0xB0, (byte) 0x17, - (byte) 0x55, (byte) 0x1F, (byte) 0x8A, (byte) 0x7D, - (byte) 0x57, (byte) 0xC7, (byte) 0x8D, (byte) 0x74, - (byte) 0xB7, (byte) 0xC4, (byte) 0x9F, (byte) 0x72, - (byte) 0x7E, (byte) 0x15, (byte) 0x22, (byte) 0x12, - (byte) 0x58, (byte) 0x07, (byte) 0x99, (byte) 0x34, - (byte) 0x6E, (byte) 0x50, (byte) 0xDE, (byte) 0x68, - (byte) 0x65, (byte) 0xBC, (byte) 0xDB, (byte) 0xF8, - (byte) 0xC8, (byte) 0xA8, (byte) 0x2B, (byte) 0x40, - (byte) 0xDC, (byte) 0xFE, (byte) 0x32, (byte) 0xA4, - (byte) 0xCA, (byte) 0x10, (byte) 0x21, (byte) 0xF0, - (byte) 0xD3, (byte) 0x5D, (byte) 0x0F, (byte) 0x00, - (byte) 0x6F, (byte) 0x9D, (byte) 0x36, (byte) 0x42, - (byte) 0x4A, (byte) 0x5E, (byte) 0xC1, (byte) 0xE0 }, - { // p1 - (byte) 0x75, (byte) 0xF3, (byte) 0xC6, (byte) 0xF4, - (byte) 0xDB, (byte) 0x7B, (byte) 0xFB, (byte) 0xC8, - (byte) 0x4A, (byte) 0xD3, (byte) 0xE6, (byte) 0x6B, - (byte) 0x45, (byte) 0x7D, (byte) 0xE8, (byte) 0x4B, - (byte) 0xD6, (byte) 0x32, (byte) 0xD8, (byte) 0xFD, - (byte) 0x37, (byte) 0x71, (byte) 0xF1, (byte) 0xE1, - (byte) 0x30, (byte) 0x0F, (byte) 0xF8, (byte) 0x1B, - (byte) 0x87, (byte) 0xFA, (byte) 0x06, (byte) 0x3F, - (byte) 0x5E, (byte) 0xBA, (byte) 0xAE, (byte) 0x5B, - (byte) 0x8A, (byte) 0x00, (byte) 0xBC, (byte) 0x9D, - (byte) 0x6D, (byte) 0xC1, (byte) 0xB1, (byte) 0x0E, - (byte) 0x80, (byte) 0x5D, (byte) 0xD2, (byte) 0xD5, - (byte) 0xA0, (byte) 0x84, (byte) 0x07, (byte) 0x14, - (byte) 0xB5, (byte) 0x90, (byte) 0x2C, (byte) 0xA3, - (byte) 0xB2, (byte) 0x73, (byte) 0x4C, (byte) 0x54, - (byte) 0x92, (byte) 0x74, (byte) 0x36, (byte) 0x51, - (byte) 0x38, (byte) 0xB0, (byte) 0xBD, (byte) 0x5A, - (byte) 0xFC, (byte) 0x60, (byte) 0x62, (byte) 0x96, - (byte) 0x6C, (byte) 0x42, (byte) 0xF7, (byte) 0x10, - (byte) 0x7C, (byte) 0x28, (byte) 0x27, (byte) 0x8C, - (byte) 0x13, (byte) 0x95, (byte) 0x9C, (byte) 0xC7, - (byte) 0x24, (byte) 0x46, (byte) 0x3B, (byte) 0x70, - (byte) 0xCA, (byte) 0xE3, (byte) 0x85, (byte) 0xCB, - (byte) 0x11, (byte) 0xD0, (byte) 0x93, (byte) 0xB8, - (byte) 0xA6, (byte) 0x83, (byte) 0x20, (byte) 0xFF, - (byte) 0x9F, (byte) 0x77, (byte) 0xC3, (byte) 0xCC, - (byte) 0x03, (byte) 0x6F, (byte) 0x08, (byte) 0xBF, - (byte) 0x40, (byte) 0xE7, (byte) 0x2B, (byte) 0xE2, - (byte) 0x79, (byte) 0x0C, (byte) 0xAA, (byte) 0x82, - (byte) 0x41, (byte) 0x3A, (byte) 0xEA, (byte) 0xB9, - (byte) 0xE4, (byte) 0x9A, (byte) 0xA4, (byte) 0x97, - (byte) 0x7E, (byte) 0xDA, (byte) 0x7A, (byte) 0x17, - (byte) 0x66, (byte) 0x94, (byte) 0xA1, (byte) 0x1D, - (byte) 0x3D, (byte) 0xF0, (byte) 0xDE, (byte) 0xB3, - (byte) 0x0B, (byte) 0x72, (byte) 0xA7, (byte) 0x1C, - (byte) 0xEF, (byte) 0xD1, (byte) 0x53, (byte) 0x3E, - (byte) 0x8F, (byte) 0x33, (byte) 0x26, (byte) 0x5F, - (byte) 0xEC, (byte) 0x76, (byte) 0x2A, (byte) 0x49, - (byte) 0x81, (byte) 0x88, (byte) 0xEE, (byte) 0x21, - (byte) 0xC4, (byte) 0x1A, (byte) 0xEB, (byte) 0xD9, - (byte) 0xC5, (byte) 0x39, (byte) 0x99, (byte) 0xCD, - (byte) 0xAD, (byte) 0x31, (byte) 0x8B, (byte) 0x01, - (byte) 0x18, (byte) 0x23, (byte) 0xDD, (byte) 0x1F, - (byte) 0x4E, (byte) 0x2D, (byte) 0xF9, (byte) 0x48, - (byte) 0x4F, (byte) 0xF2, (byte) 0x65, (byte) 0x8E, - (byte) 0x78, (byte) 0x5C, (byte) 0x58, (byte) 0x19, - (byte) 0x8D, (byte) 0xE5, (byte) 0x98, (byte) 0x57, - (byte) 0x67, (byte) 0x7F, (byte) 0x05, (byte) 0x64, - (byte) 0xAF, (byte) 0x63, (byte) 0xB6, (byte) 0xFE, - (byte) 0xF5, (byte) 0xB7, (byte) 0x3C, (byte) 0xA5, - (byte) 0xCE, (byte) 0xE9, (byte) 0x68, (byte) 0x44, - (byte) 0xE0, (byte) 0x4D, (byte) 0x43, (byte) 0x69, - (byte) 0x29, (byte) 0x2E, (byte) 0xAC, (byte) 0x15, - (byte) 0x59, (byte) 0xA8, (byte) 0x0A, (byte) 0x9E, - (byte) 0x6E, (byte) 0x47, (byte) 0xDF, (byte) 0x34, - (byte) 0x35, (byte) 0x6A, (byte) 0xCF, (byte) 0xDC, - (byte) 0x22, (byte) 0xC9, (byte) 0xC0, (byte) 0x9B, - (byte) 0x89, (byte) 0xD4, (byte) 0xED, (byte) 0xAB, - (byte) 0x12, (byte) 0xA2, (byte) 0x0D, (byte) 0x52, - (byte) 0xBB, (byte) 0x02, (byte) 0x2F, (byte) 0xA9, - (byte) 0xD7, (byte) 0x61, (byte) 0x1E, (byte) 0xB4, - (byte) 0x50, (byte) 0x04, (byte) 0xF6, (byte) 0xC2, - (byte) 0x16, (byte) 0x25, (byte) 0x86, (byte) 0x56, - (byte) 0x55, (byte) 0x09, (byte) 0xBE, (byte) 0x91 } - }; - - /** - * Define the fixed p0/p1 permutations used in keyed S-box lookup. - * By changing the following constant definitions, the S-boxes will - * automatically get changed in the Twofish engine. - */ - private static final int P_00 = 1; - private static final int P_01 = 0; - private static final int P_02 = 0; - private static final int P_03 = P_01 ^ 1; - private static final int P_04 = 1; - - private static final int P_10 = 0; - private static final int P_11 = 0; - private static final int P_12 = 1; - private static final int P_13 = P_11 ^ 1; - private static final int P_14 = 0; - - private static final int P_20 = 1; - private static final int P_21 = 1; - private static final int P_22 = 0; - private static final int P_23 = P_21 ^ 1; - private static final int P_24 = 0; - - private static final int P_30 = 0; - private static final int P_31 = 1; - private static final int P_32 = 1; - private static final int P_33 = P_31 ^ 1; - private static final int P_34 = 1; - - /* Primitive polynomial for GF(256) */ - private static final int GF256_FDBK = 0x169; - private static final int GF256_FDBK_2 = GF256_FDBK / 2; - private static final int GF256_FDBK_4 = GF256_FDBK / 4; - - private static final int RS_GF_FDBK = 0x14D; // field generator - - //==================================== - // Useful constants - //==================================== - - private static final int ROUNDS = 16; - private static final int MAX_ROUNDS = 16; // bytes = 128 bits - private static final int BLOCK_SIZE = 16; // bytes = 128 bits - private static final int MAX_KEY_BITS = 256; - - private static final int INPUT_WHITEN=0; - private static final int OUTPUT_WHITEN=INPUT_WHITEN+BLOCK_SIZE/4; // 4 - private static final int ROUND_SUBKEYS=OUTPUT_WHITEN+BLOCK_SIZE/4;// 8 - - private static final int TOTAL_SUBKEYS=ROUND_SUBKEYS+2*MAX_ROUNDS;// 40 - - private static final int SK_STEP = 0x02020202; - private static final int SK_BUMP = 0x01010101; - private static final int SK_ROTL = 9; - - private boolean encrypting = false; - - private int[] gMDS0 = new int[MAX_KEY_BITS]; - private int[] gMDS1 = new int[MAX_KEY_BITS]; - private int[] gMDS2 = new int[MAX_KEY_BITS]; - private int[] gMDS3 = new int[MAX_KEY_BITS]; - - /** - * gSubKeys[] and gSBox[] are eventually used in the - * encryption and decryption methods. - */ - private int[] gSubKeys; - private int[] gSBox; - - private int k64Cnt = 0; - - private byte[] workingKey = null; - - public TwofishEngine() - { - // calculate the MDS matrix - int[] m1 = new int[2]; - int[] mX = new int[2]; - int[] mY = new int[2]; - int j; - - for (int i=0; i< MAX_KEY_BITS ; i++) - { - j = P[0][i] & 0xff; - m1[0] = j; - mX[0] = Mx_X(j) & 0xff; - mY[0] = Mx_Y(j) & 0xff; - - j = P[1][i] & 0xff; - m1[1] = j; - mX[1] = Mx_X(j) & 0xff; - mY[1] = Mx_Y(j) & 0xff; - - gMDS0[i] = m1[P_00] | mX[P_00] << 8 | - mY[P_00] << 16 | mY[P_00] << 24; - - gMDS1[i] = mY[P_10] | mY[P_10] << 8 | - mX[P_10] << 16 | m1[P_10] << 24; - - gMDS2[i] = mX[P_20] | mY[P_20] << 8 | - m1[P_20] << 16 | mY[P_20] << 24; - - gMDS3[i] = mX[P_30] | m1[P_30] << 8 | - mY[P_30] << 16 | mX[P_30] << 24; - } - } - - /** - * initialise a Twofish cipher. - * - * @param encrypting whether or not we are for encryption. - * @param params the parameters required to set up the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean encrypting, - CipherParameters params) - { - if (params instanceof KeyParameter) - { - this.encrypting = encrypting; - this.workingKey = ((KeyParameter)params).getKey(); - this.k64Cnt = (this.workingKey.length / 8); // pre-padded ? - setKey(this.workingKey); - - return; - } - - throw new IllegalArgumentException("invalid parameter passed to Twofish init - " + params.getClass().getName()); - } - - public String getAlgorithmName() - { - return "Twofish"; - } - - public int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - if (workingKey == null) - { - throw new IllegalStateException("Twofish not initialised"); - } - - if ((inOff + BLOCK_SIZE) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + BLOCK_SIZE) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - if (encrypting) - { - encryptBlock(in, inOff, out, outOff); - } - else - { - decryptBlock(in, inOff, out, outOff); - } - - return BLOCK_SIZE; - } - - public void reset() - { - if (this.workingKey != null) - { - setKey(this.workingKey); - } - } - - public int getBlockSize() - { - return BLOCK_SIZE; - } - - //================================== - // Private Implementation - //================================== - - private void setKey(byte[] key) - { - int[] k32e = new int[MAX_KEY_BITS/64]; // 4 - int[] k32o = new int[MAX_KEY_BITS/64]; // 4 - - int[] sBoxKeys = new int[MAX_KEY_BITS/64]; // 4 - gSubKeys = new int[TOTAL_SUBKEYS]; - - if (k64Cnt < 1) - { - throw new IllegalArgumentException("Key size less than 64 bits"); - } - - if (k64Cnt > 4) - { - throw new IllegalArgumentException("Key size larger than 256 bits"); - } - - /* - * k64Cnt is the number of 8 byte blocks (64 chunks) - * that are in the input key. The input key is a - * maximum of 32 bytes (256 bits), so the range - * for k64Cnt is 1..4 - */ - for (int i=0; i<k64Cnt ; i++) - { - int p = i* 8; - - k32e[i] = BytesTo32Bits(key, p); - k32o[i] = BytesTo32Bits(key, p+4); - - sBoxKeys[k64Cnt-1-i] = RS_MDS_Encode(k32e[i], k32o[i]); - } - - int q,A,B; - for (int i=0; i < TOTAL_SUBKEYS / 2 ; i++) - { - q = i*SK_STEP; - A = F32(q, k32e); - B = F32(q+SK_BUMP, k32o); - B = B << 8 | B >>> 24; - A += B; - gSubKeys[i*2] = A; - A += B; - gSubKeys[i*2 + 1] = A << SK_ROTL | A >>> (32-SK_ROTL); - } - - /* - * fully expand the table for speed - */ - int k0 = sBoxKeys[0]; - int k1 = sBoxKeys[1]; - int k2 = sBoxKeys[2]; - int k3 = sBoxKeys[3]; - int b0, b1, b2, b3; - gSBox = new int[4*MAX_KEY_BITS]; - for (int i=0; i<MAX_KEY_BITS; i++) - { - b0 = b1 = b2 = b3 = i; - switch (k64Cnt & 3) - { - case 1: - gSBox[i*2] = gMDS0[(P[P_01][b0] & 0xff) ^ b0(k0)]; - gSBox[i*2+1] = gMDS1[(P[P_11][b1] & 0xff) ^ b1(k0)]; - gSBox[i*2+0x200] = gMDS2[(P[P_21][b2] & 0xff) ^ b2(k0)]; - gSBox[i*2+0x201] = gMDS3[(P[P_31][b3] & 0xff) ^ b3(k0)]; - break; - case 0: // 256 bits of key - b0 = (P[P_04][b0] & 0xff) ^ b0(k3); - b1 = (P[P_14][b1] & 0xff) ^ b1(k3); - b2 = (P[P_24][b2] & 0xff) ^ b2(k3); - b3 = (P[P_34][b3] & 0xff) ^ b3(k3); - // fall through, having pre-processed b[0]..b[3] with k32[3] - case 3: // 192 bits of key - b0 = (P[P_03][b0] & 0xff) ^ b0(k2); - b1 = (P[P_13][b1] & 0xff) ^ b1(k2); - b2 = (P[P_23][b2] & 0xff) ^ b2(k2); - b3 = (P[P_33][b3] & 0xff) ^ b3(k2); - // fall through, having pre-processed b[0]..b[3] with k32[2] - case 2: // 128 bits of key - gSBox[i*2] = gMDS0[(P[P_01] - [(P[P_02][b0] & 0xff) ^ b0(k1)] & 0xff) ^ b0(k0)]; - gSBox[i*2+1] = gMDS1[(P[P_11] - [(P[P_12][b1] & 0xff) ^ b1(k1)] & 0xff) ^ b1(k0)]; - gSBox[i*2+0x200] = gMDS2[(P[P_21] - [(P[P_22][b2] & 0xff) ^ b2(k1)] & 0xff) ^ b2(k0)]; - gSBox[i*2+0x201] = gMDS3[(P[P_31] - [(P[P_32][b3] & 0xff) ^ b3(k1)] & 0xff) ^ b3(k0)]; - break; - } - } - - /* - * the function exits having setup the gSBox with the - * input key material. - */ - } - - /** - * Encrypt the given input starting at the given offset and place - * the result in the provided buffer starting at the given offset. - * The input will be an exact multiple of our blocksize. - * - * encryptBlock uses the pre-calculated gSBox[] and subKey[] - * arrays. - */ - private void encryptBlock( - byte[] src, - int srcIndex, - byte[] dst, - int dstIndex) - { - int x0 = BytesTo32Bits(src, srcIndex) ^ gSubKeys[INPUT_WHITEN]; - int x1 = BytesTo32Bits(src, srcIndex + 4) ^ gSubKeys[INPUT_WHITEN + 1]; - int x2 = BytesTo32Bits(src, srcIndex + 8) ^ gSubKeys[INPUT_WHITEN + 2]; - int x3 = BytesTo32Bits(src, srcIndex + 12) ^ gSubKeys[INPUT_WHITEN + 3]; - - int k = ROUND_SUBKEYS; - int t0, t1; - for (int r = 0; r < ROUNDS; r +=2) - { - t0 = Fe32_0(x0); - t1 = Fe32_3(x1); - x2 ^= t0 + t1 + gSubKeys[k++]; - x2 = x2 >>>1 | x2 << 31; - x3 = (x3 << 1 | x3 >>> 31) ^ (t0 + 2*t1 + gSubKeys[k++]); - - t0 = Fe32_0(x2); - t1 = Fe32_3(x3); - x0 ^= t0 + t1 + gSubKeys[k++]; - x0 = x0 >>>1 | x0 << 31; - x1 = (x1 << 1 | x1 >>> 31) ^ (t0 + 2*t1 + gSubKeys[k++]); - } - - Bits32ToBytes(x2 ^ gSubKeys[OUTPUT_WHITEN], dst, dstIndex); - Bits32ToBytes(x3 ^ gSubKeys[OUTPUT_WHITEN + 1], dst, dstIndex + 4); - Bits32ToBytes(x0 ^ gSubKeys[OUTPUT_WHITEN + 2], dst, dstIndex + 8); - Bits32ToBytes(x1 ^ gSubKeys[OUTPUT_WHITEN + 3], dst, dstIndex + 12); - } - - /** - * Decrypt the given input starting at the given offset and place - * the result in the provided buffer starting at the given offset. - * The input will be an exact multiple of our blocksize. - */ - private void decryptBlock( - byte[] src, - int srcIndex, - byte[] dst, - int dstIndex) - { - int x2 = BytesTo32Bits(src, srcIndex) ^ gSubKeys[OUTPUT_WHITEN]; - int x3 = BytesTo32Bits(src, srcIndex+4) ^ gSubKeys[OUTPUT_WHITEN + 1]; - int x0 = BytesTo32Bits(src, srcIndex+8) ^ gSubKeys[OUTPUT_WHITEN + 2]; - int x1 = BytesTo32Bits(src, srcIndex+12) ^ gSubKeys[OUTPUT_WHITEN + 3]; - - int k = ROUND_SUBKEYS + 2 * ROUNDS -1 ; - int t0, t1; - for (int r = 0; r< ROUNDS ; r +=2) - { - t0 = Fe32_0(x2); - t1 = Fe32_3(x3); - x1 ^= t0 + 2*t1 + gSubKeys[k--]; - x0 = (x0 << 1 | x0 >>> 31) ^ (t0 + t1 + gSubKeys[k--]); - x1 = x1 >>>1 | x1 << 31; - - t0 = Fe32_0(x0); - t1 = Fe32_3(x1); - x3 ^= t0 + 2*t1 + gSubKeys[k--]; - x2 = (x2 << 1 | x2 >>> 31) ^ (t0 + t1 + gSubKeys[k--]); - x3 = x3 >>>1 | x3 << 31; - } - - Bits32ToBytes(x0 ^ gSubKeys[INPUT_WHITEN], dst, dstIndex); - Bits32ToBytes(x1 ^ gSubKeys[INPUT_WHITEN + 1], dst, dstIndex + 4); - Bits32ToBytes(x2 ^ gSubKeys[INPUT_WHITEN + 2], dst, dstIndex + 8); - Bits32ToBytes(x3 ^ gSubKeys[INPUT_WHITEN + 3], dst, dstIndex + 12); - } - - /* - * TODO: This can be optimised and made cleaner by combining - * the functionality in this function and applying it appropriately - * to the creation of the subkeys during key setup. - */ - private int F32(int x, int[] k32) - { - int b0 = b0(x); - int b1 = b1(x); - int b2 = b2(x); - int b3 = b3(x); - int k0 = k32[0]; - int k1 = k32[1]; - int k2 = k32[2]; - int k3 = k32[3]; - - int result = 0; - switch (k64Cnt & 3) - { - case 1: - result = gMDS0[(P[P_01][b0] & 0xff) ^ b0(k0)] ^ - gMDS1[(P[P_11][b1] & 0xff) ^ b1(k0)] ^ - gMDS2[(P[P_21][b2] & 0xff) ^ b2(k0)] ^ - gMDS3[(P[P_31][b3] & 0xff) ^ b3(k0)]; - break; - case 0: /* 256 bits of key */ - b0 = (P[P_04][b0] & 0xff) ^ b0(k3); - b1 = (P[P_14][b1] & 0xff) ^ b1(k3); - b2 = (P[P_24][b2] & 0xff) ^ b2(k3); - b3 = (P[P_34][b3] & 0xff) ^ b3(k3); - case 3: - b0 = (P[P_03][b0] & 0xff) ^ b0(k2); - b1 = (P[P_13][b1] & 0xff) ^ b1(k2); - b2 = (P[P_23][b2] & 0xff) ^ b2(k2); - b3 = (P[P_33][b3] & 0xff) ^ b3(k2); - case 2: - result = - gMDS0[(P[P_01][(P[P_02][b0]&0xff)^b0(k1)]&0xff)^b0(k0)] ^ - gMDS1[(P[P_11][(P[P_12][b1]&0xff)^b1(k1)]&0xff)^b1(k0)] ^ - gMDS2[(P[P_21][(P[P_22][b2]&0xff)^b2(k1)]&0xff)^b2(k0)] ^ - gMDS3[(P[P_31][(P[P_32][b3]&0xff)^b3(k1)]&0xff)^b3(k0)]; - break; - } - return result; - } - - /** - * Use (12, 8) Reed-Solomon code over GF(256) to produce - * a key S-box 32-bit entity from 2 key material 32-bit - * entities. - * - * @param k0 first 32-bit entity - * @param k1 second 32-bit entity - * @return Remainder polynomial generated using RS code - */ - private int RS_MDS_Encode(int k0, int k1) - { - int r = k1; - for (int i = 0 ; i < 4 ; i++) // shift 1 byte at a time - { - r = RS_rem(r); - } - r ^= k0; - for (int i=0 ; i < 4 ; i++) - { - r = RS_rem(r); - } - - return r; - } - - /** - * Reed-Solomon code parameters: (12,8) reversible code:<p> - * <pre> - * g(x) = x^4 + (a+1/a)x^3 + ax^2 + (a+1/a)x + 1 - * </pre> - * where a = primitive root of field generator 0x14D - */ - private int RS_rem(int x) - { - int b = (x >>> 24) & 0xff; - int g2 = ((b << 1) ^ - ((b & 0x80) != 0 ? RS_GF_FDBK : 0)) & 0xff; - int g3 = ((b >>> 1) ^ - ((b & 0x01) != 0 ? (RS_GF_FDBK >>> 1) : 0)) ^ g2 ; - return ((x << 8) ^ (g3 << 24) ^ (g2 << 16) ^ (g3 << 8) ^ b); - } - - private int LFSR1(int x) - { - return (x >> 1) ^ - (((x & 0x01) != 0) ? GF256_FDBK_2 : 0); - } - - private int LFSR2(int x) - { - return (x >> 2) ^ - (((x & 0x02) != 0) ? GF256_FDBK_2 : 0) ^ - (((x & 0x01) != 0) ? GF256_FDBK_4 : 0); - } - - private int Mx_X(int x) - { - return x ^ LFSR2(x); - } // 5B - - private int Mx_Y(int x) - { - return x ^ LFSR1(x) ^ LFSR2(x); - } // EF - - private int b0(int x) - { - return x & 0xff; - } - - private int b1(int x) - { - return (x >>> 8) & 0xff; - } - - private int b2(int x) - { - return (x >>> 16) & 0xff; - } - - private int b3(int x) - { - return (x >>> 24) & 0xff; - } - - private int Fe32_0(int x) - { - return gSBox[ 0x000 + 2*(x & 0xff) ] ^ - gSBox[ 0x001 + 2*((x >>> 8) & 0xff) ] ^ - gSBox[ 0x200 + 2*((x >>> 16) & 0xff) ] ^ - gSBox[ 0x201 + 2*((x >>> 24) & 0xff) ]; - } - - private int Fe32_3(int x) - { - return gSBox[ 0x000 + 2*((x >>> 24) & 0xff) ] ^ - gSBox[ 0x001 + 2*(x & 0xff) ] ^ - gSBox[ 0x200 + 2*((x >>> 8) & 0xff) ] ^ - gSBox[ 0x201 + 2*((x >>> 16) & 0xff) ]; - } - - private int BytesTo32Bits(byte[] b, int p) - { - return ((b[p] & 0xff)) | - ((b[p+1] & 0xff) << 8) | - ((b[p+2] & 0xff) << 16) | - ((b[p+3] & 0xff) << 24); - } - - private void Bits32ToBytes(int in, byte[] b, int offset) - { - b[offset] = (byte)in; - b[offset + 1] = (byte)(in >> 8); - b[offset + 2] = (byte)(in >> 16); - b[offset + 3] = (byte)(in >> 24); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/VMPCEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/VMPCEngine.java deleted file mode 100644 index 364c5d82..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/VMPCEngine.java +++ /dev/null @@ -1,142 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.StreamCipher; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.ParametersWithIV; - -public class VMPCEngine implements StreamCipher -{ - /* - * variables to hold the state of the VMPC engine during encryption and - * decryption - */ - protected byte n = 0; - protected byte[] P = null; - protected byte s = 0; - - protected byte[] workingIV; - protected byte[] workingKey; - - public String getAlgorithmName() - { - return "VMPC"; - } - - /** - * initialise a VMPC cipher. - * - * @param forEncryption - * whether or not we are for encryption. - * @param params - * the parameters required to set up the cipher. - * @exception IllegalArgumentException - * if the params argument is inappropriate. - */ - public void init(boolean forEncryption, CipherParameters params) - { - if (!(params instanceof ParametersWithIV)) - { - throw new IllegalArgumentException( - "VMPC init parameters must include an IV"); - } - - ParametersWithIV ivParams = (ParametersWithIV) params; - - if (!(ivParams.getParameters() instanceof KeyParameter)) - { - throw new IllegalArgumentException( - "VMPC init parameters must include a key"); - } - - KeyParameter key = (KeyParameter) ivParams.getParameters(); - - this.workingIV = ivParams.getIV(); - - if (workingIV == null || workingIV.length < 1 || workingIV.length > 768) - { - throw new IllegalArgumentException("VMPC requires 1 to 768 bytes of IV"); - } - - this.workingKey = key.getKey(); - - initKey(this.workingKey, this.workingIV); - } - - protected void initKey(byte[] keyBytes, byte[] ivBytes) - { - s = 0; - P = new byte[256]; - for (int i = 0; i < 256; i++) - { - P[i] = (byte) i; - } - - for (int m = 0; m < 768; m++) - { - s = P[(s + P[m & 0xff] + keyBytes[m % keyBytes.length]) & 0xff]; - byte temp = P[m & 0xff]; - P[m & 0xff] = P[s & 0xff]; - P[s & 0xff] = temp; - } - for (int m = 0; m < 768; m++) - { - s = P[(s + P[m & 0xff] + ivBytes[m % ivBytes.length]) & 0xff]; - byte temp = P[m & 0xff]; - P[m & 0xff] = P[s & 0xff]; - P[s & 0xff] = temp; - } - n = 0; - } - - public int processBytes(byte[] in, int inOff, int len, byte[] out, - int outOff) - { - if ((inOff + len) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + len) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - for (int i = 0; i < len; i++) - { - s = P[(s + P[n & 0xff]) & 0xff]; - byte z = P[(P[(P[s & 0xff]) & 0xff] + 1) & 0xff]; - // encryption - byte temp = P[n & 0xff]; - P[n & 0xff] = P[s & 0xff]; - P[s & 0xff] = temp; - n = (byte) ((n + 1) & 0xff); - - // xor - out[i + outOff] = (byte) (in[i + inOff] ^ z); - } - - return len; - } - - public void reset() - { - initKey(this.workingKey, this.workingIV); - } - - public byte returnByte(byte in) - { - s = P[(s + P[n & 0xff]) & 0xff]; - byte z = P[(P[(P[s & 0xff]) & 0xff] + 1) & 0xff]; - // encryption - byte temp = P[n & 0xff]; - P[n & 0xff] = P[s & 0xff]; - P[s & 0xff] = temp; - n = (byte) ((n + 1) & 0xff); - - // xor - return (byte) (in ^ z); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/VMPCKSA3Engine.java b/core/src/main/java/org/bouncycastle/crypto/engines/VMPCKSA3Engine.java deleted file mode 100644 index 9e40272b..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/VMPCKSA3Engine.java +++ /dev/null @@ -1,45 +0,0 @@ -package org.bouncycastle.crypto.engines; - -public class VMPCKSA3Engine extends VMPCEngine -{ - public String getAlgorithmName() - { - return "VMPC-KSA3"; - } - - protected void initKey(byte[] keyBytes, byte[] ivBytes) - { - s = 0; - P = new byte[256]; - for (int i = 0; i < 256; i++) - { - P[i] = (byte) i; - } - - for (int m = 0; m < 768; m++) - { - s = P[(s + P[m & 0xff] + keyBytes[m % keyBytes.length]) & 0xff]; - byte temp = P[m & 0xff]; - P[m & 0xff] = P[s & 0xff]; - P[s & 0xff] = temp; - } - - for (int m = 0; m < 768; m++) - { - s = P[(s + P[m & 0xff] + ivBytes[m % ivBytes.length]) & 0xff]; - byte temp = P[m & 0xff]; - P[m & 0xff] = P[s & 0xff]; - P[s & 0xff] = temp; - } - - for (int m = 0; m < 768; m++) - { - s = P[(s + P[m & 0xff] + keyBytes[m % keyBytes.length]) & 0xff]; - byte temp = P[m & 0xff]; - P[m & 0xff] = P[s & 0xff]; - P[s & 0xff] = temp; - } - - n = 0; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/XSalsa20Engine.java b/core/src/main/java/org/bouncycastle/crypto/engines/XSalsa20Engine.java deleted file mode 100644 index 45cc478e..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/XSalsa20Engine.java +++ /dev/null @@ -1,65 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.util.Pack; - -/** - * Implementation of Daniel J. Bernstein's XSalsa20 stream cipher - Salsa20 with an extended nonce. - * <p> - * XSalsa20 requires a 256 bit key, and a 192 bit nonce. - */ -public class XSalsa20Engine extends Salsa20Engine -{ - public String getAlgorithmName() - { - return "XSalsa20"; - } - - protected int getNonceSize() - { - return 24; - } - - /** - * XSalsa20 key generation: process 256 bit input key and 128 bits of the input nonce - * using a core Salsa20 function without input addition to produce 256 bit working key - * and use that with the remaining 64 bits of nonce to initialize a standard Salsa20 engine state. - */ - protected void setKey(byte[] keyBytes, byte[] ivBytes) - { - if (keyBytes == null) - { - throw new IllegalArgumentException(getAlgorithmName() + " doesn't support re-init with null key"); - } - - if (keyBytes.length != 32) - { - throw new IllegalArgumentException(getAlgorithmName() + " requires a 256 bit key"); - } - - // Set key for HSalsa20 - super.setKey(keyBytes, ivBytes); - - // Pack next 64 bits of IV into engine state instead of counter - engineState[8] = Pack.littleEndianToInt(ivBytes, 8); - engineState[9] = Pack.littleEndianToInt(ivBytes, 12); - - // Process engine state to generate Salsa20 key - int[] hsalsa20Out = new int[engineState.length]; - salsaCore(20, engineState, hsalsa20Out); - - // Set new key, removing addition in last round of salsaCore - engineState[1] = hsalsa20Out[0] - engineState[0]; - engineState[2] = hsalsa20Out[5] - engineState[5]; - engineState[3] = hsalsa20Out[10] - engineState[10]; - engineState[4] = hsalsa20Out[15] - engineState[15]; - - engineState[11] = hsalsa20Out[6] - engineState[6]; - engineState[12] = hsalsa20Out[7] - engineState[7]; - engineState[13] = hsalsa20Out[8] - engineState[8]; - engineState[14] = hsalsa20Out[9] - engineState[9]; - - // Last 64 bits of input IV - engineState[6] = Pack.littleEndianToInt(ivBytes, 16); - engineState[7] = Pack.littleEndianToInt(ivBytes, 20); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/XTEAEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/XTEAEngine.java deleted file mode 100644 index fb21bbc2..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/engines/XTEAEngine.java +++ /dev/null @@ -1,188 +0,0 @@ -package org.bouncycastle.crypto.engines; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.params.KeyParameter; - -/** - * An XTEA engine. - */ -public class XTEAEngine - implements BlockCipher -{ - private static final int rounds = 32, - block_size = 8, -// key_size = 16, - delta = 0x9E3779B9; - - /* - * the expanded key array of 4 subkeys - */ - private int[] _S = new int[4], - _sum0 = new int[32], - _sum1 = new int[32]; - private boolean _initialised, - _forEncryption; - - /** - * Create an instance of the TEA encryption algorithm - * and set some defaults - */ - public XTEAEngine() - { - _initialised = false; - } - - public String getAlgorithmName() - { - return "XTEA"; - } - - public int getBlockSize() - { - return block_size; - } - - /** - * initialise - * - * @param forEncryption whether or not we are for encryption. - * @param params the parameters required to set up the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean forEncryption, - CipherParameters params) - { - if (!(params instanceof KeyParameter)) - { - throw new IllegalArgumentException("invalid parameter passed to TEA init - " + params.getClass().getName()); - } - - _forEncryption = forEncryption; - _initialised = true; - - KeyParameter p = (KeyParameter)params; - - setKey(p.getKey()); - } - - public int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - if (!_initialised) - { - throw new IllegalStateException(getAlgorithmName()+" not initialised"); - } - - if ((inOff + block_size) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + block_size) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - - return (_forEncryption) ? encryptBlock(in, inOff, out, outOff) - : decryptBlock(in, inOff, out, outOff); - } - - public void reset() - { - } - - /** - * Re-key the cipher. - * <p> - * @param key the key to be used - */ - private void setKey( - byte[] key) - { - if (key.length != 16) - { - throw new IllegalArgumentException("Key size must be 128 bits."); - } - - int i, j; - for (i = j = 0; i < 4; i++,j+=4) - { - _S[i] = bytesToInt(key, j); - } - - for (i = j = 0; i < rounds; i++) - { - _sum0[i] = (j + _S[j & 3]); - j += delta; - _sum1[i] = (j + _S[j >>> 11 & 3]); - } - } - - private int encryptBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - // Pack bytes into integers - int v0 = bytesToInt(in, inOff); - int v1 = bytesToInt(in, inOff + 4); - - for (int i = 0; i < rounds; i++) - { - v0 += ((v1 << 4 ^ v1 >>> 5) + v1) ^ _sum0[i]; - v1 += ((v0 << 4 ^ v0 >>> 5) + v0) ^ _sum1[i]; - } - - unpackInt(v0, out, outOff); - unpackInt(v1, out, outOff + 4); - - return block_size; - } - - private int decryptBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - { - // Pack bytes into integers - int v0 = bytesToInt(in, inOff); - int v1 = bytesToInt(in, inOff + 4); - - for (int i = rounds-1; i >= 0; i--) - { - v1 -= ((v0 << 4 ^ v0 >>> 5) + v0) ^ _sum1[i]; - v0 -= ((v1 << 4 ^ v1 >>> 5) + v1) ^ _sum0[i]; - } - - unpackInt(v0, out, outOff); - unpackInt(v1, out, outOff + 4); - - return block_size; - } - - private int bytesToInt(byte[] in, int inOff) - { - return ((in[inOff++]) << 24) | - ((in[inOff++] & 255) << 16) | - ((in[inOff++] & 255) << 8) | - ((in[inOff] & 255)); - } - - private void unpackInt(int v, byte[] out, int outOff) - { - out[outOff++] = (byte)(v >>> 24); - out[outOff++] = (byte)(v >>> 16); - out[outOff++] = (byte)(v >>> 8); - out[outOff ] = (byte)v; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/examples/DESExample.java b/core/src/main/java/org/bouncycastle/crypto/examples/DESExample.java deleted file mode 100644 index 90a21def..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/examples/DESExample.java +++ /dev/null @@ -1,421 +0,0 @@ -package org.bouncycastle.crypto.examples; - -import java.io.BufferedInputStream; -import java.io.BufferedOutputStream; -import java.io.BufferedReader; -import java.io.FileInputStream; -import java.io.FileNotFoundException; -import java.io.FileOutputStream; -import java.io.IOException; -import java.io.InputStreamReader; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.CryptoException; -import org.bouncycastle.crypto.KeyGenerationParameters; -import org.bouncycastle.crypto.engines.DESedeEngine; -import org.bouncycastle.crypto.generators.DESedeKeyGenerator; -import org.bouncycastle.crypto.modes.CBCBlockCipher; -import org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher; -import org.bouncycastle.crypto.params.DESedeParameters; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.util.encoders.Hex; - -/** - * DESExample is a simple DES based encryptor/decryptor. - * <p> - * The program is command line driven, with the input - * and output files specified on the command line. - * <pre> - * java org.bouncycastle.crypto.examples.DESExample infile outfile [keyfile] - * </pre> - * A new key is generated for each encryption, if key is not specified, - * then the example will assume encryption is required, and as output - * create deskey.dat in the current directory. This key is a hex - * encoded byte-stream that is used for the decryption. The output - * file is Hex encoded, 60 characters wide text file. - * <p> - * When encrypting; - * <ul> - * <li>the infile is expected to be a byte stream (text or binary) - * <li>there is no keyfile specified on the input line - * </ul> - * <p> - * When decrypting; - * <ul> - * <li>the infile is expected to be the 60 character wide base64 - * encoded file - * <li>the keyfile is expected to be a base64 encoded file - * </ul> - * <p> - * This example shows how to use the light-weight API, DES and - * the filesystem for message encryption and decryption. - * - */ -public class DESExample extends Object -{ - // Encrypting or decrypting ? - private boolean encrypt = true; - - // To hold the initialised DESede cipher - private PaddedBufferedBlockCipher cipher = null; - - // The input stream of bytes to be processed for encryption - private BufferedInputStream in = null; - - // The output stream of bytes to be procssed - private BufferedOutputStream out = null; - - // The key - private byte[] key = null; - - /* - * start the application - */ - public static void main(String[] args) - { - boolean encrypt = true; - String infile = null; - String outfile = null; - String keyfile = null; - - if (args.length < 2) - { - DESExample de = new DESExample(); - System.err.println("Usage: java "+de.getClass().getName()+ - " infile outfile [keyfile]"); - System.exit(1); - } - - keyfile = "deskey.dat"; - infile = args[0]; - outfile = args[1]; - - if (args.length > 2) - { - encrypt = false; - keyfile = args[2]; - } - - DESExample de = new DESExample(infile, outfile, keyfile, encrypt); - de.process(); - } - - // Default constructor, used for the usage message - public DESExample() - { - } - - /* - * Constructor, that takes the arguments appropriate for - * processing the command line directives. - */ - public DESExample( - String infile, - String outfile, - String keyfile, - boolean encrypt) - { - /* - * First, determine that infile & keyfile exist as appropriate. - * - * This will also create the BufferedInputStream as required - * for reading the input file. All input files are treated - * as if they are binary, even if they contain text, it's the - * bytes that are encrypted. - */ - this.encrypt = encrypt; - try - { - in = new BufferedInputStream(new FileInputStream(infile)); - } - catch (FileNotFoundException fnf) - { - System.err.println("Input file not found ["+infile+"]"); - System.exit(1); - } - - try - { - out = new BufferedOutputStream(new FileOutputStream(outfile)); - } - catch (IOException fnf) - { - System.err.println("Output file not created ["+outfile+"]"); - System.exit(1); - } - - if (encrypt) - { - try - { - /* - * The process of creating a new key requires a - * number of steps. - * - * First, create the parameters for the key generator - * which are a secure random number generator, and - * the length of the key (in bits). - */ - SecureRandom sr = null; - try - { - sr = new SecureRandom(); - /* - * This following call to setSeed() makes the - * initialisation of the SecureRandom object - * _very_ fast, but not secure AT ALL. - * - * Remove the line, recreate the class file and - * then run DESExample again to see the difference. - * - * The initialisation of a SecureRandom object - * can take 5 or more seconds depending on the - * CPU that the program is running on. That can - * be annoying during unit testing. - * -- jon - */ - sr.setSeed("www.bouncycastle.org".getBytes()); - } - catch (Exception nsa) - { - System.err.println("Hmmm, no SHA1PRNG, you need the "+ - "Sun implementation"); - System.exit(1); - } - KeyGenerationParameters kgp = new KeyGenerationParameters( - sr, - DESedeParameters.DES_EDE_KEY_LENGTH*8); - - /* - * Second, initialise the key generator with the parameters - */ - DESedeKeyGenerator kg = new DESedeKeyGenerator(); - kg.init(kgp); - - /* - * Third, and finally, generate the key - */ - key = kg.generateKey(); - - /* - * We can now output the key to the file, but first - * hex encode the key so that we can have a look - * at it with a text editor if we so desire - */ - BufferedOutputStream keystream = - new BufferedOutputStream(new FileOutputStream(keyfile)); - byte[] keyhex = Hex.encode(key); - keystream.write(keyhex, 0, keyhex.length); - keystream.flush(); - keystream.close(); - } - catch (IOException createKey) - { - System.err.println("Could not decryption create key file "+ - "["+keyfile+"]"); - System.exit(1); - } - } - else - { - try - { - // read the key, and decode from hex encoding - BufferedInputStream keystream = - new BufferedInputStream(new FileInputStream(keyfile)); - int len = keystream.available(); - byte[] keyhex = new byte[len]; - keystream.read(keyhex, 0, len); - key = Hex.decode(keyhex); - } - catch (IOException ioe) - { - System.err.println("Decryption key file not found, "+ - "or not valid ["+keyfile+"]"); - System.exit(1); - } - } - } - - private void process() - { - /* - * Setup the DESede cipher engine, create a PaddedBufferedBlockCipher - * in CBC mode. - */ - cipher = new PaddedBufferedBlockCipher( - new CBCBlockCipher(new DESedeEngine())); - - /* - * The input and output streams are currently set up - * appropriately, and the key bytes are ready to be - * used. - * - */ - - if (encrypt) - { - performEncrypt(key); - } - else - { - performDecrypt(key); - } - - // after processing clean up the files - try - { - in.close(); - out.flush(); - out.close(); - } - catch (IOException closing) - { - - } - } - - /* - * This method performs all the encryption and writes - * the cipher text to the buffered output stream created - * previously. - */ - private void performEncrypt(byte[] key) - { - // initialise the cipher with the key bytes, for encryption - cipher.init(true, new KeyParameter(key)); - - /* - * Create some temporary byte arrays for use in - * encryption, make them a reasonable size so that - * we don't spend forever reading small chunks from - * a file. - * - * There is no particular reason for using getBlockSize() - * to determine the size of the input chunk. It just - * was a convenient number for the example. - */ - // int inBlockSize = cipher.getBlockSize() * 5; - int inBlockSize = 47; - int outBlockSize = cipher.getOutputSize(inBlockSize); - - byte[] inblock = new byte[inBlockSize]; - byte[] outblock = new byte[outBlockSize]; - - /* - * now, read the file, and output the chunks - */ - try - { - int inL; - int outL; - byte[] rv = null; - while ((inL=in.read(inblock, 0, inBlockSize)) > 0) - { - outL = cipher.processBytes(inblock, 0, inL, outblock, 0); - /* - * Before we write anything out, we need to make sure - * that we've got something to write out. - */ - if (outL > 0) - { - rv = Hex.encode(outblock, 0, outL); - out.write(rv, 0, rv.length); - out.write('\n'); - } - } - - try - { - /* - * Now, process the bytes that are still buffered - * within the cipher. - */ - outL = cipher.doFinal(outblock, 0); - if (outL > 0) - { - rv = Hex.encode(outblock, 0, outL); - out.write(rv, 0, rv.length); - out.write('\n'); - } - } - catch (CryptoException ce) - { - - } - } - catch (IOException ioeread) - { - ioeread.printStackTrace(); - } - } - - /* - * This method performs all the decryption and writes - * the plain text to the buffered output stream created - * previously. - */ - private void performDecrypt(byte[] key) - { - // initialise the cipher for decryption - cipher.init(false, new KeyParameter(key)); - - /* - * As the decryption is from our preformatted file, - * and we know that it's a hex encoded format, then - * we wrap the InputStream with a BufferedReader - * so that we can read it easily. - */ - BufferedReader br = new BufferedReader(new InputStreamReader(in)); - - /* - * now, read the file, and output the chunks - */ - try - { - int outL; - byte[] inblock = null; - byte[] outblock = null; - String rv = null; - while ((rv = br.readLine()) != null) - { - inblock = Hex.decode(rv); - outblock = new byte[cipher.getOutputSize(inblock.length)]; - - outL = cipher.processBytes(inblock, 0, inblock.length, - outblock, 0); - /* - * Before we write anything out, we need to make sure - * that we've got something to write out. - */ - if (outL > 0) - { - out.write(outblock, 0, outL); - } - } - - try - { - /* - * Now, process the bytes that are still buffered - * within the cipher. - */ - outL = cipher.doFinal(outblock, 0); - if (outL > 0) - { - out.write(outblock, 0, outL); - } - } - catch (CryptoException ce) - { - - } - } - catch (IOException ioeread) - { - ioeread.printStackTrace(); - } - } - -} - diff --git a/core/src/main/java/org/bouncycastle/crypto/examples/JPAKEExample.java b/core/src/main/java/org/bouncycastle/crypto/examples/JPAKEExample.java deleted file mode 100644 index f0065f4c..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/examples/JPAKEExample.java +++ /dev/null @@ -1,214 +0,0 @@ -package org.bouncycastle.crypto.examples; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.CryptoException; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.agreement.jpake.JPAKEPrimeOrderGroup; -import org.bouncycastle.crypto.agreement.jpake.JPAKEPrimeOrderGroups; -import org.bouncycastle.crypto.agreement.jpake.JPAKEParticipant; -import org.bouncycastle.crypto.agreement.jpake.JPAKERound1Payload; -import org.bouncycastle.crypto.agreement.jpake.JPAKERound2Payload; -import org.bouncycastle.crypto.agreement.jpake.JPAKERound3Payload; -import org.bouncycastle.crypto.digests.SHA256Digest; - -/** - * An example of a J-PAKE exchange. - * <p> - * - * In this example, both Alice and Bob are on the same computer (in the same JVM, in fact). - * In reality, Alice and Bob would be in different locations, - * and would be sending their generated payloads to each other. - */ -public class JPAKEExample -{ - - public static void main(String args[]) throws CryptoException - { - /* - * Initialization - * - * Pick an appropriate prime order group to use throughout the exchange. - * Note that both participants must use the same group. - */ - JPAKEPrimeOrderGroup group = JPAKEPrimeOrderGroups.NIST_3072; - - BigInteger p = group.getP(); - BigInteger q = group.getQ(); - BigInteger g = group.getG(); - - String alicePassword = "password"; - String bobPassword = "password"; - - System.out.println("********* Initialization **********"); - System.out.println("Public parameters for the cyclic group:"); - System.out.println("p (" + p.bitLength() + " bits): " + p.toString(16)); - System.out.println("q (" + q.bitLength() + " bits): " + q.toString(16)); - System.out.println("g (" + p.bitLength() + " bits): " + g.toString(16)); - System.out.println("p mod q = " + p.mod(q).toString(16)); - System.out.println("g^{q} mod p = " + g.modPow(q, p).toString(16)); - System.out.println(""); - - System.out.println("(Secret passwords used by Alice and Bob: " + - "\"" + alicePassword + "\" and \"" + bobPassword + "\")\n"); - - /* - * Both participants must use the same hashing algorithm. - */ - Digest digest = new SHA256Digest(); - SecureRandom random = new SecureRandom(); - - JPAKEParticipant alice = new JPAKEParticipant("alice", alicePassword.toCharArray(), group, digest, random); - JPAKEParticipant bob = new JPAKEParticipant("bob", bobPassword.toCharArray(), group, digest, random); - - /* - * Round 1 - * - * Alice and Bob each generate a round 1 payload, and send it to each other. - */ - - JPAKERound1Payload aliceRound1Payload = alice.createRound1PayloadToSend(); - JPAKERound1Payload bobRound1Payload = bob.createRound1PayloadToSend(); - - System.out.println("************ Round 1 **************"); - System.out.println("Alice sends to Bob: "); - System.out.println("g^{x1}=" + aliceRound1Payload.getGx1().toString(16)); - System.out.println("g^{x2}=" + aliceRound1Payload.getGx2().toString(16)); - System.out.println("KP{x1}={" + aliceRound1Payload.getKnowledgeProofForX1()[0].toString(16) + "};{" + aliceRound1Payload.getKnowledgeProofForX1()[1].toString(16) + "}"); - System.out.println("KP{x2}={" + aliceRound1Payload.getKnowledgeProofForX2()[0].toString(16) + "};{" + aliceRound1Payload.getKnowledgeProofForX2()[1].toString(16) + "}"); - System.out.println(""); - - System.out.println("Bob sends to Alice: "); - System.out.println("g^{x3}=" + bobRound1Payload.getGx1().toString(16)); - System.out.println("g^{x4}=" + bobRound1Payload.getGx2().toString(16)); - System.out.println("KP{x3}={" + bobRound1Payload.getKnowledgeProofForX1()[0].toString(16) + "};{" + bobRound1Payload.getKnowledgeProofForX1()[1].toString(16) + "}"); - System.out.println("KP{x4}={" + bobRound1Payload.getKnowledgeProofForX2()[0].toString(16) + "};{" + bobRound1Payload.getKnowledgeProofForX2()[1].toString(16) + "}"); - System.out.println(""); - - /* - * Each participant must then validate the received payload for round 1 - */ - - alice.validateRound1PayloadReceived(bobRound1Payload); - System.out.println("Alice checks g^{x4}!=1: OK"); - System.out.println("Alice checks KP{x3}: OK"); - System.out.println("Alice checks KP{x4}: OK"); - System.out.println(""); - - bob.validateRound1PayloadReceived(aliceRound1Payload); - System.out.println("Bob checks g^{x2}!=1: OK"); - System.out.println("Bob checks KP{x1},: OK"); - System.out.println("Bob checks KP{x2},: OK"); - System.out.println(""); - - /* - * Round 2 - * - * Alice and Bob each generate a round 2 payload, and send it to each other. - */ - - JPAKERound2Payload aliceRound2Payload = alice.createRound2PayloadToSend(); - JPAKERound2Payload bobRound2Payload = bob.createRound2PayloadToSend(); - - System.out.println("************ Round 2 **************"); - System.out.println("Alice sends to Bob: "); - System.out.println("A=" + aliceRound2Payload.getA().toString(16)); - System.out.println("KP{x2*s}={" + aliceRound2Payload.getKnowledgeProofForX2s()[0].toString(16) + "},{" + aliceRound2Payload.getKnowledgeProofForX2s()[1].toString(16) + "}"); - System.out.println(""); - - System.out.println("Bob sends to Alice"); - System.out.println("B=" + bobRound2Payload.getA().toString(16)); - System.out.println("KP{x4*s}={" + bobRound2Payload.getKnowledgeProofForX2s()[0].toString(16) + "},{" + bobRound2Payload.getKnowledgeProofForX2s()[1].toString(16) + "}"); - System.out.println(""); - - /* - * Each participant must then validate the received payload for round 2 - */ - - alice.validateRound2PayloadReceived(bobRound2Payload); - System.out.println("Alice checks KP{x4*s}: OK\n"); - - bob.validateRound2PayloadReceived(aliceRound2Payload); - System.out.println("Bob checks KP{x2*s}: OK\n"); - - /* - * After round 2, each participant computes the keying material. - */ - - BigInteger aliceKeyingMaterial = alice.calculateKeyingMaterial(); - BigInteger bobKeyingMaterial = bob.calculateKeyingMaterial(); - - System.out.println("********* After round 2 ***********"); - System.out.println("Alice computes key material \t K=" + aliceKeyingMaterial.toString(16)); - System.out.println("Bob computes key material \t K=" + bobKeyingMaterial.toString(16)); - System.out.println(); - - - /* - * You must derive a session key from the keying material applicable - * to whatever encryption algorithm you want to use. - */ - - BigInteger aliceKey = deriveSessionKey(aliceKeyingMaterial); - BigInteger bobKey = deriveSessionKey(bobKeyingMaterial); - - /* - * At this point, you can stop and use the session keys if you want. - * This is implicit key confirmation. - * - * If you want to explicitly confirm that the key material matches, - * you can continue on and perform round 3. - */ - - /* - * Round 3 - * - * Alice and Bob each generate a round 3 payload, and send it to each other. - */ - - JPAKERound3Payload aliceRound3Payload = alice.createRound3PayloadToSend(aliceKeyingMaterial); - JPAKERound3Payload bobRound3Payload = bob.createRound3PayloadToSend(bobKeyingMaterial); - - System.out.println("************ Round 3 **************"); - System.out.println("Alice sends to Bob: "); - System.out.println("MacTag=" + aliceRound3Payload.getMacTag().toString(16)); - System.out.println(""); - System.out.println("Bob sends to Alice: "); - System.out.println("MacTag=" + bobRound3Payload.getMacTag().toString(16)); - System.out.println(""); - - /* - * Each participant must then validate the received payload for round 3 - */ - - alice.validateRound3PayloadReceived(bobRound3Payload, aliceKeyingMaterial); - System.out.println("Alice checks MacTag: OK\n"); - - bob.validateRound3PayloadReceived(aliceRound3Payload, bobKeyingMaterial); - System.out.println("Bob checks MacTag: OK\n"); - - System.out.println(); - System.out.println("MacTags validated, therefore the keying material matches."); - } - - private static BigInteger deriveSessionKey(BigInteger keyingMaterial) - { - /* - * You should use a secure key derivation function (KDF) to derive the session key. - * - * For the purposes of this example, I'm just going to use a hash of the keying material. - */ - SHA256Digest digest = new SHA256Digest(); - - byte[] keyByteArray = keyingMaterial.toByteArray(); - - byte[] output = new byte[digest.getDigestSize()]; - - digest.update(keyByteArray, 0, keyByteArray.length); - - digest.doFinal(output, 0); - - return new BigInteger(output); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/BaseKDFBytesGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/BaseKDFBytesGenerator.java deleted file mode 100644 index b284a931..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/BaseKDFBytesGenerator.java +++ /dev/null @@ -1,143 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.DerivationParameters; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.DigestDerivationFunction; -import org.bouncycastle.crypto.params.ISO18033KDFParameters; -import org.bouncycastle.crypto.params.KDFParameters; -import org.bouncycastle.util.Pack; - -/** - * Basic KDF generator for derived keys and ivs as defined by IEEE P1363a/ISO - * 18033 <br> - * This implementation is based on ISO 18033/P1363a. - */ -public class BaseKDFBytesGenerator - implements DigestDerivationFunction -{ - private int counterStart; - private Digest digest; - private byte[] shared; - private byte[] iv; - - /** - * Construct a KDF Parameters generator. - * <p> - * - * @param counterStart - * value of counter. - * @param digest - * the digest to be used as the source of derived keys. - */ - protected BaseKDFBytesGenerator(int counterStart, Digest digest) - { - this.counterStart = counterStart; - this.digest = digest; - } - - public void init(DerivationParameters param) - { - if (param instanceof KDFParameters) - { - KDFParameters p = (KDFParameters)param; - - shared = p.getSharedSecret(); - iv = p.getIV(); - } - else if (param instanceof ISO18033KDFParameters) - { - ISO18033KDFParameters p = (ISO18033KDFParameters)param; - - shared = p.getSeed(); - iv = null; - } - else - { - throw new IllegalArgumentException("KDF parameters required for KDF2Generator"); - } - } - - /** - * return the underlying digest. - */ - public Digest getDigest() - { - return digest; - } - - /** - * fill len bytes of the output buffer with bytes generated from the - * derivation function. - * - * @throws IllegalArgumentException - * if the size of the request will cause an overflow. - * @throws DataLengthException - * if the out buffer is too small. - */ - public int generateBytes(byte[] out, int outOff, int len) throws DataLengthException, - IllegalArgumentException - { - if ((out.length - len) < outOff) - { - throw new DataLengthException("output buffer too small"); - } - - long oBytes = len; - int outLen = digest.getDigestSize(); - - // - // this is at odds with the standard implementation, the - // maximum value should be hBits * (2^32 - 1) where hBits - // is the digest output size in bits. We can't have an - // array with a long index at the moment... - // - if (oBytes > ((2L << 32) - 1)) - { - throw new IllegalArgumentException("Output length too large"); - } - - int cThreshold = (int)((oBytes + outLen - 1) / outLen); - - byte[] dig = new byte[digest.getDigestSize()]; - - byte[] C = new byte[4]; - Pack.intToBigEndian(counterStart, C, 0); - - int counterBase = counterStart & ~0xFF; - - for (int i = 0; i < cThreshold; i++) - { - digest.update(shared, 0, shared.length); - digest.update(C, 0, C.length); - - if (iv != null) - { - digest.update(iv, 0, iv.length); - } - - digest.doFinal(dig, 0); - - if (len > outLen) - { - System.arraycopy(dig, 0, out, outOff, outLen); - outOff += outLen; - len -= outLen; - } - else - { - System.arraycopy(dig, 0, out, outOff, len); - } - - if (++C[3] == 0) - { - counterBase += 0x100; - Pack.intToBigEndian(counterBase, C, 0); - } - } - - digest.reset(); - - return (int)oBytes; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/CramerShoupKeyPairGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/CramerShoupKeyPairGenerator.java deleted file mode 100644 index 8fcdf858..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/CramerShoupKeyPairGenerator.java +++ /dev/null @@ -1,63 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.AsymmetricCipherKeyPair; -import org.bouncycastle.crypto.AsymmetricCipherKeyPairGenerator; -import org.bouncycastle.crypto.KeyGenerationParameters; -import org.bouncycastle.crypto.params.CramerShoupKeyGenerationParameters; -import org.bouncycastle.crypto.params.CramerShoupParameters; -import org.bouncycastle.crypto.params.CramerShoupPrivateKeyParameters; -import org.bouncycastle.crypto.params.CramerShoupPublicKeyParameters; -import org.bouncycastle.util.BigIntegers; - -/** - * a Cramer Shoup key pair generator - * - */ -public class CramerShoupKeyPairGenerator implements AsymmetricCipherKeyPairGenerator { - - private static final BigInteger ONE = BigInteger.valueOf(1); - - private CramerShoupKeyGenerationParameters param; - - public void init(KeyGenerationParameters param) { - this.param = (CramerShoupKeyGenerationParameters) param; - } - - public AsymmetricCipherKeyPair generateKeyPair() { - CramerShoupParameters csParams = param.getParameters(); - - CramerShoupPrivateKeyParameters sk = generatePrivateKey(param.getRandom(), csParams); - CramerShoupPublicKeyParameters pk = calculatePublicKey(csParams, sk); - sk.setPk(pk); - - return new AsymmetricCipherKeyPair(pk, sk); - } - - private BigInteger generateRandomElement(BigInteger p, SecureRandom random) { - return BigIntegers.createRandomInRange(ONE, p.subtract(ONE), random); - } - - private CramerShoupPrivateKeyParameters generatePrivateKey(SecureRandom random, CramerShoupParameters csParams){ - BigInteger p = csParams.getP(); - CramerShoupPrivateKeyParameters key = new CramerShoupPrivateKeyParameters(csParams, - generateRandomElement(p, random), generateRandomElement(p, random), - generateRandomElement(p, random), generateRandomElement(p, random), - generateRandomElement(p, random)); - return key; - } - - private CramerShoupPublicKeyParameters calculatePublicKey(CramerShoupParameters csParams, CramerShoupPrivateKeyParameters sk) { - BigInteger g1 = csParams.getG1(); - BigInteger g2 = csParams.getG2(); - BigInteger p = csParams.getP(); - - BigInteger c = g1.modPow(sk.getX1(), p).multiply(g2.modPow(sk.getX2(), p)); - BigInteger d = g1.modPow(sk.getY1(), p).multiply(g2.modPow(sk.getY2(), p)); - BigInteger h = g1.modPow(sk.getZ(), p); - - return new CramerShoupPublicKeyParameters(csParams, c, d, h); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/CramerShoupParametersGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/CramerShoupParametersGenerator.java deleted file mode 100644 index 4788a8ca..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/CramerShoupParametersGenerator.java +++ /dev/null @@ -1,123 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.digests.SHA256Digest; -import org.bouncycastle.crypto.params.CramerShoupParameters; -import org.bouncycastle.crypto.params.DHParameters; -import org.bouncycastle.util.BigIntegers; - -public class CramerShoupParametersGenerator -{ - private static final BigInteger ONE = BigInteger.valueOf(1); - - private int size; - private int certainty; - private SecureRandom random; - - /** - * Initialise the parameters generator. - * - * @param size bit length for the prime p - * @param certainty a measure of the uncertainty that the caller is willing to tolerate: - * the probability that the generated modulus is prime exceeds (1 - 1/2^certainty). - * The execution time of this method is proportional to the value of this parameter. - * @param random a source of randomness - */ - public void init(int size, int certainty, SecureRandom random) - { - this.size = size; - this.certainty = certainty; - this.random = random; - } - - /** - * which generates the p and g values from the given parameters, returning - * the CramerShoupParameters object. - * <p/> - * Note: can take a while... - */ - public CramerShoupParameters generateParameters() - { - // - // find a safe prime p where p = 2*q + 1, where p and q are prime. - // - BigInteger[] safePrimes = ParametersHelper.generateSafePrimes(size, certainty, random); - -// BigInteger p = safePrimes[0]; - BigInteger q = safePrimes[1]; - BigInteger g1 = ParametersHelper.selectGenerator(q, random); - BigInteger g2 = ParametersHelper.selectGenerator(q, random); - while (g1.equals(g2)) - { - g2 = ParametersHelper.selectGenerator(q, random); - } - - return new CramerShoupParameters(q, g1, g2, new SHA256Digest()); - } - - public CramerShoupParameters generateParameters(DHParameters dhParams) - { - BigInteger p = dhParams.getP(); - BigInteger g1 = dhParams.getG(); - - // now we just need a second generator - BigInteger g2 = ParametersHelper.selectGenerator(p, random); - while (g1.equals(g2)) - { - g2 = ParametersHelper.selectGenerator(p, random); - } - - return new CramerShoupParameters(p, g1, g2, new SHA256Digest()); - } - - private static class ParametersHelper - { - - private static final BigInteger TWO = BigInteger.valueOf(2); - - /* - * Finds a pair of prime BigInteger's {p, q: p = 2q + 1} - * - * (see: Handbook of Applied Cryptography 4.86) - */ - static BigInteger[] generateSafePrimes(int size, int certainty, SecureRandom random) - { - BigInteger p, q; - int qLength = size - 1; - - for (; ; ) - { - q = new BigInteger(qLength, 2, random); - p = q.shiftLeft(1).add(ONE); - if (p.isProbablePrime(certainty) && (certainty <= 2 || q.isProbablePrime(certainty))) - { - break; - } - } - - return new BigInteger[]{p, q}; - } - - static BigInteger selectGenerator(BigInteger p, SecureRandom random) - { - BigInteger pMinusTwo = p.subtract(TWO); - BigInteger g; - - /* - * RFC 2631 2.2.1.2 (and see: Handbook of Applied Cryptography 4.81) - */ - do - { - BigInteger h = BigIntegers.createRandomInRange(TWO, pMinusTwo, random); - - g = h.modPow(TWO, p); - } - while (g.equals(ONE)); - - return g; - } - } - -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/DESKeyGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/DESKeyGenerator.java deleted file mode 100644 index 7111118b..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/DESKeyGenerator.java +++ /dev/null @@ -1,48 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import org.bouncycastle.crypto.CipherKeyGenerator; -import org.bouncycastle.crypto.KeyGenerationParameters; -import org.bouncycastle.crypto.params.DESParameters; - -public class DESKeyGenerator - extends CipherKeyGenerator -{ - /** - * initialise the key generator - if strength is set to zero - * the key generated will be 64 bits in size, otherwise - * strength can be 64 or 56 bits (if you don't count the parity bits). - * - * @param param the parameters to be used for key generation - */ - public void init( - KeyGenerationParameters param) - { - super.init(param); - - if (strength == 0 || strength == (56 / 8)) - { - strength = DESParameters.DES_KEY_LENGTH; - } - else if (strength != DESParameters.DES_KEY_LENGTH) - { - throw new IllegalArgumentException("DES key must be " - + (DESParameters.DES_KEY_LENGTH * 8) - + " bits long."); - } - } - - public byte[] generateKey() - { - byte[] newKey = new byte[DESParameters.DES_KEY_LENGTH]; - - do - { - random.nextBytes(newKey); - - DESParameters.setOddParity(newKey); - } - while (DESParameters.isWeakKey(newKey, 0)); - - return newKey; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/DESedeKeyGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/DESedeKeyGenerator.java deleted file mode 100644 index 3cab983d..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/DESedeKeyGenerator.java +++ /dev/null @@ -1,56 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import org.bouncycastle.crypto.KeyGenerationParameters; -import org.bouncycastle.crypto.params.DESedeParameters; - -public class DESedeKeyGenerator - extends DESKeyGenerator -{ - /** - * initialise the key generator - if strength is set to zero - * the key generated will be 192 bits in size, otherwise - * strength can be 128 or 192 (or 112 or 168 if you don't count - * parity bits), depending on whether you wish to do 2-key or 3-key - * triple DES. - * - * @param param the parameters to be used for key generation - */ - public void init( - KeyGenerationParameters param) - { - this.random = param.getRandom(); - this.strength = (param.getStrength() + 7) / 8; - - if (strength == 0 || strength == (168 / 8)) - { - strength = DESedeParameters.DES_EDE_KEY_LENGTH; - } - else if (strength == (112 / 8)) - { - strength = 2 * DESedeParameters.DES_KEY_LENGTH; - } - else if (strength != DESedeParameters.DES_EDE_KEY_LENGTH - && strength != (2 * DESedeParameters.DES_KEY_LENGTH)) - { - throw new IllegalArgumentException("DESede key must be " - + (DESedeParameters.DES_EDE_KEY_LENGTH * 8) + " or " - + (2 * 8 * DESedeParameters.DES_KEY_LENGTH) - + " bits long."); - } - } - - public byte[] generateKey() - { - byte[] newKey = new byte[strength]; - - do - { - random.nextBytes(newKey); - - DESedeParameters.setOddParity(newKey); - } - while (DESedeParameters.isWeakKey(newKey, 0, newKey.length)); - - return newKey; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/DHBasicKeyPairGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/DHBasicKeyPairGenerator.java deleted file mode 100644 index f93428ef..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/DHBasicKeyPairGenerator.java +++ /dev/null @@ -1,42 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import org.bouncycastle.crypto.AsymmetricCipherKeyPair; -import org.bouncycastle.crypto.AsymmetricCipherKeyPairGenerator; -import org.bouncycastle.crypto.KeyGenerationParameters; -import org.bouncycastle.crypto.params.DHKeyGenerationParameters; -import org.bouncycastle.crypto.params.DHParameters; -import org.bouncycastle.crypto.params.DHPrivateKeyParameters; -import org.bouncycastle.crypto.params.DHPublicKeyParameters; - -import java.math.BigInteger; - -/** - * a basic Diffie-Hellman key pair generator. - * - * This generates keys consistent for use with the basic algorithm for - * Diffie-Hellman. - */ -public class DHBasicKeyPairGenerator - implements AsymmetricCipherKeyPairGenerator -{ - private DHKeyGenerationParameters param; - - public void init( - KeyGenerationParameters param) - { - this.param = (DHKeyGenerationParameters)param; - } - - public AsymmetricCipherKeyPair generateKeyPair() - { - DHKeyGeneratorHelper helper = DHKeyGeneratorHelper.INSTANCE; - DHParameters dhp = param.getParameters(); - - BigInteger x = helper.calculatePrivate(dhp, param.getRandom()); - BigInteger y = helper.calculatePublic(dhp, x); - - return new AsymmetricCipherKeyPair( - new DHPublicKeyParameters(y, dhp), - new DHPrivateKeyParameters(x, dhp)); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/DHKeyGeneratorHelper.java b/core/src/main/java/org/bouncycastle/crypto/generators/DHKeyGeneratorHelper.java deleted file mode 100644 index 6795ec96..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/DHKeyGeneratorHelper.java +++ /dev/null @@ -1,67 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.params.DHParameters; -import org.bouncycastle.math.ec.WNafUtil; -import org.bouncycastle.util.BigIntegers; - -class DHKeyGeneratorHelper -{ - static final DHKeyGeneratorHelper INSTANCE = new DHKeyGeneratorHelper(); - - private static final BigInteger ONE = BigInteger.valueOf(1); - private static final BigInteger TWO = BigInteger.valueOf(2); - - private DHKeyGeneratorHelper() - { - } - - BigInteger calculatePrivate(DHParameters dhParams, SecureRandom random) - { - int limit = dhParams.getL(); - - if (limit != 0) - { - int minWeight = limit >>> 2; - for (;;) - { - BigInteger x = new BigInteger(limit, random).setBit(limit - 1); - if (WNafUtil.getNafWeight(x) >= minWeight) - { - return x; - } - } - } - - BigInteger min = TWO; - int m = dhParams.getM(); - if (m != 0) - { - min = ONE.shiftLeft(m - 1); - } - - BigInteger q = dhParams.getQ(); - if (q == null) - { - q = dhParams.getP(); - } - BigInteger max = q.subtract(TWO); - - int minWeight = max.bitLength() >>> 2; - for (;;) - { - BigInteger x = BigIntegers.createRandomInRange(min, max, random); - if (WNafUtil.getNafWeight(x) >= minWeight) - { - return x; - } - } - } - - BigInteger calculatePublic(DHParameters dhParams, BigInteger x) - { - return dhParams.getG().modPow(x, dhParams.getP()); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/DHKeyPairGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/DHKeyPairGenerator.java deleted file mode 100644 index d07ca80d..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/DHKeyPairGenerator.java +++ /dev/null @@ -1,42 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import org.bouncycastle.crypto.AsymmetricCipherKeyPair; -import org.bouncycastle.crypto.AsymmetricCipherKeyPairGenerator; -import org.bouncycastle.crypto.KeyGenerationParameters; -import org.bouncycastle.crypto.params.DHKeyGenerationParameters; -import org.bouncycastle.crypto.params.DHParameters; -import org.bouncycastle.crypto.params.DHPrivateKeyParameters; -import org.bouncycastle.crypto.params.DHPublicKeyParameters; - -import java.math.BigInteger; - -/** - * a Diffie-Hellman key pair generator. - * - * This generates keys consistent for use in the MTI/A0 key agreement protocol - * as described in "Handbook of Applied Cryptography", Pages 516-519. - */ -public class DHKeyPairGenerator - implements AsymmetricCipherKeyPairGenerator -{ - private DHKeyGenerationParameters param; - - public void init( - KeyGenerationParameters param) - { - this.param = (DHKeyGenerationParameters)param; - } - - public AsymmetricCipherKeyPair generateKeyPair() - { - DHKeyGeneratorHelper helper = DHKeyGeneratorHelper.INSTANCE; - DHParameters dhp = param.getParameters(); - - BigInteger x = helper.calculatePrivate(dhp, param.getRandom()); - BigInteger y = helper.calculatePublic(dhp, x); - - return new AsymmetricCipherKeyPair( - new DHPublicKeyParameters(y, dhp), - new DHPrivateKeyParameters(x, dhp)); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/DHParametersGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/DHParametersGenerator.java deleted file mode 100644 index f5d42642..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/DHParametersGenerator.java +++ /dev/null @@ -1,52 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import org.bouncycastle.crypto.params.DHParameters; - -import java.math.BigInteger; -import java.security.SecureRandom; - -public class DHParametersGenerator -{ - private int size; - private int certainty; - private SecureRandom random; - - private static final BigInteger TWO = BigInteger.valueOf(2); - - /** - * Initialise the parameters generator. - * - * @param size bit length for the prime p - * @param certainty level of certainty for the prime number tests - * @param random a source of randomness - */ - public void init( - int size, - int certainty, - SecureRandom random) - { - this.size = size; - this.certainty = certainty; - this.random = random; - } - - /** - * which generates the p and g values from the given parameters, - * returning the DHParameters object. - * <p> - * Note: can take a while... - */ - public DHParameters generateParameters() - { - // - // find a safe prime p where p = 2*q + 1, where p and q are prime. - // - BigInteger[] safePrimes = DHParametersHelper.generateSafePrimes(size, certainty, random); - - BigInteger p = safePrimes[0]; - BigInteger q = safePrimes[1]; - BigInteger g = DHParametersHelper.selectGenerator(p, q, random); - - return new DHParameters(p, g, q, TWO, null); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/DHParametersHelper.java b/core/src/main/java/org/bouncycastle/crypto/generators/DHParametersHelper.java deleted file mode 100644 index dc0a5ae1..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/DHParametersHelper.java +++ /dev/null @@ -1,93 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.math.ec.WNafUtil; -import org.bouncycastle.util.BigIntegers; - -class DHParametersHelper -{ - private static final BigInteger ONE = BigInteger.valueOf(1); - private static final BigInteger TWO = BigInteger.valueOf(2); - - /* - * Finds a pair of prime BigInteger's {p, q: p = 2q + 1} - * - * (see: Handbook of Applied Cryptography 4.86) - */ - static BigInteger[] generateSafePrimes(int size, int certainty, SecureRandom random) - { - BigInteger p, q; - int qLength = size - 1; - int minWeight = size >>> 2; - - for (;;) - { - q = new BigInteger(qLength, 2, random); - - // p <- 2q + 1 - p = q.shiftLeft(1).add(ONE); - - if (!p.isProbablePrime(certainty)) - { - continue; - } - - if (certainty > 2 && !q.isProbablePrime(certainty - 2)) - { - continue; - } - - /* - * Require a minimum weight of the NAF representation, since low-weight primes may be - * weak against a version of the number-field-sieve for the discrete-logarithm-problem. - * - * See "The number field sieve for integers of low weight", Oliver Schirokauer. - */ - if (WNafUtil.getNafWeight(p) < minWeight) - { - continue; - } - - break; - } - - return new BigInteger[] { p, q }; - } - - /* - * Select a high order element of the multiplicative group Zp* - * - * p and q must be s.t. p = 2*q + 1, where p and q are prime (see generateSafePrimes) - */ - static BigInteger selectGenerator(BigInteger p, BigInteger q, SecureRandom random) - { - BigInteger pMinusTwo = p.subtract(TWO); - BigInteger g; - - /* - * (see: Handbook of Applied Cryptography 4.80) - */ -// do -// { -// g = BigIntegers.createRandomInRange(TWO, pMinusTwo, random); -// } -// while (g.modPow(TWO, p).equals(ONE) || g.modPow(q, p).equals(ONE)); - - - /* - * RFC 2631 2.2.1.2 (and see: Handbook of Applied Cryptography 4.81) - */ - do - { - BigInteger h = BigIntegers.createRandomInRange(TWO, pMinusTwo, random); - - g = h.modPow(TWO, p); - } - while (g.equals(ONE)); - - - return g; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/DSAKeyPairGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/DSAKeyPairGenerator.java deleted file mode 100644 index ff3df358..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/DSAKeyPairGenerator.java +++ /dev/null @@ -1,69 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.AsymmetricCipherKeyPair; -import org.bouncycastle.crypto.AsymmetricCipherKeyPairGenerator; -import org.bouncycastle.crypto.KeyGenerationParameters; -import org.bouncycastle.crypto.params.DSAKeyGenerationParameters; -import org.bouncycastle.crypto.params.DSAParameters; -import org.bouncycastle.crypto.params.DSAPrivateKeyParameters; -import org.bouncycastle.crypto.params.DSAPublicKeyParameters; -import org.bouncycastle.math.ec.WNafUtil; -import org.bouncycastle.util.BigIntegers; - -/** - * a DSA key pair generator. - * - * This generates DSA keys in line with the method described - * in <i>FIPS 186-3 B.1 FFC Key Pair Generation</i>. - */ -public class DSAKeyPairGenerator - implements AsymmetricCipherKeyPairGenerator -{ - private static final BigInteger ONE = BigInteger.valueOf(1); - - private DSAKeyGenerationParameters param; - - public void init( - KeyGenerationParameters param) - { - this.param = (DSAKeyGenerationParameters)param; - } - - public AsymmetricCipherKeyPair generateKeyPair() - { - DSAParameters dsaParams = param.getParameters(); - - BigInteger x = generatePrivateKey(dsaParams.getQ(), param.getRandom()); - BigInteger y = calculatePublicKey(dsaParams.getP(), dsaParams.getG(), x); - - return new AsymmetricCipherKeyPair( - new DSAPublicKeyParameters(y, dsaParams), - new DSAPrivateKeyParameters(x, dsaParams)); - } - - private static BigInteger generatePrivateKey(BigInteger q, SecureRandom random) - { - // B.1.2 Key Pair Generation by Testing Candidates - int minWeight = q.bitLength() >>> 2; - for (;;) - { - // TODO Prefer this method? (change test cases that used fixed random) - // B.1.1 Key Pair Generation Using Extra Random Bits -// BigInteger x = new BigInteger(q.bitLength() + 64, random).mod(q.subtract(ONE)).add(ONE); - - BigInteger x = BigIntegers.createRandomInRange(ONE, q.subtract(ONE), random); - if (WNafUtil.getNafWeight(x) >= minWeight) - { - return x; - } - } - } - - private static BigInteger calculatePublicKey(BigInteger p, BigInteger g, BigInteger x) - { - return g.modPow(x, p); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/DSAParametersGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/DSAParametersGenerator.java deleted file mode 100644 index fe98b7c8..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/DSAParametersGenerator.java +++ /dev/null @@ -1,387 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.digests.SHA1Digest; -import org.bouncycastle.crypto.params.DSAParameterGenerationParameters; -import org.bouncycastle.crypto.params.DSAParameters; -import org.bouncycastle.crypto.params.DSAValidationParameters; -import org.bouncycastle.util.Arrays; -import org.bouncycastle.util.BigIntegers; -import org.bouncycastle.util.encoders.Hex; - -/** - * Generate suitable parameters for DSA, in line with FIPS 186-2, or FIPS 186-3. - */ -public class DSAParametersGenerator -{ - private Digest digest; - private int L, N; - private int certainty; - private SecureRandom random; - - private static final BigInteger ZERO = BigInteger.valueOf(0); - private static final BigInteger ONE = BigInteger.valueOf(1); - private static final BigInteger TWO = BigInteger.valueOf(2); - - private boolean use186_3; - private int usageIndex; - - public DSAParametersGenerator() - { - this(new SHA1Digest()); - } - - public DSAParametersGenerator(Digest digest) - { - this.digest = digest; - } - - /** - * initialise the key generator. - * - * @param size size of the key (range 2^512 -> 2^1024 - 64 bit increments) - * @param certainty measure of robustness of prime (for FIPS 186-2 compliance this should be at least 80). - * @param random random byte source. - */ - public void init( - int size, - int certainty, - SecureRandom random) - { - this.use186_3 = false; - this.L = size; - this.N = getDefaultN(size); - this.certainty = certainty; - this.random = random; - } - - /** - * Initialise the key generator for DSA 2. - * <p> - * Use this init method if you need to generate parameters for DSA 2 keys. - * </p> - * - * @param params DSA 2 key generation parameters. - */ - public void init( - DSAParameterGenerationParameters params) - { - // TODO Should we enforce the minimum 'certainty' values as per C.3 Table C.1? - this.use186_3 = true; - this.L = params.getL(); - this.N = params.getN(); - this.certainty = params.getCertainty(); - this.random = params.getRandom(); - this.usageIndex = params.getUsageIndex(); - - if ((L < 1024 || L > 3072) || L % 1024 != 0) - { - throw new IllegalArgumentException("L values must be between 1024 and 3072 and a multiple of 1024"); - } - else if (L == 1024 && N != 160) - { - throw new IllegalArgumentException("N must be 160 for L = 1024"); - } - else if (L == 2048 && (N != 224 && N != 256)) - { - throw new IllegalArgumentException("N must be 224 or 256 for L = 2048"); - } - else if (L == 3072 && N != 256) - { - throw new IllegalArgumentException("N must be 256 for L = 3072"); - } - - if (digest.getDigestSize() * 8 < N) - { - throw new IllegalStateException("Digest output size too small for value of N"); - } - } - - /** - * which generates the p and g values from the given parameters, - * returning the DSAParameters object. - * <p> - * Note: can take a while... - */ - public DSAParameters generateParameters() - { - return (use186_3) - ? generateParameters_FIPS186_3() - : generateParameters_FIPS186_2(); - } - - private DSAParameters generateParameters_FIPS186_2() - { - byte[] seed = new byte[20]; - byte[] part1 = new byte[20]; - byte[] part2 = new byte[20]; - byte[] u = new byte[20]; - int n = (L - 1) / 160; - byte[] w = new byte[L / 8]; - - if (!(digest instanceof SHA1Digest)) - { - throw new IllegalStateException("can only use SHA-1 for generating FIPS 186-2 parameters"); - } - - for (;;) - { - random.nextBytes(seed); - - hash(digest, seed, part1); - System.arraycopy(seed, 0, part2, 0, seed.length); - inc(part2); - hash(digest, part2, part2); - - for (int i = 0; i != u.length; i++) - { - u[i] = (byte)(part1[i] ^ part2[i]); - } - - u[0] |= (byte)0x80; - u[19] |= (byte)0x01; - - BigInteger q = new BigInteger(1, u); - - if (!q.isProbablePrime(certainty)) - { - continue; - } - - byte[] offset = Arrays.clone(seed); - inc(offset); - - for (int counter = 0; counter < 4096; ++counter) - { - for (int k = 0; k < n; k++) - { - inc(offset); - hash(digest, offset, part1); - System.arraycopy(part1, 0, w, w.length - (k + 1) * part1.length, part1.length); - } - - inc(offset); - hash(digest, offset, part1); - System.arraycopy(part1, part1.length - ((w.length - (n) * part1.length)), w, 0, w.length - n * part1.length); - - w[0] |= (byte)0x80; - - BigInteger x = new BigInteger(1, w); - - BigInteger c = x.mod(q.shiftLeft(1)); - - BigInteger p = x.subtract(c.subtract(ONE)); - - if (p.bitLength() != L) - { - continue; - } - - if (p.isProbablePrime(certainty)) - { - BigInteger g = calculateGenerator_FIPS186_2(p, q, random); - - return new DSAParameters(p, q, g, new DSAValidationParameters(seed, counter)); - } - } - } - } - - private static BigInteger calculateGenerator_FIPS186_2(BigInteger p, BigInteger q, SecureRandom r) - { - BigInteger e = p.subtract(ONE).divide(q); - BigInteger pSub2 = p.subtract(TWO); - - for (;;) - { - BigInteger h = BigIntegers.createRandomInRange(TWO, pSub2, r); - BigInteger g = h.modPow(e, p); - if (g.bitLength() > 1) - { - return g; - } - } - } - - /** - * generate suitable parameters for DSA, in line with - * <i>FIPS 186-3 A.1 Generation of the FFC Primes p and q</i>. - */ - private DSAParameters generateParameters_FIPS186_3() - { -// A.1.1.2 Generation of the Probable Primes p and q Using an Approved Hash Function - // FIXME This should be configurable (digest size in bits must be >= N) - Digest d = digest; - int outlen = d.getDigestSize() * 8; - -// 1. Check that the (L, N) pair is in the list of acceptable (L, N pairs) (see Section 4.2). If -// the pair is not in the list, then return INVALID. - // Note: checked at initialisation - -// 2. If (seedlen < N), then return INVALID. - // FIXME This should be configurable (must be >= N) - int seedlen = N; - byte[] seed = new byte[seedlen / 8]; - -// 3. n = ceiling(L / outlen) - 1. - int n = (L - 1) / outlen; - -// 4. b = L - 1 - (n * outlen). - int b = (L - 1) % outlen; - - byte[] output = new byte[d.getDigestSize()]; - for (;;) - { -// 5. Get an arbitrary sequence of seedlen bits as the domain_parameter_seed. - random.nextBytes(seed); - -// 6. U = Hash (domain_parameter_seed) mod 2^(N–1). - hash(d, seed, output); - - BigInteger U = new BigInteger(1, output).mod(ONE.shiftLeft(N - 1)); - -// 7. q = 2^(N–1) + U + 1 – ( U mod 2). - BigInteger q = ONE.shiftLeft(N - 1).add(U).add(ONE).subtract(U.mod(TWO)); - -// 8. Test whether or not q is prime as specified in Appendix C.3. - // TODO Review C.3 for primality checking - if (!q.isProbablePrime(certainty)) - { -// 9. If q is not a prime, then go to step 5. - continue; - } - -// 10. offset = 1. - // Note: 'offset' value managed incrementally - byte[] offset = Arrays.clone(seed); - -// 11. For counter = 0 to (4L – 1) do - int counterLimit = 4 * L; - for (int counter = 0; counter < counterLimit; ++counter) - { -// 11.1 For j = 0 to n do -// Vj = Hash ((domain_parameter_seed + offset + j) mod 2^seedlen). -// 11.2 W = V0 + (V1 ∗ 2^outlen) + ... + (V^(n–1) ∗ 2^((n–1) ∗ outlen)) + ((Vn mod 2^b) ∗ 2^(n ∗ outlen)). - // TODO Assemble w as a byte array - BigInteger W = ZERO; - for (int j = 0, exp = 0; j <= n; ++j, exp += outlen) - { - inc(offset); - hash(d, offset, output); - - BigInteger Vj = new BigInteger(1, output); - if (j == n) - { - Vj = Vj.mod(ONE.shiftLeft(b)); - } - - W = W.add(Vj.shiftLeft(exp)); - } - -// 11.3 X = W + 2^(L–1). Comment: 0 ≤ W < 2L–1; hence, 2L–1 ≤ X < 2L. - BigInteger X = W.add(ONE.shiftLeft(L - 1)); - -// 11.4 c = X mod 2q. - BigInteger c = X.mod(q.shiftLeft(1)); - -// 11.5 p = X - (c - 1). Comment: p ≡ 1 (mod 2q). - BigInteger p = X.subtract(c.subtract(ONE)); - -// 11.6 If (p < 2^(L - 1)), then go to step 11.9 - if (p.bitLength() != L) - { - continue; - } - -// 11.7 Test whether or not p is prime as specified in Appendix C.3. - // TODO Review C.3 for primality checking - if (p.isProbablePrime(certainty)) - { -// 11.8 If p is determined to be prime, then return VALID and the values of p, q and -// (optionally) the values of domain_parameter_seed and counter. - if (usageIndex >= 0) - { - BigInteger g = calculateGenerator_FIPS186_3_Verifiable(d, p, q, seed, usageIndex); - if (g != null) - { - return new DSAParameters(p, q, g, new DSAValidationParameters(seed, counter, usageIndex)); - } - } - - BigInteger g = calculateGenerator_FIPS186_3_Unverifiable(p, q, random); - - return new DSAParameters(p, q, g, new DSAValidationParameters(seed, counter)); - } - -// 11.9 offset = offset + n + 1. Comment: Increment offset; then, as part of -// the loop in step 11, increment counter; if -// counter < 4L, repeat steps 11.1 through 11.8. - // Note: 'offset' value already incremented in inner loop - } -// 12. Go to step 5. - } - } - - private static BigInteger calculateGenerator_FIPS186_3_Unverifiable(BigInteger p, BigInteger q, - SecureRandom r) - { - return calculateGenerator_FIPS186_2(p, q, r); - } - - private static BigInteger calculateGenerator_FIPS186_3_Verifiable(Digest d, BigInteger p, BigInteger q, - byte[] seed, int index) - { -// A.2.3 Verifiable Canonical Generation of the Generator g - BigInteger e = p.subtract(ONE).divide(q); - byte[] ggen = Hex.decode("6767656E"); - - // 7. U = domain_parameter_seed || "ggen" || index || count. - byte[] U = new byte[seed.length + ggen.length + 1 + 2]; - System.arraycopy(seed, 0, U, 0, seed.length); - System.arraycopy(ggen, 0, U, seed.length, ggen.length); - U[U.length - 3] = (byte)index; - - byte[] w = new byte[d.getDigestSize()]; - for (int count = 1; count < (1 << 16); ++count) - { - inc(U); - hash(d, U, w); - BigInteger W = new BigInteger(1, w); - BigInteger g = W.modPow(e, p); - if (g.compareTo(TWO) >= 0) - { - return g; - } - } - - return null; - } - - private static void hash(Digest d, byte[] input, byte[] output) - { - d.update(input, 0, input.length); - d.doFinal(output, 0); - } - - private static int getDefaultN(int L) - { - return L > 1024 ? 256 : 160; - } - - private static void inc(byte[] buf) - { - for (int i = buf.length - 1; i >= 0; --i) - { - byte b = (byte)((buf[i] + 1) & 0xff); - buf[i] = b; - - if (b != 0) - { - break; - } - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/DSTU4145KeyPairGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/DSTU4145KeyPairGenerator.java deleted file mode 100644 index 3f931b2c..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/DSTU4145KeyPairGenerator.java +++ /dev/null @@ -1,21 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import org.bouncycastle.crypto.AsymmetricCipherKeyPair; -import org.bouncycastle.crypto.params.ECPrivateKeyParameters; -import org.bouncycastle.crypto.params.ECPublicKeyParameters; - -public class DSTU4145KeyPairGenerator - extends ECKeyPairGenerator -{ - public AsymmetricCipherKeyPair generateKeyPair() - { - AsymmetricCipherKeyPair pair = super.generateKeyPair(); - - ECPublicKeyParameters pub = (ECPublicKeyParameters)pair.getPublic(); - ECPrivateKeyParameters priv = (ECPrivateKeyParameters)pair.getPrivate(); - - pub = new ECPublicKeyParameters(pub.getQ().negate(), pub.getParameters()); - - return new AsymmetricCipherKeyPair(pub, priv); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/ECKeyPairGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/ECKeyPairGenerator.java deleted file mode 100644 index 4f46a38d..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/ECKeyPairGenerator.java +++ /dev/null @@ -1,84 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.AsymmetricCipherKeyPair; -import org.bouncycastle.crypto.AsymmetricCipherKeyPairGenerator; -import org.bouncycastle.crypto.KeyGenerationParameters; -import org.bouncycastle.crypto.params.ECDomainParameters; -import org.bouncycastle.crypto.params.ECKeyGenerationParameters; -import org.bouncycastle.crypto.params.ECPrivateKeyParameters; -import org.bouncycastle.crypto.params.ECPublicKeyParameters; -import org.bouncycastle.math.ec.ECConstants; -import org.bouncycastle.math.ec.ECMultiplier; -import org.bouncycastle.math.ec.ECPoint; -import org.bouncycastle.math.ec.FixedPointCombMultiplier; -import org.bouncycastle.math.ec.WNafUtil; - -public class ECKeyPairGenerator - implements AsymmetricCipherKeyPairGenerator, ECConstants -{ - ECDomainParameters params; - SecureRandom random; - - public void init( - KeyGenerationParameters param) - { - ECKeyGenerationParameters ecP = (ECKeyGenerationParameters)param; - - this.random = ecP.getRandom(); - this.params = ecP.getDomainParameters(); - - if (this.random == null) - { - this.random = new SecureRandom(); - } - } - - /** - * Given the domain parameters this routine generates an EC key - * pair in accordance with X9.62 section 5.2.1 pages 26, 27. - */ - public AsymmetricCipherKeyPair generateKeyPair() - { - BigInteger n = params.getN(); - int nBitLength = n.bitLength(); - int minWeight = nBitLength >>> 2; - - BigInteger d; - for (;;) - { - d = new BigInteger(nBitLength, random); - - if (d.compareTo(TWO) < 0 || (d.compareTo(n) >= 0)) - { - continue; - } - - /* - * Require a minimum weight of the NAF representation, since low-weight primes may be - * weak against a version of the number-field-sieve for the discrete-logarithm-problem. - * - * See "The number field sieve for integers of low weight", Oliver Schirokauer. - */ - if (WNafUtil.getNafWeight(d) < minWeight) - { - continue; - } - - break; - } - - ECPoint Q = createBasePointMultiplier().multiply(params.getG(), d); - - return new AsymmetricCipherKeyPair( - new ECPublicKeyParameters(Q, params), - new ECPrivateKeyParameters(d, params)); - } - - protected ECMultiplier createBasePointMultiplier() - { - return new FixedPointCombMultiplier(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/ElGamalKeyPairGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/ElGamalKeyPairGenerator.java deleted file mode 100644 index f23b6976..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/ElGamalKeyPairGenerator.java +++ /dev/null @@ -1,44 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import java.math.BigInteger; - -import org.bouncycastle.crypto.AsymmetricCipherKeyPair; -import org.bouncycastle.crypto.AsymmetricCipherKeyPairGenerator; -import org.bouncycastle.crypto.KeyGenerationParameters; -import org.bouncycastle.crypto.params.DHParameters; -import org.bouncycastle.crypto.params.ElGamalKeyGenerationParameters; -import org.bouncycastle.crypto.params.ElGamalParameters; -import org.bouncycastle.crypto.params.ElGamalPrivateKeyParameters; -import org.bouncycastle.crypto.params.ElGamalPublicKeyParameters; - -/** - * a ElGamal key pair generator. - * <p> - * This generates keys consistent for use with ElGamal as described in - * page 164 of "Handbook of Applied Cryptography". - */ -public class ElGamalKeyPairGenerator - implements AsymmetricCipherKeyPairGenerator -{ - private ElGamalKeyGenerationParameters param; - - public void init( - KeyGenerationParameters param) - { - this.param = (ElGamalKeyGenerationParameters)param; - } - - public AsymmetricCipherKeyPair generateKeyPair() - { - DHKeyGeneratorHelper helper = DHKeyGeneratorHelper.INSTANCE; - ElGamalParameters egp = param.getParameters(); - DHParameters dhp = new DHParameters(egp.getP(), egp.getG(), null, egp.getL()); - - BigInteger x = helper.calculatePrivate(dhp, param.getRandom()); - BigInteger y = helper.calculatePublic(dhp, x); - - return new AsymmetricCipherKeyPair( - new ElGamalPublicKeyParameters(y, egp), - new ElGamalPrivateKeyParameters(x, egp)); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/ElGamalParametersGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/ElGamalParametersGenerator.java deleted file mode 100644 index 21e8c2a0..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/ElGamalParametersGenerator.java +++ /dev/null @@ -1,43 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import org.bouncycastle.crypto.params.ElGamalParameters; - -import java.math.BigInteger; -import java.security.SecureRandom; - -public class ElGamalParametersGenerator -{ - private int size; - private int certainty; - private SecureRandom random; - - public void init( - int size, - int certainty, - SecureRandom random) - { - this.size = size; - this.certainty = certainty; - this.random = random; - } - - /** - * which generates the p and g values from the given parameters, - * returning the ElGamalParameters object. - * <p> - * Note: can take a while... - */ - public ElGamalParameters generateParameters() - { - // - // find a safe prime p where p = 2*q + 1, where p and q are prime. - // - BigInteger[] safePrimes = DHParametersHelper.generateSafePrimes(size, certainty, random); - - BigInteger p = safePrimes[0]; - BigInteger q = safePrimes[1]; - BigInteger g = DHParametersHelper.selectGenerator(p, q, random); - - return new ElGamalParameters(p, g); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/EphemeralKeyPairGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/EphemeralKeyPairGenerator.java deleted file mode 100644 index 1004f23e..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/EphemeralKeyPairGenerator.java +++ /dev/null @@ -1,26 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import org.bouncycastle.crypto.AsymmetricCipherKeyPair; -import org.bouncycastle.crypto.AsymmetricCipherKeyPairGenerator; -import org.bouncycastle.crypto.EphemeralKeyPair; -import org.bouncycastle.crypto.KeyEncoder; - -public class EphemeralKeyPairGenerator -{ - private AsymmetricCipherKeyPairGenerator gen; - private KeyEncoder keyEncoder; - - public EphemeralKeyPairGenerator(AsymmetricCipherKeyPairGenerator gen, KeyEncoder keyEncoder) - { - this.gen = gen; - this.keyEncoder = keyEncoder; - } - - public EphemeralKeyPair generate() - { - AsymmetricCipherKeyPair eph = gen.generateKeyPair(); - - // Encode the ephemeral public key - return new EphemeralKeyPair(eph, keyEncoder); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/GOST3410KeyPairGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/GOST3410KeyPairGenerator.java deleted file mode 100644 index 8948f931..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/GOST3410KeyPairGenerator.java +++ /dev/null @@ -1,74 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import org.bouncycastle.crypto.AsymmetricCipherKeyPair; -import org.bouncycastle.crypto.AsymmetricCipherKeyPairGenerator; -import org.bouncycastle.crypto.KeyGenerationParameters; -import org.bouncycastle.crypto.params.GOST3410KeyGenerationParameters; -import org.bouncycastle.crypto.params.GOST3410Parameters; -import org.bouncycastle.crypto.params.GOST3410PrivateKeyParameters; -import org.bouncycastle.crypto.params.GOST3410PublicKeyParameters; -import org.bouncycastle.math.ec.WNafUtil; - -import java.math.BigInteger; -import java.security.SecureRandom; - -/** - * a GOST3410 key pair generator. - * This generates GOST3410 keys in line with the method described - * in GOST R 34.10-94. - */ -public class GOST3410KeyPairGenerator - implements AsymmetricCipherKeyPairGenerator - { - private GOST3410KeyGenerationParameters param; - - public void init( - KeyGenerationParameters param) - { - this.param = (GOST3410KeyGenerationParameters)param; - } - - public AsymmetricCipherKeyPair generateKeyPair() - { - BigInteger p, q, a, x, y; - GOST3410Parameters GOST3410Params = param.getParameters(); - SecureRandom random = param.getRandom(); - - q = GOST3410Params.getQ(); - p = GOST3410Params.getP(); - a = GOST3410Params.getA(); - - int minWeight = 64; - for (;;) - { - x = new BigInteger(256, random); - - if (x.signum() < 1 || x.compareTo(q) >= 0) - { - continue; - } - - /* - * Require a minimum weight of the NAF representation, since low-weight primes may be - * weak against a version of the number-field-sieve for the discrete-logarithm-problem. - * - * See "The number field sieve for integers of low weight", Oliver Schirokauer. - */ - if (WNafUtil.getNafWeight(x) < minWeight) - { - continue; - } - - break; - } - - // - // calculate the public key. - // - y = a.modPow(x, p); - - return new AsymmetricCipherKeyPair( - new GOST3410PublicKeyParameters(y, GOST3410Params), - new GOST3410PrivateKeyParameters(x, GOST3410Params)); - } - } diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/GOST3410ParametersGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/GOST3410ParametersGenerator.java deleted file mode 100644 index 1c7cecf8..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/GOST3410ParametersGenerator.java +++ /dev/null @@ -1,541 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import org.bouncycastle.crypto.params.GOST3410Parameters; -import org.bouncycastle.crypto.params.GOST3410ValidationParameters; - -import java.math.BigInteger; -import java.security.SecureRandom; - -/** - * generate suitable parameters for GOST3410. - */ -public class GOST3410ParametersGenerator -{ - private int size; - private int typeproc; - private SecureRandom init_random; - - private static final BigInteger ONE = BigInteger.valueOf(1); - private static final BigInteger TWO = BigInteger.valueOf(2); - - /** - * initialise the key generator. - * - * @param size size of the key - * @param typeproc type procedure A,B = 1; A',B' - else - * @param random random byte source. - */ - public void init( - int size, - int typeproc, - SecureRandom random) - { - this.size = size; - this.typeproc = typeproc; - this.init_random = random; - } - - //Procedure A - private int procedure_A(int x0, int c, BigInteger[] pq, int size) - { - //Verify and perform condition: 0<x<2^16; 0<c<2^16; c - odd. - while(x0<0 || x0>65536) - { - x0 = init_random.nextInt()/32768; - } - - while((c<0 || c>65536) || (c/2==0)) - { - c = init_random.nextInt()/32768 + 1; - } - - BigInteger C = new BigInteger(Integer.toString(c)); - BigInteger constA16 = new BigInteger("19381"); - - //step1 - BigInteger[] y = new BigInteger[1]; // begin length = 1 - y[0] = new BigInteger(Integer.toString(x0)); - - //step 2 - int[] t = new int[1]; // t - orders; begin length = 1 - t[0] = size; - int s = 0; - for (int i=0; t[i]>=17; i++) - { - // extension array t - int tmp_t[] = new int[t.length + 1]; /////////////// - System.arraycopy(t,0,tmp_t,0,t.length); // extension - t = new int[tmp_t.length]; // array t - System.arraycopy(tmp_t, 0, t, 0, tmp_t.length); /////////////// - - t[i+1] = t[i]/2; - s = i+1; - } - - //step3 - BigInteger p[] = new BigInteger[s+1]; - p[s] = new BigInteger("8003",16); //set min prime number length 16 bit - - int m = s-1; //step4 - - for (int i=0; i<s; i++) - { - int rm = t[m]/16; //step5 - - step6: for(;;) - { - //step 6 - BigInteger tmp_y[] = new BigInteger[y.length]; //////////////// - System.arraycopy(y,0,tmp_y,0,y.length); // extension - y = new BigInteger[rm+1]; // array y - System.arraycopy(tmp_y,0,y,0,tmp_y.length); //////////////// - - for (int j=0; j<rm; j++) - { - y[j+1] = (y[j].multiply(constA16).add(C)).mod(TWO.pow(16)); - } - - //step 7 - BigInteger Ym = new BigInteger("0"); - for (int j=0; j<rm; j++) - { - Ym = Ym.add(y[j].multiply(TWO.pow(16*j))); - } - - y[0] = y[rm]; //step 8 - - //step 9 - BigInteger N = TWO.pow(t[m]-1).divide(p[m+1]). - add((TWO.pow(t[m]-1).multiply(Ym)). - divide(p[m+1].multiply(TWO.pow(16*rm)))); - - if (N.mod(TWO).compareTo(ONE)==0) - { - N = N.add(ONE); - } - - int k = 0; //step 10 - - step11: for(;;) - { - //step 11 - p[m] = p[m+1].multiply(N.add(BigInteger.valueOf(k))).add(ONE); - - if (p[m].compareTo(TWO.pow(t[m]))==1) - { - continue step6; //step 12 - } - - //step13 - if ((TWO.modPow(p[m+1].multiply(N.add(BigInteger.valueOf(k))),p[m]).compareTo(ONE)==0) && - (TWO.modPow(N.add(BigInteger.valueOf(k)),p[m]).compareTo(ONE)!=0)) - { - m -= 1; - break; - } - else - { - k += 2; - continue step11; - } - } - - if (m>=0) - { - break; //step 14 - } - else - { - pq[0] = p[0]; - pq[1] = p[1]; - return y[0].intValue(); //return for procedure B step 2 - } - } - } - return y[0].intValue(); - } - - //Procedure A' - private long procedure_Aa(long x0, long c, BigInteger[] pq, int size) - { - //Verify and perform condition: 0<x<2^32; 0<c<2^32; c - odd. - while(x0<0 || x0>4294967296L) - { - x0 = init_random.nextInt()*2; - } - - while((c<0 || c>4294967296L) || (c/2==0)) - { - c = init_random.nextInt()*2+1; - } - - BigInteger C = new BigInteger(Long.toString(c)); - BigInteger constA32 = new BigInteger("97781173"); - - //step1 - BigInteger[] y = new BigInteger[1]; // begin length = 1 - y[0] = new BigInteger(Long.toString(x0)); - - //step 2 - int[] t = new int[1]; // t - orders; begin length = 1 - t[0] = size; - int s = 0; - for (int i=0; t[i]>=33; i++) - { - // extension array t - int tmp_t[] = new int[t.length + 1]; /////////////// - System.arraycopy(t,0,tmp_t,0,t.length); // extension - t = new int[tmp_t.length]; // array t - System.arraycopy(tmp_t, 0, t, 0, tmp_t.length); /////////////// - - t[i+1] = t[i]/2; - s = i+1; - } - - //step3 - BigInteger p[] = new BigInteger[s+1]; - p[s] = new BigInteger("8000000B",16); //set min prime number length 32 bit - - int m = s-1; //step4 - - for (int i=0; i<s; i++) - { - int rm = t[m]/32; //step5 - - step6: for(;;) - { - //step 6 - BigInteger tmp_y[] = new BigInteger[y.length]; //////////////// - System.arraycopy(y,0,tmp_y,0,y.length); // extension - y = new BigInteger[rm+1]; // array y - System.arraycopy(tmp_y,0,y,0,tmp_y.length); //////////////// - - for (int j=0; j<rm; j++) - { - y[j+1] = (y[j].multiply(constA32).add(C)).mod(TWO.pow(32)); - } - - //step 7 - BigInteger Ym = new BigInteger("0"); - for (int j=0; j<rm; j++) - { - Ym = Ym.add(y[j].multiply(TWO.pow(32*j))); - } - - y[0] = y[rm]; //step 8 - - //step 9 - BigInteger N = TWO.pow(t[m]-1).divide(p[m+1]). - add((TWO.pow(t[m]-1).multiply(Ym)). - divide(p[m+1].multiply(TWO.pow(32*rm)))); - - if (N.mod(TWO).compareTo(ONE)==0) - { - N = N.add(ONE); - } - - int k = 0; //step 10 - - step11: for(;;) - { - //step 11 - p[m] = p[m+1].multiply(N.add(BigInteger.valueOf(k))).add(ONE); - - if (p[m].compareTo(TWO.pow(t[m]))==1) - { - continue step6; //step 12 - } - - //step13 - if ((TWO.modPow(p[m+1].multiply(N.add(BigInteger.valueOf(k))),p[m]).compareTo(ONE)==0) && - (TWO.modPow(N.add(BigInteger.valueOf(k)),p[m]).compareTo(ONE)!=0)) - { - m -= 1; - break; - } - else - { - k += 2; - continue step11; - } - } - - if (m>=0) - { - break; //step 14 - } - else - { - pq[0] = p[0]; - pq[1] = p[1]; - return y[0].longValue(); //return for procedure B' step 2 - } - } - } - return y[0].longValue(); - } - - //Procedure B - private void procedure_B(int x0, int c, BigInteger[] pq) - { - //Verify and perform condition: 0<x<2^16; 0<c<2^16; c - odd. - while(x0<0 || x0>65536) - { - x0 = init_random.nextInt()/32768; - } - - while((c<0 || c>65536) || (c/2==0)) - { - c = init_random.nextInt()/32768 + 1; - } - - BigInteger [] qp = new BigInteger[2]; - BigInteger q = null, Q = null, p = null; - BigInteger C = new BigInteger(Integer.toString(c)); - BigInteger constA16 = new BigInteger("19381"); - - //step1 - x0 = procedure_A(x0, c, qp, 256); - q = qp[0]; - - //step2 - x0 = procedure_A(x0, c, qp, 512); - Q = qp[0]; - - BigInteger[] y = new BigInteger[65]; - y[0] = new BigInteger(Integer.toString(x0)); - - int tp = 1024; - - step3: for(;;) - { - //step 3 - for (int j=0; j<64; j++) - { - y[j+1] = (y[j].multiply(constA16).add(C)).mod(TWO.pow(16)); - } - - //step 4 - BigInteger Y = new BigInteger("0"); - - for (int j=0; j<64; j++) - { - Y = Y.add(y[j].multiply(TWO.pow(16*j))); - } - - y[0] = y[64]; //step 5 - - //step 6 - BigInteger N = TWO.pow(tp-1).divide(q.multiply(Q)). - add((TWO.pow(tp-1).multiply(Y)). - divide(q.multiply(Q).multiply(TWO.pow(1024)))); - - if (N.mod(TWO).compareTo(ONE)==0) - { - N = N.add(ONE); - } - - int k = 0; //step 7 - - step8: for(;;) - { - //step 11 - p = q.multiply(Q).multiply(N.add(BigInteger.valueOf(k))).add(ONE); - - if (p.compareTo(TWO.pow(tp))==1) - { - continue step3; //step 9 - } - - //step10 - if ((TWO.modPow(q.multiply(Q).multiply(N.add(BigInteger.valueOf(k))),p).compareTo(ONE)==0) && - (TWO.modPow(q.multiply(N.add(BigInteger.valueOf(k))),p).compareTo(ONE)!=0)) - { - pq[0] = p; - pq[1] = q; - return; - } - else - { - k += 2; - continue step8; - } - } - } - } - - //Procedure B' - private void procedure_Bb(long x0, long c, BigInteger[] pq) - { - //Verify and perform condition: 0<x<2^32; 0<c<2^32; c - odd. - while(x0<0 || x0>4294967296L) - { - x0 = init_random.nextInt()*2; - } - - while((c<0 || c>4294967296L) || (c/2==0)) - { - c = init_random.nextInt()*2+1; - } - - BigInteger [] qp = new BigInteger[2]; - BigInteger q = null, Q = null, p = null; - BigInteger C = new BigInteger(Long.toString(c)); - BigInteger constA32 = new BigInteger("97781173"); - - //step1 - x0 = procedure_Aa(x0, c, qp, 256); - q = qp[0]; - - //step2 - x0 = procedure_Aa(x0, c, qp, 512); - Q = qp[0]; - - BigInteger[] y = new BigInteger[33]; - y[0] = new BigInteger(Long.toString(x0)); - - int tp = 1024; - - step3: for(;;) - { - //step 3 - for (int j=0; j<32; j++) - { - y[j+1] = (y[j].multiply(constA32).add(C)).mod(TWO.pow(32)); - } - - //step 4 - BigInteger Y = new BigInteger("0"); - for (int j=0; j<32; j++) - { - Y = Y.add(y[j].multiply(TWO.pow(32*j))); - } - - y[0] = y[32]; //step 5 - - //step 6 - BigInteger N = TWO.pow(tp-1).divide(q.multiply(Q)). - add((TWO.pow(tp-1).multiply(Y)). - divide(q.multiply(Q).multiply(TWO.pow(1024)))); - - if (N.mod(TWO).compareTo(ONE)==0) - { - N = N.add(ONE); - } - - int k = 0; //step 7 - - step8: for(;;) - { - //step 11 - p = q.multiply(Q).multiply(N.add(BigInteger.valueOf(k))).add(ONE); - - if (p.compareTo(TWO.pow(tp))==1) - { - continue step3; //step 9 - } - - //step10 - if ((TWO.modPow(q.multiply(Q).multiply(N.add(BigInteger.valueOf(k))),p).compareTo(ONE)==0) && - (TWO.modPow(q.multiply(N.add(BigInteger.valueOf(k))),p).compareTo(ONE)!=0)) - { - pq[0] = p; - pq[1] = q; - return; - } - else - { - k += 2; - continue step8; - } - } - } - } - - - /** - * Procedure C - * procedure generates the a value from the given p,q, - * returning the a value. - */ - private BigInteger procedure_C(BigInteger p, BigInteger q) - { - BigInteger pSub1 = p.subtract(ONE); - BigInteger pSub1DivQ = pSub1.divide(q); - int length = p.bitLength(); - - for(;;) - { - BigInteger d = new BigInteger(length, init_random); - - // 1 < d < p-1 - if (d.compareTo(ONE) > 0 && d.compareTo(pSub1) < 0) - { - BigInteger a = d.modPow(pSub1DivQ, p); - - if (a.compareTo(ONE) != 0) - { - return a; - } - } - } - } - - /** - * which generates the p , q and a values from the given parameters, - * returning the GOST3410Parameters object. - */ - public GOST3410Parameters generateParameters() - { - BigInteger [] pq = new BigInteger[2]; - BigInteger q = null, p = null, a = null; - - int x0, c; - long x0L, cL; - - if (typeproc==1) - { - x0 = init_random.nextInt(); - c = init_random.nextInt(); - - switch(size) - { - case 512: - procedure_A(x0, c, pq, 512); - break; - case 1024: - procedure_B(x0, c, pq); - break; - default: - throw new IllegalArgumentException("Ooops! key size 512 or 1024 bit."); - } - p = pq[0]; q = pq[1]; - a = procedure_C(p, q); - //System.out.println("p:"+p.toString(16)+"\n"+"q:"+q.toString(16)+"\n"+"a:"+a.toString(16)); - //System.out.println("p:"+p+"\n"+"q:"+q+"\n"+"a:"+a); - return new GOST3410Parameters(p, q, a, new GOST3410ValidationParameters(x0, c)); - } - else - { - x0L = init_random.nextLong(); - cL = init_random.nextLong(); - - switch(size) - { - case 512: - procedure_Aa(x0L, cL, pq, 512); - break; - case 1024: - procedure_Bb(x0L, cL, pq); - break; - default: - throw new IllegalStateException("Ooops! key size 512 or 1024 bit."); - } - p = pq[0]; q = pq[1]; - a = procedure_C(p, q); - //System.out.println("p:"+p.toString(16)+"\n"+"q:"+q.toString(16)+"\n"+"a:"+a.toString(16)); - //System.out.println("p:"+p+"\n"+"q:"+q+"\n"+"a:"+a); - return new GOST3410Parameters(p, q, a, new GOST3410ValidationParameters(x0L, cL)); - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/HKDFBytesGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/HKDFBytesGenerator.java deleted file mode 100644 index 75915cf2..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/HKDFBytesGenerator.java +++ /dev/null @@ -1,161 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.DerivationFunction; -import org.bouncycastle.crypto.DerivationParameters; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.macs.HMac; -import org.bouncycastle.crypto.params.HKDFParameters; -import org.bouncycastle.crypto.params.KeyParameter; - -/** - * HMAC-based Extract-and-Expand Key Derivation Function (HKDF) implemented - * according to IETF RFC 5869, May 2010 as specified by H. Krawczyk, IBM - * Research & P. Eronen, Nokia. It uses a HMac internally to compute de OKM - * (output keying material) and is likely to have better security properties - * than KDF's based on just a hash function. - */ -public class HKDFBytesGenerator - implements DerivationFunction -{ - - private HMac hMacHash; - private int hashLen; - - private byte[] info; - private byte[] currentT; - - private int generatedBytes; - - /** - * Creates a HKDFBytesGenerator based on the given hash function. - * - * @param hash the digest to be used as the source of generatedBytes bytes - */ - public HKDFBytesGenerator(Digest hash) - { - this.hMacHash = new HMac(hash); - this.hashLen = hash.getDigestSize(); - } - - public void init(DerivationParameters param) - { - if (!(param instanceof HKDFParameters)) - { - throw new IllegalArgumentException( - "HKDF parameters required for HKDFBytesGenerator"); - } - - HKDFParameters params = (HKDFParameters)param; - if (params.skipExtract()) - { - // use IKM directly as PRK - hMacHash.init(new KeyParameter(params.getIKM())); - } - else - { - hMacHash.init(extract(params.getSalt(), params.getIKM())); - } - - info = params.getInfo(); - - generatedBytes = 0; - currentT = new byte[hashLen]; - } - - /** - * Performs the extract part of the key derivation function. - * - * @param salt the salt to use - * @param ikm the input keying material - * @return the PRK as KeyParameter - */ - private KeyParameter extract(byte[] salt, byte[] ikm) - { - hMacHash.init(new KeyParameter(ikm)); - if (salt == null) - { - // TODO check if hashLen is indeed same as HMAC size - hMacHash.init(new KeyParameter(new byte[hashLen])); - } - else - { - hMacHash.init(new KeyParameter(salt)); - } - - hMacHash.update(ikm, 0, ikm.length); - - byte[] prk = new byte[hashLen]; - hMacHash.doFinal(prk, 0); - return new KeyParameter(prk); - } - - /** - * Performs the expand part of the key derivation function, using currentT - * as input and output buffer. - * - * @throws DataLengthException if the total number of bytes generated is larger than the one - * specified by RFC 5869 (255 * HashLen) - */ - private void expandNext() - throws DataLengthException - { - int n = generatedBytes / hashLen + 1; - if (n >= 256) - { - throw new DataLengthException( - "HKDF cannot generate more than 255 blocks of HashLen size"); - } - // special case for T(0): T(0) is empty, so no update - if (generatedBytes != 0) - { - hMacHash.update(currentT, 0, hashLen); - } - hMacHash.update(info, 0, info.length); - hMacHash.update((byte)n); - hMacHash.doFinal(currentT, 0); - } - - public Digest getDigest() - { - return hMacHash.getUnderlyingDigest(); - } - - public int generateBytes(byte[] out, int outOff, int len) - throws DataLengthException, IllegalArgumentException - { - - if (generatedBytes + len > 255 * hashLen) - { - throw new DataLengthException( - "HKDF may only be used for 255 * HashLen bytes of output"); - } - - if (generatedBytes % hashLen == 0) - { - expandNext(); - } - - // copy what is left in the currentT (1..hash - int toGenerate = len; - int posInT = generatedBytes % hashLen; - int leftInT = hashLen - generatedBytes % hashLen; - int toCopy = Math.min(leftInT, toGenerate); - System.arraycopy(currentT, posInT, out, outOff, toCopy); - generatedBytes += toCopy; - toGenerate -= toCopy; - outOff += toCopy; - - while (toGenerate > 0) - { - expandNext(); - toCopy = Math.min(hashLen, toGenerate); - System.arraycopy(currentT, 0, out, outOff, toCopy); - generatedBytes += toCopy; - toGenerate -= toCopy; - outOff += toCopy; - } - - return len; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/KDF1BytesGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/KDF1BytesGenerator.java deleted file mode 100644 index 7789b7b5..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/KDF1BytesGenerator.java +++ /dev/null @@ -1,23 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import org.bouncycastle.crypto.Digest; - -/** - * KDF1 generator for derived keys and ivs as defined by IEEE P1363a/ISO 18033 - * <br> - * This implementation is based on ISO 18033/IEEE P1363a. - */ -public class KDF1BytesGenerator - extends BaseKDFBytesGenerator -{ - /** - * Construct a KDF1 byte generator. - * <p> - * @param digest the digest to be used as the source of derived keys. - */ - public KDF1BytesGenerator( - Digest digest) - { - super(0, digest); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/KDF2BytesGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/KDF2BytesGenerator.java deleted file mode 100644 index ac0c64a4..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/KDF2BytesGenerator.java +++ /dev/null @@ -1,24 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import org.bouncycastle.crypto.Digest; - -/** - * KDF2 generator for derived keys and ivs as defined by IEEE P1363a/ISO 18033 - * <br> - * This implementation is based on IEEE P1363/ISO 18033. - */ -public class KDF2BytesGenerator - extends BaseKDFBytesGenerator -{ - /** - * Construct a KDF2 bytes generator. Generates key material - * according to IEEE P1363 or ISO 18033 depending on the initialisation. - * <p> - * @param digest the digest to be used as the source of derived keys. - */ - public KDF2BytesGenerator( - Digest digest) - { - super(1, digest); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/KDFCounterBytesGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/KDFCounterBytesGenerator.java deleted file mode 100644 index 7147add7..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/KDFCounterBytesGenerator.java +++ /dev/null @@ -1,180 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import java.math.BigInteger; - -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.DerivationParameters; -import org.bouncycastle.crypto.Mac; -import org.bouncycastle.crypto.MacDerivationFunction; -import org.bouncycastle.crypto.params.KDFCounterParameters; -import org.bouncycastle.crypto.params.KeyParameter; - -/** - * This KDF has been defined by the publicly available NIST SP 800-108 specification. - * NIST SP800-108 allows for alternative orderings of the input fields, meaning that the input can be formated in multiple ways. - * There are 3 supported formats: - Below [i]_2 is a counter of r-bits length concatenated to the fixedInputData. - * <ul> - * <li>1: K(i) := PRF( KI, [i]_2 || Label || 0x00 || Context || [L]_2 ) with the counter at the very beginning of the fixedInputData (The default implementation has this format)</li> - * <li>2: K(i) := PRF( KI, Label || 0x00 || Context || [L]_2 || [i]_2 ) with the counter at the very end of the fixedInputData</li> - * <li>3a: K(i) := PRF( KI, Label || 0x00 || [i]_2 || Context || [L]_2 ) OR:</li> - * <li>3b: K(i) := PRF( KI, Label || 0x00 || [i]_2 || [L]_2 || Context ) OR:</li> - * <li>3c: K(i) := PRF( KI, Label || [i]_2 || 0x00 || Context || [L]_2 ) etc... with the counter somewhere in the 'middle' of the fixedInputData.</li> - * </ul> - * </p> - * <p> - * This function must be called with the following KDFCounterParameters(): - * - KI <br/> - * - The part of the fixedInputData that comes BEFORE the counter OR null <br/> - * - the part of the fixedInputData that comes AFTER the counter OR null <br/> - * - the length of the counter in bits (not bytes) - * </p> - * Resulting function calls assuming an 8 bit counter. - * <ul> - * <li>1. KDFCounterParameters(ki, null, "Label || 0x00 || Context || [L]_2]", 8);</li> - * <li>2. KDFCounterParameters(ki, "Label || 0x00 || Context || [L]_2]", null, 8);</li> - * <li>3a. KDFCounterParameters(ki, "Label || 0x00", "Context || [L]_2]", 8);</li> - * <li>3b. KDFCounterParameters(ki, "Label || 0x00", "[L]_2] || Context", 8);</li> - * <li>3c. KDFCounterParameters(ki, "Label", "0x00 || Context || [L]_2]", 8);</li> - * </ul> - */ -public class KDFCounterBytesGenerator - implements MacDerivationFunction -{ - - private static final BigInteger INTEGER_MAX = BigInteger.valueOf(Integer.MAX_VALUE); - private static final BigInteger TWO = BigInteger.valueOf(2); - - // please refer to the standard for the meaning of the variable names - // all field lengths are in bytes, not in bits as specified by the standard - - // fields set by the constructor - private final Mac prf; - private final int h; - - // fields set by init - private byte[] fixedInputDataCtrPrefix; - private byte[] fixedInputData_afterCtr; - private int maxSizeExcl; - // ios is i defined as an octet string (the binary representation) - private byte[] ios; - - // operational - private int generatedBytes; - // k is used as buffer for all K(i) values - private byte[] k; - - - public KDFCounterBytesGenerator(Mac prf) - { - this.prf = prf; - this.h = prf.getMacSize(); - this.k = new byte[h]; - } - - - public void init(DerivationParameters param) - { - if (!(param instanceof KDFCounterParameters)) - { - throw new IllegalArgumentException("Wrong type of arguments given"); - } - - KDFCounterParameters kdfParams = (KDFCounterParameters)param; - - // --- init mac based PRF --- - - this.prf.init(new KeyParameter(kdfParams.getKI())); - - // --- set arguments --- - - this.fixedInputDataCtrPrefix = kdfParams.getFixedInputDataCounterPrefix(); - this.fixedInputData_afterCtr = kdfParams.getFixedInputDataCounterSuffix(); - - int r = kdfParams.getR(); - this.ios = new byte[r / 8]; - - BigInteger maxSize = TWO.pow(r).multiply(BigInteger.valueOf(h)); - this.maxSizeExcl = maxSize.compareTo(INTEGER_MAX) == 1 ? - Integer.MAX_VALUE : maxSize.intValue(); - - // --- set operational state --- - - generatedBytes = 0; - } - - - public Mac getMac() - { - return prf; - } - - public int generateBytes(byte[] out, int outOff, int len) - throws DataLengthException, IllegalArgumentException - { - - int generatedBytesAfter = generatedBytes + len; - if (generatedBytesAfter < 0 || generatedBytesAfter >= maxSizeExcl) - { - throw new DataLengthException( - "Current KDFCTR may only be used for " + maxSizeExcl + " bytes"); - } - - if (generatedBytes % h == 0) - { - generateNext(); - } - - // copy what is left in the currentT (1..hash - int toGenerate = len; - int posInK = generatedBytes % h; - int leftInK = h - generatedBytes % h; - int toCopy = Math.min(leftInK, toGenerate); - System.arraycopy(k, posInK, out, outOff, toCopy); - generatedBytes += toCopy; - toGenerate -= toCopy; - outOff += toCopy; - - while (toGenerate > 0) - { - generateNext(); - toCopy = Math.min(h, toGenerate); - System.arraycopy(k, 0, out, outOff, toCopy); - generatedBytes += toCopy; - toGenerate -= toCopy; - outOff += toCopy; - } - - return len; - } - - private void generateNext() - { - int i = generatedBytes / h + 1; - - // encode i into counter buffer - switch (ios.length) - { - case 4: - ios[0] = (byte)(i >>> 24); - // fall through - case 3: - ios[ios.length - 3] = (byte)(i >>> 16); - // fall through - case 2: - ios[ios.length - 2] = (byte)(i >>> 8); - // fall through - case 1: - ios[ios.length - 1] = (byte)i; - break; - default: - throw new IllegalStateException("Unsupported size of counter i"); - } - - - // special case for K(0): K(0) is empty, so no update - prf.update(fixedInputDataCtrPrefix, 0, fixedInputDataCtrPrefix.length); - prf.update(ios, 0, ios.length); - prf.update(fixedInputData_afterCtr, 0, fixedInputData_afterCtr.length); - prf.doFinal(k, 0); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/KDFDoublePipelineIterationBytesGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/KDFDoublePipelineIterationBytesGenerator.java deleted file mode 100644 index 6115a1a3..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/KDFDoublePipelineIterationBytesGenerator.java +++ /dev/null @@ -1,181 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import java.math.BigInteger; - -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.DerivationParameters; -import org.bouncycastle.crypto.Mac; -import org.bouncycastle.crypto.MacDerivationFunction; -import org.bouncycastle.crypto.params.KDFDoublePipelineIterationParameters; -import org.bouncycastle.crypto.params.KeyParameter; - -/** - * This KDF has been defined by the publicly available NIST SP 800-108 specification. - */ -public class KDFDoublePipelineIterationBytesGenerator - implements MacDerivationFunction -{ - - private static final BigInteger INTEGER_MAX = BigInteger.valueOf(Integer.MAX_VALUE); - private static final BigInteger TWO = BigInteger.valueOf(2); - - // please refer to the standard for the meaning of the variable names - // all field lengths are in bytes, not in bits as specified by the standard - - // fields set by the constructor - private final Mac prf; - private final int h; - - // fields set by init - private byte[] fixedInputData; - private int maxSizeExcl; - // ios is i defined as an octet string (the binary representation) - private byte[] ios; - private boolean useCounter; - - // operational - private int generatedBytes; - // k is used as buffer for all K(i) values - private byte[] a; - private byte[] k; - - - public KDFDoublePipelineIterationBytesGenerator(Mac prf) - { - this.prf = prf; - this.h = prf.getMacSize(); - this.a = new byte[h]; - this.k = new byte[h]; - } - - public void init(DerivationParameters params) - { - if (!(params instanceof KDFDoublePipelineIterationParameters)) - { - throw new IllegalArgumentException("Wrong type of arguments given"); - } - - KDFDoublePipelineIterationParameters dpiParams = (KDFDoublePipelineIterationParameters)params; - - // --- init mac based PRF --- - - this.prf.init(new KeyParameter(dpiParams.getKI())); - - // --- set arguments --- - - this.fixedInputData = dpiParams.getFixedInputData(); - - int r = dpiParams.getR(); - this.ios = new byte[r / 8]; - - if (dpiParams.useCounter()) - { - // this is more conservative than the spec - BigInteger maxSize = TWO.pow(r).multiply(BigInteger.valueOf(h)); - this.maxSizeExcl = maxSize.compareTo(INTEGER_MAX) == 1 ? - Integer.MAX_VALUE : maxSize.intValue(); - } - else - { - this.maxSizeExcl = Integer.MAX_VALUE; - } - - this.useCounter = dpiParams.useCounter(); - - // --- set operational state --- - - generatedBytes = 0; - } - - public Mac getMac() - { - return prf; - } - - public int generateBytes(byte[] out, int outOff, int len) - throws DataLengthException, IllegalArgumentException - { - - int generatedBytesAfter = generatedBytes + len; - if (generatedBytesAfter < 0 || generatedBytesAfter >= maxSizeExcl) - { - throw new DataLengthException( - "Current KDFCTR may only be used for " + maxSizeExcl + " bytes"); - } - - if (generatedBytes % h == 0) - { - generateNext(); - } - - // copy what is left in the currentT (1..hash - int toGenerate = len; - int posInK = generatedBytes % h; - int leftInK = h - generatedBytes % h; - int toCopy = Math.min(leftInK, toGenerate); - System.arraycopy(k, posInK, out, outOff, toCopy); - generatedBytes += toCopy; - toGenerate -= toCopy; - outOff += toCopy; - - while (toGenerate > 0) - { - generateNext(); - toCopy = Math.min(h, toGenerate); - System.arraycopy(k, 0, out, outOff, toCopy); - generatedBytes += toCopy; - toGenerate -= toCopy; - outOff += toCopy; - } - - return len; - } - - private void generateNext() - { - - if (generatedBytes == 0) - { - // --- step 4 --- - prf.update(fixedInputData, 0, fixedInputData.length); - prf.doFinal(a, 0); - } - else - { - // --- step 5a --- - prf.update(a, 0, a.length); - prf.doFinal(a, 0); - } - - // --- step 5b --- - prf.update(a, 0, a.length); - - if (useCounter) - { - int i = generatedBytes / h + 1; - - // encode i into counter buffer - switch (ios.length) - { - case 4: - ios[0] = (byte)(i >>> 24); - // fall through - case 3: - ios[ios.length - 3] = (byte)(i >>> 16); - // fall through - case 2: - ios[ios.length - 2] = (byte)(i >>> 8); - // fall through - case 1: - ios[ios.length - 1] = (byte)i; - break; - default: - throw new IllegalStateException("Unsupported size of counter i"); - } - prf.update(ios, 0, ios.length); - } - - prf.update(fixedInputData, 0, fixedInputData.length); - prf.doFinal(k, 0); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/KDFFeedbackBytesGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/KDFFeedbackBytesGenerator.java deleted file mode 100644 index 60030376..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/KDFFeedbackBytesGenerator.java +++ /dev/null @@ -1,175 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import java.math.BigInteger; - -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.DerivationParameters; -import org.bouncycastle.crypto.Mac; -import org.bouncycastle.crypto.MacDerivationFunction; -import org.bouncycastle.crypto.params.KDFFeedbackParameters; -import org.bouncycastle.crypto.params.KeyParameter; - -/** - * This KDF has been defined by the publicly available NIST SP 800-108 specification. - */ -public class KDFFeedbackBytesGenerator - implements MacDerivationFunction -{ - - private static final BigInteger INTEGER_MAX = BigInteger.valueOf(Integer.MAX_VALUE); - private static final BigInteger TWO = BigInteger.valueOf(2); - - // please refer to the standard for the meaning of the variable names - // all field lengths are in bytes, not in bits as specified by the standard - - // fields set by the constructor - private final Mac prf; - private final int h; - - // fields set by init - private byte[] fixedInputData; - private int maxSizeExcl; - // ios is i defined as an octet string (the binary representation) - private byte[] ios; - private byte[] iv; - private boolean useCounter; - - // operational - private int generatedBytes; - // k is used as buffer for all K(i) values - private byte[] k; - - - public KDFFeedbackBytesGenerator(Mac prf) - { - this.prf = prf; - this.h = prf.getMacSize(); - this.k = new byte[h]; - } - - public void init(DerivationParameters params) - { - if (!(params instanceof KDFFeedbackParameters)) - { - throw new IllegalArgumentException("Wrong type of arguments given"); - } - - KDFFeedbackParameters feedbackParams = (KDFFeedbackParameters)params; - - // --- init mac based PRF --- - - this.prf.init(new KeyParameter(feedbackParams.getKI())); - - // --- set arguments --- - - this.fixedInputData = feedbackParams.getFixedInputData(); - - int r = feedbackParams.getR(); - this.ios = new byte[r / 8]; - - if (feedbackParams.useCounter()) - { - // this is more conservative than the spec - BigInteger maxSize = TWO.pow(r).multiply(BigInteger.valueOf(h)); - this.maxSizeExcl = maxSize.compareTo(INTEGER_MAX) == 1 ? - Integer.MAX_VALUE : maxSize.intValue(); - } - else - { - this.maxSizeExcl = Integer.MAX_VALUE; - } - - this.iv = feedbackParams.getIV(); - this.useCounter = feedbackParams.useCounter(); - - // --- set operational state --- - - generatedBytes = 0; - } - - public Mac getMac() - { - return prf; - } - - public int generateBytes(byte[] out, int outOff, int len) - throws DataLengthException, IllegalArgumentException - { - - int generatedBytesAfter = generatedBytes + len; - if (generatedBytesAfter < 0 || generatedBytesAfter >= maxSizeExcl) - { - throw new DataLengthException( - "Current KDFCTR may only be used for " + maxSizeExcl + " bytes"); - } - - if (generatedBytes % h == 0) - { - generateNext(); - } - - // copy what is left in the currentT (1..hash - int toGenerate = len; - int posInK = generatedBytes % h; - int leftInK = h - generatedBytes % h; - int toCopy = Math.min(leftInK, toGenerate); - System.arraycopy(k, posInK, out, outOff, toCopy); - generatedBytes += toCopy; - toGenerate -= toCopy; - outOff += toCopy; - - while (toGenerate > 0) - { - generateNext(); - toCopy = Math.min(h, toGenerate); - System.arraycopy(k, 0, out, outOff, toCopy); - generatedBytes += toCopy; - toGenerate -= toCopy; - outOff += toCopy; - } - - return len; - } - - private void generateNext() - { - - // TODO enable IV - if (generatedBytes == 0) - { - prf.update(iv, 0, iv.length); - } - else - { - prf.update(k, 0, k.length); - } - - if (useCounter) - { - int i = generatedBytes / h + 1; - - // encode i into counter buffer - switch (ios.length) - { - case 4: - ios[0] = (byte)(i >>> 24); - // fall through - case 3: - ios[ios.length - 3] = (byte)(i >>> 16); - // fall through - case 2: - ios[ios.length - 2] = (byte)(i >>> 8); - // fall through - case 1: - ios[ios.length - 1] = (byte)i; - break; - default: - throw new IllegalStateException("Unsupported size of counter i"); - } - prf.update(ios, 0, ios.length); - } - - prf.update(fixedInputData, 0, fixedInputData.length); - prf.doFinal(k, 0); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/MGF1BytesGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/MGF1BytesGenerator.java deleted file mode 100644 index e93c0d73..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/MGF1BytesGenerator.java +++ /dev/null @@ -1,114 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.DerivationFunction; -import org.bouncycastle.crypto.DerivationParameters; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.params.MGFParameters; - -/** - * Generator for MGF1 as defined in PKCS 1v2 - */ -public class MGF1BytesGenerator - implements DerivationFunction -{ - private Digest digest; - private byte[] seed; - private int hLen; - - /** - * @param digest the digest to be used as the source of generated bytes - */ - public MGF1BytesGenerator( - Digest digest) - { - this.digest = digest; - this.hLen = digest.getDigestSize(); - } - - public void init( - DerivationParameters param) - { - if (!(param instanceof MGFParameters)) - { - throw new IllegalArgumentException("MGF parameters required for MGF1Generator"); - } - - MGFParameters p = (MGFParameters)param; - - seed = p.getSeed(); - } - - /** - * return the underlying digest. - */ - public Digest getDigest() - { - return digest; - } - - /** - * int to octet string. - */ - private void ItoOSP( - int i, - byte[] sp) - { - sp[0] = (byte)(i >>> 24); - sp[1] = (byte)(i >>> 16); - sp[2] = (byte)(i >>> 8); - sp[3] = (byte)(i >>> 0); - } - - /** - * fill len bytes of the output buffer with bytes generated from - * the derivation function. - * - * @throws DataLengthException if the out buffer is too small. - */ - public int generateBytes( - byte[] out, - int outOff, - int len) - throws DataLengthException, IllegalArgumentException - { - if ((out.length - len) < outOff) - { - throw new DataLengthException("output buffer too small"); - } - - byte[] hashBuf = new byte[hLen]; - byte[] C = new byte[4]; - int counter = 0; - - digest.reset(); - - if (len > hLen) - { - do - { - ItoOSP(counter, C); - - digest.update(seed, 0, seed.length); - digest.update(C, 0, C.length); - digest.doFinal(hashBuf, 0); - - System.arraycopy(hashBuf, 0, out, outOff + counter * hLen, hLen); - } - while (++counter < (len / hLen)); - } - - if ((counter * hLen) < len) - { - ItoOSP(counter, C); - - digest.update(seed, 0, seed.length); - digest.update(C, 0, C.length); - digest.doFinal(hashBuf, 0); - - System.arraycopy(hashBuf, 0, out, outOff + counter * hLen, len - (counter * hLen)); - } - - return len; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/NaccacheSternKeyPairGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/NaccacheSternKeyPairGenerator.java deleted file mode 100644 index ceb39407..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/NaccacheSternKeyPairGenerator.java +++ /dev/null @@ -1,365 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import org.bouncycastle.crypto.AsymmetricCipherKeyPair; -import org.bouncycastle.crypto.AsymmetricCipherKeyPairGenerator; -import org.bouncycastle.crypto.KeyGenerationParameters; -import org.bouncycastle.crypto.params.NaccacheSternKeyGenerationParameters; -import org.bouncycastle.crypto.params.NaccacheSternKeyParameters; -import org.bouncycastle.crypto.params.NaccacheSternPrivateKeyParameters; - -import java.math.BigInteger; -import java.security.SecureRandom; -import java.util.Vector; - -/** - * Key generation parameters for NaccacheStern cipher. For details on this cipher, please see - * - * http://www.gemplus.com/smart/rd/publications/pdf/NS98pkcs.pdf - */ -public class NaccacheSternKeyPairGenerator - implements AsymmetricCipherKeyPairGenerator -{ - - private static int[] smallPrimes = - { - 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, - 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, - 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227, 229, 233, - 239, 241, 251, 257, 263, 269, 271, 277, 281, 283, 293, 307, 311, 313, 317, 331, - 337, 347, 349, 353, 359, 367, 373, 379, 383, 389, 397, 401, 409, 419, 421, 431, - 433, 439, 443, 449, 457, 461, 463, 467, 479, 487, 491, 499, 503, 509, 521, 523, - 541, 547, 557 - }; - - private NaccacheSternKeyGenerationParameters param; - - private static final BigInteger ONE = BigInteger.valueOf(1); // JDK 1.1 compatibility - - /* - * (non-Javadoc) - * - * @see org.bouncycastle.crypto.AsymmetricCipherKeyPairGenerator#init(org.bouncycastle.crypto.KeyGenerationParameters) - */ - public void init(KeyGenerationParameters param) - { - this.param = (NaccacheSternKeyGenerationParameters)param; - } - - /* - * (non-Javadoc) - * - * @see org.bouncycastle.crypto.AsymmetricCipherKeyPairGenerator#generateKeyPair() - */ - public AsymmetricCipherKeyPair generateKeyPair() - { - int strength = param.getStrength(); - SecureRandom rand = param.getRandom(); - int certainty = param.getCertainty(); - boolean debug = param.isDebug(); - - if (debug) - { - System.out.println("Fetching first " + param.getCntSmallPrimes() + " primes."); - } - - Vector smallPrimes = findFirstPrimes(param.getCntSmallPrimes()); - smallPrimes = permuteList(smallPrimes, rand); - - BigInteger u = ONE; - BigInteger v = ONE; - - for (int i = 0; i < smallPrimes.size() / 2; i++) - { - u = u.multiply((BigInteger)smallPrimes.elementAt(i)); - } - for (int i = smallPrimes.size() / 2; i < smallPrimes.size(); i++) - { - v = v.multiply((BigInteger)smallPrimes.elementAt(i)); - } - - BigInteger sigma = u.multiply(v); - - // n = (2 a u p_ + 1 ) ( 2 b v q_ + 1) - // -> |n| = strength - // |2| = 1 in bits - // -> |a| * |b| = |n| - |u| - |v| - |p_| - |q_| - |2| -|2| - // remainingStrength = strength - sigma.bitLength() - p_.bitLength() - - // q_.bitLength() - 1 -1 - int remainingStrength = strength - sigma.bitLength() - 48; - BigInteger a = generatePrime(remainingStrength / 2 + 1, certainty, rand); - BigInteger b = generatePrime(remainingStrength / 2 + 1, certainty, rand); - - BigInteger p_; - BigInteger q_; - BigInteger p; - BigInteger q; - long tries = 0; - if (debug) - { - System.out.println("generating p and q"); - } - - BigInteger _2au = a.multiply(u).shiftLeft(1); - BigInteger _2bv = b.multiply(v).shiftLeft(1); - - for (;;) - { - tries++; - - p_ = generatePrime(24, certainty, rand); - - p = p_.multiply(_2au).add(ONE); - - if (!p.isProbablePrime(certainty)) - { - continue; - } - - for (;;) - { - q_ = generatePrime(24, certainty, rand); - - if (p_.equals(q_)) - { - continue; - } - - q = q_.multiply(_2bv).add(ONE); - - if (q.isProbablePrime(certainty)) - { - break; - } - } - - if (!sigma.gcd(p_.multiply(q_)).equals(ONE)) - { - // System.out.println("sigma.gcd(p_.mult(q_)) != 1!\n p_: " + p_ - // +"\n q_: "+ q_ ); - continue; - } - - if (p.multiply(q).bitLength() < strength) - { - if (debug) - { - System.out.println("key size too small. Should be " + strength + " but is actually " - + p.multiply(q).bitLength()); - } - continue; - } - break; - } - - if (debug) - { - System.out.println("needed " + tries + " tries to generate p and q."); - } - - BigInteger n = p.multiply(q); - BigInteger phi_n = p.subtract(ONE).multiply(q.subtract(ONE)); - BigInteger g; - tries = 0; - if (debug) - { - System.out.println("generating g"); - } - for (;;) - { - - Vector gParts = new Vector(); - for (int ind = 0; ind != smallPrimes.size(); ind++) - { - BigInteger i = (BigInteger)smallPrimes.elementAt(ind); - BigInteger e = phi_n.divide(i); - - for (;;) - { - tries++; - g = new BigInteger(strength, certainty, rand); - if (g.modPow(e, n).equals(ONE)) - { - continue; - } - gParts.addElement(g); - break; - } - } - g = ONE; - for (int i = 0; i < smallPrimes.size(); i++) - { - g = g.multiply(((BigInteger)gParts.elementAt(i)).modPow(sigma.divide((BigInteger)smallPrimes.elementAt(i)), n)).mod(n); - } - - // make sure that g is not divisible by p_i or q_i - boolean divisible = false; - for (int i = 0; i < smallPrimes.size(); i++) - { - if (g.modPow(phi_n.divide((BigInteger)smallPrimes.elementAt(i)), n).equals(ONE)) - { - if (debug) - { - System.out.println("g has order phi(n)/" + smallPrimes.elementAt(i) + "\n g: " + g); - } - divisible = true; - break; - } - } - - if (divisible) - { - continue; - } - - // make sure that g has order > phi_n/4 - - if (g.modPow(phi_n.divide(BigInteger.valueOf(4)), n).equals(ONE)) - { - if (debug) - { - System.out.println("g has order phi(n)/4\n g:" + g); - } - continue; - } - - if (g.modPow(phi_n.divide(p_), n).equals(ONE)) - { - if (debug) - { - System.out.println("g has order phi(n)/p'\n g: " + g); - } - continue; - } - if (g.modPow(phi_n.divide(q_), n).equals(ONE)) - { - if (debug) - { - System.out.println("g has order phi(n)/q'\n g: " + g); - } - continue; - } - if (g.modPow(phi_n.divide(a), n).equals(ONE)) - { - if (debug) - { - System.out.println("g has order phi(n)/a\n g: " + g); - } - continue; - } - if (g.modPow(phi_n.divide(b), n).equals(ONE)) - { - if (debug) - { - System.out.println("g has order phi(n)/b\n g: " + g); - } - continue; - } - break; - } - if (debug) - { - System.out.println("needed " + tries + " tries to generate g"); - System.out.println(); - System.out.println("found new NaccacheStern cipher variables:"); - System.out.println("smallPrimes: " + smallPrimes); - System.out.println("sigma:...... " + sigma + " (" + sigma.bitLength() + " bits)"); - System.out.println("a:.......... " + a); - System.out.println("b:.......... " + b); - System.out.println("p':......... " + p_); - System.out.println("q':......... " + q_); - System.out.println("p:.......... " + p); - System.out.println("q:.......... " + q); - System.out.println("n:.......... " + n); - System.out.println("phi(n):..... " + phi_n); - System.out.println("g:.......... " + g); - System.out.println(); - } - - return new AsymmetricCipherKeyPair(new NaccacheSternKeyParameters(false, g, n, sigma.bitLength()), - new NaccacheSternPrivateKeyParameters(g, n, sigma.bitLength(), smallPrimes, phi_n)); - } - - private static BigInteger generatePrime( - int bitLength, - int certainty, - SecureRandom rand) - { - BigInteger p_ = new BigInteger(bitLength, certainty, rand); - while (p_.bitLength() != bitLength) - { - p_ = new BigInteger(bitLength, certainty, rand); - } - return p_; - } - - /** - * Generates a permuted ArrayList from the original one. The original List - * is not modified - * - * @param arr - * the ArrayList to be permuted - * @param rand - * the source of Randomness for permutation - * @return a new ArrayList with the permuted elements. - */ - private static Vector permuteList( - Vector arr, - SecureRandom rand) - { - Vector retval = new Vector(); - Vector tmp = new Vector(); - for (int i = 0; i < arr.size(); i++) - { - tmp.addElement(arr.elementAt(i)); - } - retval.addElement(tmp.elementAt(0)); - tmp.removeElementAt(0); - while (tmp.size() != 0) - { - retval.insertElementAt(tmp.elementAt(0), getInt(rand, retval.size() + 1)); - tmp.removeElementAt(0); - } - return retval; - } - - private static int getInt( - SecureRandom rand, - int n) - { - if ((n & -n) == n) - { - return (int)((n * (long)(rand.nextInt() & 0x7fffffff)) >> 31); - } - - int bits, val; - do - { - bits = rand.nextInt() & 0x7fffffff; - val = bits % n; - } - while (bits - val + (n-1) < 0); - - return val; - } - - /** - * Finds the first 'count' primes starting with 3 - * - * @param count - * the number of primes to find - * @return a vector containing the found primes as Integer - */ - private static Vector findFirstPrimes( - int count) - { - Vector primes = new Vector(count); - - for (int i = 0; i != count; i++) - { - primes.addElement(BigInteger.valueOf(smallPrimes[i])); - } - - return primes; - } - -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/OpenSSLPBEParametersGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/OpenSSLPBEParametersGenerator.java deleted file mode 100644 index 8a4d28ab..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/OpenSSLPBEParametersGenerator.java +++ /dev/null @@ -1,131 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.PBEParametersGenerator; -import org.bouncycastle.crypto.digests.MD5Digest; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.ParametersWithIV; - -/** - * Generator for PBE derived keys and ivs as usd by OpenSSL. - * <p> - * The scheme is a simple extension of PKCS 5 V2.0 Scheme 1 using MD5 with an - * iteration count of 1. - * <p> - */ -public class OpenSSLPBEParametersGenerator - extends PBEParametersGenerator -{ - private Digest digest = new MD5Digest(); - - /** - * Construct a OpenSSL Parameters generator. - */ - public OpenSSLPBEParametersGenerator() - { - } - - /** - * Initialise - note the iteration count for this algorithm is fixed at 1. - * - * @param password password to use. - * @param salt salt to use. - */ - public void init( - byte[] password, - byte[] salt) - { - super.init(password, salt, 1); - } - - /** - * the derived key function, the ith hash of the password and the salt. - */ - private byte[] generateDerivedKey( - int bytesNeeded) - { - byte[] buf = new byte[digest.getDigestSize()]; - byte[] key = new byte[bytesNeeded]; - int offset = 0; - - for (;;) - { - digest.update(password, 0, password.length); - digest.update(salt, 0, salt.length); - - digest.doFinal(buf, 0); - - int len = (bytesNeeded > buf.length) ? buf.length : bytesNeeded; - System.arraycopy(buf, 0, key, offset, len); - offset += len; - - // check if we need any more - bytesNeeded -= len; - if (bytesNeeded == 0) - { - break; - } - - // do another round - digest.reset(); - digest.update(buf, 0, buf.length); - } - - return key; - } - - /** - * Generate a key parameter derived from the password, salt, and iteration - * count we are currently initialised with. - * - * @param keySize the size of the key we want (in bits) - * @return a KeyParameter object. - * @exception IllegalArgumentException if the key length larger than the base hash size. - */ - public CipherParameters generateDerivedParameters( - int keySize) - { - keySize = keySize / 8; - - byte[] dKey = generateDerivedKey(keySize); - - return new KeyParameter(dKey, 0, keySize); - } - - /** - * Generate a key with initialisation vector parameter derived from - * the password, salt, and iteration count we are currently initialised - * with. - * - * @param keySize the size of the key we want (in bits) - * @param ivSize the size of the iv we want (in bits) - * @return a ParametersWithIV object. - * @exception IllegalArgumentException if keySize + ivSize is larger than the base hash size. - */ - public CipherParameters generateDerivedParameters( - int keySize, - int ivSize) - { - keySize = keySize / 8; - ivSize = ivSize / 8; - - byte[] dKey = generateDerivedKey(keySize + ivSize); - - return new ParametersWithIV(new KeyParameter(dKey, 0, keySize), dKey, keySize, ivSize); - } - - /** - * Generate a key parameter for use with a MAC derived from the password, - * salt, and iteration count we are currently initialised with. - * - * @param keySize the size of the key we want (in bits) - * @return a KeyParameter object. - * @exception IllegalArgumentException if the key length larger than the base hash size. - */ - public CipherParameters generateDerivedMacParameters( - int keySize) - { - return generateDerivedParameters(keySize); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/PKCS12ParametersGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/PKCS12ParametersGenerator.java deleted file mode 100644 index d9b82c32..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/PKCS12ParametersGenerator.java +++ /dev/null @@ -1,220 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.ExtendedDigest; -import org.bouncycastle.crypto.PBEParametersGenerator; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.ParametersWithIV; - -/** - * Generator for PBE derived keys and ivs as defined by PKCS 12 V1.0. - * <p> - * The document this implementation is based on can be found at - * <a href=http://www.rsasecurity.com/rsalabs/pkcs/pkcs-12/index.html> - * RSA's PKCS12 Page</a> - */ -public class PKCS12ParametersGenerator - extends PBEParametersGenerator -{ - public static final int KEY_MATERIAL = 1; - public static final int IV_MATERIAL = 2; - public static final int MAC_MATERIAL = 3; - - private Digest digest; - - private int u; - private int v; - - /** - * Construct a PKCS 12 Parameters generator. This constructor will - * accept any digest which also implements ExtendedDigest. - * - * @param digest the digest to be used as the source of derived keys. - * @exception IllegalArgumentException if an unknown digest is passed in. - */ - public PKCS12ParametersGenerator( - Digest digest) - { - this.digest = digest; - if (digest instanceof ExtendedDigest) - { - u = digest.getDigestSize(); - v = ((ExtendedDigest)digest).getByteLength(); - } - else - { - throw new IllegalArgumentException("Digest " + digest.getAlgorithmName() + " unsupported"); - } - } - - /** - * add a + b + 1, returning the result in a. The a value is treated - * as a BigInteger of length (b.length * 8) bits. The result is - * modulo 2^b.length in case of overflow. - */ - private void adjust( - byte[] a, - int aOff, - byte[] b) - { - int x = (b[b.length - 1] & 0xff) + (a[aOff + b.length - 1] & 0xff) + 1; - - a[aOff + b.length - 1] = (byte)x; - x >>>= 8; - - for (int i = b.length - 2; i >= 0; i--) - { - x += (b[i] & 0xff) + (a[aOff + i] & 0xff); - a[aOff + i] = (byte)x; - x >>>= 8; - } - } - - /** - * generation of a derived key ala PKCS12 V1.0. - */ - private byte[] generateDerivedKey( - int idByte, - int n) - { - byte[] D = new byte[v]; - byte[] dKey = new byte[n]; - - for (int i = 0; i != D.length; i++) - { - D[i] = (byte)idByte; - } - - byte[] S; - - if ((salt != null) && (salt.length != 0)) - { - S = new byte[v * ((salt.length + v - 1) / v)]; - - for (int i = 0; i != S.length; i++) - { - S[i] = salt[i % salt.length]; - } - } - else - { - S = new byte[0]; - } - - byte[] P; - - if ((password != null) && (password.length != 0)) - { - P = new byte[v * ((password.length + v - 1) / v)]; - - for (int i = 0; i != P.length; i++) - { - P[i] = password[i % password.length]; - } - } - else - { - P = new byte[0]; - } - - byte[] I = new byte[S.length + P.length]; - - System.arraycopy(S, 0, I, 0, S.length); - System.arraycopy(P, 0, I, S.length, P.length); - - byte[] B = new byte[v]; - int c = (n + u - 1) / u; - byte[] A = new byte[u]; - - for (int i = 1; i <= c; i++) - { - digest.update(D, 0, D.length); - digest.update(I, 0, I.length); - digest.doFinal(A, 0); - for (int j = 1; j < iterationCount; j++) - { - digest.update(A, 0, A.length); - digest.doFinal(A, 0); - } - - for (int j = 0; j != B.length; j++) - { - B[j] = A[j % A.length]; - } - - for (int j = 0; j != I.length / v; j++) - { - adjust(I, j * v, B); - } - - if (i == c) - { - System.arraycopy(A, 0, dKey, (i - 1) * u, dKey.length - ((i - 1) * u)); - } - else - { - System.arraycopy(A, 0, dKey, (i - 1) * u, A.length); - } - } - - return dKey; - } - - /** - * Generate a key parameter derived from the password, salt, and iteration - * count we are currently initialised with. - * - * @param keySize the size of the key we want (in bits) - * @return a KeyParameter object. - */ - public CipherParameters generateDerivedParameters( - int keySize) - { - keySize = keySize / 8; - - byte[] dKey = generateDerivedKey(KEY_MATERIAL, keySize); - - return new KeyParameter(dKey, 0, keySize); - } - - /** - * Generate a key with initialisation vector parameter derived from - * the password, salt, and iteration count we are currently initialised - * with. - * - * @param keySize the size of the key we want (in bits) - * @param ivSize the size of the iv we want (in bits) - * @return a ParametersWithIV object. - */ - public CipherParameters generateDerivedParameters( - int keySize, - int ivSize) - { - keySize = keySize / 8; - ivSize = ivSize / 8; - - byte[] dKey = generateDerivedKey(KEY_MATERIAL, keySize); - - byte[] iv = generateDerivedKey(IV_MATERIAL, ivSize); - - return new ParametersWithIV(new KeyParameter(dKey, 0, keySize), iv, 0, ivSize); - } - - /** - * Generate a key parameter for use with a MAC derived from the password, - * salt, and iteration count we are currently initialised with. - * - * @param keySize the size of the key we want (in bits) - * @return a KeyParameter object. - */ - public CipherParameters generateDerivedMacParameters( - int keySize) - { - keySize = keySize / 8; - - byte[] dKey = generateDerivedKey(MAC_MATERIAL, keySize); - - return new KeyParameter(dKey, 0, keySize); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/PKCS5S1ParametersGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/PKCS5S1ParametersGenerator.java deleted file mode 100644 index 1c62eccc..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/PKCS5S1ParametersGenerator.java +++ /dev/null @@ -1,119 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.PBEParametersGenerator; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.ParametersWithIV; - -/** - * Generator for PBE derived keys and ivs as defined by PKCS 5 V2.0 Scheme 1. - * Note this generator is limited to the size of the hash produced by the - * digest used to drive it. - * <p> - * The document this implementation is based on can be found at - * <a href=http://www.rsasecurity.com/rsalabs/pkcs/pkcs-5/index.html> - * RSA's PKCS5 Page</a> - */ -public class PKCS5S1ParametersGenerator - extends PBEParametersGenerator -{ - private Digest digest; - - /** - * Construct a PKCS 5 Scheme 1 Parameters generator. - * - * @param digest the digest to be used as the source of derived keys. - */ - public PKCS5S1ParametersGenerator( - Digest digest) - { - this.digest = digest; - } - - /** - * the derived key function, the ith hash of the password and the salt. - */ - private byte[] generateDerivedKey() - { - byte[] digestBytes = new byte[digest.getDigestSize()]; - - digest.update(password, 0, password.length); - digest.update(salt, 0, salt.length); - - digest.doFinal(digestBytes, 0); - for (int i = 1; i < iterationCount; i++) - { - digest.update(digestBytes, 0, digestBytes.length); - digest.doFinal(digestBytes, 0); - } - - return digestBytes; - } - - /** - * Generate a key parameter derived from the password, salt, and iteration - * count we are currently initialised with. - * - * @param keySize the size of the key we want (in bits) - * @return a KeyParameter object. - * @exception IllegalArgumentException if the key length larger than the base hash size. - */ - public CipherParameters generateDerivedParameters( - int keySize) - { - keySize = keySize / 8; - - if (keySize > digest.getDigestSize()) - { - throw new IllegalArgumentException( - "Can't generate a derived key " + keySize + " bytes long."); - } - - byte[] dKey = generateDerivedKey(); - - return new KeyParameter(dKey, 0, keySize); - } - - /** - * Generate a key with initialisation vector parameter derived from - * the password, salt, and iteration count we are currently initialised - * with. - * - * @param keySize the size of the key we want (in bits) - * @param ivSize the size of the iv we want (in bits) - * @return a ParametersWithIV object. - * @exception IllegalArgumentException if keySize + ivSize is larger than the base hash size. - */ - public CipherParameters generateDerivedParameters( - int keySize, - int ivSize) - { - keySize = keySize / 8; - ivSize = ivSize / 8; - - if ((keySize + ivSize) > digest.getDigestSize()) - { - throw new IllegalArgumentException( - "Can't generate a derived key " + (keySize + ivSize) + " bytes long."); - } - - byte[] dKey = generateDerivedKey(); - - return new ParametersWithIV(new KeyParameter(dKey, 0, keySize), dKey, keySize, ivSize); - } - - /** - * Generate a key parameter for use with a MAC derived from the password, - * salt, and iteration count we are currently initialised with. - * - * @param keySize the size of the key we want (in bits) - * @return a KeyParameter object. - * @exception IllegalArgumentException if the key length larger than the base hash size. - */ - public CipherParameters generateDerivedMacParameters( - int keySize) - { - return generateDerivedParameters(keySize); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/PKCS5S2ParametersGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/PKCS5S2ParametersGenerator.java deleted file mode 100644 index 0954d481..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/PKCS5S2ParametersGenerator.java +++ /dev/null @@ -1,153 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.Mac; -import org.bouncycastle.crypto.PBEParametersGenerator; -import org.bouncycastle.crypto.digests.SHA1Digest; -import org.bouncycastle.crypto.macs.HMac; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.ParametersWithIV; - -/** - * Generator for PBE derived keys and ivs as defined by PKCS 5 V2.0 Scheme 2. - * This generator uses a SHA-1 HMac as the calculation function. - * <p> - * The document this implementation is based on can be found at - * <a href=http://www.rsasecurity.com/rsalabs/pkcs/pkcs-5/index.html> - * RSA's PKCS5 Page</a> - */ -public class PKCS5S2ParametersGenerator - extends PBEParametersGenerator -{ - private Mac hMac; - private byte[] state; - - /** - * construct a PKCS5 Scheme 2 Parameters generator. - */ - public PKCS5S2ParametersGenerator() - { - this(new SHA1Digest()); - } - - public PKCS5S2ParametersGenerator(Digest digest) - { - hMac = new HMac(digest); - state = new byte[hMac.getMacSize()]; - } - - private void F( - byte[] S, - int c, - byte[] iBuf, - byte[] out, - int outOff) - { - if (c == 0) - { - throw new IllegalArgumentException("iteration count must be at least 1."); - } - - if (S != null) - { - hMac.update(S, 0, S.length); - } - - hMac.update(iBuf, 0, iBuf.length); - hMac.doFinal(state, 0); - - System.arraycopy(state, 0, out, outOff, state.length); - - for (int count = 1; count < c; count++) - { - hMac.update(state, 0, state.length); - hMac.doFinal(state, 0); - - for (int j = 0; j != state.length; j++) - { - out[outOff + j] ^= state[j]; - } - } - } - - private byte[] generateDerivedKey( - int dkLen) - { - int hLen = hMac.getMacSize(); - int l = (dkLen + hLen - 1) / hLen; - byte[] iBuf = new byte[4]; - byte[] outBytes = new byte[l * hLen]; - int outPos = 0; - - CipherParameters param = new KeyParameter(password); - - hMac.init(param); - - for (int i = 1; i <= l; i++) - { - // Increment the value in 'iBuf' - int pos = 3; - while (++iBuf[pos] == 0) - { - --pos; - } - - F(salt, iterationCount, iBuf, outBytes, outPos); - outPos += hLen; - } - - return outBytes; - } - - /** - * Generate a key parameter derived from the password, salt, and iteration - * count we are currently initialised with. - * - * @param keySize the size of the key we want (in bits) - * @return a KeyParameter object. - */ - public CipherParameters generateDerivedParameters( - int keySize) - { - keySize = keySize / 8; - - byte[] dKey = generateDerivedKey(keySize); - - return new KeyParameter(dKey, 0, keySize); - } - - /** - * Generate a key with initialisation vector parameter derived from - * the password, salt, and iteration count we are currently initialised - * with. - * - * @param keySize the size of the key we want (in bits) - * @param ivSize the size of the iv we want (in bits) - * @return a ParametersWithIV object. - */ - public CipherParameters generateDerivedParameters( - int keySize, - int ivSize) - { - keySize = keySize / 8; - ivSize = ivSize / 8; - - byte[] dKey = generateDerivedKey(keySize + ivSize); - - return new ParametersWithIV(new KeyParameter(dKey, 0, keySize), dKey, keySize, ivSize); - } - - /** - * Generate a key parameter for use with a MAC derived from the password, - * salt, and iteration count we are currently initialised with. - * - * @param keySize the size of the key we want (in bits) - * @return a KeyParameter object. - */ - public CipherParameters generateDerivedMacParameters( - int keySize) - { - return generateDerivedParameters(keySize); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/Poly1305KeyGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/Poly1305KeyGenerator.java deleted file mode 100644 index 59eee39e..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/Poly1305KeyGenerator.java +++ /dev/null @@ -1,117 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import org.bouncycastle.crypto.CipherKeyGenerator; -import org.bouncycastle.crypto.KeyGenerationParameters; -import org.bouncycastle.crypto.macs.Poly1305; - -/** - * Generates keys for the Poly1305 MAC. - * <p> - * Poly1305 keys are 256 bit keys consisting of a 128 bit secret key used for the underlying block - * cipher followed by a 128 bit {@code r} value used for the polynomial portion of the Mac. <br> - * The {@code r} value has a specific format with some bits required to be cleared, resulting in an - * effective 106 bit key. <br> - * A separately generated 256 bit key can be modified to fit the Poly1305 key format by using the - * {@link #clamp(byte[])} method to clear the required bits. - * - * @see Poly1305 - */ -public class Poly1305KeyGenerator - extends CipherKeyGenerator -{ - private static final byte R_MASK_LOW_2 = (byte)0xFC; - private static final byte R_MASK_HIGH_4 = (byte)0x0F; - - /** - * Initialises the key generator.<br> - * Poly1305 keys are always 256 bits, so the key length in the provided parameters is ignored. - */ - public void init(KeyGenerationParameters param) - { - // Poly1305 keys are always 256 bits - super.init(new KeyGenerationParameters(param.getRandom(), 256)); - } - - /** - * Generates a 256 bit key in the format required for Poly1305 - e.g. - * <code>k[0] ... k[15], r[0] ... r[15]</code> with the required bits in <code>r</code> cleared - * as per {@link #clamp(byte[])}. - */ - public byte[] generateKey() - { - final byte[] key = super.generateKey(); - clamp(key); - return key; - } - - /** - * Modifies an existing 32 byte key value to comply with the requirements of the Poly1305 key by - * clearing required bits in the <code>r</code> (second 16 bytes) portion of the key.<br> - * Specifically: - * <ul> - * <li>r[3], r[7], r[11], r[15] have top four bits clear (i.e., are {0, 1, . . . , 15})</li> - * <li>r[4], r[8], r[12] have bottom two bits clear (i.e., are in {0, 4, 8, . . . , 252})</li> - * </ul> - * - * @param key a 32 byte key value <code>k[0] ... k[15], r[0] ... r[15]</code> - */ - public static void clamp(byte[] key) - { - /* - * Key is k[0] ... k[15], r[0] ... r[15] as per poly1305_aes_clamp in ref impl. - */ - if (key.length != 32) - { - throw new IllegalArgumentException("Poly1305 key must be 256 bits."); - } - - /* - * r[3], r[7], r[11], r[15] have top four bits clear (i.e., are {0, 1, . . . , 15}) - */ - key[19] &= R_MASK_HIGH_4; - key[23] &= R_MASK_HIGH_4; - key[27] &= R_MASK_HIGH_4; - key[31] &= R_MASK_HIGH_4; - - /* - * r[4], r[8], r[12] have bottom two bits clear (i.e., are in {0, 4, 8, . . . , 252}). - */ - key[20] &= R_MASK_LOW_2; - key[24] &= R_MASK_LOW_2; - key[28] &= R_MASK_LOW_2; - } - - /** - * Checks a 32 byte key for compliance with the Poly1305 key requirements, e.g. - * <code>k[0] ... k[15], r[0] ... r[15]</code> with the required bits in <code>r</code> cleared - * as per {@link #clamp(byte[])}. - * - * @throws IllegalArgumentException if the key is of the wrong length, or has invalid bits set - * in the <code>r</code> portion of the key. - */ - public static void checkKey(byte[] key) - { - if (key.length != 32) - { - throw new IllegalArgumentException("Poly1305 key must be 256 bits."); - } - - checkMask(key[19], R_MASK_HIGH_4); - checkMask(key[23], R_MASK_HIGH_4); - checkMask(key[27], R_MASK_HIGH_4); - checkMask(key[31], R_MASK_HIGH_4); - - checkMask(key[20], R_MASK_LOW_2); - checkMask(key[24], R_MASK_LOW_2); - checkMask(key[28], R_MASK_LOW_2); - } - - private static void checkMask(byte b, byte mask) - { - if ((b & (~mask)) != 0) - { - throw new IllegalArgumentException("Invalid format for r portion of Poly1305 key."); - } - } - -}
\ No newline at end of file diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/RSABlindingFactorGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/RSABlindingFactorGenerator.java deleted file mode 100644 index add67143..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/RSABlindingFactorGenerator.java +++ /dev/null @@ -1,77 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.params.ParametersWithRandom; -import org.bouncycastle.crypto.params.RSAKeyParameters; -import org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters; - -import java.math.BigInteger; -import java.security.SecureRandom; - -/** - * Generate a random factor suitable for use with RSA blind signatures - * as outlined in Chaum's blinding and unblinding as outlined in - * "Handbook of Applied Cryptography", page 475. - */ -public class RSABlindingFactorGenerator -{ - private static BigInteger ZERO = BigInteger.valueOf(0); - private static BigInteger ONE = BigInteger.valueOf(1); - - private RSAKeyParameters key; - private SecureRandom random; - - /** - * Initialise the factor generator - * - * @param param the necessary RSA key parameters. - */ - public void init( - CipherParameters param) - { - if (param instanceof ParametersWithRandom) - { - ParametersWithRandom rParam = (ParametersWithRandom)param; - - key = (RSAKeyParameters)rParam.getParameters(); - random = rParam.getRandom(); - } - else - { - key = (RSAKeyParameters)param; - random = new SecureRandom(); - } - - if (key instanceof RSAPrivateCrtKeyParameters) - { - throw new IllegalArgumentException("generator requires RSA public key"); - } - } - - /** - * Generate a suitable blind factor for the public key the generator was initialised with. - * - * @return a random blind factor - */ - public BigInteger generateBlindingFactor() - { - if (key == null) - { - throw new IllegalStateException("generator not initialised"); - } - - BigInteger m = key.getModulus(); - int length = m.bitLength() - 1; // must be less than m.bitLength() - BigInteger factor; - BigInteger gcd; - - do - { - factor = new BigInteger(length, random); - gcd = factor.gcd(m); - } - while (factor.equals(ZERO) || factor.equals(ONE) || !gcd.equals(ONE)); - - return factor; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/RSAKeyPairGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/RSAKeyPairGenerator.java deleted file mode 100644 index 928c6a6e..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/RSAKeyPairGenerator.java +++ /dev/null @@ -1,153 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import org.bouncycastle.crypto.AsymmetricCipherKeyPair; -import org.bouncycastle.crypto.AsymmetricCipherKeyPairGenerator; -import org.bouncycastle.crypto.KeyGenerationParameters; -import org.bouncycastle.crypto.params.RSAKeyGenerationParameters; -import org.bouncycastle.crypto.params.RSAKeyParameters; -import org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters; -import org.bouncycastle.math.ec.WNafUtil; - -import java.math.BigInteger; - -/** - * an RSA key pair generator. - */ -public class RSAKeyPairGenerator - implements AsymmetricCipherKeyPairGenerator -{ - private static final BigInteger ONE = BigInteger.valueOf(1); - - private RSAKeyGenerationParameters param; - - public void init(KeyGenerationParameters param) - { - this.param = (RSAKeyGenerationParameters)param; - } - - public AsymmetricCipherKeyPair generateKeyPair() - { - BigInteger p, q, n, d, e, pSub1, qSub1, phi; - - // - // p and q values should have a length of half the strength in bits - // - int strength = param.getStrength(); - int qBitlength = strength >>> 1; - int pBitlength = strength - qBitlength; - int mindiffbits = strength / 3; - int minWeight = strength >>> 2; - - e = param.getPublicExponent(); - - // TODO Consider generating safe primes for p, q (see DHParametersHelper.generateSafePrimes) - // (then p-1 and q-1 will not consist of only small factors - see "Pollard's algorithm") - - p = chooseRandomPrime(pBitlength, e); - - // - // generate a modulus of the required length - // - for (;;) - { - q = chooseRandomPrime(qBitlength, e); - - // p and q should not be too close together (or equal!) - BigInteger diff = q.subtract(p).abs(); - if (diff.bitLength() < mindiffbits) - { - continue; - } - - // - // calculate the modulus - // - n = p.multiply(q); - - if (n.bitLength() != strength) - { - // - // if we get here our primes aren't big enough, make the largest - // of the two p and try again - // - p = p.max(q); - continue; - } - - /* - * Require a minimum weight of the NAF representation, since low-weight composites may - * be weak against a version of the number-field-sieve for factoring. - * - * See "The number field sieve for integers of low weight", Oliver Schirokauer. - */ - if (WNafUtil.getNafWeight(n) < minWeight) - { - p = chooseRandomPrime(pBitlength, e); - continue; - } - - break; - } - - if (p.compareTo(q) < 0) - { - phi = p; - p = q; - q = phi; - } - - pSub1 = p.subtract(ONE); - qSub1 = q.subtract(ONE); - phi = pSub1.multiply(qSub1); - - // - // calculate the private exponent - // - d = e.modInverse(phi); - - // - // calculate the CRT factors - // - BigInteger dP, dQ, qInv; - - dP = d.remainder(pSub1); - dQ = d.remainder(qSub1); - qInv = q.modInverse(p); - - return new AsymmetricCipherKeyPair( - new RSAKeyParameters(false, n, e), - new RSAPrivateCrtKeyParameters(n, e, d, p, q, dP, dQ, qInv)); - } - - /** - * Choose a random prime value for use with RSA - * - * @param bitlength the bit-length of the returned prime - * @param e the RSA public exponent - * @return a prime p, with (p-1) relatively prime to e - */ - protected BigInteger chooseRandomPrime(int bitlength, BigInteger e) - { - for (;;) - { - BigInteger p = new BigInteger(bitlength, 1, param.getRandom()); - - if (p.mod(e).equals(ONE)) - { - continue; - } - - if (!p.isProbablePrime(param.getCertainty())) - { - continue; - } - - if (!e.gcd(p.subtract(ONE)).equals(ONE)) - { - continue; - } - - return p; - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/SCrypt.java b/core/src/main/java/org/bouncycastle/crypto/generators/SCrypt.java deleted file mode 100644 index 0b3dc147..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/generators/SCrypt.java +++ /dev/null @@ -1,198 +0,0 @@ -package org.bouncycastle.crypto.generators; - -import org.bouncycastle.crypto.PBEParametersGenerator; -import org.bouncycastle.crypto.digests.SHA256Digest; -import org.bouncycastle.crypto.engines.Salsa20Engine; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.util.Arrays; -import org.bouncycastle.util.Pack; - -/** - * Implementation of the scrypt a password-based key derivation function. - * <p> - * Scrypt was created by Colin Percival and is specified in <a - * href="http://tools.ietf.org/html/draft-josefsson-scrypt-kdf-01">draft-josefsson-scrypt-kd</a> - * - */ -public class SCrypt -{ - /** - * Generate a key using the scrypt key derivation function. - * - * @param P the bytes of the pass phrase. - * @param S the salt to use for this invocation. - * @param N CPU/Memory cost parameter. Must be larger than 1, a power of 2 and less than - * <code>2^(128 * r / 8)</code>. - * @param r the block size, must be >= 1. - * @param p Parallelization parameter. Must be a positive integer less than or equal to - * <code>Integer.MAX_VALUE / (128 * r * 8)</code>. - * - * @param dkLen the length of the key to generate. - * @return the generated key. - */ - public static byte[] generate(byte[] P, byte[] S, int N, int r, int p, int dkLen) - { - if (P== null) - { - throw new IllegalArgumentException("Passphrase P must be provided."); - } - if (S == null) - { - throw new IllegalArgumentException("Salt S must be provided."); - } - if (N <= 1) - { - throw new IllegalArgumentException("Cost parameter N must be > 1."); - } - // Only value of r that cost (as an int) could be exceeded for is 1 - if (r == 1 && N > 65536) - { - throw new IllegalArgumentException("Cost parameter N must be > 1 and < 65536."); - } - if (r < 1) - { - throw new IllegalArgumentException("Block size r must be >= 1."); - } - int maxParallel = Integer.MAX_VALUE / (128 * r * 8); - if (p < 1 || p > maxParallel) - { - throw new IllegalArgumentException("Parallelisation parameter p must be >= 1 and <= " + maxParallel - + " (based on block size r of " + r + ")"); - } - if (dkLen < 1) - { - throw new IllegalArgumentException("Generated key length dkLen must be >= 1."); - } - return MFcrypt(P, S, N, r, p, dkLen); - } - - private static byte[] MFcrypt(byte[] P, byte[] S, int N, int r, int p, int dkLen) - { - int MFLenBytes = r * 128; - byte[] bytes = SingleIterationPBKDF2(P, S, p * MFLenBytes); - - int[] B = null; - - try - { - int BLen = bytes.length >>> 2; - B = new int[BLen]; - - Pack.littleEndianToInt(bytes, 0, B); - - int MFLenWords = MFLenBytes >>> 2; - for (int BOff = 0; BOff < BLen; BOff += MFLenWords) - { - // TODO These can be done in parallel threads - SMix(B, BOff, N, r); - } - - Pack.intToLittleEndian(B, bytes, 0); - - return SingleIterationPBKDF2(P, bytes, dkLen); - } - finally - { - Clear(bytes); - Clear(B); - } - } - - private static byte[] SingleIterationPBKDF2(byte[] P, byte[] S, int dkLen) - { - PBEParametersGenerator pGen = new PKCS5S2ParametersGenerator(new SHA256Digest()); - pGen.init(P, S, 1); - KeyParameter key = (KeyParameter) pGen.generateDerivedMacParameters(dkLen * 8); - return key.getKey(); - } - - private static void SMix(int[] B, int BOff, int N, int r) - { - int BCount = r * 32; - - int[] blockX1 = new int[16]; - int[] blockX2 = new int[16]; - int[] blockY = new int[BCount]; - - int[] X = new int[BCount]; - int[][] V = new int[N][]; - - try - { - System.arraycopy(B, BOff, X, 0, BCount); - - for (int i = 0; i < N; ++i) - { - V[i] = Arrays.clone(X); - BlockMix(X, blockX1, blockX2, blockY, r); - } - - int mask = N - 1; - for (int i = 0; i < N; ++i) - { - int j = X[BCount - 16] & mask; - Xor(X, V[j], 0, X); - BlockMix(X, blockX1, blockX2, blockY, r); - } - - System.arraycopy(X, 0, B, BOff, BCount); - } - finally - { - ClearAll(V); - ClearAll(new int[][]{ X, blockX1, blockX2, blockY }); - } - } - - private static void BlockMix(int[] B, int[] X1, int[] X2, int[] Y, int r) - { - System.arraycopy(B, B.length - 16, X1, 0, 16); - - int BOff = 0, YOff = 0, halfLen = B.length >>> 1; - - for (int i = 2 * r; i > 0; --i) - { - Xor(X1, B, BOff, X2); - - Salsa20Engine.salsaCore(8, X2, X1); - System.arraycopy(X1, 0, Y, YOff, 16); - - YOff = halfLen + BOff - YOff; - BOff += 16; - } - - System.arraycopy(Y, 0, B, 0, Y.length); - } - - private static void Xor(int[] a, int[] b, int bOff, int[] output) - { - for (int i = output.length - 1; i >= 0; --i) - { - output[i] = a[i] ^ b[bOff + i]; - } - } - - private static void Clear(byte[] array) - { - if (array != null) - { - Arrays.fill(array, (byte)0); - } - } - - private static void Clear(int[] array) - { - if (array != null) - { - Arrays.fill(array, 0); - } - } - - private static void ClearAll(int[][] arrays) - { - for (int i = 0; i < arrays.length; ++i) - { - Clear(arrays[i]); - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/io/CipherIOException.java b/core/src/main/java/org/bouncycastle/crypto/io/CipherIOException.java deleted file mode 100644 index beeb60bc..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/io/CipherIOException.java +++ /dev/null @@ -1,26 +0,0 @@ -package org.bouncycastle.crypto.io; - -import java.io.IOException; - -/** - * {@link IOException} wrapper around an exception indicating a problem with the use of a cipher. - */ -public class CipherIOException - extends IOException -{ - private static final long serialVersionUID = 1L; - - private final Throwable cause; - - public CipherIOException(String message, Throwable cause) - { - super(message); - - this.cause = cause; - } - - public Throwable getCause() - { - return cause; - } -}
\ No newline at end of file diff --git a/core/src/main/java/org/bouncycastle/crypto/io/CipherInputStream.java b/core/src/main/java/org/bouncycastle/crypto/io/CipherInputStream.java deleted file mode 100644 index b06d1f53..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/io/CipherInputStream.java +++ /dev/null @@ -1,477 +0,0 @@ -package org.bouncycastle.crypto.io; - -import java.io.FilterInputStream; -import java.io.IOException; -import java.io.InputStream; - -import org.bouncycastle.crypto.BufferedBlockCipher; -import org.bouncycastle.crypto.InvalidCipherTextException; -import org.bouncycastle.crypto.SkippingCipher; -import org.bouncycastle.crypto.StreamCipher; -import org.bouncycastle.crypto.modes.AEADBlockCipher; -import org.bouncycastle.util.Arrays; - -/** - * A CipherInputStream is composed of an InputStream and a cipher so that read() methods return data - * that are read in from the underlying InputStream but have been additionally processed by the - * Cipher. The cipher must be fully initialized before being used by a CipherInputStream. - * <p> - * For example, if the Cipher is initialized for decryption, the - * CipherInputStream will attempt to read in data and decrypt them, - * before returning the decrypted data. - */ -public class CipherInputStream - extends FilterInputStream -{ - private static final int INPUT_BUF_SIZE = 2048; - - private SkippingCipher skippingCipher; - private byte[] inBuf; - - private BufferedBlockCipher bufferedBlockCipher; - private StreamCipher streamCipher; - private AEADBlockCipher aeadBlockCipher; - - private byte[] buf; - private byte[] markBuf; - - - private int bufOff; - private int maxBuf; - private boolean finalized; - private long markPosition; - private int markBufOff; - - /** - * Constructs a CipherInputStream from an InputStream and a - * BufferedBlockCipher. - */ - public CipherInputStream( - InputStream is, - BufferedBlockCipher cipher) - { - this(is, cipher, INPUT_BUF_SIZE); - } - - /** - * Constructs a CipherInputStream from an InputStream and a StreamCipher. - */ - public CipherInputStream( - InputStream is, - StreamCipher cipher) - { - this(is, cipher, INPUT_BUF_SIZE); - } - - /** - * Constructs a CipherInputStream from an InputStream and an AEADBlockCipher. - */ - public CipherInputStream( - InputStream is, - AEADBlockCipher cipher) - { - this(is, cipher, INPUT_BUF_SIZE); - } - - /** - * Constructs a CipherInputStream from an InputStream, a - * BufferedBlockCipher, and a specified internal buffer size. - */ - public CipherInputStream( - InputStream is, - BufferedBlockCipher cipher, - int bufSize) - { - super(is); - - this.bufferedBlockCipher = cipher; - this.inBuf = new byte[bufSize]; - this.skippingCipher = (cipher instanceof SkippingCipher) ? (SkippingCipher)cipher : null; - } - - /** - * Constructs a CipherInputStream from an InputStream, a StreamCipher, and a specified internal buffer size. - */ - public CipherInputStream( - InputStream is, - StreamCipher cipher, - int bufSize) - { - super(is); - - this.streamCipher = cipher; - this.inBuf = new byte[bufSize]; - this.skippingCipher = (cipher instanceof SkippingCipher) ? (SkippingCipher)cipher : null; - } - - /** - * Constructs a CipherInputStream from an InputStream, an AEADBlockCipher, and a specified internal buffer size. - */ - public CipherInputStream( - InputStream is, - AEADBlockCipher cipher, - int bufSize) - { - super(is); - - this.aeadBlockCipher = cipher; - this.inBuf = new byte[bufSize]; - this.skippingCipher = (cipher instanceof SkippingCipher) ? (SkippingCipher)cipher : null; - } - - /** - * Read data from underlying stream and process with cipher until end of stream or some data is - * available after cipher processing. - * - * @return -1 to indicate end of stream, or the number of bytes (> 0) available. - */ - private int nextChunk() - throws IOException - { - if (finalized) - { - return -1; - } - - bufOff = 0; - maxBuf = 0; - - // Keep reading until EOF or cipher processing produces data - while (maxBuf == 0) - { - int read = in.read(inBuf); - if (read == -1) - { - finaliseCipher(); - if (maxBuf == 0) - { - return -1; - } - return maxBuf; - } - - try - { - ensureCapacity(read, false); - if (bufferedBlockCipher != null) - { - maxBuf = bufferedBlockCipher.processBytes(inBuf, 0, read, buf, 0); - } - else if (aeadBlockCipher != null) - { - maxBuf = aeadBlockCipher.processBytes(inBuf, 0, read, buf, 0); - } - else - { - streamCipher.processBytes(inBuf, 0, read, buf, 0); - maxBuf = read; - } - } - catch (Exception e) - { - throw new CipherIOException("Error processing stream ", e); - } - } - return maxBuf; - } - - private void finaliseCipher() - throws IOException - { - try - { - finalized = true; - ensureCapacity(0, true); - if (bufferedBlockCipher != null) - { - maxBuf = bufferedBlockCipher.doFinal(buf, 0); - } - else if (aeadBlockCipher != null) - { - maxBuf = aeadBlockCipher.doFinal(buf, 0); - } - else - { - maxBuf = 0; // a stream cipher - } - } - catch (final InvalidCipherTextException e) - { - throw new InvalidCipherTextIOException("Error finalising cipher", e); - } - catch (Exception e) - { - throw new IOException("Error finalising cipher " + e); - } - } - - /** - * Reads data from the underlying stream and processes it with the cipher until the cipher - * outputs data, and returns the next available byte. - * <p> - * If the underlying stream is exhausted by this call, the cipher will be finalised. - * </p> - * @throws IOException if there was an error closing the input stream. - * @throws InvalidCipherTextIOException if the data read from the stream was invalid ciphertext - * (e.g. the cipher is an AEAD cipher and the ciphertext tag check fails). - */ - public int read() - throws IOException - { - if (bufOff >= maxBuf) - { - if (nextChunk() < 0) - { - return -1; - } - } - - return buf[bufOff++] & 0xff; - } - - /** - * Reads data from the underlying stream and processes it with the cipher until the cipher - * outputs data, and then returns up to <code>b.length</code> bytes in the provided array. - * <p> - * If the underlying stream is exhausted by this call, the cipher will be finalised. - * </p> - * @param b the buffer into which the data is read. - * @return the total number of bytes read into the buffer, or <code>-1</code> if there is no - * more data because the end of the stream has been reached. - * @throws IOException if there was an error closing the input stream. - * @throws InvalidCipherTextIOException if the data read from the stream was invalid ciphertext - * (e.g. the cipher is an AEAD cipher and the ciphertext tag check fails). - */ - public int read( - byte[] b) - throws IOException - { - return read(b, 0, b.length); - } - - /** - * Reads data from the underlying stream and processes it with the cipher until the cipher - * outputs data, and then returns up to <code>len</code> bytes in the provided array. - * <p> - * If the underlying stream is exhausted by this call, the cipher will be finalised. - * </p> - * @param b the buffer into which the data is read. - * @param off the start offset in the destination array <code>b</code> - * @param len the maximum number of bytes read. - * @return the total number of bytes read into the buffer, or <code>-1</code> if there is no - * more data because the end of the stream has been reached. - * @throws IOException if there was an error closing the input stream. - * @throws InvalidCipherTextIOException if the data read from the stream was invalid ciphertext - * (e.g. the cipher is an AEAD cipher and the ciphertext tag check fails). - */ - public int read( - byte[] b, - int off, - int len) - throws IOException - { - if (bufOff >= maxBuf) - { - if (nextChunk() < 0) - { - return -1; - } - } - - int toSupply = Math.min(len, available()); - System.arraycopy(buf, bufOff, b, off, toSupply); - bufOff += toSupply; - return toSupply; - } - - public long skip( - long n) - throws IOException - { - if (n <= 0) - { - return 0; - } - - if (skippingCipher != null) - { - int avail = available(); - if (n <= avail) - { - bufOff += n; - - return n; - } - - bufOff = maxBuf; - - long skip = in.skip(n - avail); - - long cSkip = skippingCipher.skip(skip); - - if (skip != cSkip) - { - throw new IOException("Unable to skip cipher " + skip + " bytes."); - } - - return skip + avail; - } - else - { - int skip = (int)Math.min(n, available()); - bufOff += skip; - - return skip; - } - } - - public int available() - throws IOException - { - return maxBuf - bufOff; - } - - /** - * Ensure the cipher text buffer has space sufficient to accept an upcoming output. - * - * @param updateSize the size of the pending update. - * @param finalOutput <code>true</code> iff this the cipher is to be finalised. - */ - private void ensureCapacity(int updateSize, boolean finalOutput) - { - int bufLen = updateSize; - if (finalOutput) - { - if (bufferedBlockCipher != null) - { - bufLen = bufferedBlockCipher.getOutputSize(updateSize); - } - else if (aeadBlockCipher != null) - { - bufLen = aeadBlockCipher.getOutputSize(updateSize); - } - } - else - { - if (bufferedBlockCipher != null) - { - bufLen = bufferedBlockCipher.getUpdateOutputSize(updateSize); - } - else if (aeadBlockCipher != null) - { - bufLen = aeadBlockCipher.getUpdateOutputSize(updateSize); - } - } - - if ((buf == null) || (buf.length < bufLen)) - { - buf = new byte[bufLen]; - } - } - - /** - * Closes the underlying input stream and finalises the processing of the data by the cipher. - * - * @throws IOException if there was an error closing the input stream. - * @throws InvalidCipherTextIOException if the data read from the stream was invalid ciphertext - * (e.g. the cipher is an AEAD cipher and the ciphertext tag check fails). - */ - public void close() - throws IOException - { - try - { - in.close(); - } - finally - { - if (!finalized) - { - // Reset the cipher, discarding any data buffered in it - // Errors in cipher finalisation trump I/O error closing input - finaliseCipher(); - } - } - maxBuf = bufOff = 0; - markBufOff = 0; - markPosition = 0; - if (markBuf != null) - { - Arrays.fill(markBuf, (byte)0); - markBuf = null; - } - if (buf != null) - { - Arrays.fill(buf, (byte)0); - buf = null; - } - Arrays.fill(inBuf, (byte)0); - } - - /** - * Mark the current position. - * <p> - * This method only works if markSupported() returns true - which means the underlying stream supports marking, and the cipher passed - * in to this stream's constructor is a SkippingCipher (so capable of being reset to an arbitrary point easily). - * </p> - * @param readlimit the maximum read ahead required before a reset() may be called. - */ - public void mark(int readlimit) - { - in.mark(readlimit); - if (skippingCipher != null) - { - markPosition = skippingCipher.getPosition(); - } - - if (buf != null) - { - markBuf = new byte[buf.length]; - System.arraycopy(buf, 0, markBuf, 0, buf.length); - } - - markBufOff = bufOff; - } - - /** - * Reset to the last marked position, if supported. - * - * @throws IOException if marking not supported by the cipher used, or the underlying stream. - */ - public void reset() - throws IOException - { - if (skippingCipher == null) - { - throw new IOException("cipher must implement SkippingCipher to be used with reset()"); - } - - in.reset(); - - skippingCipher.seekTo(markPosition); - - if (markBuf != null) - { - buf = markBuf; - } - - bufOff = markBufOff; - } - - /** - * Return true if mark(readlimit) is supported. This will be true if the underlying stream supports marking and the - * cipher used is a SkippingCipher, - * - * @return true if mark(readlimit) supported, false otherwise. - */ - public boolean markSupported() - { - if (skippingCipher != null) - { - return in.markSupported(); - } - - return false; - } - -} diff --git a/core/src/main/java/org/bouncycastle/crypto/io/CipherOutputStream.java b/core/src/main/java/org/bouncycastle/crypto/io/CipherOutputStream.java deleted file mode 100644 index 5d5f0d11..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/io/CipherOutputStream.java +++ /dev/null @@ -1,276 +0,0 @@ -package org.bouncycastle.crypto.io; - -import java.io.FilterOutputStream; -import java.io.IOException; -import java.io.OutputStream; - -import org.bouncycastle.crypto.BufferedBlockCipher; -import org.bouncycastle.crypto.InvalidCipherTextException; -import org.bouncycastle.crypto.StreamCipher; -import org.bouncycastle.crypto.modes.AEADBlockCipher; - -/** - * A CipherOutputStream is composed of an OutputStream and a cipher so that write() methods process - * the written data with the cipher, and the output of the cipher is in turn written to the - * underlying OutputStream. The cipher must be fully initialized before being used by a - * CipherInputStream. - * <p> - * For example, if the cipher is initialized for encryption, the CipherOutputStream will encrypt the - * data before writing the encrypted data to the underlying stream. - */ -public class CipherOutputStream - extends FilterOutputStream -{ - private BufferedBlockCipher bufferedBlockCipher; - private StreamCipher streamCipher; - private AEADBlockCipher aeadBlockCipher; - - private final byte[] oneByte = new byte[1]; - private byte[] buf; - - /** - * Constructs a CipherOutputStream from an OutputStream and a - * BufferedBlockCipher. - */ - public CipherOutputStream( - OutputStream os, - BufferedBlockCipher cipher) - { - super(os); - this.bufferedBlockCipher = cipher; - } - - /** - * Constructs a CipherOutputStream from an OutputStream and a - * BufferedBlockCipher. - */ - public CipherOutputStream( - OutputStream os, - StreamCipher cipher) - { - super(os); - this.streamCipher = cipher; - } - - /** - * Constructs a CipherOutputStream from an OutputStream and a AEADBlockCipher. - */ - public CipherOutputStream(OutputStream os, AEADBlockCipher cipher) - { - super(os); - this.aeadBlockCipher = cipher; - } - - /** - * Writes the specified byte to this output stream. - * - * @param b the <code>byte</code>. - * @throws java.io.IOException if an I/O error occurs. - */ - public void write( - int b) - throws IOException - { - oneByte[0] = (byte)b; - - if (streamCipher != null) - { - out.write(streamCipher.returnByte((byte)b)); - } - else - { - write(oneByte, 0, 1); - } - } - - /** - * Writes <code>b.length</code> bytes from the specified byte array - * to this output stream. - * <p> - * The <code>write</code> method of - * <code>CipherOutputStream</code> calls the <code>write</code> - * method of three arguments with the three arguments - * <code>b</code>, <code>0</code>, and <code>b.length</code>. - * - * @param b the data. - * @throws java.io.IOException if an I/O error occurs. - * @see #write(byte[], int, int) - */ - public void write( - byte[] b) - throws IOException - { - write(b, 0, b.length); - } - - /** - * Writes <code>len</code> bytes from the specified byte array - * starting at offset <code>off</code> to this output stream. - * - * @param b the data. - * @param off the start offset in the data. - * @param len the number of bytes to write. - * @throws java.io.IOException if an I/O error occurs. - */ - public void write( - byte[] b, - int off, - int len) - throws IOException - { - ensureCapacity(len, false); - - if (bufferedBlockCipher != null) - { - int outLen = bufferedBlockCipher.processBytes(b, off, len, buf, 0); - - if (outLen != 0) - { - out.write(buf, 0, outLen); - } - } - else if (aeadBlockCipher != null) - { - int outLen = aeadBlockCipher.processBytes(b, off, len, buf, 0); - - if (outLen != 0) - { - out.write(buf, 0, outLen); - } - } - else - { - streamCipher.processBytes(b, off, len, buf, 0); - - out.write(buf, 0, len); - } - } - - /** - * Ensure the ciphertext buffer has space sufficient to accept an upcoming output. - * - * @param updateSize the size of the pending update. - * @param finalOutput <code>true</code> iff this the cipher is to be finalised. - */ - private void ensureCapacity(int updateSize, boolean finalOutput) - { - int bufLen = updateSize; - if (finalOutput) - { - if (bufferedBlockCipher != null) - { - bufLen = bufferedBlockCipher.getOutputSize(updateSize); - } - else if (aeadBlockCipher != null) - { - bufLen = aeadBlockCipher.getOutputSize(updateSize); - } - } - else - { - if (bufferedBlockCipher != null) - { - bufLen = bufferedBlockCipher.getUpdateOutputSize(updateSize); - } - else if (aeadBlockCipher != null) - { - bufLen = aeadBlockCipher.getUpdateOutputSize(updateSize); - } - } - - if ((buf == null) || (buf.length < bufLen)) - { - buf = new byte[bufLen]; - } - } - - /** - * Flushes this output stream by forcing any buffered output bytes - * that have already been processed by the encapsulated cipher object - * to be written out. - * <p> - * Any bytes buffered by the encapsulated cipher - * and waiting to be processed by it will not be written out. For example, - * if the encapsulated cipher is a block cipher, and the total number of - * bytes written using one of the <code>write</code> methods is less than - * the cipher's block size, no bytes will be written out. - * - * @throws java.io.IOException if an I/O error occurs. - */ - public void flush() - throws IOException - { - out.flush(); - } - - /** - * Closes this output stream and releases any system resources - * associated with this stream. - * <p> - * This method invokes the <code>doFinal</code> method of the encapsulated - * cipher object, which causes any bytes buffered by the encapsulated - * cipher to be processed. The result is written out by calling the - * <code>flush</code> method of this output stream. - * <p> - * This method resets the encapsulated cipher object to its initial state - * and calls the <code>close</code> method of the underlying output - * stream. - * - * @throws java.io.IOException if an I/O error occurs. - * @throws InvalidCipherTextIOException if the data written to this stream was invalid ciphertext - * (e.g. the cipher is an AEAD cipher and the ciphertext tag check fails). - */ - public void close() - throws IOException - { - ensureCapacity(0, true); - IOException error = null; - try - { - if (bufferedBlockCipher != null) - { - int outLen = bufferedBlockCipher.doFinal(buf, 0); - - if (outLen != 0) - { - out.write(buf, 0, outLen); - } - } - else if (aeadBlockCipher != null) - { - int outLen = aeadBlockCipher.doFinal(buf, 0); - - if (outLen != 0) - { - out.write(buf, 0, outLen); - } - } - } - catch (final InvalidCipherTextException e) - { - error = new InvalidCipherTextIOException("Error finalising cipher data", e); - } - catch (Exception e) - { - error = new CipherIOException("Error closing stream: ", e); - } - - try - { - flush(); - out.close(); - } - catch (IOException e) - { - // Invalid ciphertext takes precedence over close error - if (error == null) - { - error = e; - } - } - if (error != null) - { - throw error; - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/io/DigestInputStream.java b/core/src/main/java/org/bouncycastle/crypto/io/DigestInputStream.java deleted file mode 100644 index ef0b03e2..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/io/DigestInputStream.java +++ /dev/null @@ -1,52 +0,0 @@ -package org.bouncycastle.crypto.io; - -import java.io.FilterInputStream; -import java.io.IOException; -import java.io.InputStream; - -import org.bouncycastle.crypto.Digest; - -public class DigestInputStream - extends FilterInputStream -{ - protected Digest digest; - - public DigestInputStream( - InputStream stream, - Digest digest) - { - super(stream); - this.digest = digest; - } - - public int read() - throws IOException - { - int b = in.read(); - - if (b >= 0) - { - digest.update((byte)b); - } - return b; - } - - public int read( - byte[] b, - int off, - int len) - throws IOException - { - int n = in.read(b, off, len); - if (n > 0) - { - digest.update(b, off, n); - } - return n; - } - - public Digest getDigest() - { - return digest; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/io/DigestOutputStream.java b/core/src/main/java/org/bouncycastle/crypto/io/DigestOutputStream.java deleted file mode 100644 index 23c7e539..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/io/DigestOutputStream.java +++ /dev/null @@ -1,42 +0,0 @@ -package org.bouncycastle.crypto.io; - -import java.io.IOException; -import java.io.OutputStream; - -import org.bouncycastle.crypto.Digest; - -public class DigestOutputStream - extends OutputStream -{ - protected Digest digest; - - public DigestOutputStream( - Digest Digest) - { - this.digest = Digest; - } - - public void write(int b) - throws IOException - { - digest.update((byte)b); - } - - public void write( - byte[] b, - int off, - int len) - throws IOException - { - digest.update(b, off, len); - } - - public byte[] getDigest() - { - byte[] res = new byte[digest.getDigestSize()]; - - digest.doFinal(res, 0); - - return res; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/io/InvalidCipherTextIOException.java b/core/src/main/java/org/bouncycastle/crypto/io/InvalidCipherTextIOException.java deleted file mode 100644 index 46561c67..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/io/InvalidCipherTextIOException.java +++ /dev/null @@ -1,19 +0,0 @@ -package org.bouncycastle.crypto.io; - -import java.io.IOException; - -/** - * {@link IOException} wrapper around an exception indicating an invalid ciphertext, such as in - * authentication failure during finalisation of an AEAD cipher. For use in streams that need to - * expose invalid ciphertext errors. - */ -public class InvalidCipherTextIOException - extends CipherIOException -{ - private static final long serialVersionUID = 1L; - - public InvalidCipherTextIOException(String message, Throwable cause) - { - super(message, cause); - } -}
\ No newline at end of file diff --git a/core/src/main/java/org/bouncycastle/crypto/io/MacInputStream.java b/core/src/main/java/org/bouncycastle/crypto/io/MacInputStream.java deleted file mode 100644 index b78548c6..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/io/MacInputStream.java +++ /dev/null @@ -1,52 +0,0 @@ -package org.bouncycastle.crypto.io; - -import java.io.FilterInputStream; -import java.io.IOException; -import java.io.InputStream; - -import org.bouncycastle.crypto.Mac; - -public class MacInputStream - extends FilterInputStream -{ - protected Mac mac; - - public MacInputStream( - InputStream stream, - Mac mac) - { - super(stream); - this.mac = mac; - } - - public int read() - throws IOException - { - int b = in.read(); - - if (b >= 0) - { - mac.update((byte)b); - } - return b; - } - - public int read( - byte[] b, - int off, - int len) - throws IOException - { - int n = in.read(b, off, len); - if (n >= 0) - { - mac.update(b, off, n); - } - return n; - } - - public Mac getMac() - { - return mac; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/io/MacOutputStream.java b/core/src/main/java/org/bouncycastle/crypto/io/MacOutputStream.java deleted file mode 100644 index 0f0e7dbe..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/io/MacOutputStream.java +++ /dev/null @@ -1,42 +0,0 @@ -package org.bouncycastle.crypto.io; - -import java.io.IOException; -import java.io.OutputStream; - -import org.bouncycastle.crypto.Mac; - -public class MacOutputStream - extends OutputStream -{ - protected Mac mac; - - public MacOutputStream( - Mac mac) - { - this.mac = mac; - } - - public void write(int b) - throws IOException - { - mac.update((byte)b); - } - - public void write( - byte[] b, - int off, - int len) - throws IOException - { - mac.update(b, off, len); - } - - public byte[] getMac() - { - byte[] res = new byte[mac.getMacSize()]; - - mac.doFinal(res, 0); - - return res; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/io/SignerInputStream.java b/core/src/main/java/org/bouncycastle/crypto/io/SignerInputStream.java deleted file mode 100644 index 9583e4cf..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/io/SignerInputStream.java +++ /dev/null @@ -1,52 +0,0 @@ -package org.bouncycastle.crypto.io; - -import java.io.FilterInputStream; -import java.io.IOException; -import java.io.InputStream; - -import org.bouncycastle.crypto.Signer; - -public class SignerInputStream - extends FilterInputStream -{ - protected Signer signer; - - public SignerInputStream( - InputStream stream, - Signer signer) - { - super(stream); - this.signer = signer; - } - - public int read() - throws IOException - { - int b = in.read(); - - if (b >= 0) - { - signer.update((byte)b); - } - return b; - } - - public int read( - byte[] b, - int off, - int len) - throws IOException - { - int n = in.read(b, off, len); - if (n > 0) - { - signer.update(b, off, n); - } - return n; - } - - public Signer getSigner() - { - return signer; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/io/SignerOutputStream.java b/core/src/main/java/org/bouncycastle/crypto/io/SignerOutputStream.java deleted file mode 100644 index 1c21b5dc..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/io/SignerOutputStream.java +++ /dev/null @@ -1,38 +0,0 @@ -package org.bouncycastle.crypto.io; - -import java.io.IOException; -import java.io.OutputStream; - -import org.bouncycastle.crypto.Signer; - -public class SignerOutputStream - extends OutputStream -{ - protected Signer signer; - - public SignerOutputStream( - Signer Signer) - { - this.signer = Signer; - } - - public void write(int b) - throws IOException - { - signer.update((byte)b); - } - - public void write( - byte[] b, - int off, - int len) - throws IOException - { - signer.update(b, off, len); - } - - public Signer getSigner() - { - return signer; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/kems/ECIESKeyEncapsulation.java b/core/src/main/java/org/bouncycastle/crypto/kems/ECIESKeyEncapsulation.java deleted file mode 100755 index 517acfb1..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/kems/ECIESKeyEncapsulation.java +++ /dev/null @@ -1,244 +0,0 @@ -package org.bouncycastle.crypto.kems; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DerivationFunction; -import org.bouncycastle.crypto.KeyEncapsulation; -import org.bouncycastle.crypto.params.ECDomainParameters; -import org.bouncycastle.crypto.params.ECKeyParameters; -import org.bouncycastle.crypto.params.ECPrivateKeyParameters; -import org.bouncycastle.crypto.params.ECPublicKeyParameters; -import org.bouncycastle.crypto.params.KDFParameters; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.math.ec.ECCurve; -import org.bouncycastle.math.ec.ECMultiplier; -import org.bouncycastle.math.ec.ECPoint; -import org.bouncycastle.math.ec.FixedPointCombMultiplier; -import org.bouncycastle.util.Arrays; -import org.bouncycastle.util.BigIntegers; - -/** - * The ECIES Key Encapsulation Mechanism (ECIES-KEM) from ISO 18033-2. - */ -public class ECIESKeyEncapsulation - implements KeyEncapsulation -{ - private static final BigInteger ONE = BigInteger.valueOf(1); - - private DerivationFunction kdf; - private SecureRandom rnd; - private ECKeyParameters key; - private boolean CofactorMode; - private boolean OldCofactorMode; - private boolean SingleHashMode; - - /** - * Set up the ECIES-KEM. - * - * @param kdf the key derivation function to be used. - * @param rnd the random source for the session key. - */ - public ECIESKeyEncapsulation( - DerivationFunction kdf, - SecureRandom rnd) - { - this.kdf = kdf; - this.rnd = rnd; - this.CofactorMode = false; - this.OldCofactorMode = false; - this.SingleHashMode = false; - } - - /** - * Set up the ECIES-KEM. - * - * @param kdf the key derivation function to be used. - * @param rnd the random source for the session key. - * @param cofactorMode true to use the new cofactor ECDH. - * @param oldCofactorMode true to use the old cofactor ECDH. - * @param singleHashMode true to use single hash mode. - */ - public ECIESKeyEncapsulation( - DerivationFunction kdf, - SecureRandom rnd, - boolean cofactorMode, - boolean oldCofactorMode, - boolean singleHashMode) - { - this.kdf = kdf; - this.rnd = rnd; - - // If both cofactorMode and oldCofactorMode are set to true - // then the implementation will use the new cofactor ECDH - this.CofactorMode = cofactorMode; - this.OldCofactorMode = oldCofactorMode; - this.SingleHashMode = singleHashMode; - } - - /** - * Initialise the ECIES-KEM. - * - * @param key the recipient's public (for encryption) or private (for decryption) key. - */ - public void init(CipherParameters key) - throws IllegalArgumentException - { - if (!(key instanceof ECKeyParameters)) - { - throw new IllegalArgumentException("EC key required"); - } - else - { - this.key = (ECKeyParameters)key; - } - } - - /** - * Generate and encapsulate a random session key. - * - * @param out the output buffer for the encapsulated key. - * @param outOff the offset for the output buffer. - * @param keyLen the length of the session key. - * @return the random session key. - */ - public CipherParameters encrypt(byte[] out, int outOff, int keyLen) - throws IllegalArgumentException - { - if (!(key instanceof ECPublicKeyParameters)) - { - throw new IllegalArgumentException("Public key required for encryption"); - } - - ECPublicKeyParameters ecPubKey = (ECPublicKeyParameters)key; - ECDomainParameters ecParams = ecPubKey.getParameters(); - ECCurve curve = ecParams.getCurve(); - BigInteger n = ecParams.getN(); - BigInteger h = ecParams.getH(); - - // Generate the ephemeral key pair - BigInteger r = BigIntegers.createRandomInRange(ONE, n, rnd); - - // Compute the static-ephemeral key agreement - BigInteger rPrime = CofactorMode ? r.multiply(h).mod(n) : r; - - ECMultiplier basePointMultiplier = createBasePointMultiplier(); - - ECPoint[] ghTilde = new ECPoint[]{ - basePointMultiplier.multiply(ecParams.getG(), r), - ecPubKey.getQ().multiply(rPrime) - }; - - // NOTE: More efficient than normalizing each individually - curve.normalizeAll(ghTilde); - - ECPoint gTilde = ghTilde[0], hTilde = ghTilde[1]; - - // Encode the ephemeral public key - byte[] C = gTilde.getEncoded(); - System.arraycopy(C, 0, out, outOff, C.length); - - // Encode the shared secret value - byte[] PEH = hTilde.getAffineXCoord().getEncoded(); - - // Initialise the KDF - byte[] kdfInput = SingleHashMode ? Arrays.concatenate(C, PEH) : PEH; - kdf.init(new KDFParameters(kdfInput, null)); - - // Generate the secret key - byte[] K = new byte[keyLen]; - kdf.generateBytes(K, 0, K.length); - - // Return the ciphertext - return new KeyParameter(K); - } - - /** - * Generate and encapsulate a random session key. - * - * @param out the output buffer for the encapsulated key. - * @param keyLen the length of the session key. - * @return the random session key. - */ - public CipherParameters encrypt(byte[] out, int keyLen) - { - return encrypt(out, 0, keyLen); - } - - /** - * Decrypt an encapsulated session key. - * - * @param in the input buffer for the encapsulated key. - * @param inOff the offset for the input buffer. - * @param inLen the length of the encapsulated key. - * @param keyLen the length of the session key. - * @return the session key. - */ - public CipherParameters decrypt(byte[] in, int inOff, int inLen, int keyLen) - throws IllegalArgumentException - { - if (!(key instanceof ECPrivateKeyParameters)) - { - throw new IllegalArgumentException("Private key required for encryption"); - } - - ECPrivateKeyParameters ecPrivKey = (ECPrivateKeyParameters)key; - ECDomainParameters ecParams = ecPrivKey.getParameters(); - ECCurve curve = ecParams.getCurve(); - BigInteger n = ecParams.getN(); - BigInteger h = ecParams.getH(); - - // Decode the ephemeral public key - byte[] C = new byte[inLen]; - System.arraycopy(in, inOff, C, 0, inLen); - - // NOTE: Decoded points are already normalized (i.e in affine form) - ECPoint gTilde = curve.decodePoint(C); - - // Compute the static-ephemeral key agreement - ECPoint gHat = gTilde; - if ((CofactorMode) || (OldCofactorMode)) - { - gHat = gHat.multiply(h); - } - - BigInteger xHat = ecPrivKey.getD(); - if (CofactorMode) - { - xHat = xHat.multiply(h.modInverse(n)).mod(n); - } - - ECPoint hTilde = gHat.multiply(xHat).normalize(); - - // Encode the shared secret value - byte[] PEH = hTilde.getAffineXCoord().getEncoded(); - - // Initialise the KDF - byte[] kdfInput = SingleHashMode ? Arrays.concatenate(C, PEH) : PEH; - kdf.init(new KDFParameters(kdfInput, null)); - - // Generate the secret key - byte[] K = new byte[keyLen]; - kdf.generateBytes(K, 0, K.length); - - return new KeyParameter(K); - } - - /** - * Decrypt an encapsulated session key. - * - * @param in the input buffer for the encapsulated key. - * @param keyLen the length of the session key. - * @return the session key. - */ - public CipherParameters decrypt(byte[] in, int keyLen) - { - return decrypt(in, 0, in.length, keyLen); - } - - protected ECMultiplier createBasePointMultiplier() - { - return new FixedPointCombMultiplier(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/kems/RSAKeyEncapsulation.java b/core/src/main/java/org/bouncycastle/crypto/kems/RSAKeyEncapsulation.java deleted file mode 100755 index 42fc2353..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/kems/RSAKeyEncapsulation.java +++ /dev/null @@ -1,155 +0,0 @@ -package org.bouncycastle.crypto.kems; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DerivationFunction; -import org.bouncycastle.crypto.KeyEncapsulation; -import org.bouncycastle.crypto.params.KDFParameters; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.RSAKeyParameters; -import org.bouncycastle.util.BigIntegers; - -/** - * The RSA Key Encapsulation Mechanism (RSA-KEM) from ISO 18033-2. - */ -public class RSAKeyEncapsulation - implements KeyEncapsulation -{ - private static final BigInteger ZERO = BigInteger.valueOf(0); - private static final BigInteger ONE = BigInteger.valueOf(1); - - private DerivationFunction kdf; - private SecureRandom rnd; - private RSAKeyParameters key; - - /** - * Set up the RSA-KEM. - * - * @param kdf the key derivation function to be used. - * @param rnd the random source for the session key. - */ - public RSAKeyEncapsulation( - DerivationFunction kdf, - SecureRandom rnd) - { - this.kdf = kdf; - this.rnd = rnd; - } - - /** - * Initialise the RSA-KEM. - * - * @param key the recipient's public (for encryption) or private (for decryption) key. - */ - public void init(CipherParameters key) - throws IllegalArgumentException - { - if (!(key instanceof RSAKeyParameters)) - { - throw new IllegalArgumentException("RSA key required"); - } - - this.key = (RSAKeyParameters)key; - } - - /** - * Generate and encapsulate a random session key. - * - * @param out the output buffer for the encapsulated key. - * @param outOff the offset for the output buffer. - * @param keyLen the length of the random session key. - * @return the random session key. - */ - public CipherParameters encrypt(byte[] out, int outOff, int keyLen) - throws IllegalArgumentException - { - if (key.isPrivate()) - { - throw new IllegalArgumentException("Public key required for encryption"); - } - - BigInteger n = key.getModulus(); - BigInteger e = key.getExponent(); - - // Generate the ephemeral random and encode it - BigInteger r = BigIntegers.createRandomInRange(ZERO, n.subtract(ONE), rnd); - - // Encrypt the random and encode it - BigInteger c = r.modPow(e, n); - byte[] C = BigIntegers.asUnsignedByteArray((n.bitLength() + 7) / 8, c); - System.arraycopy(C, 0, out, outOff, C.length); - - return generateKey(n, r, keyLen); - } - - /** - * Generate and encapsulate a random session key. - * - * @param out the output buffer for the encapsulated key. - * @param keyLen the length of the random session key. - * @return the random session key. - */ - public CipherParameters encrypt(byte[] out, int keyLen) - { - return encrypt(out, 0, keyLen); - } - - /** - * Decrypt an encapsulated session key. - * - * @param in the input buffer for the encapsulated key. - * @param inOff the offset for the input buffer. - * @param inLen the length of the encapsulated key. - * @param keyLen the length of the session key. - * @return the session key. - */ - public CipherParameters decrypt(byte[] in, int inOff, int inLen, int keyLen) - throws IllegalArgumentException - { - if (!key.isPrivate()) - { - throw new IllegalArgumentException("Private key required for decryption"); - } - - BigInteger n = key.getModulus(); - BigInteger d = key.getExponent(); - - // Decode the input - byte[] C = new byte[inLen]; - System.arraycopy(in, inOff, C, 0, C.length); - BigInteger c = new BigInteger(1, C); - - // Decrypt the ephemeral random and encode it - BigInteger r = c.modPow(d, n); - - return generateKey(n, r, keyLen); - } - - /** - * Decrypt an encapsulated session key. - * - * @param in the input buffer for the encapsulated key. - * @param keyLen the length of the session key. - * @return the session key. - */ - public CipherParameters decrypt(byte[] in, int keyLen) - { - return decrypt(in, 0, in.length, keyLen); - } - - protected KeyParameter generateKey(BigInteger n, BigInteger r, int keyLen) - { - byte[] R = BigIntegers.asUnsignedByteArray((n.bitLength() + 7) / 8, r); - - // Initialise the KDF - kdf.init(new KDFParameters(R, null)); - - // Generate the secret key - byte[] K = new byte[keyLen]; - kdf.generateBytes(K, 0, K.length); - - return new KeyParameter(K); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/macs/BlockCipherMac.java b/core/src/main/java/org/bouncycastle/crypto/macs/BlockCipherMac.java deleted file mode 100644 index 6de39a85..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/macs/BlockCipherMac.java +++ /dev/null @@ -1,174 +0,0 @@ -package org.bouncycastle.crypto.macs; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.Mac; -import org.bouncycastle.crypto.modes.CBCBlockCipher; - -public class BlockCipherMac - implements Mac -{ - private byte[] mac; - - private byte[] buf; - private int bufOff; - private BlockCipher cipher; - - private int macSize; - - /** - * create a standard MAC based on a block cipher. This will produce an - * authentication code half the length of the block size of the cipher. - * - * @param cipher the cipher to be used as the basis of the MAC generation. - * @deprecated use CBCBlockCipherMac - */ - public BlockCipherMac( - BlockCipher cipher) - { - this(cipher, (cipher.getBlockSize() * 8) / 2); - } - - /** - * create a standard MAC based on a block cipher with the size of the - * MAC been given in bits. - * <p> - * Note: the size of the MAC must be at least 16 bits (FIPS Publication 113), - * and in general should be less than the size of the block cipher as it reduces - * the chance of an exhaustive attack (see Handbook of Applied Cryptography). - * - * @param cipher the cipher to be used as the basis of the MAC generation. - * @param macSizeInBits the size of the MAC in bits, must be a multiple of 8. - * @deprecated use CBCBlockCipherMac - */ - public BlockCipherMac( - BlockCipher cipher, - int macSizeInBits) - { - if ((macSizeInBits % 8) != 0) - { - throw new IllegalArgumentException("MAC size must be multiple of 8"); - } - - this.cipher = new CBCBlockCipher(cipher); - this.macSize = macSizeInBits / 8; - - mac = new byte[cipher.getBlockSize()]; - - buf = new byte[cipher.getBlockSize()]; - bufOff = 0; - } - - public String getAlgorithmName() - { - return cipher.getAlgorithmName(); - } - - public void init( - CipherParameters params) - { - reset(); - - cipher.init(true, params); - } - - public int getMacSize() - { - return macSize; - } - - public void update( - byte in) - { - if (bufOff == buf.length) - { - cipher.processBlock(buf, 0, mac, 0); - bufOff = 0; - } - - buf[bufOff++] = in; - } - - public void update( - byte[] in, - int inOff, - int len) - { - if (len < 0) - { - throw new IllegalArgumentException("Can't have a negative input length!"); - } - - int blockSize = cipher.getBlockSize(); - int resultLen = 0; - int gapLen = blockSize - bufOff; - - if (len > gapLen) - { - System.arraycopy(in, inOff, buf, bufOff, gapLen); - - resultLen += cipher.processBlock(buf, 0, mac, 0); - - bufOff = 0; - len -= gapLen; - inOff += gapLen; - - while (len > blockSize) - { - resultLen += cipher.processBlock(in, inOff, mac, 0); - - len -= blockSize; - inOff += blockSize; - } - } - - System.arraycopy(in, inOff, buf, bufOff, len); - - bufOff += len; - } - - public int doFinal( - byte[] out, - int outOff) - { - int blockSize = cipher.getBlockSize(); - - // - // pad with zeroes - // - while (bufOff < blockSize) - { - buf[bufOff] = 0; - bufOff++; - } - - cipher.processBlock(buf, 0, mac, 0); - - System.arraycopy(mac, 0, out, outOff, macSize); - - reset(); - - return macSize; - } - - /** - * Reset the mac generator. - */ - public void reset() - { - /* - * clean the buffer. - */ - for (int i = 0; i < buf.length; i++) - { - buf[i] = 0; - } - - bufOff = 0; - - /* - * reset the underlying cipher. - */ - cipher.reset(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/macs/CBCBlockCipherMac.java b/core/src/main/java/org/bouncycastle/crypto/macs/CBCBlockCipherMac.java deleted file mode 100644 index 9bf6cb0e..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/macs/CBCBlockCipherMac.java +++ /dev/null @@ -1,229 +0,0 @@ -package org.bouncycastle.crypto.macs; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.Mac; -import org.bouncycastle.crypto.modes.CBCBlockCipher; -import org.bouncycastle.crypto.paddings.BlockCipherPadding; - -/** - * standard CBC Block Cipher MAC - if no padding is specified the default of - * pad of zeroes is used. - */ -public class CBCBlockCipherMac - implements Mac -{ - private byte[] mac; - - private byte[] buf; - private int bufOff; - private BlockCipher cipher; - private BlockCipherPadding padding; - - private int macSize; - - /** - * create a standard MAC based on a CBC block cipher. This will produce an - * authentication code half the length of the block size of the cipher. - * - * @param cipher the cipher to be used as the basis of the MAC generation. - */ - public CBCBlockCipherMac( - BlockCipher cipher) - { - this(cipher, (cipher.getBlockSize() * 8) / 2, null); - } - - /** - * create a standard MAC based on a CBC block cipher. This will produce an - * authentication code half the length of the block size of the cipher. - * - * @param cipher the cipher to be used as the basis of the MAC generation. - * @param padding the padding to be used to complete the last block. - */ - public CBCBlockCipherMac( - BlockCipher cipher, - BlockCipherPadding padding) - { - this(cipher, (cipher.getBlockSize() * 8) / 2, padding); - } - - /** - * create a standard MAC based on a block cipher with the size of the - * MAC been given in bits. This class uses CBC mode as the basis for the - * MAC generation. - * <p> - * Note: the size of the MAC must be at least 24 bits (FIPS Publication 81), - * or 16 bits if being used as a data authenticator (FIPS Publication 113), - * and in general should be less than the size of the block cipher as it reduces - * the chance of an exhaustive attack (see Handbook of Applied Cryptography). - * - * @param cipher the cipher to be used as the basis of the MAC generation. - * @param macSizeInBits the size of the MAC in bits, must be a multiple of 8. - */ - public CBCBlockCipherMac( - BlockCipher cipher, - int macSizeInBits) - { - this(cipher, macSizeInBits, null); - } - - /** - * create a standard MAC based on a block cipher with the size of the - * MAC been given in bits. This class uses CBC mode as the basis for the - * MAC generation. - * <p> - * Note: the size of the MAC must be at least 24 bits (FIPS Publication 81), - * or 16 bits if being used as a data authenticator (FIPS Publication 113), - * and in general should be less than the size of the block cipher as it reduces - * the chance of an exhaustive attack (see Handbook of Applied Cryptography). - * - * @param cipher the cipher to be used as the basis of the MAC generation. - * @param macSizeInBits the size of the MAC in bits, must be a multiple of 8. - * @param padding the padding to be used to complete the last block. - */ - public CBCBlockCipherMac( - BlockCipher cipher, - int macSizeInBits, - BlockCipherPadding padding) - { - if ((macSizeInBits % 8) != 0) - { - throw new IllegalArgumentException("MAC size must be multiple of 8"); - } - - this.cipher = new CBCBlockCipher(cipher); - this.padding = padding; - this.macSize = macSizeInBits / 8; - - mac = new byte[cipher.getBlockSize()]; - - buf = new byte[cipher.getBlockSize()]; - bufOff = 0; - } - - public String getAlgorithmName() - { - return cipher.getAlgorithmName(); - } - - public void init( - CipherParameters params) - { - reset(); - - cipher.init(true, params); - } - - public int getMacSize() - { - return macSize; - } - - public void update( - byte in) - { - if (bufOff == buf.length) - { - cipher.processBlock(buf, 0, mac, 0); - bufOff = 0; - } - - buf[bufOff++] = in; - } - - public void update( - byte[] in, - int inOff, - int len) - { - if (len < 0) - { - throw new IllegalArgumentException("Can't have a negative input length!"); - } - - int blockSize = cipher.getBlockSize(); - int gapLen = blockSize - bufOff; - - if (len > gapLen) - { - System.arraycopy(in, inOff, buf, bufOff, gapLen); - - cipher.processBlock(buf, 0, mac, 0); - - bufOff = 0; - len -= gapLen; - inOff += gapLen; - - while (len > blockSize) - { - cipher.processBlock(in, inOff, mac, 0); - - len -= blockSize; - inOff += blockSize; - } - } - - System.arraycopy(in, inOff, buf, bufOff, len); - - bufOff += len; - } - - public int doFinal( - byte[] out, - int outOff) - { - int blockSize = cipher.getBlockSize(); - - if (padding == null) - { - // - // pad with zeroes - // - while (bufOff < blockSize) - { - buf[bufOff] = 0; - bufOff++; - } - } - else - { - if (bufOff == blockSize) - { - cipher.processBlock(buf, 0, mac, 0); - bufOff = 0; - } - - padding.addPadding(buf, bufOff); - } - - cipher.processBlock(buf, 0, mac, 0); - - System.arraycopy(mac, 0, out, outOff, macSize); - - reset(); - - return macSize; - } - - /** - * Reset the mac generator. - */ - public void reset() - { - /* - * clean the buffer. - */ - for (int i = 0; i < buf.length; i++) - { - buf[i] = 0; - } - - bufOff = 0; - - /* - * reset the underlying cipher. - */ - cipher.reset(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/macs/CFBBlockCipherMac.java b/core/src/main/java/org/bouncycastle/crypto/macs/CFBBlockCipherMac.java deleted file mode 100644 index d7ad6126..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/macs/CFBBlockCipherMac.java +++ /dev/null @@ -1,388 +0,0 @@ -package org.bouncycastle.crypto.macs; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.Mac; -import org.bouncycastle.crypto.paddings.BlockCipherPadding; -import org.bouncycastle.crypto.params.ParametersWithIV; - -/** - * implements a Cipher-FeedBack (CFB) mode on top of a simple cipher. - */ -class MacCFBBlockCipher -{ - private byte[] IV; - private byte[] cfbV; - private byte[] cfbOutV; - - private int blockSize; - private BlockCipher cipher = null; - - /** - * Basic constructor. - * - * @param cipher the block cipher to be used as the basis of the - * feedback mode. - * @param blockSize the block size in bits (note: a multiple of 8) - */ - public MacCFBBlockCipher( - BlockCipher cipher, - int bitBlockSize) - { - this.cipher = cipher; - this.blockSize = bitBlockSize / 8; - - this.IV = new byte[cipher.getBlockSize()]; - this.cfbV = new byte[cipher.getBlockSize()]; - this.cfbOutV = new byte[cipher.getBlockSize()]; - } - - /** - * Initialise the cipher and, possibly, the initialisation vector (IV). - * If an IV isn't passed as part of the parameter, the IV will be all zeros. - * An IV which is too short is handled in FIPS compliant fashion. - * - * @param param the key and other data required by the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - CipherParameters params) - throws IllegalArgumentException - { - if (params instanceof ParametersWithIV) - { - ParametersWithIV ivParam = (ParametersWithIV)params; - byte[] iv = ivParam.getIV(); - - if (iv.length < IV.length) - { - System.arraycopy(iv, 0, IV, IV.length - iv.length, iv.length); - } - else - { - System.arraycopy(iv, 0, IV, 0, IV.length); - } - - reset(); - - cipher.init(true, ivParam.getParameters()); - } - else - { - reset(); - - cipher.init(true, params); - } - } - - /** - * return the algorithm name and mode. - * - * @return the name of the underlying algorithm followed by "/CFB" - * and the block size in bits. - */ - public String getAlgorithmName() - { - return cipher.getAlgorithmName() + "/CFB" + (blockSize * 8); - } - - /** - * return the block size we are operating at. - * - * @return the block size we are operating at (in bytes). - */ - public int getBlockSize() - { - return blockSize; - } - - /** - * Process one block of input from the array in and write it to - * the out array. - * - * @param in the array containing the input data. - * @param inOff offset into the in array the data starts at. - * @param out the array the output data will be copied into. - * @param outOff the offset into the out array the output will start at. - * @exception DataLengthException if there isn't enough data in in, or - * space in out. - * @exception IllegalStateException if the cipher isn't initialised. - * @return the number of bytes processed and produced. - */ - public int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - if ((inOff + blockSize) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + blockSize) > out.length) - { - throw new DataLengthException("output buffer too short"); - } - - cipher.processBlock(cfbV, 0, cfbOutV, 0); - - // - // XOR the cfbV with the plaintext producing the cipher text - // - for (int i = 0; i < blockSize; i++) - { - out[outOff + i] = (byte)(cfbOutV[i] ^ in[inOff + i]); - } - - // - // change over the input block. - // - System.arraycopy(cfbV, blockSize, cfbV, 0, cfbV.length - blockSize); - System.arraycopy(out, outOff, cfbV, cfbV.length - blockSize, blockSize); - - return blockSize; - } - - /** - * reset the chaining vector back to the IV and reset the underlying - * cipher. - */ - public void reset() - { - System.arraycopy(IV, 0, cfbV, 0, IV.length); - - cipher.reset(); - } - - void getMacBlock( - byte[] mac) - { - cipher.processBlock(cfbV, 0, mac, 0); - } -} - -public class CFBBlockCipherMac - implements Mac -{ - private byte[] mac; - - private byte[] buf; - private int bufOff; - private MacCFBBlockCipher cipher; - private BlockCipherPadding padding = null; - - - private int macSize; - - /** - * create a standard MAC based on a CFB block cipher. This will produce an - * authentication code half the length of the block size of the cipher, with - * the CFB mode set to 8 bits. - * - * @param cipher the cipher to be used as the basis of the MAC generation. - */ - public CFBBlockCipherMac( - BlockCipher cipher) - { - this(cipher, 8, (cipher.getBlockSize() * 8) / 2, null); - } - - /** - * create a standard MAC based on a CFB block cipher. This will produce an - * authentication code half the length of the block size of the cipher, with - * the CFB mode set to 8 bits. - * - * @param cipher the cipher to be used as the basis of the MAC generation. - * @param padding the padding to be used. - */ - public CFBBlockCipherMac( - BlockCipher cipher, - BlockCipherPadding padding) - { - this(cipher, 8, (cipher.getBlockSize() * 8) / 2, padding); - } - - /** - * create a standard MAC based on a block cipher with the size of the - * MAC been given in bits. This class uses CFB mode as the basis for the - * MAC generation. - * <p> - * Note: the size of the MAC must be at least 24 bits (FIPS Publication 81), - * or 16 bits if being used as a data authenticator (FIPS Publication 113), - * and in general should be less than the size of the block cipher as it reduces - * the chance of an exhaustive attack (see Handbook of Applied Cryptography). - * - * @param cipher the cipher to be used as the basis of the MAC generation. - * @param cfbBitSize the size of an output block produced by the CFB mode. - * @param macSizeInBits the size of the MAC in bits, must be a multiple of 8. - */ - public CFBBlockCipherMac( - BlockCipher cipher, - int cfbBitSize, - int macSizeInBits) - { - this(cipher, cfbBitSize, macSizeInBits, null); - } - - /** - * create a standard MAC based on a block cipher with the size of the - * MAC been given in bits. This class uses CFB mode as the basis for the - * MAC generation. - * <p> - * Note: the size of the MAC must be at least 24 bits (FIPS Publication 81), - * or 16 bits if being used as a data authenticator (FIPS Publication 113), - * and in general should be less than the size of the block cipher as it reduces - * the chance of an exhaustive attack (see Handbook of Applied Cryptography). - * - * @param cipher the cipher to be used as the basis of the MAC generation. - * @param cfbBitSize the size of an output block produced by the CFB mode. - * @param macSizeInBits the size of the MAC in bits, must be a multiple of 8. - * @param padding a padding to be used. - */ - public CFBBlockCipherMac( - BlockCipher cipher, - int cfbBitSize, - int macSizeInBits, - BlockCipherPadding padding) - { - if ((macSizeInBits % 8) != 0) - { - throw new IllegalArgumentException("MAC size must be multiple of 8"); - } - - mac = new byte[cipher.getBlockSize()]; - - this.cipher = new MacCFBBlockCipher(cipher, cfbBitSize); - this.padding = padding; - this.macSize = macSizeInBits / 8; - - buf = new byte[this.cipher.getBlockSize()]; - bufOff = 0; - } - - public String getAlgorithmName() - { - return cipher.getAlgorithmName(); - } - - public void init( - CipherParameters params) - { - reset(); - - cipher.init(params); - } - - public int getMacSize() - { - return macSize; - } - - public void update( - byte in) - { - if (bufOff == buf.length) - { - cipher.processBlock(buf, 0, mac, 0); - bufOff = 0; - } - - buf[bufOff++] = in; - } - - public void update( - byte[] in, - int inOff, - int len) - { - if (len < 0) - { - throw new IllegalArgumentException("Can't have a negative input length!"); - } - - int blockSize = cipher.getBlockSize(); - int resultLen = 0; - int gapLen = blockSize - bufOff; - - if (len > gapLen) - { - System.arraycopy(in, inOff, buf, bufOff, gapLen); - - resultLen += cipher.processBlock(buf, 0, mac, 0); - - bufOff = 0; - len -= gapLen; - inOff += gapLen; - - while (len > blockSize) - { - resultLen += cipher.processBlock(in, inOff, mac, 0); - - len -= blockSize; - inOff += blockSize; - } - } - - System.arraycopy(in, inOff, buf, bufOff, len); - - bufOff += len; - } - - public int doFinal( - byte[] out, - int outOff) - { - int blockSize = cipher.getBlockSize(); - - // - // pad with zeroes - // - if (this.padding == null) - { - while (bufOff < blockSize) - { - buf[bufOff] = 0; - bufOff++; - } - } - else - { - padding.addPadding(buf, bufOff); - } - - cipher.processBlock(buf, 0, mac, 0); - - cipher.getMacBlock(mac); - - System.arraycopy(mac, 0, out, outOff, macSize); - - reset(); - - return macSize; - } - - /** - * Reset the mac generator. - */ - public void reset() - { - /* - * clean the buffer. - */ - for (int i = 0; i < buf.length; i++) - { - buf[i] = 0; - } - - bufOff = 0; - - /* - * reset the underlying cipher. - */ - cipher.reset(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/macs/CMac.java b/core/src/main/java/org/bouncycastle/crypto/macs/CMac.java deleted file mode 100644 index 0492ae69..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/macs/CMac.java +++ /dev/null @@ -1,261 +0,0 @@ -package org.bouncycastle.crypto.macs; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.Mac; -import org.bouncycastle.crypto.modes.CBCBlockCipher; -import org.bouncycastle.crypto.paddings.ISO7816d4Padding; -import org.bouncycastle.crypto.params.KeyParameter; - -/** - * CMAC - as specified at www.nuee.nagoya-u.ac.jp/labs/tiwata/omac/omac.html - * <p> - * CMAC is analogous to OMAC1 - see also en.wikipedia.org/wiki/CMAC - * </p><p> - * CMAC is a NIST recomendation - see - * csrc.nist.gov/CryptoToolkit/modes/800-38_Series_Publications/SP800-38B.pdf - * </p><p> - * CMAC/OMAC1 is a blockcipher-based message authentication code designed and - * analyzed by Tetsu Iwata and Kaoru Kurosawa. - * </p><p> - * CMAC/OMAC1 is a simple variant of the CBC MAC (Cipher Block Chaining Message - * Authentication Code). OMAC stands for One-Key CBC MAC. - * </p><p> - * It supports 128- or 64-bits block ciphers, with any key size, and returns - * a MAC with dimension less or equal to the block size of the underlying - * cipher. - * </p> - */ -public class CMac implements Mac -{ - private static final byte CONSTANT_128 = (byte)0x87; - private static final byte CONSTANT_64 = (byte)0x1b; - - private byte[] ZEROES; - - private byte[] mac; - - private byte[] buf; - private int bufOff; - private BlockCipher cipher; - - private int macSize; - - private byte[] L, Lu, Lu2; - - /** - * create a standard MAC based on a CBC block cipher (64 or 128 bit block). - * This will produce an authentication code the length of the block size - * of the cipher. - * - * @param cipher the cipher to be used as the basis of the MAC generation. - */ - public CMac(BlockCipher cipher) - { - this(cipher, cipher.getBlockSize() * 8); - } - - /** - * create a standard MAC based on a block cipher with the size of the - * MAC been given in bits. - * <p> - * Note: the size of the MAC must be at least 24 bits (FIPS Publication 81), - * or 16 bits if being used as a data authenticator (FIPS Publication 113), - * and in general should be less than the size of the block cipher as it reduces - * the chance of an exhaustive attack (see Handbook of Applied Cryptography). - * - * @param cipher the cipher to be used as the basis of the MAC generation. - * @param macSizeInBits the size of the MAC in bits, must be a multiple of 8 and <= 128. - */ - public CMac(BlockCipher cipher, int macSizeInBits) - { - if ((macSizeInBits % 8) != 0) - { - throw new IllegalArgumentException("MAC size must be multiple of 8"); - } - - if (macSizeInBits > (cipher.getBlockSize() * 8)) - { - throw new IllegalArgumentException( - "MAC size must be less or equal to " - + (cipher.getBlockSize() * 8)); - } - - if (cipher.getBlockSize() != 8 && cipher.getBlockSize() != 16) - { - throw new IllegalArgumentException( - "Block size must be either 64 or 128 bits"); - } - - this.cipher = new CBCBlockCipher(cipher); - this.macSize = macSizeInBits / 8; - - mac = new byte[cipher.getBlockSize()]; - - buf = new byte[cipher.getBlockSize()]; - - ZEROES = new byte[cipher.getBlockSize()]; - - bufOff = 0; - } - - public String getAlgorithmName() - { - return cipher.getAlgorithmName(); - } - - private static int shiftLeft(byte[] block, byte[] output) - { - int i = block.length; - int bit = 0; - while (--i >= 0) - { - int b = block[i] & 0xff; - output[i] = (byte)((b << 1) | bit); - bit = (b >>> 7) & 1; - } - return bit; - } - - private static byte[] doubleLu(byte[] in) - { - byte[] ret = new byte[in.length]; - int carry = shiftLeft(in, ret); - int xor = 0xff & (in.length == 16 ? CONSTANT_128 : CONSTANT_64); - - /* - * NOTE: This construction is an attempt at a constant-time implementation. - */ - ret[in.length - 1] ^= (xor >>> ((1 - carry) << 3)); - - return ret; - } - - public void init(CipherParameters params) - { - validate(params); - - cipher.init(true, params); - - //initializes the L, Lu, Lu2 numbers - L = new byte[ZEROES.length]; - cipher.processBlock(ZEROES, 0, L, 0); - Lu = doubleLu(L); - Lu2 = doubleLu(Lu); - - reset(); - } - - void validate(CipherParameters params) - { - if (params != null) - { - if (!(params instanceof KeyParameter)) - { - // CMAC mode does not permit IV to underlying CBC mode - throw new IllegalArgumentException("CMac mode only permits key to be set."); - } - } - } - - public int getMacSize() - { - return macSize; - } - - public void update(byte in) - { - if (bufOff == buf.length) - { - cipher.processBlock(buf, 0, mac, 0); - bufOff = 0; - } - - buf[bufOff++] = in; - } - - public void update(byte[] in, int inOff, int len) - { - if (len < 0) - { - throw new IllegalArgumentException( - "Can't have a negative input length!"); - } - - int blockSize = cipher.getBlockSize(); - int gapLen = blockSize - bufOff; - - if (len > gapLen) - { - System.arraycopy(in, inOff, buf, bufOff, gapLen); - - cipher.processBlock(buf, 0, mac, 0); - - bufOff = 0; - len -= gapLen; - inOff += gapLen; - - while (len > blockSize) - { - cipher.processBlock(in, inOff, mac, 0); - - len -= blockSize; - inOff += blockSize; - } - } - - System.arraycopy(in, inOff, buf, bufOff, len); - - bufOff += len; - } - - public int doFinal(byte[] out, int outOff) - { - int blockSize = cipher.getBlockSize(); - - byte[] lu; - if (bufOff == blockSize) - { - lu = Lu; - } - else - { - new ISO7816d4Padding().addPadding(buf, bufOff); - lu = Lu2; - } - - for (int i = 0; i < mac.length; i++) - { - buf[i] ^= lu[i]; - } - - cipher.processBlock(buf, 0, mac, 0); - - System.arraycopy(mac, 0, out, outOff, macSize); - - reset(); - - return macSize; - } - - /** - * Reset the mac generator. - */ - public void reset() - { - /* - * clean the buffer. - */ - for (int i = 0; i < buf.length; i++) - { - buf[i] = 0; - } - - bufOff = 0; - - /* - * reset the underlying cipher. - */ - cipher.reset(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/macs/CMacWithIV.java b/core/src/main/java/org/bouncycastle/crypto/macs/CMacWithIV.java deleted file mode 100644 index a0371d95..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/macs/CMacWithIV.java +++ /dev/null @@ -1,27 +0,0 @@ -package org.bouncycastle.crypto.macs; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; - -/** - * A non-NIST variant which allows passing of an IV to the underlying CBC cipher. - * <p>Note: there isn't really a good reason to use an IV here, use the regular CMac where possible.</p> - */ -public class CMacWithIV - extends CMac -{ - public CMacWithIV(BlockCipher cipher) - { - super(cipher); - } - - public CMacWithIV(BlockCipher cipher, int macSizeInBits) - { - super(cipher, macSizeInBits); - } - - void validate(CipherParameters params) - { - // accept all - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/macs/GMac.java b/core/src/main/java/org/bouncycastle/crypto/macs/GMac.java deleted file mode 100644 index b34f9ea5..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/macs/GMac.java +++ /dev/null @@ -1,115 +0,0 @@ -package org.bouncycastle.crypto.macs; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.InvalidCipherTextException; -import org.bouncycastle.crypto.Mac; -import org.bouncycastle.crypto.modes.GCMBlockCipher; -import org.bouncycastle.crypto.params.AEADParameters; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.ParametersWithIV; - -/** - * The GMAC specialisation of Galois/Counter mode (GCM) detailed in NIST Special Publication - * 800-38D. - * <p> - * GMac is an invocation of the GCM mode where no data is encrypted (i.e. all input data to the Mac - * is processed as additional authenticated data with the underlying GCM block cipher). - */ -public class GMac implements Mac -{ - private final GCMBlockCipher cipher; - private final int macSizeBits; - - /** - * Creates a GMAC based on the operation of a block cipher in GCM mode. - * <p> - * This will produce an authentication code the length of the block size of the cipher. - * - * @param cipher - * the cipher to be used in GCM mode to generate the MAC. - */ - public GMac(final GCMBlockCipher cipher) - { - // use of this confused flow analyser in some earlier JDKs - this.cipher = cipher; - this.macSizeBits = 128; - } - - /** - * Creates a GMAC based on the operation of a 128 bit block cipher in GCM mode. - * - * @param macSizeBits - * the mac size to generate, in bits. Must be a multiple of 8 and >= 32 and <= 128. - * Sizes less than 96 are not recommended, but are supported for specialized applications. - * @param cipher - * the cipher to be used in GCM mode to generate the MAC. - */ - public GMac(final GCMBlockCipher cipher, final int macSizeBits) - { - this.cipher = cipher; - this.macSizeBits = macSizeBits; - } - - /** - * Initialises the GMAC - requires a {@link ParametersWithIV} providing a {@link KeyParameter} - * and a nonce. - */ - public void init(final CipherParameters params) throws IllegalArgumentException - { - if (params instanceof ParametersWithIV) - { - final ParametersWithIV param = (ParametersWithIV)params; - - final byte[] iv = param.getIV(); - final KeyParameter keyParam = (KeyParameter)param.getParameters(); - - // GCM is always operated in encrypt mode to calculate MAC - cipher.init(true, new AEADParameters(keyParam, macSizeBits, iv)); - } - else - { - throw new IllegalArgumentException("GMAC requires ParametersWithIV"); - } - } - - public String getAlgorithmName() - { - return cipher.getUnderlyingCipher().getAlgorithmName() + "-GMAC"; - } - - public int getMacSize() - { - return macSizeBits / 8; - } - - public void update(byte in) throws IllegalStateException - { - cipher.processAADByte(in); - } - - public void update(byte[] in, int inOff, int len) - throws DataLengthException, IllegalStateException - { - cipher.processAADBytes(in, inOff, len); - } - - public int doFinal(byte[] out, int outOff) - throws DataLengthException, IllegalStateException - { - try - { - return cipher.doFinal(out, outOff); - } - catch (InvalidCipherTextException e) - { - // Impossible in encrypt mode - throw new IllegalStateException(e.toString()); - } - } - - public void reset() - { - cipher.reset(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/macs/GOST28147Mac.java b/core/src/main/java/org/bouncycastle/crypto/macs/GOST28147Mac.java deleted file mode 100644 index b71975b8..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/macs/GOST28147Mac.java +++ /dev/null @@ -1,298 +0,0 @@ -package org.bouncycastle.crypto.macs; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.Mac; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.ParametersWithSBox; - -/** - * implementation of GOST 28147-89 MAC - */ -public class GOST28147Mac - implements Mac -{ - private int blockSize = 8; - private int macSize = 4; - private int bufOff; - private byte[] buf; - private byte[] mac; - private boolean firstStep = true; - private int[] workingKey = null; - - // - // This is default S-box - E_A. - private byte S[] = { - 0x9,0x6,0x3,0x2,0x8,0xB,0x1,0x7,0xA,0x4,0xE,0xF,0xC,0x0,0xD,0x5, - 0x3,0x7,0xE,0x9,0x8,0xA,0xF,0x0,0x5,0x2,0x6,0xC,0xB,0x4,0xD,0x1, - 0xE,0x4,0x6,0x2,0xB,0x3,0xD,0x8,0xC,0xF,0x5,0xA,0x0,0x7,0x1,0x9, - 0xE,0x7,0xA,0xC,0xD,0x1,0x3,0x9,0x0,0x2,0xB,0x4,0xF,0x8,0x5,0x6, - 0xB,0x5,0x1,0x9,0x8,0xD,0xF,0x0,0xE,0x4,0x2,0x3,0xC,0x7,0xA,0x6, - 0x3,0xA,0xD,0xC,0x1,0x2,0x0,0xB,0x7,0x5,0x9,0x4,0x8,0xF,0xE,0x6, - 0x1,0xD,0x2,0x9,0x7,0xA,0x6,0x0,0x8,0xC,0x4,0x5,0xF,0x3,0xB,0xE, - 0xB,0xA,0xF,0x5,0x0,0xC,0xE,0x8,0x6,0x2,0x3,0x9,0x1,0x7,0xD,0x4 - }; - - public GOST28147Mac() - { - mac = new byte[blockSize]; - - buf = new byte[blockSize]; - bufOff = 0; - } - - private int[] generateWorkingKey( - byte[] userKey) - { - if (userKey.length != 32) - { - throw new IllegalArgumentException("Key length invalid. Key needs to be 32 byte - 256 bit!!!"); - } - - int key[] = new int[8]; - for(int i=0; i!=8; i++) - { - key[i] = bytesToint(userKey,i*4); - } - - return key; - } - - public void init( - CipherParameters params) - throws IllegalArgumentException - { - reset(); - buf = new byte[blockSize]; - if (params instanceof ParametersWithSBox) - { - ParametersWithSBox param = (ParametersWithSBox)params; - - // - // Set the S-Box - // - System.arraycopy(param.getSBox(), 0, this.S, 0, param.getSBox().length); - - // - // set key if there is one - // - if (param.getParameters() != null) - { - workingKey = generateWorkingKey(((KeyParameter)param.getParameters()).getKey()); - } - } - else if (params instanceof KeyParameter) - { - workingKey = generateWorkingKey(((KeyParameter)params).getKey()); - } - else - { - throw new IllegalArgumentException("invalid parameter passed to GOST28147 init - " + params.getClass().getName()); - } - } - - public String getAlgorithmName() - { - return "GOST28147Mac"; - } - - public int getMacSize() - { - return macSize; - } - - private int gost28147_mainStep(int n1, int key) - { - int cm = (key + n1); // CM1 - - // S-box replacing - - int om = S[ 0 + ((cm >> (0 * 4)) & 0xF)] << (0 * 4); - om += S[ 16 + ((cm >> (1 * 4)) & 0xF)] << (1 * 4); - om += S[ 32 + ((cm >> (2 * 4)) & 0xF)] << (2 * 4); - om += S[ 48 + ((cm >> (3 * 4)) & 0xF)] << (3 * 4); - om += S[ 64 + ((cm >> (4 * 4)) & 0xF)] << (4 * 4); - om += S[ 80 + ((cm >> (5 * 4)) & 0xF)] << (5 * 4); - om += S[ 96 + ((cm >> (6 * 4)) & 0xF)] << (6 * 4); - om += S[112 + ((cm >> (7 * 4)) & 0xF)] << (7 * 4); - - return om << 11 | om >>> (32-11); // 11-leftshift - } - - private void gost28147MacFunc( - int[] workingKey, - byte[] in, - int inOff, - byte[] out, - int outOff) - { - int N1, N2, tmp; //tmp -> for saving N1 - N1 = bytesToint(in, inOff); - N2 = bytesToint(in, inOff + 4); - - for(int k = 0; k < 2; k++) // 1-16 steps - { - for(int j = 0; j < 8; j++) - { - tmp = N1; - N1 = N2 ^ gost28147_mainStep(N1, workingKey[j]); // CM2 - N2 = tmp; - } - } - - intTobytes(N1, out, outOff); - intTobytes(N2, out, outOff + 4); - } - - //array of bytes to type int - private int bytesToint( - byte[] in, - int inOff) - { - return ((in[inOff + 3] << 24) & 0xff000000) + ((in[inOff + 2] << 16) & 0xff0000) + - ((in[inOff + 1] << 8) & 0xff00) + (in[inOff] & 0xff); - } - - //int to array of bytes - private void intTobytes( - int num, - byte[] out, - int outOff) - { - out[outOff + 3] = (byte)(num >>> 24); - out[outOff + 2] = (byte)(num >>> 16); - out[outOff + 1] = (byte)(num >>> 8); - out[outOff] = (byte)num; - } - - private byte[] CM5func(byte[] buf, int bufOff, byte[] mac) - { - byte[] sum = new byte[buf.length - bufOff]; - - System.arraycopy(buf, bufOff, sum, 0, mac.length); - - for (int i = 0; i != mac.length; i++) - { - sum[i] = (byte)(sum[i] ^ mac[i]); - } - - return sum; - } - - public void update(byte in) - throws IllegalStateException - { - if (bufOff == buf.length) - { - byte[] sumbuf = new byte[buf.length]; - System.arraycopy(buf, 0, sumbuf, 0, mac.length); - - if (firstStep) - { - firstStep = false; - } - else - { - sumbuf = CM5func(buf, 0, mac); - } - - gost28147MacFunc(workingKey, sumbuf, 0, mac, 0); - bufOff = 0; - } - - buf[bufOff++] = in; - } - - public void update(byte[] in, int inOff, int len) - throws DataLengthException, IllegalStateException - { - if (len < 0) - { - throw new IllegalArgumentException("Can't have a negative input length!"); - } - - int gapLen = blockSize - bufOff; - - if (len > gapLen) - { - System.arraycopy(in, inOff, buf, bufOff, gapLen); - - byte[] sumbuf = new byte[buf.length]; - System.arraycopy(buf, 0, sumbuf, 0, mac.length); - - if (firstStep) - { - firstStep = false; - } - else - { - sumbuf = CM5func(buf, 0, mac); - } - - gost28147MacFunc(workingKey, sumbuf, 0, mac, 0); - - bufOff = 0; - len -= gapLen; - inOff += gapLen; - - while (len > blockSize) - { - sumbuf = CM5func(in, inOff, mac); - gost28147MacFunc(workingKey, sumbuf, 0, mac, 0); - - len -= blockSize; - inOff += blockSize; - } - } - - System.arraycopy(in, inOff, buf, bufOff, len); - - bufOff += len; - } - - public int doFinal(byte[] out, int outOff) - throws DataLengthException, IllegalStateException - { - //padding with zero - while (bufOff < blockSize) - { - buf[bufOff] = 0; - bufOff++; - } - - byte[] sumbuf = new byte[buf.length]; - System.arraycopy(buf, 0, sumbuf, 0, mac.length); - - if (firstStep) - { - firstStep = false; - } - else - { - sumbuf = CM5func(buf, 0, mac); - } - - gost28147MacFunc(workingKey, sumbuf, 0, mac, 0); - - System.arraycopy(mac, (mac.length/2)-macSize, out, outOff, macSize); - - reset(); - - return macSize; - } - - public void reset() - { - /* - * clean the buffer. - */ - for (int i = 0; i < buf.length; i++) - { - buf[i] = 0; - } - - bufOff = 0; - - firstStep = true; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/macs/HMac.java b/core/src/main/java/org/bouncycastle/crypto/macs/HMac.java deleted file mode 100644 index d4345d9b..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/macs/HMac.java +++ /dev/null @@ -1,231 +0,0 @@ -package org.bouncycastle.crypto.macs; - -import java.util.Hashtable; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.ExtendedDigest; -import org.bouncycastle.crypto.Mac; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.util.Integers; -import org.bouncycastle.util.Memoable; - -/** - * HMAC implementation based on RFC2104 - * - * H(K XOR opad, H(K XOR ipad, text)) - */ -public class HMac - implements Mac -{ - private final static byte IPAD = (byte)0x36; - private final static byte OPAD = (byte)0x5C; - - private Digest digest; - private int digestSize; - private int blockLength; - private Memoable ipadState; - private Memoable opadState; - - private byte[] inputPad; - private byte[] outputBuf; - - private static Hashtable blockLengths; - - static - { - blockLengths = new Hashtable(); - - blockLengths.put("GOST3411", Integers.valueOf(32)); - - blockLengths.put("MD2", Integers.valueOf(16)); - blockLengths.put("MD4", Integers.valueOf(64)); - blockLengths.put("MD5", Integers.valueOf(64)); - - blockLengths.put("RIPEMD128", Integers.valueOf(64)); - blockLengths.put("RIPEMD160", Integers.valueOf(64)); - - blockLengths.put("SHA-1", Integers.valueOf(64)); - blockLengths.put("SHA-224", Integers.valueOf(64)); - blockLengths.put("SHA-256", Integers.valueOf(64)); - blockLengths.put("SHA-384", Integers.valueOf(128)); - blockLengths.put("SHA-512", Integers.valueOf(128)); - - blockLengths.put("Tiger", Integers.valueOf(64)); - blockLengths.put("Whirlpool", Integers.valueOf(64)); - } - - private static int getByteLength( - Digest digest) - { - if (digest instanceof ExtendedDigest) - { - return ((ExtendedDigest)digest).getByteLength(); - } - - Integer b = (Integer)blockLengths.get(digest.getAlgorithmName()); - - if (b == null) - { - throw new IllegalArgumentException("unknown digest passed: " + digest.getAlgorithmName()); - } - - return b.intValue(); - } - - /** - * Base constructor for one of the standard digest algorithms that the - * byteLength of the algorithm is know for. - * - * @param digest the digest. - */ - public HMac( - Digest digest) - { - this(digest, getByteLength(digest)); - } - - private HMac( - Digest digest, - int byteLength) - { - this.digest = digest; - this.digestSize = digest.getDigestSize(); - this.blockLength = byteLength; - this.inputPad = new byte[blockLength]; - this.outputBuf = new byte[blockLength + digestSize]; - } - - public String getAlgorithmName() - { - return digest.getAlgorithmName() + "/HMAC"; - } - - public Digest getUnderlyingDigest() - { - return digest; - } - - public void init( - CipherParameters params) - { - digest.reset(); - - byte[] key = ((KeyParameter)params).getKey(); - int keyLength = key.length; - - if (keyLength > blockLength) - { - digest.update(key, 0, keyLength); - digest.doFinal(inputPad, 0); - - keyLength = digestSize; - } - else - { - System.arraycopy(key, 0, inputPad, 0, keyLength); - } - - for (int i = keyLength; i < inputPad.length; i++) - { - inputPad[i] = 0; - } - - System.arraycopy(inputPad, 0, outputBuf, 0, blockLength); - - xorPad(inputPad, blockLength, IPAD); - xorPad(outputBuf, blockLength, OPAD); - - if (digest instanceof Memoable) - { - opadState = ((Memoable)digest).copy(); - - ((Digest)opadState).update(outputBuf, 0, blockLength); - } - - digest.update(inputPad, 0, inputPad.length); - - if (digest instanceof Memoable) - { - ipadState = ((Memoable)digest).copy(); - } - } - - public int getMacSize() - { - return digestSize; - } - - public void update( - byte in) - { - digest.update(in); - } - - public void update( - byte[] in, - int inOff, - int len) - { - digest.update(in, inOff, len); - } - - public int doFinal( - byte[] out, - int outOff) - { - digest.doFinal(outputBuf, blockLength); - - if (opadState != null) - { - ((Memoable)digest).reset(opadState); - digest.update(outputBuf, blockLength, digest.getDigestSize()); - } - else - { - digest.update(outputBuf, 0, outputBuf.length); - } - - int len = digest.doFinal(out, outOff); - - for (int i = blockLength; i < outputBuf.length; i++) - { - outputBuf[i] = 0; - } - - if (ipadState != null) - { - ((Memoable)digest).reset(ipadState); - } - else - { - digest.update(inputPad, 0, inputPad.length); - } - - return len; - } - - /** - * Reset the mac generator. - */ - public void reset() - { - /* - * reset the underlying digest. - */ - digest.reset(); - - /* - * reinitialize the digest. - */ - digest.update(inputPad, 0, inputPad.length); - } - - private static void xorPad(byte[] pad, int len, byte n) - { - for (int i = 0; i < len; ++i) - { - pad[i] ^= n; - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/macs/ISO9797Alg3Mac.java b/core/src/main/java/org/bouncycastle/crypto/macs/ISO9797Alg3Mac.java deleted file mode 100644 index 330b39e7..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/macs/ISO9797Alg3Mac.java +++ /dev/null @@ -1,305 +0,0 @@ -package org.bouncycastle.crypto.macs; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.Mac; -import org.bouncycastle.crypto.engines.DESEngine; -import org.bouncycastle.crypto.modes.CBCBlockCipher; -import org.bouncycastle.crypto.paddings.BlockCipherPadding; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.ParametersWithIV; - -/** - * DES based CBC Block Cipher MAC according to ISO9797, algorithm 3 (ANSI X9.19 Retail MAC) - * - * This could as well be derived from CBCBlockCipherMac, but then the property mac in the base - * class must be changed to protected - */ - -public class ISO9797Alg3Mac - implements Mac -{ - private byte[] mac; - - private byte[] buf; - private int bufOff; - private BlockCipher cipher; - private BlockCipherPadding padding; - - private int macSize; - private KeyParameter lastKey2; - private KeyParameter lastKey3; - - /** - * create a Retail-MAC based on a CBC block cipher. This will produce an - * authentication code of the length of the block size of the cipher. - * - * @param cipher the cipher to be used as the basis of the MAC generation. This must - * be DESEngine. - */ - public ISO9797Alg3Mac( - BlockCipher cipher) - { - this(cipher, cipher.getBlockSize() * 8, null); - } - - /** - * create a Retail-MAC based on a CBC block cipher. This will produce an - * authentication code of the length of the block size of the cipher. - * - * @param cipher the cipher to be used as the basis of the MAC generation. - * @param padding the padding to be used to complete the last block. - */ - public ISO9797Alg3Mac( - BlockCipher cipher, - BlockCipherPadding padding) - { - this(cipher, cipher.getBlockSize() * 8, padding); - } - - /** - * create a Retail-MAC based on a block cipher with the size of the - * MAC been given in bits. This class uses single DES CBC mode as the basis for the - * MAC generation. - * <p> - * Note: the size of the MAC must be at least 24 bits (FIPS Publication 81), - * or 16 bits if being used as a data authenticator (FIPS Publication 113), - * and in general should be less than the size of the block cipher as it reduces - * the chance of an exhaustive attack (see Handbook of Applied Cryptography). - * - * @param cipher the cipher to be used as the basis of the MAC generation. - * @param macSizeInBits the size of the MAC in bits, must be a multiple of 8. - */ - public ISO9797Alg3Mac( - BlockCipher cipher, - int macSizeInBits) - { - this(cipher, macSizeInBits, null); - } - - /** - * create a standard MAC based on a block cipher with the size of the - * MAC been given in bits. This class uses single DES CBC mode as the basis for the - * MAC generation. The final block is decrypted and then encrypted using the - * middle and right part of the key. - * <p> - * Note: the size of the MAC must be at least 24 bits (FIPS Publication 81), - * or 16 bits if being used as a data authenticator (FIPS Publication 113), - * and in general should be less than the size of the block cipher as it reduces - * the chance of an exhaustive attack (see Handbook of Applied Cryptography). - * - * @param cipher the cipher to be used as the basis of the MAC generation. - * @param macSizeInBits the size of the MAC in bits, must be a multiple of 8. - * @param padding the padding to be used to complete the last block. - */ - public ISO9797Alg3Mac( - BlockCipher cipher, - int macSizeInBits, - BlockCipherPadding padding) - { - if ((macSizeInBits % 8) != 0) - { - throw new IllegalArgumentException("MAC size must be multiple of 8"); - } - - if (!(cipher instanceof DESEngine)) - { - throw new IllegalArgumentException("cipher must be instance of DESEngine"); - } - - this.cipher = new CBCBlockCipher(cipher); - this.padding = padding; - this.macSize = macSizeInBits / 8; - - mac = new byte[cipher.getBlockSize()]; - - buf = new byte[cipher.getBlockSize()]; - bufOff = 0; - } - - public String getAlgorithmName() - { - return "ISO9797Alg3"; - } - - public void init(CipherParameters params) - { - reset(); - - if (!(params instanceof KeyParameter || params instanceof ParametersWithIV)) - { - throw new IllegalArgumentException( - "params must be an instance of KeyParameter or ParametersWithIV"); - } - - // KeyParameter must contain a double or triple length DES key, - // however the underlying cipher is a single DES. The middle and - // right key are used only in the final step. - - KeyParameter kp; - - if (params instanceof KeyParameter) - { - kp = (KeyParameter)params; - } - else - { - kp = (KeyParameter)((ParametersWithIV)params).getParameters(); - } - - KeyParameter key1; - byte[] keyvalue = kp.getKey(); - - if (keyvalue.length == 16) - { // Double length DES key - key1 = new KeyParameter(keyvalue, 0, 8); - this.lastKey2 = new KeyParameter(keyvalue, 8, 8); - this.lastKey3 = key1; - } - else if (keyvalue.length == 24) - { // Triple length DES key - key1 = new KeyParameter(keyvalue, 0, 8); - this.lastKey2 = new KeyParameter(keyvalue, 8, 8); - this.lastKey3 = new KeyParameter(keyvalue, 16, 8); - } - else - { - throw new IllegalArgumentException( - "Key must be either 112 or 168 bit long"); - } - - if (params instanceof ParametersWithIV) - { - cipher.init(true, new ParametersWithIV(key1, ((ParametersWithIV)params).getIV())); - } - else - { - cipher.init(true, key1); - } - } - - public int getMacSize() - { - return macSize; - } - - public void update( - byte in) - { - if (bufOff == buf.length) - { - cipher.processBlock(buf, 0, mac, 0); - bufOff = 0; - } - - buf[bufOff++] = in; - } - - - public void update( - byte[] in, - int inOff, - int len) - { - if (len < 0) - { - throw new IllegalArgumentException("Can't have a negative input length!"); - } - - int blockSize = cipher.getBlockSize(); - int resultLen = 0; - int gapLen = blockSize - bufOff; - - if (len > gapLen) - { - System.arraycopy(in, inOff, buf, bufOff, gapLen); - - resultLen += cipher.processBlock(buf, 0, mac, 0); - - bufOff = 0; - len -= gapLen; - inOff += gapLen; - - while (len > blockSize) - { - resultLen += cipher.processBlock(in, inOff, mac, 0); - - len -= blockSize; - inOff += blockSize; - } - } - - System.arraycopy(in, inOff, buf, bufOff, len); - - bufOff += len; - } - - public int doFinal( - byte[] out, - int outOff) - { - int blockSize = cipher.getBlockSize(); - - if (padding == null) - { - // - // pad with zeroes - // - while (bufOff < blockSize) - { - buf[bufOff] = 0; - bufOff++; - } - } - else - { - if (bufOff == blockSize) - { - cipher.processBlock(buf, 0, mac, 0); - bufOff = 0; - } - - padding.addPadding(buf, bufOff); - } - - cipher.processBlock(buf, 0, mac, 0); - - // Added to code from base class - DESEngine deseng = new DESEngine(); - - deseng.init(false, this.lastKey2); - deseng.processBlock(mac, 0, mac, 0); - - deseng.init(true, this.lastKey3); - deseng.processBlock(mac, 0, mac, 0); - // **** - - System.arraycopy(mac, 0, out, outOff, macSize); - - reset(); - - return macSize; - } - - - /** - * Reset the mac generator. - */ - public void reset() - { - /* - * clean the buffer. - */ - for (int i = 0; i < buf.length; i++) - { - buf[i] = 0; - } - - bufOff = 0; - - /* - * reset the underlying cipher. - */ - cipher.reset(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/macs/OldHMac.java b/core/src/main/java/org/bouncycastle/crypto/macs/OldHMac.java deleted file mode 100644 index 7463afd3..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/macs/OldHMac.java +++ /dev/null @@ -1,138 +0,0 @@ -package org.bouncycastle.crypto.macs; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.Mac; -import org.bouncycastle.crypto.params.KeyParameter; - -/** - * HMAC implementation based on RFC2104 - * - * H(K XOR opad, H(K XOR ipad, text)) - */ -public class OldHMac -implements Mac -{ - private final static int BLOCK_LENGTH = 64; - - private final static byte IPAD = (byte)0x36; - private final static byte OPAD = (byte)0x5C; - - private Digest digest; - private int digestSize; - private byte[] inputPad = new byte[BLOCK_LENGTH]; - private byte[] outputPad = new byte[BLOCK_LENGTH]; - - /** - * @deprecated uses incorrect pad for SHA-512 and SHA-384 use HMac. - */ - public OldHMac( - Digest digest) - { - this.digest = digest; - digestSize = digest.getDigestSize(); - } - - public String getAlgorithmName() - { - return digest.getAlgorithmName() + "/HMAC"; - } - - public Digest getUnderlyingDigest() - { - return digest; - } - - public void init( - CipherParameters params) - { - digest.reset(); - - byte[] key = ((KeyParameter)params).getKey(); - - if (key.length > BLOCK_LENGTH) - { - digest.update(key, 0, key.length); - digest.doFinal(inputPad, 0); - for (int i = digestSize; i < inputPad.length; i++) - { - inputPad[i] = 0; - } - } - else - { - System.arraycopy(key, 0, inputPad, 0, key.length); - for (int i = key.length; i < inputPad.length; i++) - { - inputPad[i] = 0; - } - } - - outputPad = new byte[inputPad.length]; - System.arraycopy(inputPad, 0, outputPad, 0, inputPad.length); - - for (int i = 0; i < inputPad.length; i++) - { - inputPad[i] ^= IPAD; - } - - for (int i = 0; i < outputPad.length; i++) - { - outputPad[i] ^= OPAD; - } - - digest.update(inputPad, 0, inputPad.length); - } - - public int getMacSize() - { - return digestSize; - } - - public void update( - byte in) - { - digest.update(in); - } - - public void update( - byte[] in, - int inOff, - int len) - { - digest.update(in, inOff, len); - } - - public int doFinal( - byte[] out, - int outOff) - { - byte[] tmp = new byte[digestSize]; - digest.doFinal(tmp, 0); - - digest.update(outputPad, 0, outputPad.length); - digest.update(tmp, 0, tmp.length); - - int len = digest.doFinal(out, outOff); - - reset(); - - return len; - } - - /** - * Reset the mac generator. - */ - public void reset() - { - /* - * reset the underlying digest. - */ - digest.reset(); - - /* - * reinitialize the digest. - */ - digest.update(inputPad, 0, inputPad.length); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/macs/Poly1305.java b/core/src/main/java/org/bouncycastle/crypto/macs/Poly1305.java deleted file mode 100644 index 7a346f1e..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/macs/Poly1305.java +++ /dev/null @@ -1,306 +0,0 @@ -package org.bouncycastle.crypto.macs; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.Mac; -import org.bouncycastle.crypto.generators.Poly1305KeyGenerator; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.ParametersWithIV; -import org.bouncycastle.util.Pack; - -/** - * Poly1305 message authentication code, designed by D. J. Bernstein. - * <p> - * Poly1305 computes a 128-bit (16 bytes) authenticator, using a 128 bit nonce and a 256 bit key - * consisting of a 128 bit key applied to an underlying cipher, and a 128 bit key (with 106 - * effective key bits) used in the authenticator. - * <p> - * The polynomial calculation in this implementation is adapted from the public domain <a - * href="https://github.com/floodyberry/poly1305-donna">poly1305-donna-unrolled</a> C implementation - * by Andrew M (@floodyberry). - * @see Poly1305KeyGenerator - */ -public class Poly1305 - implements Mac -{ - private static final int BLOCK_SIZE = 16; - - private final BlockCipher cipher; - - private final byte[] singleByte = new byte[1]; - - // Initialised state - - /** Polynomial key */ - private int r0, r1, r2, r3, r4; - - /** Precomputed 5 * r[1..4] */ - private int s1, s2, s3, s4; - - /** Encrypted nonce */ - private int k0, k1, k2, k3; - - // Accumulating state - - /** Current block of buffered input */ - private final byte[] currentBlock = new byte[BLOCK_SIZE]; - - /** Current offset in input buffer */ - private int currentBlockOffset = 0; - - /** Polynomial accumulator */ - private int h0, h1, h2, h3, h4; - - /** - * Constructs a Poly1305 MAC, where the key passed to init() will be used directly. - */ - public Poly1305() - { - this.cipher = null; - } - - /** - * Constructs a Poly1305 MAC, using a 128 bit block cipher. - */ - public Poly1305(final BlockCipher cipher) - { - if (cipher.getBlockSize() != BLOCK_SIZE) - { - throw new IllegalArgumentException("Poly1305 requires a 128 bit block cipher."); - } - this.cipher = cipher; - } - - /** - * Initialises the Poly1305 MAC. - * - * @param params if used with a block cipher, then a {@link ParametersWithIV} containing a 128 bit - * nonce and a {@link KeyParameter} with a 256 bit key complying to the - * {@link Poly1305KeyGenerator Poly1305 key format}, otherwise just the - * {@link KeyParameter}. - */ - public void init(CipherParameters params) - throws IllegalArgumentException - { - byte[] nonce = null; - - if (cipher != null) - { - if (!(params instanceof ParametersWithIV)) - { - throw new IllegalArgumentException("Poly1305 requires an IV when used with a block cipher."); - } - - ParametersWithIV ivParams = (ParametersWithIV)params; - nonce = ivParams.getIV(); - params = ivParams.getParameters(); - } - - if (!(params instanceof KeyParameter)) - { - throw new IllegalArgumentException("Poly1305 requires a key."); - } - - KeyParameter keyParams = (KeyParameter)params; - - setKey(keyParams.getKey(), nonce); - - reset(); - } - - private void setKey(final byte[] key, final byte[] nonce) - { - if (cipher != null && (nonce == null || nonce.length != BLOCK_SIZE)) - { - throw new IllegalArgumentException("Poly1305 requires a 128 bit IV."); - } - - Poly1305KeyGenerator.checkKey(key); - - // Extract r portion of key - int t0 = Pack.littleEndianToInt(key, BLOCK_SIZE + 0); - int t1 = Pack.littleEndianToInt(key, BLOCK_SIZE + 4); - int t2 = Pack.littleEndianToInt(key, BLOCK_SIZE + 8); - int t3 = Pack.littleEndianToInt(key, BLOCK_SIZE + 12); - - r0 = t0 & 0x3ffffff; t0 >>>= 26; t0 |= t1 << 6; - r1 = t0 & 0x3ffff03; t1 >>>= 20; t1 |= t2 << 12; - r2 = t1 & 0x3ffc0ff; t2 >>>= 14; t2 |= t3 << 18; - r3 = t2 & 0x3f03fff; t3 >>>= 8; - r4 = t3 & 0x00fffff; - - // Precompute multipliers - s1 = r1 * 5; - s2 = r2 * 5; - s3 = r3 * 5; - s4 = r4 * 5; - - final byte[] kBytes; - if (cipher == null) - { - kBytes = key; - } - else - { - // Compute encrypted nonce - kBytes = new byte[BLOCK_SIZE]; - cipher.init(true, new KeyParameter(key, 0, BLOCK_SIZE)); - cipher.processBlock(nonce, 0, kBytes, 0); - } - - k0 = Pack.littleEndianToInt(kBytes, 0); - k1 = Pack.littleEndianToInt(kBytes, 4); - k2 = Pack.littleEndianToInt(kBytes, 8); - k3 = Pack.littleEndianToInt(kBytes, 12); - } - - public String getAlgorithmName() - { - return cipher == null ? "Poly1305" : "Poly1305-" + cipher.getAlgorithmName(); - } - - public int getMacSize() - { - return BLOCK_SIZE; - } - - public void update(final byte in) - throws IllegalStateException - { - singleByte[0] = in; - update(singleByte, 0, 1); - } - - public void update(final byte[] in, final int inOff, final int len) - throws DataLengthException, - IllegalStateException - { - int copied = 0; - while (len > copied) - { - if (currentBlockOffset == BLOCK_SIZE) - { - processBlock(); - currentBlockOffset = 0; - } - - int toCopy = Math.min((len - copied), BLOCK_SIZE - currentBlockOffset); - System.arraycopy(in, copied + inOff, currentBlock, currentBlockOffset, toCopy); - copied += toCopy; - currentBlockOffset += toCopy; - } - - } - - private void processBlock() - { - if (currentBlockOffset < BLOCK_SIZE) - { - currentBlock[currentBlockOffset] = 1; - for (int i = currentBlockOffset + 1; i < BLOCK_SIZE; i++) - { - currentBlock[i] = 0; - } - } - - final long t0 = 0xffffffffL & Pack.littleEndianToInt(currentBlock, 0); - final long t1 = 0xffffffffL & Pack.littleEndianToInt(currentBlock, 4); - final long t2 = 0xffffffffL & Pack.littleEndianToInt(currentBlock, 8); - final long t3 = 0xffffffffL & Pack.littleEndianToInt(currentBlock, 12); - - h0 += t0 & 0x3ffffff; - h1 += (((t1 << 32) | t0) >>> 26) & 0x3ffffff; - h2 += (((t2 << 32) | t1) >>> 20) & 0x3ffffff; - h3 += (((t3 << 32) | t2) >>> 14) & 0x3ffffff; - h4 += (t3 >>> 8); - - if (currentBlockOffset == BLOCK_SIZE) - { - h4 += (1 << 24); - } - - long tp0 = mul32x32_64(h0,r0) + mul32x32_64(h1,s4) + mul32x32_64(h2,s3) + mul32x32_64(h3,s2) + mul32x32_64(h4,s1); - long tp1 = mul32x32_64(h0,r1) + mul32x32_64(h1,r0) + mul32x32_64(h2,s4) + mul32x32_64(h3,s3) + mul32x32_64(h4,s2); - long tp2 = mul32x32_64(h0,r2) + mul32x32_64(h1,r1) + mul32x32_64(h2,r0) + mul32x32_64(h3,s4) + mul32x32_64(h4,s3); - long tp3 = mul32x32_64(h0,r3) + mul32x32_64(h1,r2) + mul32x32_64(h2,r1) + mul32x32_64(h3,r0) + mul32x32_64(h4,s4); - long tp4 = mul32x32_64(h0,r4) + mul32x32_64(h1,r3) + mul32x32_64(h2,r2) + mul32x32_64(h3,r1) + mul32x32_64(h4,r0); - - long b; - h0 = (int)tp0 & 0x3ffffff; b = (tp0 >>> 26); - tp1 += b; h1 = (int)tp1 & 0x3ffffff; b = ((tp1 >>> 26) & 0xffffffff); - tp2 += b; h2 = (int)tp2 & 0x3ffffff; b = ((tp2 >>> 26) & 0xffffffff); - tp3 += b; h3 = (int)tp3 & 0x3ffffff; b = (tp3 >>> 26); - tp4 += b; h4 = (int)tp4 & 0x3ffffff; b = (tp4 >>> 26); - h0 += b * 5; - } - - public int doFinal(final byte[] out, final int outOff) - throws DataLengthException, - IllegalStateException - { - if (outOff + BLOCK_SIZE > out.length) - { - throw new DataLengthException("Output buffer is too short."); - } - - if (currentBlockOffset > 0) - { - // Process padded final block - processBlock(); - } - - long f0, f1, f2, f3; - - int b = h0 >>> 26; - h0 = h0 & 0x3ffffff; - h1 += b; b = h1 >>> 26; h1 = h1 & 0x3ffffff; - h2 += b; b = h2 >>> 26; h2 = h2 & 0x3ffffff; - h3 += b; b = h3 >>> 26; h3 = h3 & 0x3ffffff; - h4 += b; b = h4 >>> 26; h4 = h4 & 0x3ffffff; - h0 += b * 5; - - int g0, g1, g2, g3, g4; - g0 = h0 + 5; b = g0 >>> 26; g0 &= 0x3ffffff; - g1 = h1 + b; b = g1 >>> 26; g1 &= 0x3ffffff; - g2 = h2 + b; b = g2 >>> 26; g2 &= 0x3ffffff; - g3 = h3 + b; b = g3 >>> 26; g3 &= 0x3ffffff; - g4 = h4 + b - (1 << 26); - - b = (g4 >>> 31) - 1; - int nb = ~b; - h0 = (h0 & nb) | (g0 & b); - h1 = (h1 & nb) | (g1 & b); - h2 = (h2 & nb) | (g2 & b); - h3 = (h3 & nb) | (g3 & b); - h4 = (h4 & nb) | (g4 & b); - - f0 = (((h0 ) | (h1 << 26)) & 0xffffffffl) + (0xffffffffL & k0); - f1 = (((h1 >>> 6 ) | (h2 << 20)) & 0xffffffffl) + (0xffffffffL & k1); - f2 = (((h2 >>> 12) | (h3 << 14)) & 0xffffffffl) + (0xffffffffL & k2); - f3 = (((h3 >>> 18) | (h4 << 8 )) & 0xffffffffl) + (0xffffffffL & k3); - - Pack.intToLittleEndian((int)f0, out, outOff); - f1 += (f0 >>> 32); - Pack.intToLittleEndian((int)f1, out, outOff + 4); - f2 += (f1 >>> 32); - Pack.intToLittleEndian((int)f2, out, outOff + 8); - f3 += (f2 >>> 32); - Pack.intToLittleEndian((int)f3, out, outOff + 12); - - reset(); - return BLOCK_SIZE; - } - - public void reset() - { - currentBlockOffset = 0; - - h0 = h1 = h2 = h3 = h4 = 0; - } - - private static final long mul32x32_64(int i1, int i2) - { - return ((long)i1) * i2; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/macs/SipHash.java b/core/src/main/java/org/bouncycastle/crypto/macs/SipHash.java deleted file mode 100644 index d6b9dbb8..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/macs/SipHash.java +++ /dev/null @@ -1,216 +0,0 @@ -package org.bouncycastle.crypto.macs; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.Mac; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.util.Pack; - -/** - * Implementation of SipHash as specified in "SipHash: a fast short-input PRF", by Jean-Philippe - * Aumasson and Daniel J. Bernstein (https://131002.net/siphash/siphash.pdf). - * <p> - * "SipHash is a family of PRFs SipHash-c-d where the integer parameters c and d are the number of - * compression rounds and the number of finalization rounds. A compression round is identical to a - * finalization round and this round function is called SipRound. Given a 128-bit key k and a - * (possibly empty) byte string m, SipHash-c-d returns a 64-bit value..." - */ -public class SipHash - implements Mac -{ - protected final int c, d; - - protected long k0, k1; - protected long v0, v1, v2, v3; - - protected long m = 0; - protected int wordPos = 0; - protected int wordCount = 0; - - /** - * SipHash-2-4 - */ - public SipHash() - { - // use of 'this' confuses the flow analyser on earlier JDKs. - this.c = 2; - this.d = 4; - } - - /** - * SipHash-c-d - * - * @param c the number of compression rounds - * @param d the number of finalization rounds - */ - public SipHash(int c, int d) - { - this.c = c; - this.d = d; - } - - public String getAlgorithmName() - { - return "SipHash-" + c + "-" + d; - } - - public int getMacSize() - { - return 8; - } - - public void init(CipherParameters params) - throws IllegalArgumentException - { - if (!(params instanceof KeyParameter)) - { - throw new IllegalArgumentException("'params' must be an instance of KeyParameter"); - } - KeyParameter keyParameter = (KeyParameter)params; - byte[] key = keyParameter.getKey(); - if (key.length != 16) - { - throw new IllegalArgumentException("'params' must be a 128-bit key"); - } - - this.k0 = Pack.littleEndianToLong(key, 0); - this.k1 = Pack.littleEndianToLong(key, 8); - - reset(); - } - - public void update(byte input) - throws IllegalStateException - { - m >>>= 8; - m |= (input & 0xffL) << 56; - - if (++wordPos == 8) - { - processMessageWord(); - wordPos = 0; - } - } - - public void update(byte[] input, int offset, int length) - throws DataLengthException, - IllegalStateException - { - int i = 0, fullWords = length & ~7; - if (wordPos == 0) - { - for (; i < fullWords; i += 8) - { - m = Pack.littleEndianToLong(input, offset + i); - processMessageWord(); - } - for (; i < length; ++i) - { - m >>>= 8; - m |= (input[offset + i] & 0xffL) << 56; - } - wordPos = length - fullWords; - } - else - { - int bits = wordPos << 3; - for (; i < fullWords; i += 8) - { - long n = Pack.littleEndianToLong(input, offset + i); - m = (n << bits) | (m >>> -bits); - processMessageWord(); - m = n; - } - for (; i < length; ++i) - { - m >>>= 8; - m |= (input[offset + i] & 0xffL) << 56; - - if (++wordPos == 8) - { - processMessageWord(); - wordPos = 0; - } - } - } - } - - public long doFinal() - throws DataLengthException, IllegalStateException - { - // NOTE: 2 distinct shifts to avoid "64-bit shift" when wordPos == 0 - m >>>= ((7 - wordPos) << 3); - m >>>= 8; - m |= (((wordCount << 3) + wordPos) & 0xffL) << 56; - - processMessageWord(); - - v2 ^= 0xffL; - - applySipRounds(d); - - long result = v0 ^ v1 ^ v2 ^ v3; - - reset(); - - return result; - } - - public int doFinal(byte[] out, int outOff) - throws DataLengthException, IllegalStateException - { - long result = doFinal(); - Pack.longToLittleEndian(result, out, outOff); - return 8; - } - - public void reset() - { - v0 = k0 ^ 0x736f6d6570736575L; - v1 = k1 ^ 0x646f72616e646f6dL; - v2 = k0 ^ 0x6c7967656e657261L; - v3 = k1 ^ 0x7465646279746573L; - - m = 0; - wordPos = 0; - wordCount = 0; - } - - protected void processMessageWord() - { - ++wordCount; - v3 ^= m; - applySipRounds(c); - v0 ^= m; - } - - protected void applySipRounds(int n) - { - long r0 = v0, r1 = v1, r2 = v2, r3 = v3; - - for (int r = 0; r < n; ++r) - { - r0 += r1; - r2 += r3; - r1 = rotateLeft(r1, 13); - r3 = rotateLeft(r3, 16); - r1 ^= r0; - r3 ^= r2; - r0 = rotateLeft(r0, 32); - r2 += r1; - r0 += r3; - r1 = rotateLeft(r1, 17); - r3 = rotateLeft(r3, 21); - r1 ^= r2; - r3 ^= r0; - r2 = rotateLeft(r2, 32); - } - - v0 = r0; v1 = r1; v2 = r2; v3 = r3; - } - - protected static long rotateLeft(long x, int n) - { - return (x << n) | (x >>> -n); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/macs/SkeinMac.java b/core/src/main/java/org/bouncycastle/crypto/macs/SkeinMac.java deleted file mode 100644 index 7115b510..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/macs/SkeinMac.java +++ /dev/null @@ -1,118 +0,0 @@ -package org.bouncycastle.crypto.macs; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.Mac; -import org.bouncycastle.crypto.digests.SkeinEngine; -import org.bouncycastle.crypto.engines.ThreefishEngine; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.SkeinParameters; - -/** - * Implementation of the Skein parameterised MAC function in 256, 512 and 1024 bit block sizes, - * based on the {@link ThreefishEngine Threefish} tweakable block cipher. - * <p> - * This is the 1.3 version of Skein defined in the Skein hash function submission to the NIST SHA-3 - * competition in October 2010. - * <p> - * Skein was designed by Niels Ferguson - Stefan Lucks - Bruce Schneier - Doug Whiting - Mihir - * Bellare - Tadayoshi Kohno - Jon Callas - Jesse Walker. - * - * @see SkeinEngine - * @see SkeinParameters - */ -public class SkeinMac - implements Mac -{ - /** - * 256 bit block size - Skein MAC-256 - */ - public static final int SKEIN_256 = SkeinEngine.SKEIN_256; - /** - * 512 bit block size - Skein MAC-512 - */ - public static final int SKEIN_512 = SkeinEngine.SKEIN_512; - /** - * 1024 bit block size - Skein MAC-1024 - */ - public static final int SKEIN_1024 = SkeinEngine.SKEIN_1024; - - private SkeinEngine engine; - - /** - * Constructs a Skein MAC with an internal state size and output size. - * - * @param stateSizeBits the internal state size in bits - one of {@link #SKEIN_256}, {@link #SKEIN_512} or - * {@link #SKEIN_1024}. - * @param digestSizeBits the output/MAC size to produce in bits, which must be an integral number of bytes. - */ - public SkeinMac(int stateSizeBits, int digestSizeBits) - { - this.engine = new SkeinEngine(stateSizeBits, digestSizeBits); - } - - public SkeinMac(SkeinMac mac) - { - this.engine = new SkeinEngine(mac.engine); - } - - public String getAlgorithmName() - { - return "Skein-MAC-" + (engine.getBlockSize() * 8) + "-" + (engine.getOutputSize() * 8); - } - - /** - * Initialises the Skein digest with the provided parameters.<br> - * See {@link SkeinParameters} for details on the parameterisation of the Skein hash function. - * - * @param params an instance of {@link SkeinParameters} or {@link KeyParameter}. - */ - public void init(CipherParameters params) - throws IllegalArgumentException - { - SkeinParameters skeinParameters; - if (params instanceof SkeinParameters) - { - skeinParameters = (SkeinParameters)params; - } - else if (params instanceof KeyParameter) - { - skeinParameters = new SkeinParameters.Builder().setKey(((KeyParameter)params).getKey()).build(); - } - else - { - throw new IllegalArgumentException("Invalid parameter passed to Skein MAC init - " - + params.getClass().getName()); - } - if (skeinParameters.getKey() == null) - { - throw new IllegalArgumentException("Skein MAC requires a key parameter."); - } - engine.init(skeinParameters); - } - - public int getMacSize() - { - return engine.getOutputSize(); - } - - public void reset() - { - engine.reset(); - } - - public void update(byte in) - { - engine.update(in); - } - - public void update(byte[] in, int inOff, int len) - { - engine.update(in, inOff, len); - } - - public int doFinal(byte[] out, int outOff) - { - return engine.doFinal(out, outOff); - } - -} diff --git a/core/src/main/java/org/bouncycastle/crypto/macs/VMPCMac.java b/core/src/main/java/org/bouncycastle/crypto/macs/VMPCMac.java deleted file mode 100644 index 58d06d08..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/macs/VMPCMac.java +++ /dev/null @@ -1,186 +0,0 @@ -package org.bouncycastle.crypto.macs; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.Mac; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.ParametersWithIV; - -public class VMPCMac implements Mac -{ - private byte g; - - private byte n = 0; - private byte[] P = null; - private byte s = 0; - - private byte[] T; - private byte[] workingIV; - - private byte[] workingKey; - - private byte x1, x2, x3, x4; - - public int doFinal(byte[] out, int outOff) - throws DataLengthException, IllegalStateException - { - // Execute the Post-Processing Phase - for (int r = 1; r < 25; r++) - { - s = P[(s + P[n & 0xff]) & 0xff]; - - x4 = P[(x4 + x3 + r) & 0xff]; - x3 = P[(x3 + x2 + r) & 0xff]; - x2 = P[(x2 + x1 + r) & 0xff]; - x1 = P[(x1 + s + r) & 0xff]; - T[g & 0x1f] = (byte) (T[g & 0x1f] ^ x1); - T[(g + 1) & 0x1f] = (byte) (T[(g + 1) & 0x1f] ^ x2); - T[(g + 2) & 0x1f] = (byte) (T[(g + 2) & 0x1f] ^ x3); - T[(g + 3) & 0x1f] = (byte) (T[(g + 3) & 0x1f] ^ x4); - g = (byte) ((g + 4) & 0x1f); - - byte temp = P[n & 0xff]; - P[n & 0xff] = P[s & 0xff]; - P[s & 0xff] = temp; - n = (byte) ((n + 1) & 0xff); - } - - // Input T to the IV-phase of the VMPC KSA - for (int m = 0; m < 768; m++) - { - s = P[(s + P[m & 0xff] + T[m & 0x1f]) & 0xff]; - byte temp = P[m & 0xff]; - P[m & 0xff] = P[s & 0xff]; - P[s & 0xff] = temp; - } - - // Store 20 new outputs of the VMPC Stream Cipher in table M - byte[] M = new byte[20]; - for (int i = 0; i < 20; i++) - { - s = P[(s + P[i & 0xff]) & 0xff]; - M[i] = P[(P[(P[s & 0xff]) & 0xff] + 1) & 0xff]; - - byte temp = P[i & 0xff]; - P[i & 0xff] = P[s & 0xff]; - P[s & 0xff] = temp; - } - - System.arraycopy(M, 0, out, outOff, M.length); - reset(); - - return M.length; - } - - public String getAlgorithmName() - { - return "VMPC-MAC"; - } - - public int getMacSize() - { - return 20; - } - - public void init(CipherParameters params) throws IllegalArgumentException - { - if (!(params instanceof ParametersWithIV)) - { - throw new IllegalArgumentException( - "VMPC-MAC Init parameters must include an IV"); - } - - ParametersWithIV ivParams = (ParametersWithIV) params; - KeyParameter key = (KeyParameter) ivParams.getParameters(); - - if (!(ivParams.getParameters() instanceof KeyParameter)) - { - throw new IllegalArgumentException( - "VMPC-MAC Init parameters must include a key"); - } - - this.workingIV = ivParams.getIV(); - - if (workingIV == null || workingIV.length < 1 || workingIV.length > 768) - { - throw new IllegalArgumentException( - "VMPC-MAC requires 1 to 768 bytes of IV"); - } - - this.workingKey = key.getKey(); - - reset(); - - } - - private void initKey(byte[] keyBytes, byte[] ivBytes) - { - s = 0; - P = new byte[256]; - for (int i = 0; i < 256; i++) - { - P[i] = (byte) i; - } - for (int m = 0; m < 768; m++) - { - s = P[(s + P[m & 0xff] + keyBytes[m % keyBytes.length]) & 0xff]; - byte temp = P[m & 0xff]; - P[m & 0xff] = P[s & 0xff]; - P[s & 0xff] = temp; - } - for (int m = 0; m < 768; m++) - { - s = P[(s + P[m & 0xff] + ivBytes[m % ivBytes.length]) & 0xff]; - byte temp = P[m & 0xff]; - P[m & 0xff] = P[s & 0xff]; - P[s & 0xff] = temp; - } - n = 0; - } - - public void reset() - { - initKey(this.workingKey, this.workingIV); - g = x1 = x2 = x3 = x4 = n = 0; - T = new byte[32]; - for (int i = 0; i < 32; i++) - { - T[i] = 0; - } - } - - public void update(byte in) throws IllegalStateException - { - s = P[(s + P[n & 0xff]) & 0xff]; - byte c = (byte) (in ^ P[(P[(P[s & 0xff]) & 0xff] + 1) & 0xff]); - - x4 = P[(x4 + x3) & 0xff]; - x3 = P[(x3 + x2) & 0xff]; - x2 = P[(x2 + x1) & 0xff]; - x1 = P[(x1 + s + c) & 0xff]; - T[g & 0x1f] = (byte) (T[g & 0x1f] ^ x1); - T[(g + 1) & 0x1f] = (byte) (T[(g + 1) & 0x1f] ^ x2); - T[(g + 2) & 0x1f] = (byte) (T[(g + 2) & 0x1f] ^ x3); - T[(g + 3) & 0x1f] = (byte) (T[(g + 3) & 0x1f] ^ x4); - g = (byte) ((g + 4) & 0x1f); - - byte temp = P[n & 0xff]; - P[n & 0xff] = P[s & 0xff]; - P[s & 0xff] = temp; - n = (byte) ((n + 1) & 0xff); - } - - public void update(byte[] in, int inOff, int len) - throws DataLengthException, IllegalStateException - { - if ((inOff + len) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - for (int i = 0; i < len; i++) - { - update(in[i]); - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/AEADBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/modes/AEADBlockCipher.java deleted file mode 100644 index fe461196..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/modes/AEADBlockCipher.java +++ /dev/null @@ -1,146 +0,0 @@ -package org.bouncycastle.crypto.modes; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.InvalidCipherTextException; - -/** - * A block cipher mode that includes authenticated encryption with a streaming mode and optional associated data. - * <p> - * Implementations of this interface may operate in a packet mode (where all input data is buffered and - * processed dugin the call to {@link #doFinal(byte[], int)}), or in a streaming mode (where output data is - * incrementally produced with each call to {@link #processByte(byte, byte[], int)} or - * {@link #processBytes(byte[], int, int, byte[], int)}. - * </p> - * This is important to consider during decryption: in a streaming mode, unauthenticated plaintext data - * may be output prior to the call to {@link #doFinal(byte[], int)} that results in an authentication - * failure. The higher level protocol utilising this cipher must ensure the plaintext data is handled - * appropriately until the end of data is reached and the entire ciphertext is authenticated. - * @see org.bouncycastle.crypto.params.AEADParameters - */ -public interface AEADBlockCipher -{ - /** - * initialise the underlying cipher. Parameter can either be an AEADParameters or a ParametersWithIV object. - * - * @param forEncryption true if we are setting up for encryption, false otherwise. - * @param params the necessary parameters for the underlying cipher to be initialised. - * @exception IllegalArgumentException if the params argument is inappropriate. - */ - public void init(boolean forEncryption, CipherParameters params) - throws IllegalArgumentException; - - /** - * Return the name of the algorithm. - * - * @return the algorithm name. - */ - public String getAlgorithmName(); - - /** - * return the cipher this object wraps. - * - * @return the cipher this object wraps. - */ - public BlockCipher getUnderlyingCipher(); - - /** - * Add a single byte to the associated data check. - * <br>If the implementation supports it, this will be an online operation and will not retain the associated data. - * - * @param in the byte to be processed. - */ - public void processAADByte(byte in); - - /** - * Add a sequence of bytes to the associated data check. - * <br>If the implementation supports it, this will be an online operation and will not retain the associated data. - * - * @param in the input byte array. - * @param inOff the offset into the in array where the data to be processed starts. - * @param len the number of bytes to be processed. - */ - public void processAADBytes(byte[] in, int inOff, int len); - - /** - * encrypt/decrypt a single byte. - * - * @param in the byte to be processed. - * @param out the output buffer the processed byte goes into. - * @param outOff the offset into the output byte array the processed data starts at. - * @return the number of bytes written to out. - * @exception DataLengthException if the output buffer is too small. - */ - public int processByte(byte in, byte[] out, int outOff) - throws DataLengthException; - - /** - * process a block of bytes from in putting the result into out. - * - * @param in the input byte array. - * @param inOff the offset into the in array where the data to be processed starts. - * @param len the number of bytes to be processed. - * @param out the output buffer the processed bytes go into. - * @param outOff the offset into the output byte array the processed data starts at. - * @return the number of bytes written to out. - * @exception DataLengthException if the output buffer is too small. - */ - public int processBytes(byte[] in, int inOff, int len, byte[] out, int outOff) - throws DataLengthException; - - /** - * Finish the operation either appending or verifying the MAC at the end of the data. - * - * @param out space for any resulting output data. - * @param outOff offset into out to start copying the data at. - * @return number of bytes written into out. - * @throws IllegalStateException if the cipher is in an inappropriate state. - * @throws org.bouncycastle.crypto.InvalidCipherTextException if the MAC fails to match. - */ - public int doFinal(byte[] out, int outOff) - throws IllegalStateException, InvalidCipherTextException; - - /** - * Return the value of the MAC associated with the last stream processed. - * - * @return MAC for plaintext data. - */ - public byte[] getMac(); - - /** - * return the size of the output buffer required for a processBytes - * an input of len bytes. - * <p> - * The returned size may be dependent on the initialisation of this cipher - * and may not be accurate once subsequent input data is processed - this method - * should be invoked immediately prior to input data being processed. - * </p> - * - * @param len the length of the input. - * @return the space required to accommodate a call to processBytes - * with len bytes of input. - */ - public int getUpdateOutputSize(int len); - - /** - * return the size of the output buffer required for a processBytes plus a - * doFinal with an input of len bytes. - * <p> - * The returned size may be dependent on the initialisation of this cipher - * and may not be accurate once subsequent input data is processed - this method - * should be invoked immediately prior to a call to final processing of input data - * and a call to {@link #doFinal(byte[], int)}. - * </p> - * @param len the length of the input. - * @return the space required to accommodate a call to processBytes and doFinal - * with len bytes of input. - */ - public int getOutputSize(int len); - - /** - * Reset the cipher. After resetting the cipher is in the same state - * as it was after the last init (if there was one). - */ - public void reset(); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/CBCBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/modes/CBCBlockCipher.java deleted file mode 100644 index d4800e62..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/modes/CBCBlockCipher.java +++ /dev/null @@ -1,253 +0,0 @@ -package org.bouncycastle.crypto.modes; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.params.ParametersWithIV; -import org.bouncycastle.util.Arrays; - -/** - * implements Cipher-Block-Chaining (CBC) mode on top of a simple cipher. - */ -public class CBCBlockCipher - implements BlockCipher -{ - private byte[] IV; - private byte[] cbcV; - private byte[] cbcNextV; - - private int blockSize; - private BlockCipher cipher = null; - private boolean encrypting; - - /** - * Basic constructor. - * - * @param cipher the block cipher to be used as the basis of chaining. - */ - public CBCBlockCipher( - BlockCipher cipher) - { - this.cipher = cipher; - this.blockSize = cipher.getBlockSize(); - - this.IV = new byte[blockSize]; - this.cbcV = new byte[blockSize]; - this.cbcNextV = new byte[blockSize]; - } - - /** - * return the underlying block cipher that we are wrapping. - * - * @return the underlying block cipher that we are wrapping. - */ - public BlockCipher getUnderlyingCipher() - { - return cipher; - } - - /** - * Initialise the cipher and, possibly, the initialisation vector (IV). - * If an IV isn't passed as part of the parameter, the IV will be all zeros. - * - * @param encrypting if true the cipher is initialised for - * encryption, if false for decryption. - * @param params the key and other data required by the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean encrypting, - CipherParameters params) - throws IllegalArgumentException - { - boolean oldEncrypting = this.encrypting; - - this.encrypting = encrypting; - - if (params instanceof ParametersWithIV) - { - ParametersWithIV ivParam = (ParametersWithIV)params; - byte[] iv = ivParam.getIV(); - - if (iv.length != blockSize) - { - throw new IllegalArgumentException("initialisation vector must be the same length as block size"); - } - - System.arraycopy(iv, 0, IV, 0, iv.length); - - reset(); - - // if null it's an IV changed only. - if (ivParam.getParameters() != null) - { - cipher.init(encrypting, ivParam.getParameters()); - } - else if (oldEncrypting != encrypting) - { - throw new IllegalArgumentException("cannot change encrypting state without providing key."); - } - } - else - { - reset(); - - // if it's null, key is to be reused. - if (params != null) - { - cipher.init(encrypting, params); - } - else if (oldEncrypting != encrypting) - { - throw new IllegalArgumentException("cannot change encrypting state without providing key."); - } - } - } - - /** - * return the algorithm name and mode. - * - * @return the name of the underlying algorithm followed by "/CBC". - */ - public String getAlgorithmName() - { - return cipher.getAlgorithmName() + "/CBC"; - } - - /** - * return the block size of the underlying cipher. - * - * @return the block size of the underlying cipher. - */ - public int getBlockSize() - { - return cipher.getBlockSize(); - } - - /** - * Process one block of input from the array in and write it to - * the out array. - * - * @param in the array containing the input data. - * @param inOff offset into the in array the data starts at. - * @param out the array the output data will be copied into. - * @param outOff the offset into the out array the output will start at. - * @exception DataLengthException if there isn't enough data in in, or - * space in out. - * @exception IllegalStateException if the cipher isn't initialised. - * @return the number of bytes processed and produced. - */ - public int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - return (encrypting) ? encryptBlock(in, inOff, out, outOff) : decryptBlock(in, inOff, out, outOff); - } - - /** - * reset the chaining vector back to the IV and reset the underlying - * cipher. - */ - public void reset() - { - System.arraycopy(IV, 0, cbcV, 0, IV.length); - Arrays.fill(cbcNextV, (byte)0); - - cipher.reset(); - } - - /** - * Do the appropriate chaining step for CBC mode encryption. - * - * @param in the array containing the data to be encrypted. - * @param inOff offset into the in array the data starts at. - * @param out the array the encrypted data will be copied into. - * @param outOff the offset into the out array the output will start at. - * @exception DataLengthException if there isn't enough data in in, or - * space in out. - * @exception IllegalStateException if the cipher isn't initialised. - * @return the number of bytes processed and produced. - */ - private int encryptBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - if ((inOff + blockSize) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - /* - * XOR the cbcV and the input, - * then encrypt the cbcV - */ - for (int i = 0; i < blockSize; i++) - { - cbcV[i] ^= in[inOff + i]; - } - - int length = cipher.processBlock(cbcV, 0, out, outOff); - - /* - * copy ciphertext to cbcV - */ - System.arraycopy(out, outOff, cbcV, 0, cbcV.length); - - return length; - } - - /** - * Do the appropriate chaining step for CBC mode decryption. - * - * @param in the array containing the data to be decrypted. - * @param inOff offset into the in array the data starts at. - * @param out the array the decrypted data will be copied into. - * @param outOff the offset into the out array the output will start at. - * @exception DataLengthException if there isn't enough data in in, or - * space in out. - * @exception IllegalStateException if the cipher isn't initialised. - * @return the number of bytes processed and produced. - */ - private int decryptBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - if ((inOff + blockSize) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - System.arraycopy(in, inOff, cbcNextV, 0, blockSize); - - int length = cipher.processBlock(in, inOff, out, outOff); - - /* - * XOR the cbcV and the output - */ - for (int i = 0; i < blockSize; i++) - { - out[outOff + i] ^= cbcV[i]; - } - - /* - * swap the back up buffer into next position - */ - byte[] tmp; - - tmp = cbcV; - cbcV = cbcNextV; - cbcNextV = tmp; - - return length; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/CCMBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/modes/CCMBlockCipher.java deleted file mode 100644 index 7f870ca2..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/modes/CCMBlockCipher.java +++ /dev/null @@ -1,457 +0,0 @@ -package org.bouncycastle.crypto.modes; - -import java.io.ByteArrayOutputStream; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.InvalidCipherTextException; -import org.bouncycastle.crypto.Mac; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.macs.CBCBlockCipherMac; -import org.bouncycastle.crypto.params.AEADParameters; -import org.bouncycastle.crypto.params.ParametersWithIV; -import org.bouncycastle.util.Arrays; - -/** - * Implements the Counter with Cipher Block Chaining mode (CCM) detailed in - * NIST Special Publication 800-38C. - * <p> - * <b>Note</b>: this mode is a packet mode - it needs all the data up front. - */ -public class CCMBlockCipher - implements AEADBlockCipher -{ - private BlockCipher cipher; - private int blockSize; - private boolean forEncryption; - private byte[] nonce; - private byte[] initialAssociatedText; - private int macSize; - private CipherParameters keyParam; - private byte[] macBlock; - private ExposedByteArrayOutputStream associatedText = new ExposedByteArrayOutputStream(); - private ExposedByteArrayOutputStream data = new ExposedByteArrayOutputStream(); - - /** - * Basic constructor. - * - * @param c the block cipher to be used. - */ - public CCMBlockCipher(BlockCipher c) - { - this.cipher = c; - this.blockSize = c.getBlockSize(); - this.macBlock = new byte[blockSize]; - - if (blockSize != 16) - { - throw new IllegalArgumentException("cipher required with a block size of 16."); - } - } - - /** - * return the underlying block cipher that we are wrapping. - * - * @return the underlying block cipher that we are wrapping. - */ - public BlockCipher getUnderlyingCipher() - { - return cipher; - } - - - public void init(boolean forEncryption, CipherParameters params) - throws IllegalArgumentException - { - this.forEncryption = forEncryption; - - CipherParameters cipherParameters; - if (params instanceof AEADParameters) - { - AEADParameters param = (AEADParameters)params; - - nonce = param.getNonce(); - initialAssociatedText = param.getAssociatedText(); - macSize = param.getMacSize() / 8; - cipherParameters = param.getKey(); - } - else if (params instanceof ParametersWithIV) - { - ParametersWithIV param = (ParametersWithIV)params; - - nonce = param.getIV(); - initialAssociatedText = null; - macSize = macBlock.length / 2; - cipherParameters = param.getParameters(); - } - else - { - throw new IllegalArgumentException("invalid parameters passed to CCM"); - } - - // NOTE: Very basic support for key re-use, but no performance gain from it - if (cipherParameters != null) - { - keyParam = cipherParameters; - } - - if (nonce == null || nonce.length < 7 || nonce.length > 13) - { - throw new IllegalArgumentException("nonce must have length from 7 to 13 octets"); - } - - reset(); - } - - public String getAlgorithmName() - { - return cipher.getAlgorithmName() + "/CCM"; - } - - public void processAADByte(byte in) - { - associatedText.write(in); - } - - public void processAADBytes(byte[] in, int inOff, int len) - { - // TODO: Process AAD online - associatedText.write(in, inOff, len); - } - - public int processByte(byte in, byte[] out, int outOff) - throws DataLengthException, IllegalStateException - { - data.write(in); - - return 0; - } - - public int processBytes(byte[] in, int inOff, int inLen, byte[] out, int outOff) - throws DataLengthException, IllegalStateException - { - if (in.length < (inOff + inLen)) - { - throw new DataLengthException("Input buffer too short"); - } - data.write(in, inOff, inLen); - - return 0; - } - - public int doFinal(byte[] out, int outOff) - throws IllegalStateException, InvalidCipherTextException - { - int len = processPacket(data.getBuffer(), 0, data.size(), out, outOff); - - reset(); - - return len; - } - - public void reset() - { - cipher.reset(); - associatedText.reset(); - data.reset(); - } - - /** - * Returns a byte array containing the mac calculated as part of the - * last encrypt or decrypt operation. - * - * @return the last mac calculated. - */ - public byte[] getMac() - { - byte[] mac = new byte[macSize]; - - System.arraycopy(macBlock, 0, mac, 0, mac.length); - - return mac; - } - - public int getUpdateOutputSize(int len) - { - return 0; - } - - public int getOutputSize(int len) - { - int totalData = len + data.size(); - - if (forEncryption) - { - return totalData + macSize; - } - - return totalData < macSize ? 0 : totalData - macSize; - } - - /** - * Process a packet of data for either CCM decryption or encryption. - * - * @param in data for processing. - * @param inOff offset at which data starts in the input array. - * @param inLen length of the data in the input array. - * @return a byte array containing the processed input.. - * @throws IllegalStateException if the cipher is not appropriately set up. - * @throws InvalidCipherTextException if the input data is truncated or the mac check fails. - */ - public byte[] processPacket(byte[] in, int inOff, int inLen) - throws IllegalStateException, InvalidCipherTextException - { - byte[] output; - - if (forEncryption) - { - output = new byte[inLen + macSize]; - } - else - { - if (inLen < macSize) - { - throw new InvalidCipherTextException("data too short"); - } - output = new byte[inLen - macSize]; - } - - processPacket(in, inOff, inLen, output, 0); - - return output; - } - - /** - * Process a packet of data for either CCM decryption or encryption. - * - * @param in data for processing. - * @param inOff offset at which data starts in the input array. - * @param inLen length of the data in the input array. - * @param output output array. - * @param outOff offset into output array to start putting processed bytes. - * @return the number of bytes added to output. - * @throws IllegalStateException if the cipher is not appropriately set up. - * @throws InvalidCipherTextException if the input data is truncated or the mac check fails. - * @throws DataLengthException if output buffer too short. - */ - public int processPacket(byte[] in, int inOff, int inLen, byte[] output, int outOff) - throws IllegalStateException, InvalidCipherTextException, DataLengthException - { - // TODO: handle null keyParam (e.g. via RepeatedKeySpec) - // Need to keep the CTR and CBC Mac parts around and reset - if (keyParam == null) - { - throw new IllegalStateException("CCM cipher unitialized."); - } - - int n = nonce.length; - int q = 15 - n; - if (q < 4) - { - int limitLen = 1 << (8 * q); - if (inLen >= limitLen) - { - throw new IllegalStateException("CCM packet too large for choice of q."); - } - } - - byte[] iv = new byte[blockSize]; - iv[0] = (byte)((q - 1) & 0x7); - System.arraycopy(nonce, 0, iv, 1, nonce.length); - - BlockCipher ctrCipher = new SICBlockCipher(cipher); - ctrCipher.init(forEncryption, new ParametersWithIV(keyParam, iv)); - - int outputLen; - int inIndex = inOff; - int outIndex = outOff; - - if (forEncryption) - { - outputLen = inLen + macSize; - if (output.length < (outputLen + outOff)) - { - throw new OutputLengthException("Output buffer too short."); - } - - calculateMac(in, inOff, inLen, macBlock); - - ctrCipher.processBlock(macBlock, 0, macBlock, 0); // S0 - - while (inIndex < (inOff + inLen - blockSize)) // S1... - { - ctrCipher.processBlock(in, inIndex, output, outIndex); - outIndex += blockSize; - inIndex += blockSize; - } - - byte[] block = new byte[blockSize]; - - System.arraycopy(in, inIndex, block, 0, inLen + inOff - inIndex); - - ctrCipher.processBlock(block, 0, block, 0); - - System.arraycopy(block, 0, output, outIndex, inLen + inOff - inIndex); - - System.arraycopy(macBlock, 0, output, outOff + inLen, macSize); - } - else - { - if (inLen < macSize) - { - throw new InvalidCipherTextException("data too short"); - } - outputLen = inLen - macSize; - if (output.length < (outputLen + outOff)) - { - throw new OutputLengthException("Output buffer too short."); - } - - System.arraycopy(in, inOff + outputLen, macBlock, 0, macSize); - - ctrCipher.processBlock(macBlock, 0, macBlock, 0); - - for (int i = macSize; i != macBlock.length; i++) - { - macBlock[i] = 0; - } - - while (inIndex < (inOff + outputLen - blockSize)) - { - ctrCipher.processBlock(in, inIndex, output, outIndex); - outIndex += blockSize; - inIndex += blockSize; - } - - byte[] block = new byte[blockSize]; - - System.arraycopy(in, inIndex, block, 0, outputLen - (inIndex - inOff)); - - ctrCipher.processBlock(block, 0, block, 0); - - System.arraycopy(block, 0, output, outIndex, outputLen - (inIndex - inOff)); - - byte[] calculatedMacBlock = new byte[blockSize]; - - calculateMac(output, outOff, outputLen, calculatedMacBlock); - - if (!Arrays.constantTimeAreEqual(macBlock, calculatedMacBlock)) - { - throw new InvalidCipherTextException("mac check in CCM failed"); - } - } - - return outputLen; - } - - private int calculateMac(byte[] data, int dataOff, int dataLen, byte[] macBlock) - { - Mac cMac = new CBCBlockCipherMac(cipher, macSize * 8); - - cMac.init(keyParam); - - // - // build b0 - // - byte[] b0 = new byte[16]; - - if (hasAssociatedText()) - { - b0[0] |= 0x40; - } - - b0[0] |= (((cMac.getMacSize() - 2) / 2) & 0x7) << 3; - - b0[0] |= ((15 - nonce.length) - 1) & 0x7; - - System.arraycopy(nonce, 0, b0, 1, nonce.length); - - int q = dataLen; - int count = 1; - while (q > 0) - { - b0[b0.length - count] = (byte)(q & 0xff); - q >>>= 8; - count++; - } - - cMac.update(b0, 0, b0.length); - - // - // process associated text - // - if (hasAssociatedText()) - { - int extra; - - int textLength = getAssociatedTextLength(); - if (textLength < ((1 << 16) - (1 << 8))) - { - cMac.update((byte)(textLength >> 8)); - cMac.update((byte)textLength); - - extra = 2; - } - else // can't go any higher than 2^32 - { - cMac.update((byte)0xff); - cMac.update((byte)0xfe); - cMac.update((byte)(textLength >> 24)); - cMac.update((byte)(textLength >> 16)); - cMac.update((byte)(textLength >> 8)); - cMac.update((byte)textLength); - - extra = 6; - } - - if (initialAssociatedText != null) - { - cMac.update(initialAssociatedText, 0, initialAssociatedText.length); - } - if (associatedText.size() > 0) - { - cMac.update(associatedText.getBuffer(), 0, associatedText.size()); - } - - extra = (extra + textLength) % 16; - if (extra != 0) - { - for (int i = extra; i != 16; i++) - { - cMac.update((byte)0x00); - } - } - } - - // - // add the text - // - cMac.update(data, dataOff, dataLen); - - return cMac.doFinal(macBlock, 0); - } - - private int getAssociatedTextLength() - { - return associatedText.size() + ((initialAssociatedText == null) ? 0 : initialAssociatedText.length); - } - - private boolean hasAssociatedText() - { - return getAssociatedTextLength() > 0; - } - - private class ExposedByteArrayOutputStream - extends ByteArrayOutputStream - { - public ExposedByteArrayOutputStream() - { - } - - public byte[] getBuffer() - { - return this.buf; - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/CFBBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/modes/CFBBlockCipher.java deleted file mode 100644 index 6167d256..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/modes/CFBBlockCipher.java +++ /dev/null @@ -1,269 +0,0 @@ -package org.bouncycastle.crypto.modes; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.StreamBlockCipher; -import org.bouncycastle.crypto.params.ParametersWithIV; -import org.bouncycastle.util.Arrays; - -/** - * implements a Cipher-FeedBack (CFB) mode on top of a simple cipher. - */ -public class CFBBlockCipher - extends StreamBlockCipher -{ - private byte[] IV; - private byte[] cfbV; - private byte[] cfbOutV; - private byte[] inBuf; - - private int blockSize; - private BlockCipher cipher = null; - private boolean encrypting; - private int byteCount; - - /** - * Basic constructor. - * - * @param cipher the block cipher to be used as the basis of the - * feedback mode. - * @param bitBlockSize the block size in bits (note: a multiple of 8) - */ - public CFBBlockCipher( - BlockCipher cipher, - int bitBlockSize) - { - super(cipher); - - this.cipher = cipher; - this.blockSize = bitBlockSize / 8; - - this.IV = new byte[cipher.getBlockSize()]; - this.cfbV = new byte[cipher.getBlockSize()]; - this.cfbOutV = new byte[cipher.getBlockSize()]; - this.inBuf = new byte[blockSize]; - } - - /** - * Initialise the cipher and, possibly, the initialisation vector (IV). - * If an IV isn't passed as part of the parameter, the IV will be all zeros. - * An IV which is too short is handled in FIPS compliant fashion. - * - * @param encrypting if true the cipher is initialised for - * encryption, if false for decryption. - * @param params the key and other data required by the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean encrypting, - CipherParameters params) - throws IllegalArgumentException - { - this.encrypting = encrypting; - - if (params instanceof ParametersWithIV) - { - ParametersWithIV ivParam = (ParametersWithIV)params; - byte[] iv = ivParam.getIV(); - - if (iv.length < IV.length) - { - // prepend the supplied IV with zeros (per FIPS PUB 81) - System.arraycopy(iv, 0, IV, IV.length - iv.length, iv.length); - for (int i = 0; i < IV.length - iv.length; i++) - { - IV[i] = 0; - } - } - else - { - System.arraycopy(iv, 0, IV, 0, IV.length); - } - - reset(); - - // if null it's an IV changed only. - if (ivParam.getParameters() != null) - { - cipher.init(true, ivParam.getParameters()); - } - } - else - { - reset(); - - // if it's null, key is to be reused. - if (params != null) - { - cipher.init(true, params); - } - } - } - - /** - * return the algorithm name and mode. - * - * @return the name of the underlying algorithm followed by "/CFB" - * and the block size in bits. - */ - public String getAlgorithmName() - { - return cipher.getAlgorithmName() + "/CFB" + (blockSize * 8); - } - - protected byte calculateByte(byte in) - throws DataLengthException, IllegalStateException - { - return (encrypting) ? encryptByte(in) : decryptByte(in); - } - - private byte encryptByte(byte in) - { - if (byteCount == 0) - { - cipher.processBlock(cfbV, 0, cfbOutV, 0); - } - - byte rv = (byte)(cfbOutV[byteCount] ^ in); - inBuf[byteCount++] = rv; - - if (byteCount == blockSize) - { - byteCount = 0; - - System.arraycopy(cfbV, blockSize, cfbV, 0, cfbV.length - blockSize); - System.arraycopy(inBuf, 0, cfbV, cfbV.length - blockSize, blockSize); - } - - return rv; - } - - private byte decryptByte(byte in) - { - if (byteCount == 0) - { - cipher.processBlock(cfbV, 0, cfbOutV, 0); - } - - inBuf[byteCount] = in; - byte rv = (byte)(cfbOutV[byteCount++] ^ in); - - if (byteCount == blockSize) - { - byteCount = 0; - - System.arraycopy(cfbV, blockSize, cfbV, 0, cfbV.length - blockSize); - System.arraycopy(inBuf, 0, cfbV, cfbV.length - blockSize, blockSize); - } - - return rv; - } - - /** - * return the block size we are operating at. - * - * @return the block size we are operating at (in bytes). - */ - public int getBlockSize() - { - return blockSize; - } - - /** - * Process one block of input from the array in and write it to - * the out array. - * - * @param in the array containing the input data. - * @param inOff offset into the in array the data starts at. - * @param out the array the output data will be copied into. - * @param outOff the offset into the out array the output will start at. - * @exception DataLengthException if there isn't enough data in in, or - * space in out. - * @exception IllegalStateException if the cipher isn't initialised. - * @return the number of bytes processed and produced. - */ - public int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - processBytes(in, inOff, blockSize, out, outOff); - - return blockSize; - } - - /** - * Do the appropriate processing for CFB mode encryption. - * - * @param in the array containing the data to be encrypted. - * @param inOff offset into the in array the data starts at. - * @param out the array the encrypted data will be copied into. - * @param outOff the offset into the out array the output will start at. - * @exception DataLengthException if there isn't enough data in in, or - * space in out. - * @exception IllegalStateException if the cipher isn't initialised. - * @return the number of bytes processed and produced. - */ - public int encryptBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - processBytes(in, inOff, blockSize, out, outOff); - - return blockSize; - } - - /** - * Do the appropriate processing for CFB mode decryption. - * - * @param in the array containing the data to be decrypted. - * @param inOff offset into the in array the data starts at. - * @param out the array the encrypted data will be copied into. - * @param outOff the offset into the out array the output will start at. - * @exception DataLengthException if there isn't enough data in in, or - * space in out. - * @exception IllegalStateException if the cipher isn't initialised. - * @return the number of bytes processed and produced. - */ - public int decryptBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - processBytes(in, inOff, blockSize, out, outOff); - - return blockSize; - } - - /** - * Return the current state of the initialisation vector. - * - * @return current IV - */ - public byte[] getCurrentIV() - { - return Arrays.clone(cfbV); - } - - /** - * reset the chaining vector back to the IV and reset the underlying - * cipher. - */ - public void reset() - { - System.arraycopy(IV, 0, cfbV, 0, IV.length); - Arrays.fill(inBuf, (byte)0); - byteCount = 0; - - cipher.reset(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/CTSBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/modes/CTSBlockCipher.java deleted file mode 100644 index 5388b407..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/modes/CTSBlockCipher.java +++ /dev/null @@ -1,287 +0,0 @@ -package org.bouncycastle.crypto.modes; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.BufferedBlockCipher; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.InvalidCipherTextException; - -/** - * A Cipher Text Stealing (CTS) mode cipher. CTS allows block ciphers to - * be used to produce cipher text which is the same length as the plain text. - */ -public class CTSBlockCipher - extends BufferedBlockCipher -{ - private int blockSize; - - /** - * Create a buffered block cipher that uses Cipher Text Stealing - * - * @param cipher the underlying block cipher this buffering object wraps. - */ - public CTSBlockCipher( - BlockCipher cipher) - { - if ((cipher instanceof OFBBlockCipher) || (cipher instanceof CFBBlockCipher) || (cipher instanceof SICBlockCipher)) - { - // TODO: This is broken - need to introduce marker interface to differentiate block cipher primitive from mode? - throw new IllegalArgumentException("CTSBlockCipher can only accept ECB, or CBC ciphers"); - } - - this.cipher = cipher; - - blockSize = cipher.getBlockSize(); - - buf = new byte[blockSize * 2]; - bufOff = 0; - } - - /** - * return the size of the output buffer required for an update - * an input of len bytes. - * - * @param len the length of the input. - * @return the space required to accommodate a call to update - * with len bytes of input. - */ - public int getUpdateOutputSize( - int len) - { - int total = len + bufOff; - int leftOver = total % buf.length; - - if (leftOver == 0) - { - return total - buf.length; - } - - return total - leftOver; - } - - /** - * return the size of the output buffer required for an update plus a - * doFinal with an input of len bytes. - * - * @param len the length of the input. - * @return the space required to accommodate a call to update and doFinal - * with len bytes of input. - */ - public int getOutputSize( - int len) - { - return len + bufOff; - } - - /** - * process a single byte, producing an output block if necessary. - * - * @param in the input byte. - * @param out the space for any output that might be produced. - * @param outOff the offset from which the output will be copied. - * @return the number of output bytes copied to out. - * @exception DataLengthException if there isn't enough space in out. - * @exception IllegalStateException if the cipher isn't initialised. - */ - public int processByte( - byte in, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - int resultLen = 0; - - if (bufOff == buf.length) - { - resultLen = cipher.processBlock(buf, 0, out, outOff); - System.arraycopy(buf, blockSize, buf, 0, blockSize); - - bufOff = blockSize; - } - - buf[bufOff++] = in; - - return resultLen; - } - - /** - * process an array of bytes, producing output if necessary. - * - * @param in the input byte array. - * @param inOff the offset at which the input data starts. - * @param len the number of bytes to be copied out of the input array. - * @param out the space for any output that might be produced. - * @param outOff the offset from which the output will be copied. - * @return the number of output bytes copied to out. - * @exception DataLengthException if there isn't enough space in out. - * @exception IllegalStateException if the cipher isn't initialised. - */ - public int processBytes( - byte[] in, - int inOff, - int len, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - if (len < 0) - { - throw new IllegalArgumentException("Can't have a negative input length!"); - } - - int blockSize = getBlockSize(); - int length = getUpdateOutputSize(len); - - if (length > 0) - { - if ((outOff + length) > out.length) - { - throw new DataLengthException("output buffer too short"); - } - } - - int resultLen = 0; - int gapLen = buf.length - bufOff; - - if (len > gapLen) - { - System.arraycopy(in, inOff, buf, bufOff, gapLen); - - resultLen += cipher.processBlock(buf, 0, out, outOff); - System.arraycopy(buf, blockSize, buf, 0, blockSize); - - bufOff = blockSize; - - len -= gapLen; - inOff += gapLen; - - while (len > blockSize) - { - System.arraycopy(in, inOff, buf, bufOff, blockSize); - resultLen += cipher.processBlock(buf, 0, out, outOff + resultLen); - System.arraycopy(buf, blockSize, buf, 0, blockSize); - - len -= blockSize; - inOff += blockSize; - } - } - - System.arraycopy(in, inOff, buf, bufOff, len); - - bufOff += len; - - return resultLen; - } - - /** - * Process the last block in the buffer. - * - * @param out the array the block currently being held is copied into. - * @param outOff the offset at which the copying starts. - * @return the number of output bytes copied to out. - * @exception DataLengthException if there is insufficient space in out for - * the output. - * @exception IllegalStateException if the underlying cipher is not - * initialised. - * @exception InvalidCipherTextException if cipher text decrypts wrongly (in - * case the exception will never get thrown). - */ - public int doFinal( - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException, InvalidCipherTextException - { - if (bufOff + outOff > out.length) - { - throw new DataLengthException("output buffer to small in doFinal"); - } - - int blockSize = cipher.getBlockSize(); - int len = bufOff - blockSize; - byte[] block = new byte[blockSize]; - - if (forEncryption) - { - if (bufOff < blockSize) - { - throw new DataLengthException("need at least one block of input for CTS"); - } - - cipher.processBlock(buf, 0, block, 0); - - if (bufOff > blockSize) - { - for (int i = bufOff; i != buf.length; i++) - { - buf[i] = block[i - blockSize]; - } - - for (int i = blockSize; i != bufOff; i++) - { - buf[i] ^= block[i - blockSize]; - } - - if (cipher instanceof CBCBlockCipher) - { - BlockCipher c = ((CBCBlockCipher)cipher).getUnderlyingCipher(); - - c.processBlock(buf, blockSize, out, outOff); - } - else - { - cipher.processBlock(buf, blockSize, out, outOff); - } - - System.arraycopy(block, 0, out, outOff + blockSize, len); - } - else - { - System.arraycopy(block, 0, out, outOff, blockSize); - } - } - else - { - if (bufOff < blockSize) - { - throw new DataLengthException("need at least one block of input for CTS"); - } - - byte[] lastBlock = new byte[blockSize]; - - if (bufOff > blockSize) - { - if (cipher instanceof CBCBlockCipher) - { - BlockCipher c = ((CBCBlockCipher)cipher).getUnderlyingCipher(); - - c.processBlock(buf, 0, block, 0); - } - else - { - cipher.processBlock(buf, 0, block, 0); - } - - for (int i = blockSize; i != bufOff; i++) - { - lastBlock[i - blockSize] = (byte)(block[i - blockSize] ^ buf[i]); - } - - System.arraycopy(buf, blockSize, block, 0, len); - - cipher.processBlock(block, 0, out, outOff); - System.arraycopy(lastBlock, 0, out, outOff + blockSize, len); - } - else - { - cipher.processBlock(buf, 0, block, 0); - - System.arraycopy(block, 0, out, outOff, blockSize); - } - } - - int offset = bufOff; - - reset(); - - return offset; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/EAXBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/modes/EAXBlockCipher.java deleted file mode 100644 index 209d5cdb..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/modes/EAXBlockCipher.java +++ /dev/null @@ -1,387 +0,0 @@ -package org.bouncycastle.crypto.modes; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.InvalidCipherTextException; -import org.bouncycastle.crypto.Mac; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.macs.CMac; -import org.bouncycastle.crypto.params.AEADParameters; -import org.bouncycastle.crypto.params.ParametersWithIV; -import org.bouncycastle.util.Arrays; - -/** - * A Two-Pass Authenticated-Encryption Scheme Optimized for Simplicity and - * Efficiency - by M. Bellare, P. Rogaway, D. Wagner. - * - * http://www.cs.ucdavis.edu/~rogaway/papers/eax.pdf - * - * EAX is an AEAD scheme based on CTR and OMAC1/CMAC, that uses a single block - * cipher to encrypt and authenticate data. It's on-line (the length of a - * message isn't needed to begin processing it), has good performances, it's - * simple and provably secure (provided the underlying block cipher is secure). - * - * Of course, this implementations is NOT thread-safe. - */ -public class EAXBlockCipher - implements AEADBlockCipher -{ - private static final byte nTAG = 0x0; - - private static final byte hTAG = 0x1; - - private static final byte cTAG = 0x2; - - private SICBlockCipher cipher; - - private boolean forEncryption; - - private int blockSize; - - private Mac mac; - - private byte[] nonceMac; - private byte[] associatedTextMac; - private byte[] macBlock; - - private int macSize; - private byte[] bufBlock; - private int bufOff; - - private boolean cipherInitialized; - private byte[] initialAssociatedText; - - /** - * Constructor that accepts an instance of a block cipher engine. - * - * @param cipher the engine to use - */ - public EAXBlockCipher(BlockCipher cipher) - { - blockSize = cipher.getBlockSize(); - mac = new CMac(cipher); - macBlock = new byte[blockSize]; - associatedTextMac = new byte[mac.getMacSize()]; - nonceMac = new byte[mac.getMacSize()]; - this.cipher = new SICBlockCipher(cipher); - } - - public String getAlgorithmName() - { - return cipher.getUnderlyingCipher().getAlgorithmName() + "/EAX"; - } - - public BlockCipher getUnderlyingCipher() - { - return cipher.getUnderlyingCipher(); - } - - public int getBlockSize() - { - return cipher.getBlockSize(); - } - - public void init(boolean forEncryption, CipherParameters params) - throws IllegalArgumentException - { - this.forEncryption = forEncryption; - - byte[] nonce; - CipherParameters keyParam; - - if (params instanceof AEADParameters) - { - AEADParameters param = (AEADParameters)params; - - nonce = param.getNonce(); - initialAssociatedText = param.getAssociatedText(); - macSize = param.getMacSize() / 8; - keyParam = param.getKey(); - } - else if (params instanceof ParametersWithIV) - { - ParametersWithIV param = (ParametersWithIV)params; - - nonce = param.getIV(); - initialAssociatedText = null; - macSize = mac.getMacSize() / 2; - keyParam = param.getParameters(); - } - else - { - throw new IllegalArgumentException("invalid parameters passed to EAX"); - } - - bufBlock = new byte[forEncryption ? blockSize : (blockSize + macSize)]; - - byte[] tag = new byte[blockSize]; - - // Key reuse implemented in CBC mode of underlying CMac - mac.init(keyParam); - - tag[blockSize - 1] = nTAG; - mac.update(tag, 0, blockSize); - mac.update(nonce, 0, nonce.length); - mac.doFinal(nonceMac, 0); - - // Same BlockCipher underlies this and the mac, so reuse last key on cipher - cipher.init(true, new ParametersWithIV(null, nonceMac)); - - reset(); - } - - private void initCipher() - { - if (cipherInitialized) - { - return; - } - - cipherInitialized = true; - - mac.doFinal(associatedTextMac, 0); - - byte[] tag = new byte[blockSize]; - tag[blockSize - 1] = cTAG; - mac.update(tag, 0, blockSize); - } - - private void calculateMac() - { - byte[] outC = new byte[blockSize]; - mac.doFinal(outC, 0); - - for (int i = 0; i < macBlock.length; i++) - { - macBlock[i] = (byte)(nonceMac[i] ^ associatedTextMac[i] ^ outC[i]); - } - } - - public void reset() - { - reset(true); - } - - private void reset( - boolean clearMac) - { - cipher.reset(); // TODO Redundant since the mac will reset it? - mac.reset(); - - bufOff = 0; - Arrays.fill(bufBlock, (byte)0); - - if (clearMac) - { - Arrays.fill(macBlock, (byte)0); - } - - byte[] tag = new byte[blockSize]; - tag[blockSize - 1] = hTAG; - mac.update(tag, 0, blockSize); - - cipherInitialized = false; - - if (initialAssociatedText != null) - { - processAADBytes(initialAssociatedText, 0, initialAssociatedText.length); - } - } - - public void processAADByte(byte in) - { - if (cipherInitialized) - { - throw new IllegalStateException("AAD data cannot be added after encryption/decription processing has begun."); - } - mac.update(in); - } - - public void processAADBytes(byte[] in, int inOff, int len) - { - if (cipherInitialized) - { - throw new IllegalStateException("AAD data cannot be added after encryption/decryption processing has begun."); - } - mac.update(in, inOff, len); - } - - public int processByte(byte in, byte[] out, int outOff) - throws DataLengthException - { - initCipher(); - - return process(in, out, outOff); - } - - public int processBytes(byte[] in, int inOff, int len, byte[] out, int outOff) - throws DataLengthException - { - initCipher(); - - if (in.length < (inOff + len)) - { - throw new DataLengthException("Input buffer too short"); - } - - int resultLen = 0; - - for (int i = 0; i != len; i++) - { - resultLen += process(in[inOff + i], out, outOff + resultLen); - } - - return resultLen; - } - - public int doFinal(byte[] out, int outOff) - throws IllegalStateException, InvalidCipherTextException - { - initCipher(); - - int extra = bufOff; - byte[] tmp = new byte[bufBlock.length]; - - bufOff = 0; - - if (forEncryption) - { - if (out.length < (outOff + extra + macSize)) - { - throw new OutputLengthException("Output buffer too short"); - } - cipher.processBlock(bufBlock, 0, tmp, 0); - - System.arraycopy(tmp, 0, out, outOff, extra); - - mac.update(tmp, 0, extra); - - calculateMac(); - - System.arraycopy(macBlock, 0, out, outOff + extra, macSize); - - reset(false); - - return extra + macSize; - } - else - { - if (out.length < (outOff + extra - macSize)) - { - throw new OutputLengthException("Output buffer too short"); - } - if (extra < macSize) - { - throw new InvalidCipherTextException("data too short"); - } - if (extra > macSize) - { - mac.update(bufBlock, 0, extra - macSize); - - cipher.processBlock(bufBlock, 0, tmp, 0); - - System.arraycopy(tmp, 0, out, outOff, extra - macSize); - } - - calculateMac(); - - if (!verifyMac(bufBlock, extra - macSize)) - { - throw new InvalidCipherTextException("mac check in EAX failed"); - } - - reset(false); - - return extra - macSize; - } - } - - public byte[] getMac() - { - byte[] mac = new byte[macSize]; - - System.arraycopy(macBlock, 0, mac, 0, macSize); - - return mac; - } - - public int getUpdateOutputSize(int len) - { - int totalData = len + bufOff; - if (!forEncryption) - { - if (totalData < macSize) - { - return 0; - } - totalData -= macSize; - } - return totalData - totalData % blockSize; - } - - public int getOutputSize(int len) - { - int totalData = len + bufOff; - - if (forEncryption) - { - return totalData + macSize; - } - - return totalData < macSize ? 0 : totalData - macSize; - } - - private int process(byte b, byte[] out, int outOff) - { - bufBlock[bufOff++] = b; - - if (bufOff == bufBlock.length) - { - if (out.length < (outOff + blockSize)) - { - throw new OutputLengthException("Output buffer is too short"); - } - // TODO Could move the processByte(s) calls to here -// initCipher(); - - int size; - - if (forEncryption) - { - size = cipher.processBlock(bufBlock, 0, out, outOff); - - mac.update(out, outOff, blockSize); - } - else - { - mac.update(bufBlock, 0, blockSize); - - size = cipher.processBlock(bufBlock, 0, out, outOff); - } - - bufOff = 0; - if (!forEncryption) - { - System.arraycopy(bufBlock, blockSize, bufBlock, 0, macSize); - bufOff = macSize; - } - - return size; - } - - return 0; - } - - private boolean verifyMac(byte[] mac, int off) - { - int nonEqual = 0; - - for (int i = 0; i < macSize; i++) - { - nonEqual |= (macBlock[i] ^ mac[off + i]); - } - - return nonEqual == 0; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/GCFBBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/modes/GCFBBlockCipher.java deleted file mode 100644 index 5791e89c..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/modes/GCFBBlockCipher.java +++ /dev/null @@ -1,120 +0,0 @@ -package org.bouncycastle.crypto.modes; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.StreamBlockCipher; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.ParametersWithIV; -import org.bouncycastle.crypto.params.ParametersWithRandom; -import org.bouncycastle.crypto.params.ParametersWithSBox; - -/** - * An implementation of the GOST CFB mode with CryptoPro key meshing as described in RFC 4357. - */ -public class GCFBBlockCipher - extends StreamBlockCipher -{ - private static final byte[] C = - { - 0x69, 0x00, 0x72, 0x22, 0x64, (byte)0xC9, 0x04, 0x23, - (byte)0x8D, 0x3A, (byte)0xDB, (byte)0x96, 0x46, (byte)0xE9, 0x2A, (byte)0xC4, - 0x18, (byte)0xFE, (byte)0xAC, (byte)0x94, 0x00, (byte)0xED, 0x07, 0x12, - (byte)0xC0, (byte)0x86, (byte)0xDC, (byte)0xC2, (byte)0xEF, 0x4C, (byte)0xA9, 0x2B - }; - - private final CFBBlockCipher cfbEngine; - - private KeyParameter key; - private long counter = 0; - private boolean forEncryption; - - public GCFBBlockCipher(BlockCipher engine) - { - super(engine); - - this.cfbEngine = new CFBBlockCipher(engine, engine.getBlockSize() * 8); - } - - public void init(boolean forEncryption, CipherParameters params) - throws IllegalArgumentException - { - counter = 0; - cfbEngine.init(forEncryption, params); - - this.forEncryption = forEncryption; - - if (params instanceof ParametersWithIV) - { - params = ((ParametersWithIV)params).getParameters(); - } - - if (params instanceof ParametersWithRandom) - { - params = ((ParametersWithRandom)params).getParameters(); - } - - if (params instanceof ParametersWithSBox) - { - params = ((ParametersWithSBox)params).getParameters(); - } - - key = (KeyParameter)params; - } - - public String getAlgorithmName() - { - String name = cfbEngine.getAlgorithmName(); - return name.substring(0, name.indexOf('/') - 1) + "/G" + name.substring(name.indexOf('/') + 1); - } - - public int getBlockSize() - { - return cfbEngine.getBlockSize(); - } - - public int processBlock(byte[] in, int inOff, byte[] out, int outOff) - throws DataLengthException, IllegalStateException - { - this.processBytes(in, inOff, cfbEngine.getBlockSize(), out, outOff); - - return cfbEngine.getBlockSize(); - } - - protected byte calculateByte(byte b) - { - if (counter > 0 && counter % 1024 == 0) - { - BlockCipher base = cfbEngine.getUnderlyingCipher(); - - base.init(false, key); - - byte[] nextKey = new byte[32]; - - base.processBlock(C, 0, nextKey, 0); - base.processBlock(C, 8, nextKey, 8); - base.processBlock(C, 16, nextKey, 16); - base.processBlock(C, 24, nextKey, 24); - - key = new KeyParameter(nextKey); - - base.init(true, key); - - byte[] iv = cfbEngine.getCurrentIV(); - - base.processBlock(iv, 0, iv, 0); - - cfbEngine.init(forEncryption, new ParametersWithIV(key, iv)); - } - - counter++; - - return cfbEngine.calculateByte(b); - } - - public void reset() - { - counter = 0; - cfbEngine.reset(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/GCMBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/modes/GCMBlockCipher.java deleted file mode 100644 index 024eb860..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/modes/GCMBlockCipher.java +++ /dev/null @@ -1,596 +0,0 @@ -package org.bouncycastle.crypto.modes; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.InvalidCipherTextException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.modes.gcm.GCMExponentiator; -import org.bouncycastle.crypto.modes.gcm.GCMMultiplier; -import org.bouncycastle.crypto.modes.gcm.Tables1kGCMExponentiator; -import org.bouncycastle.crypto.modes.gcm.Tables8kGCMMultiplier; -import org.bouncycastle.crypto.params.AEADParameters; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.ParametersWithIV; -import org.bouncycastle.util.Arrays; -import org.bouncycastle.util.Pack; - -/** - * Implements the Galois/Counter mode (GCM) detailed in - * NIST Special Publication 800-38D. - */ -public class GCMBlockCipher - implements AEADBlockCipher -{ - private static final int BLOCK_SIZE = 16; - - // not final due to a compiler bug - private BlockCipher cipher; - private GCMMultiplier multiplier; - private GCMExponentiator exp; - - // These fields are set by init and not modified by processing - private boolean forEncryption; - private int macSize; - private byte[] nonce; - private byte[] initialAssociatedText; - private byte[] H; - private byte[] J0; - - // These fields are modified during processing - private byte[] bufBlock; - private byte[] macBlock; - private byte[] S, S_at, S_atPre; - private byte[] counter; - private int bufOff; - private long totalLength; - private byte[] atBlock; - private int atBlockPos; - private long atLength; - private long atLengthPre; - - public GCMBlockCipher(BlockCipher c) - { - this(c, null); - } - - public GCMBlockCipher(BlockCipher c, GCMMultiplier m) - { - if (c.getBlockSize() != BLOCK_SIZE) - { - throw new IllegalArgumentException( - "cipher required with a block size of " + BLOCK_SIZE + "."); - } - - if (m == null) - { - // TODO Consider a static property specifying default multiplier - m = new Tables8kGCMMultiplier(); - } - - this.cipher = c; - this.multiplier = m; - } - - public BlockCipher getUnderlyingCipher() - { - return cipher; - } - - public String getAlgorithmName() - { - return cipher.getAlgorithmName() + "/GCM"; - } - - /** - * NOTE: MAC sizes from 32 bits to 128 bits (must be a multiple of 8) are supported. The default is 128 bits. - * Sizes less than 96 are not recommended, but are supported for specialized applications. - */ - public void init(boolean forEncryption, CipherParameters params) - throws IllegalArgumentException - { - this.forEncryption = forEncryption; - this.macBlock = null; - - KeyParameter keyParam; - - if (params instanceof AEADParameters) - { - AEADParameters param = (AEADParameters)params; - - nonce = param.getNonce(); - initialAssociatedText = param.getAssociatedText(); - - int macSizeBits = param.getMacSize(); - if (macSizeBits < 32 || macSizeBits > 128 || macSizeBits % 8 != 0) - { - throw new IllegalArgumentException("Invalid value for MAC size: " + macSizeBits); - } - - macSize = macSizeBits / 8; - keyParam = param.getKey(); - } - else if (params instanceof ParametersWithIV) - { - ParametersWithIV param = (ParametersWithIV)params; - - nonce = param.getIV(); - initialAssociatedText = null; - macSize = 16; - keyParam = (KeyParameter)param.getParameters(); - } - else - { - throw new IllegalArgumentException("invalid parameters passed to GCM"); - } - - int bufLength = forEncryption ? BLOCK_SIZE : (BLOCK_SIZE + macSize); - this.bufBlock = new byte[bufLength]; - - if (nonce == null || nonce.length < 1) - { - throw new IllegalArgumentException("IV must be at least 1 byte"); - } - - // TODO Restrict macSize to 16 if nonce length not 12? - - // Cipher always used in forward mode - // if keyParam is null we're reusing the last key. - if (keyParam != null) - { - cipher.init(true, keyParam); - - this.H = new byte[BLOCK_SIZE]; - cipher.processBlock(H, 0, H, 0); - - // GCMMultiplier tables don't change unless the key changes (and are expensive to init) - multiplier.init(H); - exp = null; - } - else if (this.H == null) - { - throw new IllegalArgumentException("Key must be specified in initial init"); - } - - this.J0 = new byte[BLOCK_SIZE]; - - if (nonce.length == 12) - { - System.arraycopy(nonce, 0, J0, 0, nonce.length); - this.J0[BLOCK_SIZE - 1] = 0x01; - } - else - { - gHASH(J0, nonce, nonce.length); - byte[] X = new byte[BLOCK_SIZE]; - Pack.longToBigEndian((long)nonce.length * 8, X, 8); - gHASHBlock(J0, X); - } - - this.S = new byte[BLOCK_SIZE]; - this.S_at = new byte[BLOCK_SIZE]; - this.S_atPre = new byte[BLOCK_SIZE]; - this.atBlock = new byte[BLOCK_SIZE]; - this.atBlockPos = 0; - this.atLength = 0; - this.atLengthPre = 0; - this.counter = Arrays.clone(J0); - this.bufOff = 0; - this.totalLength = 0; - - if (initialAssociatedText != null) - { - processAADBytes(initialAssociatedText, 0, initialAssociatedText.length); - } - } - - public byte[] getMac() - { - return Arrays.clone(macBlock); - } - - public int getOutputSize(int len) - { - int totalData = len + bufOff; - - if (forEncryption) - { - return totalData + macSize; - } - - return totalData < macSize ? 0 : totalData - macSize; - } - - public int getUpdateOutputSize(int len) - { - int totalData = len + bufOff; - if (!forEncryption) - { - if (totalData < macSize) - { - return 0; - } - totalData -= macSize; - } - return totalData - totalData % BLOCK_SIZE; - } - - public void processAADByte(byte in) - { - atBlock[atBlockPos] = in; - if (++atBlockPos == BLOCK_SIZE) - { - // Hash each block as it fills - gHASHBlock(S_at, atBlock); - atBlockPos = 0; - atLength += BLOCK_SIZE; - } - } - - public void processAADBytes(byte[] in, int inOff, int len) - { - for (int i = 0; i < len; ++i) - { - atBlock[atBlockPos] = in[inOff + i]; - if (++atBlockPos == BLOCK_SIZE) - { - // Hash each block as it fills - gHASHBlock(S_at, atBlock); - atBlockPos = 0; - atLength += BLOCK_SIZE; - } - } - } - - private void initCipher() - { - if (atLength > 0) - { - System.arraycopy(S_at, 0, S_atPre, 0, BLOCK_SIZE); - atLengthPre = atLength; - } - - // Finish hash for partial AAD block - if (atBlockPos > 0) - { - gHASHPartial(S_atPre, atBlock, 0, atBlockPos); - atLengthPre += atBlockPos; - } - - if (atLengthPre > 0) - { - System.arraycopy(S_atPre, 0, S, 0, BLOCK_SIZE); - } - } - - public int processByte(byte in, byte[] out, int outOff) - throws DataLengthException - { - bufBlock[bufOff] = in; - if (++bufOff == bufBlock.length) - { - outputBlock(out, outOff); - return BLOCK_SIZE; - } - return 0; - } - - public int processBytes(byte[] in, int inOff, int len, byte[] out, int outOff) - throws DataLengthException - { - if (in.length < (inOff + len)) - { - throw new DataLengthException("Input buffer too short"); - } - int resultLen = 0; - - for (int i = 0; i < len; ++i) - { - bufBlock[bufOff] = in[inOff + i]; - if (++bufOff == bufBlock.length) - { - outputBlock(out, outOff + resultLen); - resultLen += BLOCK_SIZE; - } - } - - return resultLen; - } - - private void outputBlock(byte[] output, int offset) - { - if (output.length < (offset + BLOCK_SIZE)) - { - throw new OutputLengthException("Output buffer too short"); - } - if (totalLength == 0) - { - initCipher(); - } - gCTRBlock(bufBlock, output, offset); - if (forEncryption) - { - bufOff = 0; - } - else - { - System.arraycopy(bufBlock, BLOCK_SIZE, bufBlock, 0, macSize); - bufOff = macSize; - } - } - - public int doFinal(byte[] out, int outOff) - throws IllegalStateException, InvalidCipherTextException - { - if (totalLength == 0) - { - initCipher(); - } - - int extra = bufOff; - if (!forEncryption) - { - if (extra < macSize) - { - throw new InvalidCipherTextException("data too short"); - } - extra -= macSize; - } - - if (extra > 0) - { - if (out.length < (outOff + extra)) - { - throw new OutputLengthException("Output buffer too short"); - } - gCTRPartial(bufBlock, 0, extra, out, outOff); - } - - atLength += atBlockPos; - - if (atLength > atLengthPre) - { - /* - * Some AAD was sent after the cipher started. We determine the difference b/w the hash value - * we actually used when the cipher started (S_atPre) and the final hash value calculated (S_at). - * Then we carry this difference forward by multiplying by H^c, where c is the number of (full or - * partial) cipher-text blocks produced, and adjust the current hash. - */ - - // Finish hash for partial AAD block - if (atBlockPos > 0) - { - gHASHPartial(S_at, atBlock, 0, atBlockPos); - } - - // Find the difference between the AAD hashes - if (atLengthPre > 0) - { - xor(S_at, S_atPre); - } - - // Number of cipher-text blocks produced - long c = ((totalLength * 8) + 127) >>> 7; - - // Calculate the adjustment factor - byte[] H_c = new byte[16]; - if (exp == null) - { - exp = new Tables1kGCMExponentiator(); - exp.init(H); - } - exp.exponentiateX(c, H_c); - - // Carry the difference forward - multiply(S_at, H_c); - - // Adjust the current hash - xor(S, S_at); - } - - // Final gHASH - byte[] X = new byte[BLOCK_SIZE]; - Pack.longToBigEndian(atLength * 8, X, 0); - Pack.longToBigEndian(totalLength * 8, X, 8); - - gHASHBlock(S, X); - - // T = MSBt(GCTRk(J0,S)) - byte[] tag = new byte[BLOCK_SIZE]; - cipher.processBlock(J0, 0, tag, 0); - xor(tag, S); - - int resultLen = extra; - - // We place into macBlock our calculated value for T - this.macBlock = new byte[macSize]; - System.arraycopy(tag, 0, macBlock, 0, macSize); - - if (forEncryption) - { - if (out.length < (outOff + extra + macSize)) - { - throw new OutputLengthException("Output buffer too short"); - } - // Append T to the message - System.arraycopy(macBlock, 0, out, outOff + bufOff, macSize); - resultLen += macSize; - } - else - { - // Retrieve the T value from the message and compare to calculated one - byte[] msgMac = new byte[macSize]; - System.arraycopy(bufBlock, extra, msgMac, 0, macSize); - if (!Arrays.constantTimeAreEqual(this.macBlock, msgMac)) - { - throw new InvalidCipherTextException("mac check in GCM failed"); - } - } - - reset(false); - - return resultLen; - } - - public void reset() - { - reset(true); - } - - private void reset( - boolean clearMac) - { - cipher.reset(); - - S = new byte[BLOCK_SIZE]; - S_at = new byte[BLOCK_SIZE]; - S_atPre = new byte[BLOCK_SIZE]; - atBlock = new byte[BLOCK_SIZE]; - atBlockPos = 0; - atLength = 0; - atLengthPre = 0; - counter = Arrays.clone(J0); - bufOff = 0; - totalLength = 0; - - if (bufBlock != null) - { - Arrays.fill(bufBlock, (byte)0); - } - - if (clearMac) - { - macBlock = null; - } - - if (initialAssociatedText != null) - { - processAADBytes(initialAssociatedText, 0, initialAssociatedText.length); - } - } - - private void gCTRBlock(byte[] block, byte[] out, int outOff) - { - byte[] tmp = getNextCounterBlock(); - - xor(tmp, block); - System.arraycopy(tmp, 0, out, outOff, BLOCK_SIZE); - - gHASHBlock(S, forEncryption ? tmp : block); - - totalLength += BLOCK_SIZE; - } - - private void gCTRPartial(byte[] buf, int off, int len, byte[] out, int outOff) - { - byte[] tmp = getNextCounterBlock(); - - xor(tmp, buf, off, len); - System.arraycopy(tmp, 0, out, outOff, len); - - gHASHPartial(S, forEncryption ? tmp : buf, 0, len); - - totalLength += len; - } - - private void gHASH(byte[] Y, byte[] b, int len) - { - for (int pos = 0; pos < len; pos += BLOCK_SIZE) - { - int num = Math.min(len - pos, BLOCK_SIZE); - gHASHPartial(Y, b, pos, num); - } - } - - private void gHASHBlock(byte[] Y, byte[] b) - { - xor(Y, b); - multiplier.multiplyH(Y); - } - - private void gHASHPartial(byte[] Y, byte[] b, int off, int len) - { - xor(Y, b, off, len); - multiplier.multiplyH(Y); - } - - private byte[] getNextCounterBlock() - { - for (int i = 15; i >= 12; --i) - { - byte b = (byte)((counter[i] + 1) & 0xff); - counter[i] = b; - - if (b != 0) - { - break; - } - } - - byte[] tmp = new byte[BLOCK_SIZE]; - // TODO Sure would be nice if ciphers could operate on int[] - cipher.processBlock(counter, 0, tmp, 0); - return tmp; - } - - private static void multiply(byte[] block, byte[] val) - { - byte[] tmp = Arrays.clone(block); - byte[] c = new byte[16]; - - for (int i = 0; i < 16; ++i) - { - byte bits = val[i]; - for (int j = 7; j >= 0; --j) - { - if ((bits & (1 << j)) != 0) - { - xor(c, tmp); - } - - boolean lsb = (tmp[15] & 1) != 0; - shiftRight(tmp); - if (lsb) - { - // R = new byte[]{ 0xe1, ... }; -// xor(v, R); - tmp[0] ^= (byte)0xe1; - } - } - } - - System.arraycopy(c, 0, block, 0, 16); - } - - private static void shiftRight(byte[] block) - { - int i = 0; - int bit = 0; - for (;;) - { - int b = block[i] & 0xff; - block[i] = (byte) ((b >>> 1) | bit); - if (++i == 16) - { - break; - } - bit = (b & 1) << 7; - } - } - - private static void xor(byte[] block, byte[] val) - { - for (int i = 15; i >= 0; --i) - { - block[i] ^= val[i]; - } - } - - private static void xor(byte[] block, byte[] val, int off, int len) - { - while (len-- > 0) - { - block[len] ^= val[off + len]; - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/GOFBBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/modes/GOFBBlockCipher.java deleted file mode 100644 index b025a1b8..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/modes/GOFBBlockCipher.java +++ /dev/null @@ -1,228 +0,0 @@ -package org.bouncycastle.crypto.modes; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.StreamBlockCipher; -import org.bouncycastle.crypto.params.ParametersWithIV; - -/** - * implements the GOST 28147 OFB counter mode (GCTR). - */ -public class GOFBBlockCipher - extends StreamBlockCipher -{ - private byte[] IV; - private byte[] ofbV; - private byte[] ofbOutV; - private int byteCount; - - private final int blockSize; - private final BlockCipher cipher; - - boolean firstStep = true; - int N3; - int N4; - static final int C1 = 16843012; //00000001000000010000000100000100 - static final int C2 = 16843009; //00000001000000010000000100000001 - - - /** - * Basic constructor. - * - * @param cipher the block cipher to be used as the basis of the - * counter mode (must have a 64 bit block size). - */ - public GOFBBlockCipher( - BlockCipher cipher) - { - super(cipher); - - this.cipher = cipher; - this.blockSize = cipher.getBlockSize(); - - if (blockSize != 8) - { - throw new IllegalArgumentException("GCTR only for 64 bit block ciphers"); - } - - this.IV = new byte[cipher.getBlockSize()]; - this.ofbV = new byte[cipher.getBlockSize()]; - this.ofbOutV = new byte[cipher.getBlockSize()]; - } - - /** - * Initialise the cipher and, possibly, the initialisation vector (IV). - * If an IV isn't passed as part of the parameter, the IV will be all zeros. - * An IV which is too short is handled in FIPS compliant fashion. - * - * @param encrypting if true the cipher is initialised for - * encryption, if false for decryption. - * @param params the key and other data required by the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean encrypting, //ignored by this CTR mode - CipherParameters params) - throws IllegalArgumentException - { - firstStep = true; - N3 = 0; - N4 = 0; - - if (params instanceof ParametersWithIV) - { - ParametersWithIV ivParam = (ParametersWithIV)params; - byte[] iv = ivParam.getIV(); - - if (iv.length < IV.length) - { - // prepend the supplied IV with zeros (per FIPS PUB 81) - System.arraycopy(iv, 0, IV, IV.length - iv.length, iv.length); - for (int i = 0; i < IV.length - iv.length; i++) - { - IV[i] = 0; - } - } - else - { - System.arraycopy(iv, 0, IV, 0, IV.length); - } - - reset(); - - // if params is null we reuse the current working key. - if (ivParam.getParameters() != null) - { - cipher.init(true, ivParam.getParameters()); - } - } - else - { - reset(); - - // if params is null we reuse the current working key. - if (params != null) - { - cipher.init(true, params); - } - } - } - - /** - * return the algorithm name and mode. - * - * @return the name of the underlying algorithm followed by "/GCTR" - * and the block size in bits - */ - public String getAlgorithmName() - { - return cipher.getAlgorithmName() + "/GCTR"; - } - - /** - * return the block size we are operating at (in bytes). - * - * @return the block size we are operating at (in bytes). - */ - public int getBlockSize() - { - return blockSize; - } - - /** - * Process one block of input from the array in and write it to - * the out array. - * - * @param in the array containing the input data. - * @param inOff offset into the in array the data starts at. - * @param out the array the output data will be copied into. - * @param outOff the offset into the out array the output will start at. - * @exception DataLengthException if there isn't enough data in in, or - * space in out. - * @exception IllegalStateException if the cipher isn't initialised. - * @return the number of bytes processed and produced. - */ - public int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - processBytes(in, inOff, blockSize, out, outOff); - - return blockSize; - } - - /** - * reset the feedback vector back to the IV and reset the underlying - * cipher. - */ - public void reset() - { - firstStep = true; - N3 = 0; - N4 = 0; - System.arraycopy(IV, 0, ofbV, 0, IV.length); - byteCount = 0; - cipher.reset(); - } - - //array of bytes to type int - private int bytesToint( - byte[] in, - int inOff) - { - return ((in[inOff + 3] << 24) & 0xff000000) + ((in[inOff + 2] << 16) & 0xff0000) + - ((in[inOff + 1] << 8) & 0xff00) + (in[inOff] & 0xff); - } - - //int to array of bytes - private void intTobytes( - int num, - byte[] out, - int outOff) - { - out[outOff + 3] = (byte)(num >>> 24); - out[outOff + 2] = (byte)(num >>> 16); - out[outOff + 1] = (byte)(num >>> 8); - out[outOff] = (byte)num; - } - - protected byte calculateByte(byte b) - { - if (byteCount == 0) - { - if (firstStep) - { - firstStep = false; - cipher.processBlock(ofbV, 0, ofbOutV, 0); - N3 = bytesToint(ofbOutV, 0); - N4 = bytesToint(ofbOutV, 4); - } - N3 += C2; - N4 += C1; - intTobytes(N3, ofbV, 0); - intTobytes(N4, ofbV, 4); - - cipher.processBlock(ofbV, 0, ofbOutV, 0); - } - - byte rv = (byte)(ofbOutV[byteCount++] ^ b); - - if (byteCount == blockSize) - { - byteCount = 0; - - // - // change over the input block. - // - System.arraycopy(ofbV, blockSize, ofbV, 0, ofbV.length - blockSize); - System.arraycopy(ofbOutV, 0, ofbV, ofbV.length - blockSize, blockSize); - } - - return rv; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/OCBBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/modes/OCBBlockCipher.java deleted file mode 100644 index 86263914..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/modes/OCBBlockCipher.java +++ /dev/null @@ -1,598 +0,0 @@ -package org.bouncycastle.crypto.modes; - -import java.util.Vector; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.InvalidCipherTextException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.params.AEADParameters; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.ParametersWithIV; -import org.bouncycastle.util.Arrays; - -/** - * An implementation of <a href="http://tools.ietf.org/html/rfc7253">RFC 7253 on The OCB - * Authenticated-Encryption Algorithm</a>, licensed per: - * <p> - * <blockquote> <a href="http://www.cs.ucdavis.edu/~rogaway/ocb/license1.pdf">License for - * Open-Source Software Implementations of OCB</a> (Jan 9, 2013) — “License 1” <br> - * Under this license, you are authorized to make, use, and distribute open-source software - * implementations of OCB. This license terminates for you if you sue someone over their open-source - * software implementation of OCB claiming that you have a patent covering their implementation. - * <p> - * This is a non-binding summary of a legal document (the link above). The parameters of the license - * are specified in the license document and that document is controlling. </blockquote> - */ -public class OCBBlockCipher - implements AEADBlockCipher -{ - private static final int BLOCK_SIZE = 16; - - private BlockCipher hashCipher; - private BlockCipher mainCipher; - - /* - * CONFIGURATION - */ - private boolean forEncryption; - private int macSize; - private byte[] initialAssociatedText; - - /* - * KEY-DEPENDENT - */ - // NOTE: elements are lazily calculated - private Vector L; - private byte[] L_Asterisk, L_Dollar; - - /* - * NONCE-DEPENDENT - */ - private byte[] KtopInput = null; - private byte[] Stretch = new byte[24]; - private byte[] OffsetMAIN_0 = new byte[16]; - - /* - * PER-ENCRYPTION/DECRYPTION - */ - private byte[] hashBlock, mainBlock; - private int hashBlockPos, mainBlockPos; - private long hashBlockCount, mainBlockCount; - private byte[] OffsetHASH; - private byte[] Sum; - private byte[] OffsetMAIN = new byte[16]; - private byte[] Checksum; - - // NOTE: The MAC value is preserved after doFinal - private byte[] macBlock; - - public OCBBlockCipher(BlockCipher hashCipher, BlockCipher mainCipher) - { - if (hashCipher == null) - { - throw new IllegalArgumentException("'hashCipher' cannot be null"); - } - if (hashCipher.getBlockSize() != BLOCK_SIZE) - { - throw new IllegalArgumentException("'hashCipher' must have a block size of " - + BLOCK_SIZE); - } - if (mainCipher == null) - { - throw new IllegalArgumentException("'mainCipher' cannot be null"); - } - if (mainCipher.getBlockSize() != BLOCK_SIZE) - { - throw new IllegalArgumentException("'mainCipher' must have a block size of " - + BLOCK_SIZE); - } - - if (!hashCipher.getAlgorithmName().equals(mainCipher.getAlgorithmName())) - { - throw new IllegalArgumentException( - "'hashCipher' and 'mainCipher' must be the same algorithm"); - } - - this.hashCipher = hashCipher; - this.mainCipher = mainCipher; - } - - public BlockCipher getUnderlyingCipher() - { - return mainCipher; - } - - public String getAlgorithmName() - { - return mainCipher.getAlgorithmName() + "/OCB"; - } - - public void init(boolean forEncryption, CipherParameters parameters) - throws IllegalArgumentException - { - boolean oldForEncryption = this.forEncryption; - this.forEncryption = forEncryption; - this.macBlock = null; - - KeyParameter keyParameter; - - byte[] N; - if (parameters instanceof AEADParameters) - { - AEADParameters aeadParameters = (AEADParameters)parameters; - - N = aeadParameters.getNonce(); - initialAssociatedText = aeadParameters.getAssociatedText(); - - int macSizeBits = aeadParameters.getMacSize(); - if (macSizeBits < 64 || macSizeBits > 128 || macSizeBits % 8 != 0) - { - throw new IllegalArgumentException("Invalid value for MAC size: " + macSizeBits); - } - - macSize = macSizeBits / 8; - keyParameter = aeadParameters.getKey(); - } - else if (parameters instanceof ParametersWithIV) - { - ParametersWithIV parametersWithIV = (ParametersWithIV)parameters; - - N = parametersWithIV.getIV(); - initialAssociatedText = null; - macSize = 16; - keyParameter = (KeyParameter)parametersWithIV.getParameters(); - } - else - { - throw new IllegalArgumentException("invalid parameters passed to OCB"); - } - - this.hashBlock = new byte[16]; - this.mainBlock = new byte[forEncryption ? BLOCK_SIZE : (BLOCK_SIZE + macSize)]; - - if (N == null) - { - N = new byte[0]; - } - - if (N.length > 15) - { - throw new IllegalArgumentException("IV must be no more than 15 bytes"); - } - - /* - * KEY-DEPENDENT INITIALISATION - */ - - if (keyParameter != null) - { - // hashCipher always used in forward mode - hashCipher.init(true, keyParameter); - mainCipher.init(forEncryption, keyParameter); - KtopInput = null; - } - else if (oldForEncryption != forEncryption) - { - throw new IllegalArgumentException("cannot change encrypting state without providing key."); - } - - this.L_Asterisk = new byte[16]; - hashCipher.processBlock(L_Asterisk, 0, L_Asterisk, 0); - - this.L_Dollar = OCB_double(L_Asterisk); - - this.L = new Vector(); - this.L.addElement(OCB_double(L_Dollar)); - - /* - * NONCE-DEPENDENT AND PER-ENCRYPTION/DECRYPTION INITIALISATION - */ - - int bottom = processNonce(N); - - int bits = bottom % 8, bytes = bottom / 8; - if (bits == 0) - { - System.arraycopy(Stretch, bytes, OffsetMAIN_0, 0, 16); - } - else - { - for (int i = 0; i < 16; ++i) - { - int b1 = Stretch[bytes] & 0xff; - int b2 = Stretch[++bytes] & 0xff; - this.OffsetMAIN_0[i] = (byte)((b1 << bits) | (b2 >>> (8 - bits))); - } - } - - this.hashBlockPos = 0; - this.mainBlockPos = 0; - - this.hashBlockCount = 0; - this.mainBlockCount = 0; - - this.OffsetHASH = new byte[16]; - this.Sum = new byte[16]; - System.arraycopy(this.OffsetMAIN_0, 0, this.OffsetMAIN, 0, 16); - this.Checksum = new byte[16]; - - if (initialAssociatedText != null) - { - processAADBytes(initialAssociatedText, 0, initialAssociatedText.length); - } - } - - protected int processNonce(byte[] N) - { - byte[] nonce = new byte[16]; - System.arraycopy(N, 0, nonce, nonce.length - N.length, N.length); - nonce[0] = (byte)(macSize << 4); - nonce[15 - N.length] |= 1; - - int bottom = nonce[15] & 0x3F; - nonce[15] &= 0xC0; - - /* - * When used with incrementing nonces, the cipher is only applied once every 64 inits. - */ - if (KtopInput == null || !Arrays.areEqual(nonce, KtopInput)) - { - byte[] Ktop = new byte[16]; - KtopInput = nonce; - hashCipher.processBlock(KtopInput, 0, Ktop, 0); - System.arraycopy(Ktop, 0, Stretch, 0, 16); - for (int i = 0; i < 8; ++i) - { - Stretch[16 + i] = (byte)(Ktop[i] ^ Ktop[i + 1]); - } - } - - return bottom; - } - - public byte[] getMac() - { - return Arrays.clone(macBlock); - } - - public int getOutputSize(int len) - { - int totalData = len + mainBlockPos; - if (forEncryption) - { - return totalData + macSize; - } - return totalData < macSize ? 0 : totalData - macSize; - } - - public int getUpdateOutputSize(int len) - { - int totalData = len + mainBlockPos; - if (!forEncryption) - { - if (totalData < macSize) - { - return 0; - } - totalData -= macSize; - } - return totalData - totalData % BLOCK_SIZE; - } - - public void processAADByte(byte input) - { - hashBlock[hashBlockPos] = input; - if (++hashBlockPos == hashBlock.length) - { - processHashBlock(); - } - } - - public void processAADBytes(byte[] input, int off, int len) - { - for (int i = 0; i < len; ++i) - { - hashBlock[hashBlockPos] = input[off + i]; - if (++hashBlockPos == hashBlock.length) - { - processHashBlock(); - } - } - } - - public int processByte(byte input, byte[] output, int outOff) - throws DataLengthException - { - mainBlock[mainBlockPos] = input; - if (++mainBlockPos == mainBlock.length) - { - processMainBlock(output, outOff); - return BLOCK_SIZE; - } - return 0; - } - - public int processBytes(byte[] input, int inOff, int len, byte[] output, int outOff) - throws DataLengthException - { - if (input.length < (inOff + len)) - { - throw new DataLengthException("Input buffer too short"); - } - int resultLen = 0; - - for (int i = 0; i < len; ++i) - { - mainBlock[mainBlockPos] = input[inOff + i]; - if (++mainBlockPos == mainBlock.length) - { - processMainBlock(output, outOff + resultLen); - resultLen += BLOCK_SIZE; - } - } - - return resultLen; - } - - public int doFinal(byte[] output, int outOff) - throws IllegalStateException, - InvalidCipherTextException - { - /* - * For decryption, get the tag from the end of the message - */ - byte[] tag = null; - if (!forEncryption) - { - if (mainBlockPos < macSize) - { - throw new InvalidCipherTextException("data too short"); - } - mainBlockPos -= macSize; - tag = new byte[macSize]; - System.arraycopy(mainBlock, mainBlockPos, tag, 0, macSize); - } - - /* - * HASH: Process any final partial block; compute final hash value - */ - if (hashBlockPos > 0) - { - OCB_extend(hashBlock, hashBlockPos); - updateHASH(L_Asterisk); - } - - /* - * OCB-ENCRYPT/OCB-DECRYPT: Process any final partial block - */ - if (mainBlockPos > 0) - { - if (forEncryption) - { - OCB_extend(mainBlock, mainBlockPos); - xor(Checksum, mainBlock); - } - - xor(OffsetMAIN, L_Asterisk); - - byte[] Pad = new byte[16]; - hashCipher.processBlock(OffsetMAIN, 0, Pad, 0); - - xor(mainBlock, Pad); - - if (output.length < (outOff + mainBlockPos)) - { - throw new OutputLengthException("Output buffer too short"); - } - System.arraycopy(mainBlock, 0, output, outOff, mainBlockPos); - - if (!forEncryption) - { - OCB_extend(mainBlock, mainBlockPos); - xor(Checksum, mainBlock); - } - } - - /* - * OCB-ENCRYPT/OCB-DECRYPT: Compute raw tag - */ - xor(Checksum, OffsetMAIN); - xor(Checksum, L_Dollar); - hashCipher.processBlock(Checksum, 0, Checksum, 0); - xor(Checksum, Sum); - - this.macBlock = new byte[macSize]; - System.arraycopy(Checksum, 0, macBlock, 0, macSize); - - /* - * Validate or append tag and reset this cipher for the next run - */ - int resultLen = mainBlockPos; - - if (forEncryption) - { - if (output.length < (outOff + resultLen + macSize)) - { - throw new OutputLengthException("Output buffer too short"); - } - // Append tag to the message - System.arraycopy(macBlock, 0, output, outOff + resultLen, macSize); - resultLen += macSize; - } - else - { - // Compare the tag from the message with the calculated one - if (!Arrays.constantTimeAreEqual(macBlock, tag)) - { - throw new InvalidCipherTextException("mac check in OCB failed"); - } - } - - reset(false); - - return resultLen; - } - - public void reset() - { - reset(true); - } - - protected void clear(byte[] bs) - { - if (bs != null) - { - Arrays.fill(bs, (byte)0); - } - } - - protected byte[] getLSub(int n) - { - while (n >= L.size()) - { - L.addElement(OCB_double((byte[])L.lastElement())); - } - return (byte[])L.elementAt(n); - } - - protected void processHashBlock() - { - /* - * HASH: Process any whole blocks - */ - updateHASH(getLSub(OCB_ntz(++hashBlockCount))); - hashBlockPos = 0; - } - - protected void processMainBlock(byte[] output, int outOff) - { - if (output.length < (outOff + BLOCK_SIZE)) - { - throw new OutputLengthException("Output buffer too short"); - } - - /* - * OCB-ENCRYPT/OCB-DECRYPT: Process any whole blocks - */ - - if (forEncryption) - { - xor(Checksum, mainBlock); - mainBlockPos = 0; - } - - xor(OffsetMAIN, getLSub(OCB_ntz(++mainBlockCount))); - - xor(mainBlock, OffsetMAIN); - mainCipher.processBlock(mainBlock, 0, mainBlock, 0); - xor(mainBlock, OffsetMAIN); - - System.arraycopy(mainBlock, 0, output, outOff, 16); - - if (!forEncryption) - { - xor(Checksum, mainBlock); - System.arraycopy(mainBlock, BLOCK_SIZE, mainBlock, 0, macSize); - mainBlockPos = macSize; - } - } - - protected void reset(boolean clearMac) - { - hashCipher.reset(); - mainCipher.reset(); - - clear(hashBlock); - clear(mainBlock); - - hashBlockPos = 0; - mainBlockPos = 0; - - hashBlockCount = 0; - mainBlockCount = 0; - - clear(OffsetHASH); - clear(Sum); - System.arraycopy(OffsetMAIN_0, 0, OffsetMAIN, 0, 16); - clear(Checksum); - - if (clearMac) - { - macBlock = null; - } - - if (initialAssociatedText != null) - { - processAADBytes(initialAssociatedText, 0, initialAssociatedText.length); - } - } - - protected void updateHASH(byte[] LSub) - { - xor(OffsetHASH, LSub); - xor(hashBlock, OffsetHASH); - hashCipher.processBlock(hashBlock, 0, hashBlock, 0); - xor(Sum, hashBlock); - } - - protected static byte[] OCB_double(byte[] block) - { - byte[] result = new byte[16]; - int carry = shiftLeft(block, result); - - /* - * NOTE: This construction is an attempt at a constant-time implementation. - */ - result[15] ^= (0x87 >>> ((1 - carry) << 3)); - - return result; - } - - protected static void OCB_extend(byte[] block, int pos) - { - block[pos] = (byte)0x80; - while (++pos < 16) - { - block[pos] = 0; - } - } - - protected static int OCB_ntz(long x) - { - if (x == 0) - { - return 64; - } - - int n = 0; - while ((x & 1L) == 0L) - { - ++n; - x >>>= 1; - } - return n; - } - - protected static int shiftLeft(byte[] block, byte[] output) - { - int i = 16; - int bit = 0; - while (--i >= 0) - { - int b = block[i] & 0xff; - output[i] = (byte)((b << 1) | bit); - bit = (b >>> 7) & 1; - } - return bit; - } - - protected static void xor(byte[] block, byte[] val) - { - for (int i = 15; i >= 0; --i) - { - block[i] ^= val[i]; - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/OFBBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/modes/OFBBlockCipher.java deleted file mode 100644 index d9ff428f..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/modes/OFBBlockCipher.java +++ /dev/null @@ -1,178 +0,0 @@ -package org.bouncycastle.crypto.modes; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.StreamBlockCipher; -import org.bouncycastle.crypto.params.ParametersWithIV; - -/** - * implements a Output-FeedBack (OFB) mode on top of a simple cipher. - */ -public class OFBBlockCipher - extends StreamBlockCipher -{ - private int byteCount; - private byte[] IV; - private byte[] ofbV; - private byte[] ofbOutV; - - private final int blockSize; - private final BlockCipher cipher; - - /** - * Basic constructor. - * - * @param cipher the block cipher to be used as the basis of the - * feedback mode. - * @param blockSize the block size in bits (note: a multiple of 8) - */ - public OFBBlockCipher( - BlockCipher cipher, - int blockSize) - { - super(cipher); - - this.cipher = cipher; - this.blockSize = blockSize / 8; - - this.IV = new byte[cipher.getBlockSize()]; - this.ofbV = new byte[cipher.getBlockSize()]; - this.ofbOutV = new byte[cipher.getBlockSize()]; - } - - /** - * Initialise the cipher and, possibly, the initialisation vector (IV). - * If an IV isn't passed as part of the parameter, the IV will be all zeros. - * An IV which is too short is handled in FIPS compliant fashion. - * - * @param encrypting if true the cipher is initialised for - * encryption, if false for decryption. - * @param params the key and other data required by the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean encrypting, //ignored by this OFB mode - CipherParameters params) - throws IllegalArgumentException - { - if (params instanceof ParametersWithIV) - { - ParametersWithIV ivParam = (ParametersWithIV)params; - byte[] iv = ivParam.getIV(); - - if (iv.length < IV.length) - { - // prepend the supplied IV with zeros (per FIPS PUB 81) - System.arraycopy(iv, 0, IV, IV.length - iv.length, iv.length); - for (int i = 0; i < IV.length - iv.length; i++) - { - IV[i] = 0; - } - } - else - { - System.arraycopy(iv, 0, IV, 0, IV.length); - } - - reset(); - - // if null it's an IV changed only. - if (ivParam.getParameters() != null) - { - cipher.init(true, ivParam.getParameters()); - } - } - else - { - reset(); - - // if it's null, key is to be reused. - if (params != null) - { - cipher.init(true, params); - } - } - } - - /** - * return the algorithm name and mode. - * - * @return the name of the underlying algorithm followed by "/OFB" - * and the block size in bits - */ - public String getAlgorithmName() - { - return cipher.getAlgorithmName() + "/OFB" + (blockSize * 8); - } - - - /** - * return the block size we are operating at (in bytes). - * - * @return the block size we are operating at (in bytes). - */ - public int getBlockSize() - { - return blockSize; - } - - /** - * Process one block of input from the array in and write it to - * the out array. - * - * @param in the array containing the input data. - * @param inOff offset into the in array the data starts at. - * @param out the array the output data will be copied into. - * @param outOff the offset into the out array the output will start at. - * @exception DataLengthException if there isn't enough data in in, or - * space in out. - * @exception IllegalStateException if the cipher isn't initialised. - * @return the number of bytes processed and produced. - */ - public int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - processBytes(in, inOff, blockSize, out, outOff); - - return blockSize; - } - - /** - * reset the feedback vector back to the IV and reset the underlying - * cipher. - */ - public void reset() - { - System.arraycopy(IV, 0, ofbV, 0, IV.length); - byteCount = 0; - - cipher.reset(); - } - - protected byte calculateByte(byte in) - throws DataLengthException, IllegalStateException - { - if (byteCount == 0) - { - cipher.processBlock(ofbV, 0, ofbOutV, 0); - } - - byte rv = (byte)(ofbOutV[byteCount++] ^ in); - - if (byteCount == blockSize) - { - byteCount = 0; - - System.arraycopy(ofbV, blockSize, ofbV, 0, ofbV.length - blockSize); - System.arraycopy(ofbOutV, 0, ofbV, ofbV.length - blockSize, blockSize); - } - - return rv; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/OldCTSBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/modes/OldCTSBlockCipher.java deleted file mode 100644 index b34432ac..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/modes/OldCTSBlockCipher.java +++ /dev/null @@ -1,269 +0,0 @@ -package org.bouncycastle.crypto.modes; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.BufferedBlockCipher; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.InvalidCipherTextException; - -/** - * A Cipher Text Stealing (CTS) mode cipher. CTS allows block ciphers to - * be used to produce cipher text which is the same length as the plain text. - * <p> - * This version applies the CTS algorithm from one block up, rather than following the errata update issued in 2004, where CTS mode is applied - * from greater than 1 block up and the first block is processed using CBC mode. - * </p> - */ -public class OldCTSBlockCipher - extends BufferedBlockCipher -{ - private int blockSize; - - /** - * Create a buffered block cipher that uses Cipher Text Stealing - * - * @param cipher the underlying block cipher this buffering object wraps. - */ - public OldCTSBlockCipher( - BlockCipher cipher) - { - if ((cipher instanceof OFBBlockCipher) || (cipher instanceof CFBBlockCipher)) - { - throw new IllegalArgumentException("CTSBlockCipher can only accept ECB, or CBC ciphers"); - } - - this.cipher = cipher; - - blockSize = cipher.getBlockSize(); - - buf = new byte[blockSize * 2]; - bufOff = 0; - } - - /** - * return the size of the output buffer required for an update - * an input of len bytes. - * - * @param len the length of the input. - * @return the space required to accommodate a call to update - * with len bytes of input. - */ - public int getUpdateOutputSize( - int len) - { - int total = len + bufOff; - int leftOver = total % buf.length; - - if (leftOver == 0) - { - return total - buf.length; - } - - return total - leftOver; - } - - /** - * return the size of the output buffer required for an update plus a - * doFinal with an input of len bytes. - * - * @param len the length of the input. - * @return the space required to accommodate a call to update and doFinal - * with len bytes of input. - */ - public int getOutputSize( - int len) - { - return len + bufOff; - } - - /** - * process a single byte, producing an output block if necessary. - * - * @param in the input byte. - * @param out the space for any output that might be produced. - * @param outOff the offset from which the output will be copied. - * @return the number of output bytes copied to out. - * @exception org.bouncycastle.crypto.DataLengthException if there isn't enough space in out. - * @exception IllegalStateException if the cipher isn't initialised. - */ - public int processByte( - byte in, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - int resultLen = 0; - - if (bufOff == buf.length) - { - resultLen = cipher.processBlock(buf, 0, out, outOff); - System.arraycopy(buf, blockSize, buf, 0, blockSize); - - bufOff = blockSize; - } - - buf[bufOff++] = in; - - return resultLen; - } - - /** - * process an array of bytes, producing output if necessary. - * - * @param in the input byte array. - * @param inOff the offset at which the input data starts. - * @param len the number of bytes to be copied out of the input array. - * @param out the space for any output that might be produced. - * @param outOff the offset from which the output will be copied. - * @return the number of output bytes copied to out. - * @exception org.bouncycastle.crypto.DataLengthException if there isn't enough space in out. - * @exception IllegalStateException if the cipher isn't initialised. - */ - public int processBytes( - byte[] in, - int inOff, - int len, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - if (len < 0) - { - throw new IllegalArgumentException("Can't have a negative input length!"); - } - - int blockSize = getBlockSize(); - int length = getUpdateOutputSize(len); - - if (length > 0) - { - if ((outOff + length) > out.length) - { - throw new DataLengthException("output buffer too short"); - } - } - - int resultLen = 0; - int gapLen = buf.length - bufOff; - - if (len > gapLen) - { - System.arraycopy(in, inOff, buf, bufOff, gapLen); - - resultLen += cipher.processBlock(buf, 0, out, outOff); - System.arraycopy(buf, blockSize, buf, 0, blockSize); - - bufOff = blockSize; - - len -= gapLen; - inOff += gapLen; - - while (len > blockSize) - { - System.arraycopy(in, inOff, buf, bufOff, blockSize); - resultLen += cipher.processBlock(buf, 0, out, outOff + resultLen); - System.arraycopy(buf, blockSize, buf, 0, blockSize); - - len -= blockSize; - inOff += blockSize; - } - } - - System.arraycopy(in, inOff, buf, bufOff, len); - - bufOff += len; - - return resultLen; - } - - /** - * Process the last block in the buffer. - * - * @param out the array the block currently being held is copied into. - * @param outOff the offset at which the copying starts. - * @return the number of output bytes copied to out. - * @exception org.bouncycastle.crypto.DataLengthException if there is insufficient space in out for - * the output. - * @exception IllegalStateException if the underlying cipher is not - * initialised. - * @exception org.bouncycastle.crypto.InvalidCipherTextException if cipher text decrypts wrongly (in - * case the exception will never get thrown). - */ - public int doFinal( - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException, InvalidCipherTextException - { - if (bufOff + outOff > out.length) - { - throw new DataLengthException("output buffer to small in doFinal"); - } - - int blockSize = cipher.getBlockSize(); - int len = bufOff - blockSize; - byte[] block = new byte[blockSize]; - - if (forEncryption) - { - cipher.processBlock(buf, 0, block, 0); - - if (bufOff < blockSize) - { - throw new DataLengthException("need at least one block of input for CTS"); - } - - for (int i = bufOff; i != buf.length; i++) - { - buf[i] = block[i - blockSize]; - } - - for (int i = blockSize; i != bufOff; i++) - { - buf[i] ^= block[i - blockSize]; - } - - if (cipher instanceof CBCBlockCipher) - { - BlockCipher c = ((CBCBlockCipher)cipher).getUnderlyingCipher(); - - c.processBlock(buf, blockSize, out, outOff); - } - else - { - cipher.processBlock(buf, blockSize, out, outOff); - } - - System.arraycopy(block, 0, out, outOff + blockSize, len); - } - else - { - byte[] lastBlock = new byte[blockSize]; - - if (cipher instanceof CBCBlockCipher) - { - BlockCipher c = ((CBCBlockCipher)cipher).getUnderlyingCipher(); - - c.processBlock(buf, 0, block, 0); - } - else - { - cipher.processBlock(buf, 0, block, 0); - } - - for (int i = blockSize; i != bufOff; i++) - { - lastBlock[i - blockSize] = (byte)(block[i - blockSize] ^ buf[i]); - } - - System.arraycopy(buf, blockSize, block, 0, len); - - cipher.processBlock(block, 0, out, outOff); - System.arraycopy(lastBlock, 0, out, outOff + blockSize, len); - } - - int offset = bufOff; - - reset(); - - return offset; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/OpenPGPCFBBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/modes/OpenPGPCFBBlockCipher.java deleted file mode 100644 index e48731b3..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/modes/OpenPGPCFBBlockCipher.java +++ /dev/null @@ -1,312 +0,0 @@ -package org.bouncycastle.crypto.modes; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; - -/** - * Implements OpenPGP's rather strange version of Cipher-FeedBack (CFB) mode - * on top of a simple cipher. This class assumes the IV has been prepended - * to the data stream already, and just accomodates the reset after - * (blockSize + 2) bytes have been read. - * <p> - * For further info see <a href="http://www.ietf.org/rfc/rfc2440.html">RFC 2440</a>. - */ -public class OpenPGPCFBBlockCipher - implements BlockCipher -{ - private byte[] IV; - private byte[] FR; - private byte[] FRE; - - private BlockCipher cipher; - - private int count; - private int blockSize; - private boolean forEncryption; - - /** - * Basic constructor. - * - * @param cipher the block cipher to be used as the basis of the - * feedback mode. - */ - public OpenPGPCFBBlockCipher( - BlockCipher cipher) - { - this.cipher = cipher; - - this.blockSize = cipher.getBlockSize(); - this.IV = new byte[blockSize]; - this.FR = new byte[blockSize]; - this.FRE = new byte[blockSize]; - } - - /** - * return the underlying block cipher that we are wrapping. - * - * @return the underlying block cipher that we are wrapping. - */ - public BlockCipher getUnderlyingCipher() - { - return cipher; - } - - /** - * return the algorithm name and mode. - * - * @return the name of the underlying algorithm followed by "/PGPCFB" - * and the block size in bits. - */ - public String getAlgorithmName() - { - return cipher.getAlgorithmName() + "/OpenPGPCFB"; - } - - /** - * return the block size we are operating at. - * - * @return the block size we are operating at (in bytes). - */ - public int getBlockSize() - { - return cipher.getBlockSize(); - } - - /** - * Process one block of input from the array in and write it to - * the out array. - * - * @param in the array containing the input data. - * @param inOff offset into the in array the data starts at. - * @param out the array the output data will be copied into. - * @param outOff the offset into the out array the output will start at. - * @exception DataLengthException if there isn't enough data in in, or - * space in out. - * @exception IllegalStateException if the cipher isn't initialised. - * @return the number of bytes processed and produced. - */ - public int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - return (forEncryption) ? encryptBlock(in, inOff, out, outOff) : decryptBlock(in, inOff, out, outOff); - } - - /** - * reset the chaining vector back to the IV and reset the underlying - * cipher. - */ - public void reset() - { - count = 0; - - System.arraycopy(IV, 0, FR, 0, FR.length); - - cipher.reset(); - } - - /** - * Initialise the cipher and, possibly, the initialisation vector (IV). - * If an IV isn't passed as part of the parameter, the IV will be all zeros. - * An IV which is too short is handled in FIPS compliant fashion. - * - * @param forEncryption if true the cipher is initialised for - * encryption, if false for decryption. - * @param params the key and other data required by the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean forEncryption, - CipherParameters params) - throws IllegalArgumentException - { - this.forEncryption = forEncryption; - - reset(); - - cipher.init(true, params); - } - - /** - * Encrypt one byte of data according to CFB mode. - * @param data the byte to encrypt - * @param blockOff offset in the current block - * @return the encrypted byte - */ - private byte encryptByte(byte data, int blockOff) - { - return (byte)(FRE[blockOff] ^ data); - } - - /** - * Do the appropriate processing for CFB IV mode encryption. - * - * @param in the array containing the data to be encrypted. - * @param inOff offset into the in array the data starts at. - * @param out the array the encrypted data will be copied into. - * @param outOff the offset into the out array the output will start at. - * @exception DataLengthException if there isn't enough data in in, or - * space in out. - * @exception IllegalStateException if the cipher isn't initialised. - * @return the number of bytes processed and produced. - */ - private int encryptBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - if ((inOff + blockSize) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + blockSize) > out.length) - { - throw new DataLengthException("output buffer too short"); - } - - if (count > blockSize) - { - FR[blockSize - 2] = out[outOff] = encryptByte(in[inOff], blockSize - 2); - FR[blockSize - 1] = out[outOff + 1] = encryptByte(in[inOff + 1], blockSize - 1); - - cipher.processBlock(FR, 0, FRE, 0); - - for (int n = 2; n < blockSize; n++) - { - FR[n - 2] = out[outOff + n] = encryptByte(in[inOff + n], n - 2); - } - } - else if (count == 0) - { - cipher.processBlock(FR, 0, FRE, 0); - - for (int n = 0; n < blockSize; n++) - { - FR[n] = out[outOff + n] = encryptByte(in[inOff + n], n); - } - - count += blockSize; - } - else if (count == blockSize) - { - cipher.processBlock(FR, 0, FRE, 0); - - out[outOff] = encryptByte(in[inOff], 0); - out[outOff + 1] = encryptByte(in[inOff + 1], 1); - - // - // do reset - // - System.arraycopy(FR, 2, FR, 0, blockSize - 2); - System.arraycopy(out, outOff, FR, blockSize - 2, 2); - - cipher.processBlock(FR, 0, FRE, 0); - - for (int n = 2; n < blockSize; n++) - { - FR[n - 2] = out[outOff + n] = encryptByte(in[inOff + n], n - 2); - } - - count += blockSize; - } - - return blockSize; - } - - /** - * Do the appropriate processing for CFB IV mode decryption. - * - * @param in the array containing the data to be decrypted. - * @param inOff offset into the in array the data starts at. - * @param out the array the encrypted data will be copied into. - * @param outOff the offset into the out array the output will start at. - * @exception DataLengthException if there isn't enough data in in, or - * space in out. - * @exception IllegalStateException if the cipher isn't initialised. - * @return the number of bytes processed and produced. - */ - private int decryptBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - if ((inOff + blockSize) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + blockSize) > out.length) - { - throw new DataLengthException("output buffer too short"); - } - - if (count > blockSize) - { - byte inVal = in[inOff]; - FR[blockSize - 2] = inVal; - out[outOff] = encryptByte(inVal, blockSize - 2); - - inVal = in[inOff + 1]; - FR[blockSize - 1] = inVal; - out[outOff + 1] = encryptByte(inVal, blockSize - 1); - - cipher.processBlock(FR, 0, FRE, 0); - - for (int n = 2; n < blockSize; n++) - { - inVal = in[inOff + n]; - FR[n - 2] = inVal; - out[outOff + n] = encryptByte(inVal, n - 2); - } - } - else if (count == 0) - { - cipher.processBlock(FR, 0, FRE, 0); - - for (int n = 0; n < blockSize; n++) - { - FR[n] = in[inOff + n]; - out[n] = encryptByte(in[inOff + n], n); - } - - count += blockSize; - } - else if (count == blockSize) - { - cipher.processBlock(FR, 0, FRE, 0); - - byte inVal1 = in[inOff]; - byte inVal2 = in[inOff + 1]; - out[outOff ] = encryptByte(inVal1, 0); - out[outOff + 1] = encryptByte(inVal2, 1); - - System.arraycopy(FR, 2, FR, 0, blockSize - 2); - - FR[blockSize - 2] = inVal1; - FR[blockSize - 1] = inVal2; - - cipher.processBlock(FR, 0, FRE, 0); - - for (int n = 2; n < blockSize; n++) - { - byte inVal = in[inOff + n]; - FR[n - 2] = inVal; - out[outOff + n] = encryptByte(inVal, n - 2); - } - - count += blockSize; - } - - return blockSize; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/PGPCFBBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/modes/PGPCFBBlockCipher.java deleted file mode 100644 index 4dee63a5..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/modes/PGPCFBBlockCipher.java +++ /dev/null @@ -1,455 +0,0 @@ -package org.bouncycastle.crypto.modes; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.params.ParametersWithIV; - -/** - * Implements OpenPGP's rather strange version of Cipher-FeedBack (CFB) mode on top of a simple cipher. For further info see <a href="http://www.ietf.org/rfc/rfc2440.html">RFC 2440</a>. - */ -public class PGPCFBBlockCipher - implements BlockCipher -{ - private byte[] IV; - private byte[] FR; - private byte[] FRE; - private byte[] tmp; - - private BlockCipher cipher; - - private int count; - private int blockSize; - private boolean forEncryption; - - private boolean inlineIv; // if false we don't need to prepend an IV - - /** - * Basic constructor. - * - * @param cipher the block cipher to be used as the basis of the - * feedback mode. - * @param inlineIv if true this is for PGP CFB with a prepended iv. - */ - public PGPCFBBlockCipher( - BlockCipher cipher, - boolean inlineIv) - { - this.cipher = cipher; - this.inlineIv = inlineIv; - - this.blockSize = cipher.getBlockSize(); - this.IV = new byte[blockSize]; - this.FR = new byte[blockSize]; - this.FRE = new byte[blockSize]; - this.tmp = new byte[blockSize]; - } - - /** - * return the underlying block cipher that we are wrapping. - * - * @return the underlying block cipher that we are wrapping. - */ - public BlockCipher getUnderlyingCipher() - { - return cipher; - } - - /** - * return the algorithm name and mode. - * - * @return the name of the underlying algorithm followed by "/PGPCFB" - * and the block size in bits. - */ - public String getAlgorithmName() - { - if (inlineIv) - { - return cipher.getAlgorithmName() + "/PGPCFBwithIV"; - } - else - { - return cipher.getAlgorithmName() + "/PGPCFB"; - } - } - - /** - * return the block size we are operating at. - * - * @return the block size we are operating at (in bytes). - */ - public int getBlockSize() - { - return cipher.getBlockSize(); - } - - /** - * Process one block of input from the array in and write it to - * the out array. - * - * @param in the array containing the input data. - * @param inOff offset into the in array the data starts at. - * @param out the array the output data will be copied into. - * @param outOff the offset into the out array the output will start at. - * @exception DataLengthException if there isn't enough data in in, or - * space in out. - * @exception IllegalStateException if the cipher isn't initialised. - * @return the number of bytes processed and produced. - */ - public int processBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - if (inlineIv) - { - return (forEncryption) ? encryptBlockWithIV(in, inOff, out, outOff) : decryptBlockWithIV(in, inOff, out, outOff); - } - else - { - return (forEncryption) ? encryptBlock(in, inOff, out, outOff) : decryptBlock(in, inOff, out, outOff); - } - } - - /** - * reset the chaining vector back to the IV and reset the underlying - * cipher. - */ - public void reset() - { - count = 0; - - for (int i = 0; i != FR.length; i++) - { - if (inlineIv) - { - FR[i] = 0; - } - else - { - FR[i] = IV[i]; // if simple mode, key is IV (even if this is zero) - } - } - - cipher.reset(); - } - - /** - * Initialise the cipher and, possibly, the initialisation vector (IV). - * If an IV isn't passed as part of the parameter, the IV will be all zeros. - * An IV which is too short is handled in FIPS compliant fashion. - * - * @param forEncryption if true the cipher is initialised for - * encryption, if false for decryption. - * @param params the key and other data required by the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean forEncryption, - CipherParameters params) - throws IllegalArgumentException - { - this.forEncryption = forEncryption; - - if (params instanceof ParametersWithIV) - { - ParametersWithIV ivParam = (ParametersWithIV)params; - byte[] iv = ivParam.getIV(); - - if (iv.length < IV.length) - { - // prepend the supplied IV with zeros (per FIPS PUB 81) - System.arraycopy(iv, 0, IV, IV.length - iv.length, iv.length); - for (int i = 0; i < IV.length - iv.length; i++) - { - IV[i] = 0; - } - } - else - { - System.arraycopy(iv, 0, IV, 0, IV.length); - } - - reset(); - - cipher.init(true, ivParam.getParameters()); - } - else - { - reset(); - - cipher.init(true, params); - } - } - - /** - * Encrypt one byte of data according to CFB mode. - * @param data the byte to encrypt - * @param blockOff where am i in the current block, determines when to resync the block - * @returns the encrypted byte - */ - private byte encryptByte(byte data, int blockOff) - { - return (byte)(FRE[blockOff] ^ data); - } - - /** - * Do the appropriate processing for CFB IV mode encryption. - * - * @param in the array containing the data to be encrypted. - * @param inOff offset into the in array the data starts at. - * @param out the array the encrypted data will be copied into. - * @param outOff the offset into the out array the output will start at. - * @exception DataLengthException if there isn't enough data in in, or - * space in out. - * @exception IllegalStateException if the cipher isn't initialised. - * @return the number of bytes processed and produced. - */ - private int encryptBlockWithIV( - byte[] in, - int inOff, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - if ((inOff + blockSize) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if (count == 0) - { - if ((outOff + 2 * blockSize + 2) > out.length) - { - throw new DataLengthException("output buffer too short"); - } - - cipher.processBlock(FR, 0, FRE, 0); - - for (int n = 0; n < blockSize; n++) - { - out[outOff + n] = encryptByte(IV[n], n); - } - - System.arraycopy(out, outOff, FR, 0, blockSize); - - cipher.processBlock(FR, 0, FRE, 0); - - out[outOff + blockSize] = encryptByte(IV[blockSize - 2], 0); - out[outOff + blockSize + 1] = encryptByte(IV[blockSize - 1], 1); - - System.arraycopy(out, outOff + 2, FR, 0, blockSize); - - cipher.processBlock(FR, 0, FRE, 0); - - for (int n = 0; n < blockSize; n++) - { - out[outOff + blockSize + 2 + n] = encryptByte(in[inOff + n], n); - } - - System.arraycopy(out, outOff + blockSize + 2, FR, 0, blockSize); - - count += 2 * blockSize + 2; - - return 2 * blockSize + 2; - } - else if (count >= blockSize + 2) - { - if ((outOff + blockSize) > out.length) - { - throw new DataLengthException("output buffer too short"); - } - - cipher.processBlock(FR, 0, FRE, 0); - - for (int n = 0; n < blockSize; n++) - { - out[outOff + n] = encryptByte(in[inOff + n], n); - } - - System.arraycopy(out, outOff, FR, 0, blockSize); - } - - return blockSize; - } - - /** - * Do the appropriate processing for CFB IV mode decryption. - * - * @param in the array containing the data to be decrypted. - * @param inOff offset into the in array the data starts at. - * @param out the array the encrypted data will be copied into. - * @param outOff the offset into the out array the output will start at. - * @exception DataLengthException if there isn't enough data in in, or - * space in out. - * @exception IllegalStateException if the cipher isn't initialised. - * @return the number of bytes processed and produced. - */ - private int decryptBlockWithIV( - byte[] in, - int inOff, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - if ((inOff + blockSize) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + blockSize) > out.length) - { - throw new DataLengthException("output buffer too short"); - } - - if (count == 0) - { - for (int n = 0; n < blockSize; n++) - { - FR[n] = in[inOff + n]; - } - - cipher.processBlock(FR, 0, FRE, 0); - - count += blockSize; - - return 0; - } - else if (count == blockSize) - { - // copy in buffer so that this mode works if in and out are the same - System.arraycopy(in, inOff, tmp, 0, blockSize); - - System.arraycopy(FR, 2, FR, 0, blockSize - 2); - - FR[blockSize - 2] = tmp[0]; - FR[blockSize - 1] = tmp[1]; - - cipher.processBlock(FR, 0, FRE, 0); - - for (int n = 0; n < blockSize - 2; n++) - { - out[outOff + n] = encryptByte(tmp[n + 2], n); - } - - System.arraycopy(tmp, 2, FR, 0, blockSize - 2); - - count += 2; - - return blockSize - 2; - } - else if (count >= blockSize + 2) - { - // copy in buffer so that this mode works if in and out are the same - System.arraycopy(in, inOff, tmp, 0, blockSize); - - out[outOff + 0] = encryptByte(tmp[0], blockSize - 2); - out[outOff + 1] = encryptByte(tmp[1], blockSize - 1); - - System.arraycopy(tmp, 0, FR, blockSize - 2, 2); - - cipher.processBlock(FR, 0, FRE, 0); - - for (int n = 0; n < blockSize - 2; n++) - { - out[outOff + n + 2] = encryptByte(tmp[n + 2], n); - } - - System.arraycopy(tmp, 2, FR, 0, blockSize - 2); - - } - - return blockSize; - } - - /** - * Do the appropriate processing for CFB mode encryption. - * - * @param in the array containing the data to be encrypted. - * @param inOff offset into the in array the data starts at. - * @param out the array the encrypted data will be copied into. - * @param outOff the offset into the out array the output will start at. - * @exception DataLengthException if there isn't enough data in in, or - * space in out. - * @exception IllegalStateException if the cipher isn't initialised. - * @return the number of bytes processed and produced. - */ - private int encryptBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - if ((inOff + blockSize) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + blockSize) > out.length) - { - throw new DataLengthException("output buffer too short"); - } - - cipher.processBlock(FR, 0, FRE, 0); - for (int n = 0; n < blockSize; n++) - { - out[outOff + n] = encryptByte(in[inOff + n], n); - } - - for (int n = 0; n < blockSize; n++) - { - FR[n] = out[outOff + n]; - } - - return blockSize; - - } - - /** - * Do the appropriate processing for CFB mode decryption. - * - * @param in the array containing the data to be decrypted. - * @param inOff offset into the in array the data starts at. - * @param out the array the encrypted data will be copied into. - * @param outOff the offset into the out array the output will start at. - * @exception DataLengthException if there isn't enough data in in, or - * space in out. - * @exception IllegalStateException if the cipher isn't initialised. - * @return the number of bytes processed and produced. - */ - private int decryptBlock( - byte[] in, - int inOff, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - if ((inOff + blockSize) > in.length) - { - throw new DataLengthException("input buffer too short"); - } - - if ((outOff + blockSize) > out.length) - { - throw new DataLengthException("output buffer too short"); - } - - cipher.processBlock(FR, 0, FRE, 0); - for (int n = 0; n < blockSize; n++) - { - out[outOff + n] = encryptByte(in[inOff + n], n); - } - - for (int n = 0; n < blockSize; n++) - { - FR[n] = in[inOff + n]; - } - - return blockSize; - - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/PaddedBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/modes/PaddedBlockCipher.java deleted file mode 100644 index f15ed673..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/modes/PaddedBlockCipher.java +++ /dev/null @@ -1,253 +0,0 @@ -package org.bouncycastle.crypto.modes; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.BufferedBlockCipher; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.InvalidCipherTextException; - -/** - * A wrapper class that allows block ciphers to be used to process data in - * a piecemeal fashion with PKCS5/PKCS7 padding. The PaddedBlockCipher - * outputs a block only when the buffer is full and more data is being added, - * or on a doFinal (unless the current block in the buffer is a pad block). - * The padding mechanism used is the one outlined in PKCS5/PKCS7. - * - * @deprecated use org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher instead. - */ -public class PaddedBlockCipher - extends BufferedBlockCipher -{ - /** - * Create a buffered block cipher with, or without, padding. - * - * @param cipher the underlying block cipher this buffering object wraps. - */ - public PaddedBlockCipher( - BlockCipher cipher) - { - this.cipher = cipher; - - buf = new byte[cipher.getBlockSize()]; - bufOff = 0; - } - - /** - * return the size of the output buffer required for an update plus a - * doFinal with an input of len bytes. - * - * @param len the length of the input. - * @return the space required to accommodate a call to update and doFinal - * with len bytes of input. - */ - public int getOutputSize( - int len) - { - int total = len + bufOff; - int leftOver = total % buf.length; - - if (leftOver == 0) - { - if (forEncryption) - { - return total + buf.length; - } - - return total; - } - - return total - leftOver + buf.length; - } - - /** - * return the size of the output buffer required for an update - * an input of len bytes. - * - * @param len the length of the input. - * @return the space required to accommodate a call to update - * with len bytes of input. - */ - public int getUpdateOutputSize( - int len) - { - int total = len + bufOff; - int leftOver = total % buf.length; - - if (leftOver == 0) - { - return total - buf.length; - } - - return total - leftOver; - } - - /** - * process a single byte, producing an output block if neccessary. - * - * @param in the input byte. - * @param out the space for any output that might be produced. - * @param outOff the offset from which the output will be copied. - * @exception DataLengthException if there isn't enough space in out. - * @exception IllegalStateException if the cipher isn't initialised. - */ - public int processByte( - byte in, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - int resultLen = 0; - - if (bufOff == buf.length) - { - resultLen = cipher.processBlock(buf, 0, out, outOff); - bufOff = 0; - } - - buf[bufOff++] = in; - - return resultLen; - } - - /** - * process an array of bytes, producing output if necessary. - * - * @param in the input byte array. - * @param inOff the offset at which the input data starts. - * @param len the number of bytes to be copied out of the input array. - * @param out the space for any output that might be produced. - * @param outOff the offset from which the output will be copied. - * @exception DataLengthException if there isn't enough space in out. - * @exception IllegalStateException if the cipher isn't initialised. - */ - public int processBytes( - byte[] in, - int inOff, - int len, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - if (len < 0) - { - throw new IllegalArgumentException("Can't have a negative input length!"); - } - - int blockSize = getBlockSize(); - int length = getUpdateOutputSize(len); - - if (length > 0) - { - if ((outOff + length) > out.length) - { - throw new DataLengthException("output buffer too short"); - } - } - - int resultLen = 0; - int gapLen = buf.length - bufOff; - - if (len > gapLen) - { - System.arraycopy(in, inOff, buf, bufOff, gapLen); - - resultLen += cipher.processBlock(buf, 0, out, outOff); - - bufOff = 0; - len -= gapLen; - inOff += gapLen; - - while (len > buf.length) - { - resultLen += cipher.processBlock(in, inOff, out, outOff + resultLen); - - len -= blockSize; - inOff += blockSize; - } - } - - System.arraycopy(in, inOff, buf, bufOff, len); - - bufOff += len; - - return resultLen; - } - - /** - * Process the last block in the buffer. If the buffer is currently - * full and padding needs to be added a call to doFinal will produce - * 2 * getBlockSize() bytes. - * - * @param out the array the block currently being held is copied into. - * @param outOff the offset at which the copying starts. - * @exception DataLengthException if there is insufficient space in out for - * the output or we are decrypting and the input is not block size aligned. - * @exception IllegalStateException if the underlying cipher is not - * initialised. - * @exception InvalidCipherTextException if padding is expected and not found. - */ - public int doFinal( - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException, InvalidCipherTextException - { - int blockSize = cipher.getBlockSize(); - int resultLen = 0; - - if (forEncryption) - { - if (bufOff == blockSize) - { - if ((outOff + 2 * blockSize) > out.length) - { - throw new DataLengthException("output buffer too short"); - } - - resultLen = cipher.processBlock(buf, 0, out, outOff); - bufOff = 0; - } - - // - // add PKCS7 padding - // - byte code = (byte)(blockSize - bufOff); - - while (bufOff < blockSize) - { - buf[bufOff] = code; - bufOff++; - } - - resultLen += cipher.processBlock(buf, 0, out, outOff + resultLen); - } - else - { - if (bufOff == blockSize) - { - resultLen = cipher.processBlock(buf, 0, buf, 0); - bufOff = 0; - } - else - { - throw new DataLengthException("last block incomplete in decryption"); - } - - // - // remove PKCS7 padding - // - int count = buf[blockSize - 1] & 0xff; - - if ((count < 0) || (count > blockSize)) - { - throw new InvalidCipherTextException("pad block corrupted"); - } - - resultLen -= count; - - System.arraycopy(buf, 0, out, outOff, resultLen); - } - - reset(); - - return resultLen; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/SICBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/modes/SICBlockCipher.java deleted file mode 100644 index 5dd47ae6..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/modes/SICBlockCipher.java +++ /dev/null @@ -1,225 +0,0 @@ -package org.bouncycastle.crypto.modes; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.SkippingStreamCipher; -import org.bouncycastle.crypto.StreamBlockCipher; -import org.bouncycastle.crypto.params.ParametersWithIV; -import org.bouncycastle.util.Pack; - -/** - * Implements the Segmented Integer Counter (SIC) mode on top of a simple - * block cipher. This mode is also known as CTR mode. - */ -public class SICBlockCipher - extends StreamBlockCipher - implements SkippingStreamCipher -{ - private final BlockCipher cipher; - private final int blockSize; - - private byte[] IV; - private byte[] counter; - private byte[] counterOut; - private int byteCount; - - /** - * Basic constructor. - * - * @param c the block cipher to be used. - */ - public SICBlockCipher(BlockCipher c) - { - super(c); - - this.cipher = c; - this.blockSize = cipher.getBlockSize(); - this.IV = new byte[blockSize]; - this.counter = new byte[blockSize]; - this.counterOut = new byte[blockSize]; - this.byteCount = 0; - } - - public void init( - boolean forEncryption, //ignored by this CTR mode - CipherParameters params) - throws IllegalArgumentException - { - if (params instanceof ParametersWithIV) - { - ParametersWithIV ivParam = (ParametersWithIV)params; - byte[] iv = ivParam.getIV(); - System.arraycopy(iv, 0, IV, 0, IV.length); - - // if null it's an IV changed only. - if (ivParam.getParameters() != null) - { - cipher.init(true, ivParam.getParameters()); - } - - reset(); - } - else - { - throw new IllegalArgumentException("SIC mode requires ParametersWithIV"); - } - } - - public String getAlgorithmName() - { - return cipher.getAlgorithmName() + "/SIC"; - } - - public int getBlockSize() - { - return cipher.getBlockSize(); - } - - public int processBlock(byte[] in, int inOff, byte[] out, int outOff) - throws DataLengthException, IllegalStateException - { - processBytes(in, inOff, blockSize, out, outOff); - - return blockSize; - } - - protected byte calculateByte(byte in) - throws DataLengthException, IllegalStateException - { - if (byteCount == 0) - { - cipher.processBlock(counter, 0, counterOut, 0); - - return (byte)(counterOut[byteCount++] ^ in); - } - - byte rv = (byte)(counterOut[byteCount++] ^ in); - - if (byteCount == counter.length) - { - byteCount = 0; - - incrementCounter(); - } - - return rv; - } - - private void incrementCounter() - { - // increment counter by 1. - for (int i = counter.length - 1; i >= 0 && ++counter[i] == 0; i--) - { - ; // do nothing - pre-increment and test for 0 in counter does the job. - } - } - - private void decrementCounter() - { - if (counter[0] == 0) - { - boolean nonZero = false; - - for (int i = counter.length - 1; i > 0; i--) - { - if (counter[i] != 0) - { - nonZero = true; - } - } - - if (!nonZero) - { - throw new IllegalStateException("attempt to reduce counter past zero."); - } - } - - // decrement counter by 1. - for (int i = counter.length - 1; i >= 0 && --counter[i] == -1; i--) - { - ; - } - } - - private void adjustCounter(long n) - { - if (n >= 0) - { - long numBlocks = (n + byteCount) / blockSize; - - for (long i = 0; i != numBlocks; i++) - { - incrementCounter(); - } - - byteCount = (int)((n + byteCount) - (blockSize * numBlocks)); - } - else - { - long numBlocks = (-n - byteCount) / blockSize; - - for (long i = 0; i != numBlocks; i++) - { - decrementCounter(); - } - - int gap = (int)(byteCount + n + (blockSize * numBlocks)); - - if (gap >= 0) - { - byteCount = 0; - } - else - { - decrementCounter(); - byteCount = blockSize + gap; - } - } - } - - public void reset() - { - System.arraycopy(IV, 0, counter, 0, counter.length); - cipher.reset(); - this.byteCount = 0; - } - - public long skip(long numberOfBytes) - { - adjustCounter(numberOfBytes); - - cipher.processBlock(counter, 0, counterOut, 0); - - return numberOfBytes; - } - - public long seekTo(long position) - { - reset(); - - return skip(position); - } - - public long getPosition() - { - byte[] res = new byte[IV.length]; - - System.arraycopy(counter, 0, res, 0, res.length); - - for (int i = res.length - 1; i >= 1; i--) - { - int v = (res[i] - IV[i]); - - if (v < 0) - { - res[i - 1]--; - v += 256; - } - - res[i] = (byte)v; - } - - return Pack.bigEndianToLong(res, res.length - 8) * blockSize + byteCount; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/gcm/BasicGCMExponentiator.java b/core/src/main/java/org/bouncycastle/crypto/modes/gcm/BasicGCMExponentiator.java deleted file mode 100644 index fc25810d..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/modes/gcm/BasicGCMExponentiator.java +++ /dev/null @@ -1,36 +0,0 @@ -package org.bouncycastle.crypto.modes.gcm; - -import org.bouncycastle.util.Arrays; - -public class BasicGCMExponentiator implements GCMExponentiator -{ - private int[] x; - - public void init(byte[] x) - { - this.x = GCMUtil.asInts(x); - } - - public void exponentiateX(long pow, byte[] output) - { - // Initial value is little-endian 1 - int[] y = GCMUtil.oneAsInts(); - - if (pow > 0) - { - int[] powX = Arrays.clone(x); - do - { - if ((pow & 1L) != 0) - { - GCMUtil.multiply(y, powX); - } - GCMUtil.multiply(powX, powX); - pow >>>= 1; - } - while (pow > 0); - } - - GCMUtil.asBytes(y, output); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/gcm/BasicGCMMultiplier.java b/core/src/main/java/org/bouncycastle/crypto/modes/gcm/BasicGCMMultiplier.java deleted file mode 100644 index a98d5b2a..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/modes/gcm/BasicGCMMultiplier.java +++ /dev/null @@ -1,18 +0,0 @@ -package org.bouncycastle.crypto.modes.gcm; - -import org.bouncycastle.util.Arrays; - -public class BasicGCMMultiplier implements GCMMultiplier -{ - private byte[] H; - - public void init(byte[] H) - { - this.H = Arrays.clone(H); - } - - public void multiplyH(byte[] x) - { - GCMUtil.multiply(x, H); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/gcm/GCMExponentiator.java b/core/src/main/java/org/bouncycastle/crypto/modes/gcm/GCMExponentiator.java deleted file mode 100644 index e1cc5c76..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/modes/gcm/GCMExponentiator.java +++ /dev/null @@ -1,7 +0,0 @@ -package org.bouncycastle.crypto.modes.gcm; - -public interface GCMExponentiator -{ - void init(byte[] x); - void exponentiateX(long pow, byte[] output); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/gcm/GCMMultiplier.java b/core/src/main/java/org/bouncycastle/crypto/modes/gcm/GCMMultiplier.java deleted file mode 100644 index f52f6105..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/modes/gcm/GCMMultiplier.java +++ /dev/null @@ -1,7 +0,0 @@ -package org.bouncycastle.crypto.modes.gcm; - -public interface GCMMultiplier -{ - void init(byte[] H); - void multiplyH(byte[] x); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/gcm/GCMUtil.java b/core/src/main/java/org/bouncycastle/crypto/modes/gcm/GCMUtil.java deleted file mode 100644 index f5ed7e4f..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/modes/gcm/GCMUtil.java +++ /dev/null @@ -1,457 +0,0 @@ -package org.bouncycastle.crypto.modes.gcm; - -import org.bouncycastle.util.Arrays; -import org.bouncycastle.util.Pack; - -abstract class GCMUtil -{ - private static final int E1 = 0xe1000000; - private static final byte E1B = (byte)0xe1; - private static final long E1L = (E1 & 0xFFFFFFFFL) << 24; - - private static int[] generateLookup() - { - int[] lookup = new int[256]; - - for (int c = 0; c < 256; ++c) - { - int v = 0; - for (int i = 7; i >= 0; --i) - { - if ((c & (1 << i)) != 0) - { - v ^= (E1 >>> (7 - i)); - } - } - lookup[c] = v; - } - - return lookup; - } - - private static final int[] LOOKUP = generateLookup(); - - static byte[] oneAsBytes() - { - byte[] tmp = new byte[16]; - tmp[0] = (byte)0x80; - return tmp; - } - - static int[] oneAsInts() - { - int[] tmp = new int[4]; - tmp[0] = 1 << 31; - return tmp; - } - - static long[] oneAsLongs() - { - long[] tmp = new long[2]; - tmp[0] = 1L << 63; - return tmp; - } - - static byte[] asBytes(int[] x) - { - byte[] z = new byte[16]; - Pack.intToBigEndian(x, z, 0); - return z; - } - - static void asBytes(int[] x, byte[] z) - { - Pack.intToBigEndian(x, z, 0); - } - - static byte[] asBytes(long[] x) - { - byte[] z = new byte[16]; - Pack.longToBigEndian(x, z, 0); - return z; - } - - static void asBytes(long[] x, byte[] z) - { - Pack.longToBigEndian(x, z, 0); - } - - static int[] asInts(byte[] x) - { - int[] z = new int[4]; - Pack.bigEndianToInt(x, 0, z); - return z; - } - - static void asInts(byte[] x, int[] z) - { - Pack.bigEndianToInt(x, 0, z); - } - - static long[] asLongs(byte[] x) - { - long[] z = new long[2]; - Pack.bigEndianToLong(x, 0, z); - return z; - } - - static void asLongs(byte[] x, long[] z) - { - Pack.bigEndianToLong(x, 0, z); - } - - static void multiply(byte[] x, byte[] y) - { - byte[] r0 = Arrays.clone(x); - byte[] r1 = new byte[16]; - - for (int i = 0; i < 16; ++i) - { - byte bits = y[i]; - for (int j = 7; j >= 0; --j) - { - if ((bits & (1 << j)) != 0) - { - xor(r1, r0); - } - - if (shiftRight(r0) != 0) - { - r0[0] ^= E1B; - } - } - } - - System.arraycopy(r1, 0, x, 0, 16); - } - - static void multiply(int[] x, int[] y) - { - int[] r0 = Arrays.clone(x); - int[] r1 = new int[4]; - - for (int i = 0; i < 4; ++i) - { - int bits = y[i]; - for (int j = 31; j >= 0; --j) - { - if ((bits & (1 << j)) != 0) - { - xor(r1, r0); - } - - if (shiftRight(r0) != 0) - { - r0[0] ^= E1; - } - } - } - - System.arraycopy(r1, 0, x, 0, 4); - } - - static void multiply(long[] x, long[] y) - { - long[] r0 = new long[]{ x[0], x[1] }; - long[] r1 = new long[2]; - - for (int i = 0; i < 2; ++i) - { - long bits = y[i]; - for (int j = 63; j >= 0; --j) - { - if ((bits & (1L << j)) != 0) - { - xor(r1, r0); - } - - if (shiftRight(r0) != 0) - { - r0[0] ^= E1L; - } - } - } - - x[0] = r1[0]; - x[1] = r1[1]; - } - - // P is the value with only bit i=1 set - static void multiplyP(int[] x) - { - if (shiftRight(x) != 0) - { - x[0] ^= E1; - } - } - - static void multiplyP(int[] x, int[] y) - { - if (shiftRight(x, y) != 0) - { - y[0] ^= E1; - } - } - - // P is the value with only bit i=1 set - static void multiplyP8(int[] x) - { -// for (int i = 8; i != 0; --i) -// { -// multiplyP(x); -// } - - int c = shiftRightN(x, 8); - x[0] ^= LOOKUP[c >>> 24]; - } - - static void multiplyP8(int[] x, int[] y) - { - int c = shiftRightN(x, 8, y); - y[0] ^= LOOKUP[c >>> 24]; - } - - static byte shiftRight(byte[] x) - { -// int c = 0; -// for (int i = 0; i < 16; ++i) -// { -// int b = x[i] & 0xff; -// x[i] = (byte)((b >>> 1) | c); -// c = (b & 1) << 7; -// } -// return (byte)c; - - int i = 0, c = 0; - do - { - int b = x[i] & 0xff; - x[i++] = (byte)((b >>> 1) | c); - c = (b & 1) << 7; - b = x[i] & 0xff; - x[i++] = (byte)((b >>> 1) | c); - c = (b & 1) << 7; - b = x[i] & 0xff; - x[i++] = (byte)((b >>> 1) | c); - c = (b & 1) << 7; - b = x[i] & 0xff; - x[i++] = (byte)((b >>> 1) | c); - c = (b & 1) << 7; - } - while (i < 16); - return (byte)c; - } - - static byte shiftRight(byte[] x, byte[] z) - { -// int c = 0; -// for (int i = 0; i < 16; ++i) -// { -// int b = x[i] & 0xff; -// z[i] = (byte) ((b >>> 1) | c); -// c = (b & 1) << 7; -// } -// return (byte) c; - - int i = 0, c = 0; - do - { - int b = x[i] & 0xff; - z[i++] = (byte)((b >>> 1) | c); - c = (b & 1) << 7; - b = x[i] & 0xff; - z[i++] = (byte)((b >>> 1) | c); - c = (b & 1) << 7; - b = x[i] & 0xff; - z[i++] = (byte)((b >>> 1) | c); - c = (b & 1) << 7; - b = x[i] & 0xff; - z[i++] = (byte)((b >>> 1) | c); - c = (b & 1) << 7; - } - while (i < 16); - return (byte)c; - } - - static int shiftRight(int[] x) - { -// int c = 0; -// for (int i = 0; i < 4; ++i) -// { -// int b = x[i]; -// x[i] = (b >>> 1) | c; -// c = b << 31; -// } -// return c; - - int b = x[0]; - x[0] = b >>> 1; - int c = b << 31; - b = x[1]; - x[1] = (b >>> 1) | c; - c = b << 31; - b = x[2]; - x[2] = (b >>> 1) | c; - c = b << 31; - b = x[3]; - x[3] = (b >>> 1) | c; - return b << 31; - } - - static int shiftRight(int[] x, int[] z) - { -// int c = 0; -// for (int i = 0; i < 4; ++i) -// { -// int b = x[i]; -// z[i] = (b >>> 1) | c; -// c = b << 31; -// } -// return c; - - int b = x[0]; - z[0] = b >>> 1; - int c = b << 31; - b = x[1]; - z[1] = (b >>> 1) | c; - c = b << 31; - b = x[2]; - z[2] = (b >>> 1) | c; - c = b << 31; - b = x[3]; - z[3] = (b >>> 1) | c; - return b << 31; - } - - static long shiftRight(long[] x) - { - long b = x[0]; - x[0] = b >>> 1; - long c = b << 63; - b = x[1]; - x[1] = (b >>> 1) | c; - return b << 63; - } - - static long shiftRight(long[] x, long[] z) - { - long b = x[0]; - z[0] = b >>> 1; - long c = b << 63; - b = x[1]; - z[1] = (b >>> 1) | c; - return b << 63; - } - - static int shiftRightN(int[] x, int n) - { -// int c = 0, nInv = 32 - n; -// for (int i = 0; i < 4; ++i) -// { -// int b = x[i]; -// x[i] = (b >>> n) | c; -// c = b << nInv; -// } -// return c; - - int b = x[0], nInv = 32 - n; - x[0] = b >>> n; - int c = b << nInv; - b = x[1]; - x[1] = (b >>> n) | c; - c = b << nInv; - b = x[2]; - x[2] = (b >>> n) | c; - c = b << nInv; - b = x[3]; - x[3] = (b >>> n) | c; - return b << nInv; - } - - static int shiftRightN(int[] x, int n, int[] z) - { -// int c = 0, nInv = 32 - n; -// for (int i = 0; i < 4; ++i) -// { -// int b = x[i]; -// z[i] = (b >>> n) | c; -// c = b << nInv; -// } -// return c; - - int b = x[0], nInv = 32 - n; - z[0] = b >>> n; - int c = b << nInv; - b = x[1]; - z[1] = (b >>> n) | c; - c = b << nInv; - b = x[2]; - z[2] = (b >>> n) | c; - c = b << nInv; - b = x[3]; - z[3] = (b >>> n) | c; - return b << nInv; - } - - static void xor(byte[] x, byte[] y) - { - int i = 0; - do - { - x[i] ^= y[i]; ++i; - x[i] ^= y[i]; ++i; - x[i] ^= y[i]; ++i; - x[i] ^= y[i]; ++i; - } - while (i < 16); - } - - static void xor(byte[] x, byte[] y, int yOff, int yLen) - { - while (yLen-- > 0) - { - x[yLen] ^= y[yOff + yLen]; - } - } - - static void xor(byte[] x, byte[] y, byte[] z) - { - int i = 0; - do - { - z[i] = (byte)(x[i] ^ y[i]); ++i; - z[i] = (byte)(x[i] ^ y[i]); ++i; - z[i] = (byte)(x[i] ^ y[i]); ++i; - z[i] = (byte)(x[i] ^ y[i]); ++i; - } - while (i < 16); - } - - static void xor(int[] x, int[] y) - { - x[0] ^= y[0]; - x[1] ^= y[1]; - x[2] ^= y[2]; - x[3] ^= y[3]; - } - - static void xor(int[] x, int[] y, int[] z) - { - z[0] = x[0] ^ y[0]; - z[1] = x[1] ^ y[1]; - z[2] = x[2] ^ y[2]; - z[3] = x[3] ^ y[3]; - } - - static void xor(long[] x, long[] y) - { - x[0] ^= y[0]; - x[1] ^= y[1]; - } - - static void xor(long[] x, long[] y, long[] z) - { - z[0] = x[0] ^ y[0]; - z[1] = x[1] ^ y[1]; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/gcm/Tables1kGCMExponentiator.java b/core/src/main/java/org/bouncycastle/crypto/modes/gcm/Tables1kGCMExponentiator.java deleted file mode 100644 index 6eff4e3f..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/modes/gcm/Tables1kGCMExponentiator.java +++ /dev/null @@ -1,58 +0,0 @@ -package org.bouncycastle.crypto.modes.gcm; - -import java.util.Vector; - -import org.bouncycastle.util.Arrays; - -public class Tables1kGCMExponentiator implements GCMExponentiator -{ - // A lookup table of the power-of-two powers of 'x' - // - lookupPowX2[i] = x^(2^i) - private Vector lookupPowX2; - - public void init(byte[] x) - { - int[] y = GCMUtil.asInts(x); - if (lookupPowX2 != null && Arrays.areEqual(y, (int[])lookupPowX2.elementAt(0))) - { - return; - } - - lookupPowX2 = new Vector(8); - lookupPowX2.addElement(y); - } - - public void exponentiateX(long pow, byte[] output) - { - int[] y = GCMUtil.oneAsInts(); - int bit = 0; - while (pow > 0) - { - if ((pow & 1L) != 0) - { - ensureAvailable(bit); - GCMUtil.multiply(y, (int[])lookupPowX2.elementAt(bit)); - } - ++bit; - pow >>>= 1; - } - - GCMUtil.asBytes(y, output); - } - - private void ensureAvailable(int bit) - { - int count = lookupPowX2.size(); - if (count <= bit) - { - int[] tmp = (int[])lookupPowX2.elementAt(count - 1); - do - { - tmp = Arrays.clone(tmp); - GCMUtil.multiply(tmp, tmp); - lookupPowX2.addElement(tmp); - } - while (++count <= bit); - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/gcm/Tables64kGCMMultiplier.java b/core/src/main/java/org/bouncycastle/crypto/modes/gcm/Tables64kGCMMultiplier.java deleted file mode 100644 index 4f32a0d9..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/modes/gcm/Tables64kGCMMultiplier.java +++ /dev/null @@ -1,73 +0,0 @@ -package org.bouncycastle.crypto.modes.gcm; - -import org.bouncycastle.util.Arrays; -import org.bouncycastle.util.Pack; - -public class Tables64kGCMMultiplier implements GCMMultiplier -{ - private byte[] H; - private int[][][] M; - - public void init(byte[] H) - { - if (M == null) - { - M = new int[16][256][4]; - } - else if (Arrays.areEqual(this.H, H)) - { - return; - } - - this.H = Arrays.clone(H); - - // M[0][0] is ZEROES; - GCMUtil.asInts(H, M[0][128]); - - for (int j = 64; j >= 1; j >>= 1) - { - GCMUtil.multiplyP(M[0][j + j], M[0][j]); - } - - int i = 0; - for (;;) - { - for (int j = 2; j < 256; j += j) - { - for (int k = 1; k < j; ++k) - { - GCMUtil.xor(M[i][j], M[i][k], M[i][j + k]); - } - } - - if (++i == 16) - { - return; - } - - // M[i][0] is ZEROES; - for (int j = 128; j > 0; j >>= 1) - { - GCMUtil.multiplyP8(M[i - 1][j], M[i][j]); - } - } - } - - public void multiplyH(byte[] x) - { -// assert x.Length == 16; - - int[] z = new int[4]; - for (int i = 15; i >= 0; --i) - { -// GCMUtil.xor(z, M[i][x[i] & 0xff]); - int[] m = M[i][x[i] & 0xff]; - z[0] ^= m[0]; - z[1] ^= m[1]; - z[2] ^= m[2]; - z[3] ^= m[3]; - } - - Pack.intToBigEndian(z, x, 0); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/modes/gcm/Tables8kGCMMultiplier.java b/core/src/main/java/org/bouncycastle/crypto/modes/gcm/Tables8kGCMMultiplier.java deleted file mode 100644 index 69c1dce8..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/modes/gcm/Tables8kGCMMultiplier.java +++ /dev/null @@ -1,90 +0,0 @@ -package org.bouncycastle.crypto.modes.gcm; - -import org.bouncycastle.util.Arrays; -import org.bouncycastle.util.Pack; - -public class Tables8kGCMMultiplier implements GCMMultiplier -{ - private byte[] H; - private int[][][] M; - - public void init(byte[] H) - { - if (M == null) - { - M = new int[32][16][4]; - } - else if (Arrays.areEqual(this.H, H)) - { - return; - } - - this.H = Arrays.clone(H); - - // M[0][0] is ZEROES; - // M[1][0] is ZEROES; - GCMUtil.asInts(H, M[1][8]); - - for (int j = 4; j >= 1; j >>= 1) - { - GCMUtil.multiplyP(M[1][j + j], M[1][j]); - } - - GCMUtil.multiplyP(M[1][1], M[0][8]); - - for (int j = 4; j >= 1; j >>= 1) - { - GCMUtil.multiplyP(M[0][j + j], M[0][j]); - } - - int i = 0; - for (;;) - { - for (int j = 2; j < 16; j += j) - { - for (int k = 1; k < j; ++k) - { - GCMUtil.xor(M[i][j], M[i][k], M[i][j + k]); - } - } - - if (++i == 32) - { - return; - } - - if (i > 1) - { - // M[i][0] is ZEROES; - for(int j = 8; j > 0; j >>= 1) - { - GCMUtil.multiplyP8(M[i - 2][j], M[i][j]); - } - } - } - } - - public void multiplyH(byte[] x) - { -// assert x.Length == 16; - - int[] z = new int[4]; - for (int i = 15; i >= 0; --i) - { -// GCMUtil.xor(z, M[i + i][x[i] & 0x0f]); - int[] m = M[i + i][x[i] & 0x0f]; - z[0] ^= m[0]; - z[1] ^= m[1]; - z[2] ^= m[2]; - z[3] ^= m[3]; -// GCMUtil.xor(z, M[i + i + 1][(x[i] & 0xf0) >>> 4]); - m = M[i + i + 1][(x[i] & 0xf0) >>> 4]; - z[0] ^= m[0]; - z[1] ^= m[1]; - z[2] ^= m[2]; - z[3] ^= m[3]; - } - - Pack.intToBigEndian(z, x, 0); - } -}
\ No newline at end of file diff --git a/core/src/main/java/org/bouncycastle/crypto/paddings/BlockCipherPadding.java b/core/src/main/java/org/bouncycastle/crypto/paddings/BlockCipherPadding.java deleted file mode 100644 index 7c4f0aee..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/paddings/BlockCipherPadding.java +++ /dev/null @@ -1,48 +0,0 @@ -package org.bouncycastle.crypto.paddings; - -import java.security.SecureRandom; - -import org.bouncycastle.crypto.InvalidCipherTextException; - -/** - * Block cipher padders are expected to conform to this interface - */ -public interface BlockCipherPadding -{ - /** - * Initialise the padder. - * - * @param random the source of randomness for the padding, if required. - */ - public void init(SecureRandom random) - throws IllegalArgumentException; - - /** - * Return the name of the algorithm the cipher implements. - * - * @return the name of the algorithm the cipher implements. - */ - public String getPaddingName(); - - /** - * add the pad bytes to the passed in block, returning the - * number of bytes added. - * <p> - * Note: this assumes that the last block of plain text is always - * passed to it inside in. i.e. if inOff is zero, indicating the - * entire block is to be overwritten with padding the value of in - * should be the same as the last block of plain text. The reason - * for this is that some modes such as "trailing bit compliment" - * base the padding on the last byte of plain text. - * </p> - */ - public int addPadding(byte[] in, int inOff); - - /** - * return the number of pad bytes present in the block. - * @exception InvalidCipherTextException if the padding is badly formed - * or invalid. - */ - public int padCount(byte[] in) - throws InvalidCipherTextException; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/paddings/ISO10126d2Padding.java b/core/src/main/java/org/bouncycastle/crypto/paddings/ISO10126d2Padding.java deleted file mode 100644 index 63e29d84..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/paddings/ISO10126d2Padding.java +++ /dev/null @@ -1,79 +0,0 @@ -package org.bouncycastle.crypto.paddings; - -import java.security.SecureRandom; - -import org.bouncycastle.crypto.InvalidCipherTextException; - -/** - * A padder that adds ISO10126-2 padding to a block. - */ -public class ISO10126d2Padding - implements BlockCipherPadding -{ - SecureRandom random; - - /** - * Initialise the padder. - * - * @param random a SecureRandom if available. - */ - public void init(SecureRandom random) - throws IllegalArgumentException - { - if (random != null) - { - this.random = random; - } - else - { - this.random = new SecureRandom(); - } - } - - /** - * Return the name of the algorithm the padder implements. - * - * @return the name of the algorithm the padder implements. - */ - public String getPaddingName() - { - return "ISO10126-2"; - } - - /** - * add the pad bytes to the passed in block, returning the - * number of bytes added. - */ - public int addPadding( - byte[] in, - int inOff) - { - byte code = (byte)(in.length - inOff); - - while (inOff < (in.length - 1)) - { - in[inOff] = (byte)random.nextInt(); - inOff++; - } - - in[inOff] = code; - - return code; - } - - /** - * return the number of pad bytes present in the block. - */ - public int padCount(byte[] in) - throws InvalidCipherTextException - { - int count = in[in.length - 1] & 0xff; - - if (count > in.length) - { - throw new InvalidCipherTextException("pad block corrupted"); - } - - return count; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/paddings/ISO7816d4Padding.java b/core/src/main/java/org/bouncycastle/crypto/paddings/ISO7816d4Padding.java deleted file mode 100644 index 54c31a9b..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/paddings/ISO7816d4Padding.java +++ /dev/null @@ -1,77 +0,0 @@ -package org.bouncycastle.crypto.paddings; - -import java.security.SecureRandom; - -import org.bouncycastle.crypto.InvalidCipherTextException; - -/** - * A padder that adds the padding according to the scheme referenced in - * ISO 7814-4 - scheme 2 from ISO 9797-1. The first byte is 0x80, rest is 0x00 - */ -public class ISO7816d4Padding - implements BlockCipherPadding -{ - /** - * Initialise the padder. - * - * @param random - a SecureRandom if available. - */ - public void init(SecureRandom random) - throws IllegalArgumentException - { - // nothing to do. - } - - /** - * Return the name of the algorithm the padder implements. - * - * @return the name of the algorithm the padder implements. - */ - public String getPaddingName() - { - return "ISO7816-4"; - } - - /** - * add the pad bytes to the passed in block, returning the - * number of bytes added. - */ - public int addPadding( - byte[] in, - int inOff) - { - int added = (in.length - inOff); - - in [inOff]= (byte) 0x80; - inOff ++; - - while (inOff < in.length) - { - in[inOff] = (byte) 0; - inOff++; - } - - return added; - } - - /** - * return the number of pad bytes present in the block. - */ - public int padCount(byte[] in) - throws InvalidCipherTextException - { - int count = in.length - 1; - - while (count > 0 && in[count] == 0) - { - count--; - } - - if (in[count] != (byte)0x80) - { - throw new InvalidCipherTextException("pad block corrupted"); - } - - return in.length - count; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/paddings/PKCS7Padding.java b/core/src/main/java/org/bouncycastle/crypto/paddings/PKCS7Padding.java deleted file mode 100644 index 93b149fa..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/paddings/PKCS7Padding.java +++ /dev/null @@ -1,76 +0,0 @@ -package org.bouncycastle.crypto.paddings; - -import java.security.SecureRandom; - -import org.bouncycastle.crypto.InvalidCipherTextException; - -/** - * A padder that adds PKCS7/PKCS5 padding to a block. - */ -public class PKCS7Padding - implements BlockCipherPadding -{ - /** - * Initialise the padder. - * - * @param random - a SecureRandom if available. - */ - public void init(SecureRandom random) - throws IllegalArgumentException - { - // nothing to do. - } - - /** - * Return the name of the algorithm the padder implements. - * - * @return the name of the algorithm the padder implements. - */ - public String getPaddingName() - { - return "PKCS7"; - } - - /** - * add the pad bytes to the passed in block, returning the - * number of bytes added. - */ - public int addPadding( - byte[] in, - int inOff) - { - byte code = (byte)(in.length - inOff); - - while (inOff < in.length) - { - in[inOff] = code; - inOff++; - } - - return code; - } - - /** - * return the number of pad bytes present in the block. - */ - public int padCount(byte[] in) - throws InvalidCipherTextException - { - int count = in[in.length - 1] & 0xff; - - if (count > in.length || count == 0) - { - throw new InvalidCipherTextException("pad block corrupted"); - } - - for (int i = 1; i <= count; i++) - { - if (in[in.length - i] != count) - { - throw new InvalidCipherTextException("pad block corrupted"); - } - } - - return count; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/paddings/PaddedBufferedBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/paddings/PaddedBufferedBlockCipher.java deleted file mode 100644 index d5928f70..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/paddings/PaddedBufferedBlockCipher.java +++ /dev/null @@ -1,299 +0,0 @@ -package org.bouncycastle.crypto.paddings; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.BufferedBlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.InvalidCipherTextException; -import org.bouncycastle.crypto.OutputLengthException; -import org.bouncycastle.crypto.params.ParametersWithRandom; - -/** - * A wrapper class that allows block ciphers to be used to process data in - * a piecemeal fashion with padding. The PaddedBufferedBlockCipher - * outputs a block only when the buffer is full and more data is being added, - * or on a doFinal (unless the current block in the buffer is a pad block). - * The default padding mechanism used is the one outlined in PKCS5/PKCS7. - */ -public class PaddedBufferedBlockCipher - extends BufferedBlockCipher -{ - BlockCipherPadding padding; - - /** - * Create a buffered block cipher with the desired padding. - * - * @param cipher the underlying block cipher this buffering object wraps. - * @param padding the padding type. - */ - public PaddedBufferedBlockCipher( - BlockCipher cipher, - BlockCipherPadding padding) - { - this.cipher = cipher; - this.padding = padding; - - buf = new byte[cipher.getBlockSize()]; - bufOff = 0; - } - - /** - * Create a buffered block cipher PKCS7 padding - * - * @param cipher the underlying block cipher this buffering object wraps. - */ - public PaddedBufferedBlockCipher( - BlockCipher cipher) - { - this(cipher, new PKCS7Padding()); - } - - /** - * initialise the cipher. - * - * @param forEncryption if true the cipher is initialised for - * encryption, if false for decryption. - * @param params the key and other data required by the cipher. - * @exception IllegalArgumentException if the params argument is - * inappropriate. - */ - public void init( - boolean forEncryption, - CipherParameters params) - throws IllegalArgumentException - { - this.forEncryption = forEncryption; - - reset(); - - if (params instanceof ParametersWithRandom) - { - ParametersWithRandom p = (ParametersWithRandom)params; - - padding.init(p.getRandom()); - - cipher.init(forEncryption, p.getParameters()); - } - else - { - padding.init(null); - - cipher.init(forEncryption, params); - } - } - - /** - * return the minimum size of the output buffer required for an update - * plus a doFinal with an input of len bytes. - * - * @param len the length of the input. - * @return the space required to accommodate a call to update and doFinal - * with len bytes of input. - */ - public int getOutputSize( - int len) - { - int total = len + bufOff; - int leftOver = total % buf.length; - - if (leftOver == 0) - { - if (forEncryption) - { - return total + buf.length; - } - - return total; - } - - return total - leftOver + buf.length; - } - - /** - * return the size of the output buffer required for an update - * an input of len bytes. - * - * @param len the length of the input. - * @return the space required to accommodate a call to update - * with len bytes of input. - */ - public int getUpdateOutputSize( - int len) - { - int total = len + bufOff; - int leftOver = total % buf.length; - - if (leftOver == 0) - { - return Math.max(0, total - buf.length); - } - - return total - leftOver; - } - - /** - * process a single byte, producing an output block if neccessary. - * - * @param in the input byte. - * @param out the space for any output that might be produced. - * @param outOff the offset from which the output will be copied. - * @return the number of output bytes copied to out. - * @exception DataLengthException if there isn't enough space in out. - * @exception IllegalStateException if the cipher isn't initialised. - */ - public int processByte( - byte in, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - int resultLen = 0; - - if (bufOff == buf.length) - { - resultLen = cipher.processBlock(buf, 0, out, outOff); - bufOff = 0; - } - - buf[bufOff++] = in; - - return resultLen; - } - - /** - * process an array of bytes, producing output if necessary. - * - * @param in the input byte array. - * @param inOff the offset at which the input data starts. - * @param len the number of bytes to be copied out of the input array. - * @param out the space for any output that might be produced. - * @param outOff the offset from which the output will be copied. - * @return the number of output bytes copied to out. - * @exception DataLengthException if there isn't enough space in out. - * @exception IllegalStateException if the cipher isn't initialised. - */ - public int processBytes( - byte[] in, - int inOff, - int len, - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException - { - if (len < 0) - { - throw new IllegalArgumentException("Can't have a negative input length!"); - } - - int blockSize = getBlockSize(); - int length = getUpdateOutputSize(len); - - if (length > 0) - { - if ((outOff + length) > out.length) - { - throw new OutputLengthException("output buffer too short"); - } - } - - int resultLen = 0; - int gapLen = buf.length - bufOff; - - if (len > gapLen) - { - System.arraycopy(in, inOff, buf, bufOff, gapLen); - - resultLen += cipher.processBlock(buf, 0, out, outOff); - - bufOff = 0; - len -= gapLen; - inOff += gapLen; - - while (len > buf.length) - { - resultLen += cipher.processBlock(in, inOff, out, outOff + resultLen); - - len -= blockSize; - inOff += blockSize; - } - } - - System.arraycopy(in, inOff, buf, bufOff, len); - - bufOff += len; - - return resultLen; - } - - /** - * Process the last block in the buffer. If the buffer is currently - * full and padding needs to be added a call to doFinal will produce - * 2 * getBlockSize() bytes. - * - * @param out the array the block currently being held is copied into. - * @param outOff the offset at which the copying starts. - * @return the number of output bytes copied to out. - * @exception DataLengthException if there is insufficient space in out for - * the output or we are decrypting and the input is not block size aligned. - * @exception IllegalStateException if the underlying cipher is not - * initialised. - * @exception InvalidCipherTextException if padding is expected and not found. - */ - public int doFinal( - byte[] out, - int outOff) - throws DataLengthException, IllegalStateException, InvalidCipherTextException - { - int blockSize = cipher.getBlockSize(); - int resultLen = 0; - - if (forEncryption) - { - if (bufOff == blockSize) - { - if ((outOff + 2 * blockSize) > out.length) - { - reset(); - - throw new OutputLengthException("output buffer too short"); - } - - resultLen = cipher.processBlock(buf, 0, out, outOff); - bufOff = 0; - } - - padding.addPadding(buf, bufOff); - - resultLen += cipher.processBlock(buf, 0, out, outOff + resultLen); - - reset(); - } - else - { - if (bufOff == blockSize) - { - resultLen = cipher.processBlock(buf, 0, buf, 0); - bufOff = 0; - } - else - { - reset(); - - throw new DataLengthException("last block incomplete in decryption"); - } - - try - { - resultLen -= padding.padCount(buf); - - System.arraycopy(buf, 0, out, outOff, resultLen); - } - finally - { - reset(); - } - } - - return resultLen; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/paddings/TBCPadding.java b/core/src/main/java/org/bouncycastle/crypto/paddings/TBCPadding.java deleted file mode 100644 index 219912fe..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/paddings/TBCPadding.java +++ /dev/null @@ -1,89 +0,0 @@ -package org.bouncycastle.crypto.paddings; - -import java.security.SecureRandom; - -import org.bouncycastle.crypto.InvalidCipherTextException; - -/** - * A padder that adds Trailing-Bit-Compliment padding to a block. - * <p> - * This padding pads the block out with the compliment of the last bit - * of the plain text. - * </p> - */ -public class TBCPadding - implements BlockCipherPadding -{ - /** - * Initialise the padder. - * - * @param random - a SecureRandom if available. - */ - public void init(SecureRandom random) - throws IllegalArgumentException - { - // nothing to do. - } - - /** - * Return the name of the algorithm the padder implements. - * - * @return the name of the algorithm the padder implements. - */ - public String getPaddingName() - { - return "TBC"; - } - - /** - * add the pad bytes to the passed in block, returning the - * number of bytes added. - * <p> - * Note: this assumes that the last block of plain text is always - * passed to it inside in. i.e. if inOff is zero, indicating the - * entire block is to be overwritten with padding the value of in - * should be the same as the last block of plain text. - * </p> - */ - public int addPadding( - byte[] in, - int inOff) - { - int count = in.length - inOff; - byte code; - - if (inOff > 0) - { - code = (byte)((in[inOff - 1] & 0x01) == 0 ? 0xff : 0x00); - } - else - { - code = (byte)((in[in.length - 1] & 0x01) == 0 ? 0xff : 0x00); - } - - while (inOff < in.length) - { - in[inOff] = code; - inOff++; - } - - return count; - } - - /** - * return the number of pad bytes present in the block. - */ - public int padCount(byte[] in) - throws InvalidCipherTextException - { - byte code = in[in.length - 1]; - - int index = in.length - 1; - while (index > 0 && in[index - 1] == code) - { - index--; - } - - return in.length - index; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/paddings/X923Padding.java b/core/src/main/java/org/bouncycastle/crypto/paddings/X923Padding.java deleted file mode 100644 index d4d34aad..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/paddings/X923Padding.java +++ /dev/null @@ -1,80 +0,0 @@ -package org.bouncycastle.crypto.paddings; - -import java.security.SecureRandom; - -import org.bouncycastle.crypto.InvalidCipherTextException; - -/** - * A padder that adds X9.23 padding to a block - if a SecureRandom is - * passed in random padding is assumed, otherwise padding with zeros is used. - */ -public class X923Padding - implements BlockCipherPadding -{ - SecureRandom random = null; - - /** - * Initialise the padder. - * - * @param random a SecureRandom if one is available. - */ - public void init(SecureRandom random) - throws IllegalArgumentException - { - this.random = random; - } - - /** - * Return the name of the algorithm the padder implements. - * - * @return the name of the algorithm the padder implements. - */ - public String getPaddingName() - { - return "X9.23"; - } - - /** - * add the pad bytes to the passed in block, returning the - * number of bytes added. - */ - public int addPadding( - byte[] in, - int inOff) - { - byte code = (byte)(in.length - inOff); - - while (inOff < in.length - 1) - { - if (random == null) - { - in[inOff] = 0; - } - else - { - in[inOff] = (byte)random.nextInt(); - } - inOff++; - } - - in[inOff] = code; - - return code; - } - - /** - * return the number of pad bytes present in the block. - */ - public int padCount(byte[] in) - throws InvalidCipherTextException - { - int count = in[in.length - 1] & 0xff; - - if (count > in.length) - { - throw new InvalidCipherTextException("pad block corrupted"); - } - - return count; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/paddings/ZeroBytePadding.java b/core/src/main/java/org/bouncycastle/crypto/paddings/ZeroBytePadding.java deleted file mode 100644 index c7560286..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/paddings/ZeroBytePadding.java +++ /dev/null @@ -1,73 +0,0 @@ -package org.bouncycastle.crypto.paddings; - -import java.security.SecureRandom; - -import org.bouncycastle.crypto.InvalidCipherTextException; - -/** - * A padder that adds NULL byte padding to a block. - */ -public class ZeroBytePadding - implements BlockCipherPadding -{ - /** - * Initialise the padder. - * - * @param random - a SecureRandom if available. - */ - public void init(SecureRandom random) - throws IllegalArgumentException - { - // nothing to do. - } - - /** - * Return the name of the algorithm the padder implements. - * - * @return the name of the algorithm the padder implements. - */ - public String getPaddingName() - { - return "ZeroByte"; - } - - /** - * add the pad bytes to the passed in block, returning the - * number of bytes added. - */ - public int addPadding( - byte[] in, - int inOff) - { - int added = (in.length - inOff); - - while (inOff < in.length) - { - in[inOff] = (byte) 0; - inOff++; - } - - return added; - } - - /** - * return the number of pad bytes present in the block. - */ - public int padCount(byte[] in) - throws InvalidCipherTextException - { - int count = in.length; - - while (count > 0) - { - if (in[count - 1] != 0) - { - break; - } - - count--; - } - - return in.length - count; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/AEADParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/AEADParameters.java deleted file mode 100644 index 9a9272ba..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/AEADParameters.java +++ /dev/null @@ -1,60 +0,0 @@ -package org.bouncycastle.crypto.params; - -import org.bouncycastle.crypto.CipherParameters; - -public class AEADParameters - implements CipherParameters -{ - private byte[] associatedText; - private byte[] nonce; - private KeyParameter key; - private int macSize; - - /** - * Base constructor. - * - * @param key key to be used by underlying cipher - * @param macSize macSize in bits - * @param nonce nonce to be used - */ - public AEADParameters(KeyParameter key, int macSize, byte[] nonce) - { - this(key, macSize, nonce, null); - } - - /** - * Base constructor. - * - * @param key key to be used by underlying cipher - * @param macSize macSize in bits - * @param nonce nonce to be used - * @param associatedText initial associated text, if any - */ - public AEADParameters(KeyParameter key, int macSize, byte[] nonce, byte[] associatedText) - { - this.key = key; - this.nonce = nonce; - this.macSize = macSize; - this.associatedText = associatedText; - } - - public KeyParameter getKey() - { - return key; - } - - public int getMacSize() - { - return macSize; - } - - public byte[] getAssociatedText() - { - return associatedText; - } - - public byte[] getNonce() - { - return nonce; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/AsymmetricKeyParameter.java b/core/src/main/java/org/bouncycastle/crypto/params/AsymmetricKeyParameter.java deleted file mode 100644 index 03ba7253..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/AsymmetricKeyParameter.java +++ /dev/null @@ -1,20 +0,0 @@ -package org.bouncycastle.crypto.params; - -import org.bouncycastle.crypto.CipherParameters; - -public class AsymmetricKeyParameter - implements CipherParameters -{ - boolean privateKey; - - public AsymmetricKeyParameter( - boolean privateKey) - { - this.privateKey = privateKey; - } - - public boolean isPrivate() - { - return privateKey; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/CCMParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/CCMParameters.java deleted file mode 100644 index 4924dcca..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/CCMParameters.java +++ /dev/null @@ -1,21 +0,0 @@ -package org.bouncycastle.crypto.params; - -/** - * @deprecated use AEADParameters - */ -public class CCMParameters - extends AEADParameters -{ - /** - * Base constructor. - * - * @param key key to be used by underlying cipher - * @param macSize macSize in bits - * @param nonce nonce to be used - * @param associatedText associated text, if any - */ - public CCMParameters(KeyParameter key, int macSize, byte[] nonce, byte[] associatedText) - { - super(key, macSize, nonce, associatedText); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/CramerShoupKeyGenerationParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/CramerShoupKeyGenerationParameters.java deleted file mode 100644 index 15b6d6a5..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/CramerShoupKeyGenerationParameters.java +++ /dev/null @@ -1,24 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.security.SecureRandom; - -import org.bouncycastle.crypto.KeyGenerationParameters; - -public class CramerShoupKeyGenerationParameters extends KeyGenerationParameters { - - private CramerShoupParameters params; - - public CramerShoupKeyGenerationParameters(SecureRandom random, CramerShoupParameters params) { - super(random, getStrength(params)); - - this.params = params; - } - - public CramerShoupParameters getParameters() { - return params; - } - - static int getStrength(CramerShoupParameters params) { - return params.getP().bitLength(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/CramerShoupKeyParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/CramerShoupKeyParameters.java deleted file mode 100644 index 9e4219c8..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/CramerShoupKeyParameters.java +++ /dev/null @@ -1,40 +0,0 @@ -package org.bouncycastle.crypto.params; - -public class CramerShoupKeyParameters extends AsymmetricKeyParameter { - - private CramerShoupParameters params; - - protected CramerShoupKeyParameters(boolean isPrivate, CramerShoupParameters params) { - super(isPrivate); - - this.params = params; - } - - public CramerShoupParameters getParameters() { - return params; - } - - public boolean equals(Object obj) { - if (!(obj instanceof CramerShoupKeyParameters)) { - return false; - } - - CramerShoupKeyParameters csKey = (CramerShoupKeyParameters) obj; - - if (params == null) { - return csKey.getParameters() == null; - } else { - return params.equals(csKey.getParameters()); - } - } - - public int hashCode() { - int code = isPrivate() ? 0 : 1; - - if (params != null) { - code ^= params.hashCode(); - } - - return code; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/CramerShoupParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/CramerShoupParameters.java deleted file mode 100644 index 24264b6c..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/CramerShoupParameters.java +++ /dev/null @@ -1,53 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.math.BigInteger; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.Digest; - -public class CramerShoupParameters implements CipherParameters { - - private BigInteger p; // prime order of G - private BigInteger g1, g2; // generate G - - private Digest H; // hash function - - public CramerShoupParameters(BigInteger p, BigInteger g1, BigInteger g2, Digest H) { - this.p = p; - this.g1 = g1; - this.g2 = g2; - this.H = H; - } - - public boolean equals(Object obj) { - if (!(obj instanceof DSAParameters)) { - return false; - } - - CramerShoupParameters pm = (CramerShoupParameters) obj; - - return (pm.getP().equals(p) && pm.getG1().equals(g1) && pm.getG2().equals(g2)); - } - - public int hashCode() { - return getP().hashCode() ^ getG1().hashCode() ^ getG2().hashCode(); - } - - public BigInteger getG1() { - return g1; - } - - public BigInteger getG2() { - return g2; - } - - public BigInteger getP() { - return p; - } - - public Digest getH() { - H.reset(); - return H; - } - -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/CramerShoupPrivateKeyParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/CramerShoupPrivateKeyParameters.java deleted file mode 100644 index 79de46ad..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/CramerShoupPrivateKeyParameters.java +++ /dev/null @@ -1,61 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.math.BigInteger; - -public class CramerShoupPrivateKeyParameters extends CramerShoupKeyParameters { - - private BigInteger x1, x2, y1, y2, z; // Z_p - private CramerShoupPublicKeyParameters pk; // public key - - public CramerShoupPrivateKeyParameters(CramerShoupParameters params, BigInteger x1, BigInteger x2, BigInteger y1, BigInteger y2, BigInteger z) { - super(true, params); - - this.x1 = x1; - this.x2 = x2; - this.y1 = y1; - this.y2 = y2; - this.z = z; - } - - public BigInteger getX1() { - return x1; - } - - public BigInteger getX2() { - return x2; - } - - public BigInteger getY1() { - return y1; - } - - public BigInteger getY2() { - return y2; - } - - public BigInteger getZ() { - return z; - } - - public void setPk(CramerShoupPublicKeyParameters pk) { - this.pk = pk; - } - - public CramerShoupPublicKeyParameters getPk() { - return pk; - } - - public int hashCode() { - return x1.hashCode() ^ x2.hashCode() ^ y1.hashCode() ^ y2.hashCode() ^ z.hashCode() ^ super.hashCode(); - } - - public boolean equals(Object obj) { - if (!(obj instanceof CramerShoupPrivateKeyParameters)) { - return false; - } - - CramerShoupPrivateKeyParameters other = (CramerShoupPrivateKeyParameters) obj; - - return other.getX1().equals(this.x1) && other.getX2().equals(this.x2) && other.getY1().equals(this.y1) && other.getY2().equals(this.y2) && other.getZ().equals(this.z) && super.equals(obj); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/CramerShoupPublicKeyParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/CramerShoupPublicKeyParameters.java deleted file mode 100644 index 341149c1..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/CramerShoupPublicKeyParameters.java +++ /dev/null @@ -1,42 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.math.BigInteger; - -public class CramerShoupPublicKeyParameters extends CramerShoupKeyParameters { - - private BigInteger c, d, h; // public key group elements - - public CramerShoupPublicKeyParameters(CramerShoupParameters params, BigInteger c, BigInteger d, BigInteger h) { - super(false, params); - - this.c = c; - this.d = d; - this.h = h; - } - - public BigInteger getC() { - return c; - } - - public BigInteger getD() { - return d; - } - - public BigInteger getH() { - return h; - } - - public int hashCode() { - return c.hashCode() ^ d.hashCode() ^ h.hashCode() ^ super.hashCode(); - } - - public boolean equals(Object obj) { - if (!(obj instanceof CramerShoupPublicKeyParameters)) { - return false; - } - - CramerShoupPublicKeyParameters other = (CramerShoupPublicKeyParameters) obj; - - return other.getC().equals(c) && other.getD().equals(d) && other.getH().equals(h) && super.equals(obj); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/DESParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/DESParameters.java deleted file mode 100644 index 5bee3604..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/DESParameters.java +++ /dev/null @@ -1,107 +0,0 @@ -package org.bouncycastle.crypto.params; - -public class DESParameters - extends KeyParameter -{ - public DESParameters( - byte[] key) - { - super(key); - - if (isWeakKey(key, 0)) - { - throw new IllegalArgumentException("attempt to create weak DES key"); - } - } - - /* - * DES Key length in bytes. - */ - static public final int DES_KEY_LENGTH = 8; - - /* - * Table of weak and semi-weak keys taken from Schneier pp281 - */ - static private final int N_DES_WEAK_KEYS = 16; - - static private byte[] DES_weak_keys = - { - /* weak keys */ - (byte)0x01,(byte)0x01,(byte)0x01,(byte)0x01, (byte)0x01,(byte)0x01,(byte)0x01,(byte)0x01, - (byte)0x1f,(byte)0x1f,(byte)0x1f,(byte)0x1f, (byte)0x0e,(byte)0x0e,(byte)0x0e,(byte)0x0e, - (byte)0xe0,(byte)0xe0,(byte)0xe0,(byte)0xe0, (byte)0xf1,(byte)0xf1,(byte)0xf1,(byte)0xf1, - (byte)0xfe,(byte)0xfe,(byte)0xfe,(byte)0xfe, (byte)0xfe,(byte)0xfe,(byte)0xfe,(byte)0xfe, - - /* semi-weak keys */ - (byte)0x01,(byte)0xfe,(byte)0x01,(byte)0xfe, (byte)0x01,(byte)0xfe,(byte)0x01,(byte)0xfe, - (byte)0x1f,(byte)0xe0,(byte)0x1f,(byte)0xe0, (byte)0x0e,(byte)0xf1,(byte)0x0e,(byte)0xf1, - (byte)0x01,(byte)0xe0,(byte)0x01,(byte)0xe0, (byte)0x01,(byte)0xf1,(byte)0x01,(byte)0xf1, - (byte)0x1f,(byte)0xfe,(byte)0x1f,(byte)0xfe, (byte)0x0e,(byte)0xfe,(byte)0x0e,(byte)0xfe, - (byte)0x01,(byte)0x1f,(byte)0x01,(byte)0x1f, (byte)0x01,(byte)0x0e,(byte)0x01,(byte)0x0e, - (byte)0xe0,(byte)0xfe,(byte)0xe0,(byte)0xfe, (byte)0xf1,(byte)0xfe,(byte)0xf1,(byte)0xfe, - (byte)0xfe,(byte)0x01,(byte)0xfe,(byte)0x01, (byte)0xfe,(byte)0x01,(byte)0xfe,(byte)0x01, - (byte)0xe0,(byte)0x1f,(byte)0xe0,(byte)0x1f, (byte)0xf1,(byte)0x0e,(byte)0xf1,(byte)0x0e, - (byte)0xe0,(byte)0x01,(byte)0xe0,(byte)0x01, (byte)0xf1,(byte)0x01,(byte)0xf1,(byte)0x01, - (byte)0xfe,(byte)0x1f,(byte)0xfe,(byte)0x1f, (byte)0xfe,(byte)0x0e,(byte)0xfe,(byte)0x0e, - (byte)0x1f,(byte)0x01,(byte)0x1f,(byte)0x01, (byte)0x0e,(byte)0x01,(byte)0x0e,(byte)0x01, - (byte)0xfe,(byte)0xe0,(byte)0xfe,(byte)0xe0, (byte)0xfe,(byte)0xf1,(byte)0xfe,(byte)0xf1 - }; - - /** - * DES has 16 weak keys. This method will check - * if the given DES key material is weak or semi-weak. - * Key material that is too short is regarded as weak. - * <p> - * See <a href="http://www.counterpane.com/applied.html">"Applied - * Cryptography"</a> by Bruce Schneier for more information. - * - * @return true if the given DES key material is weak or semi-weak, - * false otherwise. - */ - public static boolean isWeakKey( - byte[] key, - int offset) - { - if (key.length - offset < DES_KEY_LENGTH) - { - throw new IllegalArgumentException("key material too short."); - } - - nextkey: for (int i = 0; i < N_DES_WEAK_KEYS; i++) - { - for (int j = 0; j < DES_KEY_LENGTH; j++) - { - if (key[j + offset] != DES_weak_keys[i * DES_KEY_LENGTH + j]) - { - continue nextkey; - } - } - - return true; - } - return false; - } - - /** - * DES Keys use the LSB as the odd parity bit. This can - * be used to check for corrupt keys. - * - * @param bytes the byte array to set the parity on. - */ - public static void setOddParity( - byte[] bytes) - { - for (int i = 0; i < bytes.length; i++) - { - int b = bytes[i]; - bytes[i] = (byte)((b & 0xfe) | - ((((b >> 1) ^ - (b >> 2) ^ - (b >> 3) ^ - (b >> 4) ^ - (b >> 5) ^ - (b >> 6) ^ - (b >> 7)) ^ 0x01) & 0x01)); - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/DESedeParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/DESedeParameters.java deleted file mode 100644 index 3a4bbfca..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/DESedeParameters.java +++ /dev/null @@ -1,57 +0,0 @@ -package org.bouncycastle.crypto.params; - -public class DESedeParameters - extends DESParameters -{ - /* - * DES-EDE Key length in bytes. - */ - static public final int DES_EDE_KEY_LENGTH = 24; - - public DESedeParameters( - byte[] key) - { - super(key); - - if (isWeakKey(key, 0, key.length)) - { - throw new IllegalArgumentException("attempt to create weak DESede key"); - } - } - - /** - * return true if the passed in key is a DES-EDE weak key. - * - * @param key bytes making up the key - * @param offset offset into the byte array the key starts at - * @param length number of bytes making up the key - */ - public static boolean isWeakKey( - byte[] key, - int offset, - int length) - { - for (int i = offset; i < length; i += DES_KEY_LENGTH) - { - if (DESParameters.isWeakKey(key, i)) - { - return true; - } - } - - return false; - } - - /** - * return true if the passed in key is a DES-EDE weak key. - * - * @param key bytes making up the key - * @param offset offset into the byte array the key starts at - */ - public static boolean isWeakKey( - byte[] key, - int offset) - { - return isWeakKey(key, offset, key.length - offset); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/DHKeyGenerationParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/DHKeyGenerationParameters.java deleted file mode 100644 index 34c730eb..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/DHKeyGenerationParameters.java +++ /dev/null @@ -1,30 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.security.SecureRandom; - -import org.bouncycastle.crypto.KeyGenerationParameters; - -public class DHKeyGenerationParameters - extends KeyGenerationParameters -{ - private DHParameters params; - - public DHKeyGenerationParameters( - SecureRandom random, - DHParameters params) - { - super(random, getStrength(params)); - - this.params = params; - } - - public DHParameters getParameters() - { - return params; - } - - static int getStrength(DHParameters params) - { - return params.getL() != 0 ? params.getL() : params.getP().bitLength(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/DHKeyParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/DHKeyParameters.java deleted file mode 100644 index e686f357..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/DHKeyParameters.java +++ /dev/null @@ -1,54 +0,0 @@ -package org.bouncycastle.crypto.params; - - -public class DHKeyParameters - extends AsymmetricKeyParameter -{ - private DHParameters params; - - protected DHKeyParameters( - boolean isPrivate, - DHParameters params) - { - super(isPrivate); - - this.params = params; - } - - public DHParameters getParameters() - { - return params; - } - - public boolean equals( - Object obj) - { - if (!(obj instanceof DHKeyParameters)) - { - return false; - } - - DHKeyParameters dhKey = (DHKeyParameters)obj; - - if (params == null) - { - return dhKey.getParameters() == null; - } - else - { - return params.equals(dhKey.getParameters()); - } - } - - public int hashCode() - { - int code = isPrivate() ? 0 : 1; - - if (params != null) - { - code ^= params.hashCode(); - } - - return code; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/DHParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/DHParameters.java deleted file mode 100644 index b679287c..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/DHParameters.java +++ /dev/null @@ -1,189 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.math.BigInteger; - -import org.bouncycastle.crypto.CipherParameters; - -public class DHParameters - implements CipherParameters -{ - private static final int DEFAULT_MINIMUM_LENGTH = 160; - - // not final due to compiler bug in "simpler" JDKs - private BigInteger g; - private BigInteger p; - private BigInteger q; - private BigInteger j; - private int m; - private int l; - private DHValidationParameters validation; - - private static int getDefaultMParam( - int lParam) - { - if (lParam == 0) - { - return DEFAULT_MINIMUM_LENGTH; - } - - return lParam < DEFAULT_MINIMUM_LENGTH ? lParam : DEFAULT_MINIMUM_LENGTH; - } - - public DHParameters( - BigInteger p, - BigInteger g) - { - this(p, g, null, 0); - } - - public DHParameters( - BigInteger p, - BigInteger g, - BigInteger q) - { - this(p, g, q, 0); - } - - public DHParameters( - BigInteger p, - BigInteger g, - BigInteger q, - int l) - { - this(p, g, q, getDefaultMParam(l), l, null, null); - } - - public DHParameters( - BigInteger p, - BigInteger g, - BigInteger q, - int m, - int l) - { - this(p, g, q, m, l, null, null); - } - - public DHParameters( - BigInteger p, - BigInteger g, - BigInteger q, - BigInteger j, - DHValidationParameters validation) - { - this(p, g, q, DEFAULT_MINIMUM_LENGTH, 0, j, validation); - } - - public DHParameters( - BigInteger p, - BigInteger g, - BigInteger q, - int m, - int l, - BigInteger j, - DHValidationParameters validation) - { - if (l != 0) - { - BigInteger bigL = BigInteger.valueOf(2L ^ (l - 1)); - if (bigL.compareTo(p) == 1) - { - throw new IllegalArgumentException("when l value specified, it must satisfy 2^(l-1) <= p"); - } - if (l < m) - { - throw new IllegalArgumentException("when l value specified, it may not be less than m value"); - } - } - - this.g = g; - this.p = p; - this.q = q; - this.m = m; - this.l = l; - this.j = j; - this.validation = validation; - } - - public BigInteger getP() - { - return p; - } - - public BigInteger getG() - { - return g; - } - - public BigInteger getQ() - { - return q; - } - - /** - * Return the subgroup factor J. - * - * @return subgroup factor - */ - public BigInteger getJ() - { - return j; - } - - /** - * Return the minimum length of the private value. - * - * @return the minimum length of the private value in bits. - */ - public int getM() - { - return m; - } - - /** - * Return the private value length in bits - if set, zero otherwise - * - * @return the private value length in bits, zero otherwise. - */ - public int getL() - { - return l; - } - - public DHValidationParameters getValidationParameters() - { - return validation; - } - - public boolean equals( - Object obj) - { - if (!(obj instanceof DHParameters)) - { - return false; - } - - DHParameters pm = (DHParameters)obj; - - if (this.getQ() != null) - { - if (!this.getQ().equals(pm.getQ())) - { - return false; - } - } - else - { - if (pm.getQ() != null) - { - return false; - } - } - - return pm.getP().equals(p) && pm.getG().equals(g); - } - - public int hashCode() - { - return getP().hashCode() ^ getG().hashCode() ^ (getQ() != null ? getQ().hashCode() : 0); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/DHPrivateKeyParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/DHPrivateKeyParameters.java deleted file mode 100644 index ee1b34f9..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/DHPrivateKeyParameters.java +++ /dev/null @@ -1,41 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.math.BigInteger; - -public class DHPrivateKeyParameters - extends DHKeyParameters -{ - private BigInteger x; - - public DHPrivateKeyParameters( - BigInteger x, - DHParameters params) - { - super(true, params); - - this.x = x; - } - - public BigInteger getX() - { - return x; - } - - public int hashCode() - { - return x.hashCode() ^ super.hashCode(); - } - - public boolean equals( - Object obj) - { - if (!(obj instanceof DHPrivateKeyParameters)) - { - return false; - } - - DHPrivateKeyParameters other = (DHPrivateKeyParameters)obj; - - return other.getX().equals(this.x) && super.equals(obj); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/DHPublicKeyParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/DHPublicKeyParameters.java deleted file mode 100644 index ed531603..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/DHPublicKeyParameters.java +++ /dev/null @@ -1,41 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.math.BigInteger; - -public class DHPublicKeyParameters - extends DHKeyParameters -{ - private BigInteger y; - - public DHPublicKeyParameters( - BigInteger y, - DHParameters params) - { - super(false, params); - - this.y = y; - } - - public BigInteger getY() - { - return y; - } - - public int hashCode() - { - return y.hashCode() ^ super.hashCode(); - } - - public boolean equals( - Object obj) - { - if (!(obj instanceof DHPublicKeyParameters)) - { - return false; - } - - DHPublicKeyParameters other = (DHPublicKeyParameters)obj; - - return other.getY().equals(y) && super.equals(obj); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/DHValidationParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/DHValidationParameters.java deleted file mode 100644 index b22f7a03..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/DHValidationParameters.java +++ /dev/null @@ -1,50 +0,0 @@ -package org.bouncycastle.crypto.params; - -import org.bouncycastle.util.Arrays; - -public class DHValidationParameters -{ - private byte[] seed; - private int counter; - - public DHValidationParameters( - byte[] seed, - int counter) - { - this.seed = seed; - this.counter = counter; - } - - public int getCounter() - { - return counter; - } - - public byte[] getSeed() - { - return seed; - } - - public boolean equals( - Object o) - { - if (!(o instanceof DHValidationParameters)) - { - return false; - } - - DHValidationParameters other = (DHValidationParameters)o; - - if (other.counter != this.counter) - { - return false; - } - - return Arrays.areEqual(this.seed, other.seed); - } - - public int hashCode() - { - return counter ^ Arrays.hashCode(seed); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/DSAKeyGenerationParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/DSAKeyGenerationParameters.java deleted file mode 100644 index 29fa91e6..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/DSAKeyGenerationParameters.java +++ /dev/null @@ -1,25 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.security.SecureRandom; - -import org.bouncycastle.crypto.KeyGenerationParameters; - -public class DSAKeyGenerationParameters - extends KeyGenerationParameters -{ - private DSAParameters params; - - public DSAKeyGenerationParameters( - SecureRandom random, - DSAParameters params) - { - super(random, params.getP().bitLength() - 1); - - this.params = params; - } - - public DSAParameters getParameters() - { - return params; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/DSAKeyParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/DSAKeyParameters.java deleted file mode 100644 index 11bb9d97..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/DSAKeyParameters.java +++ /dev/null @@ -1,21 +0,0 @@ -package org.bouncycastle.crypto.params; - -public class DSAKeyParameters - extends AsymmetricKeyParameter -{ - private DSAParameters params; - - public DSAKeyParameters( - boolean isPrivate, - DSAParameters params) - { - super(isPrivate); - - this.params = params; - } - - public DSAParameters getParameters() - { - return params; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/DSAParameterGenerationParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/DSAParameterGenerationParameters.java deleted file mode 100644 index ba841b8e..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/DSAParameterGenerationParameters.java +++ /dev/null @@ -1,80 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.security.SecureRandom; - -public class DSAParameterGenerationParameters -{ - public static final int DIGITAL_SIGNATURE_USAGE = 1; - public static final int KEY_ESTABLISHMENT_USAGE = 2; - - private final int l; - private final int n; - private final int usageIndex; - private final int certainty; - private final SecureRandom random; - - /** - * Construct without a usage index, this will do a random construction of G. - * - * @param L desired length of prime P in bits (the effective key size). - * @param N desired length of prime Q in bits. - * @param certainty certainty level for prime number generation. - * @param random the source of randomness to use. - */ - public DSAParameterGenerationParameters( - int L, - int N, - int certainty, - SecureRandom random) - { - this(L, N, certainty, random, -1); - } - - /** - * Construct for a specific usage index - this has the effect of using verifiable canonical generation of G. - * - * @param L desired length of prime P in bits (the effective key size). - * @param N desired length of prime Q in bits. - * @param certainty certainty level for prime number generation. - * @param random the source of randomness to use. - * @param usageIndex a valid usage index. - */ - public DSAParameterGenerationParameters( - int L, - int N, - int certainty, - SecureRandom random, - int usageIndex) - { - this.l = L; - this.n = N; - this.certainty = certainty; - this.usageIndex = usageIndex; - this.random = random; - } - - public int getL() - { - return l; - } - - public int getN() - { - return n; - } - - public int getCertainty() - { - return certainty; - } - - public SecureRandom getRandom() - { - return random; - } - - public int getUsageIndex() - { - return usageIndex; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/DSAParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/DSAParameters.java deleted file mode 100644 index 7f76d117..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/DSAParameters.java +++ /dev/null @@ -1,74 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.math.BigInteger; - -import org.bouncycastle.crypto.CipherParameters; - -public class DSAParameters - implements CipherParameters -{ - private BigInteger g; - private BigInteger q; - private BigInteger p; - private DSAValidationParameters validation; - - public DSAParameters( - BigInteger p, - BigInteger q, - BigInteger g) - { - this.g = g; - this.p = p; - this.q = q; - } - - public DSAParameters( - BigInteger p, - BigInteger q, - BigInteger g, - DSAValidationParameters params) - { - this.g = g; - this.p = p; - this.q = q; - this.validation = params; - } - - public BigInteger getP() - { - return p; - } - - public BigInteger getQ() - { - return q; - } - - public BigInteger getG() - { - return g; - } - - public DSAValidationParameters getValidationParameters() - { - return validation; - } - - public boolean equals( - Object obj) - { - if (!(obj instanceof DSAParameters)) - { - return false; - } - - DSAParameters pm = (DSAParameters)obj; - - return (pm.getP().equals(p) && pm.getQ().equals(q) && pm.getG().equals(g)); - } - - public int hashCode() - { - return getP().hashCode() ^ getQ().hashCode() ^ getG().hashCode(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/DSAPrivateKeyParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/DSAPrivateKeyParameters.java deleted file mode 100644 index 3bef3f40..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/DSAPrivateKeyParameters.java +++ /dev/null @@ -1,23 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.math.BigInteger; - -public class DSAPrivateKeyParameters - extends DSAKeyParameters -{ - private BigInteger x; - - public DSAPrivateKeyParameters( - BigInteger x, - DSAParameters params) - { - super(true, params); - - this.x = x; - } - - public BigInteger getX() - { - return x; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/DSAPublicKeyParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/DSAPublicKeyParameters.java deleted file mode 100644 index c0066568..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/DSAPublicKeyParameters.java +++ /dev/null @@ -1,23 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.math.BigInteger; - -public class DSAPublicKeyParameters - extends DSAKeyParameters -{ - private BigInteger y; - - public DSAPublicKeyParameters( - BigInteger y, - DSAParameters params) - { - super(false, params); - - this.y = y; - } - - public BigInteger getY() - { - return y; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/DSAValidationParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/DSAValidationParameters.java deleted file mode 100644 index 07d93d07..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/DSAValidationParameters.java +++ /dev/null @@ -1,65 +0,0 @@ -package org.bouncycastle.crypto.params; - -import org.bouncycastle.util.Arrays; - -public class DSAValidationParameters -{ - private int usageIndex; - private byte[] seed; - private int counter; - - public DSAValidationParameters( - byte[] seed, - int counter) - { - this(seed, counter, -1); - } - - public DSAValidationParameters( - byte[] seed, - int counter, - int usageIndex) - { - this.seed = seed; - this.counter = counter; - this.usageIndex = usageIndex; - } - - public int getCounter() - { - return counter; - } - - public byte[] getSeed() - { - return seed; - } - - public int getUsageIndex() - { - return usageIndex; - } - - public int hashCode() - { - return counter ^ Arrays.hashCode(seed); - } - - public boolean equals( - Object o) - { - if (!(o instanceof DSAValidationParameters)) - { - return false; - } - - DSAValidationParameters other = (DSAValidationParameters)o; - - if (other.counter != this.counter) - { - return false; - } - - return Arrays.areEqual(this.seed, other.seed); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/ECDomainParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/ECDomainParameters.java deleted file mode 100644 index 9cc6e727..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/ECDomainParameters.java +++ /dev/null @@ -1,74 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.math.BigInteger; - -import org.bouncycastle.math.ec.ECConstants; -import org.bouncycastle.math.ec.ECCurve; -import org.bouncycastle.math.ec.ECPoint; -import org.bouncycastle.util.Arrays; - -public class ECDomainParameters - implements ECConstants -{ - private ECCurve curve; - private byte[] seed; - private ECPoint G; - private BigInteger n; - private BigInteger h; - - public ECDomainParameters( - ECCurve curve, - ECPoint G, - BigInteger n) - { - this(curve, G, n, ONE, null); - } - - public ECDomainParameters( - ECCurve curve, - ECPoint G, - BigInteger n, - BigInteger h) - { - this(curve, G, n, h, null); - } - - public ECDomainParameters( - ECCurve curve, - ECPoint G, - BigInteger n, - BigInteger h, - byte[] seed) - { - this.curve = curve; - this.G = G.normalize(); - this.n = n; - this.h = h; - this.seed = seed; - } - - public ECCurve getCurve() - { - return curve; - } - - public ECPoint getG() - { - return G; - } - - public BigInteger getN() - { - return n; - } - - public BigInteger getH() - { - return h; - } - - public byte[] getSeed() - { - return Arrays.clone(seed); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/ECKeyGenerationParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/ECKeyGenerationParameters.java deleted file mode 100644 index be3f20f5..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/ECKeyGenerationParameters.java +++ /dev/null @@ -1,25 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.security.SecureRandom; - -import org.bouncycastle.crypto.KeyGenerationParameters; - -public class ECKeyGenerationParameters - extends KeyGenerationParameters -{ - private ECDomainParameters domainParams; - - public ECKeyGenerationParameters( - ECDomainParameters domainParams, - SecureRandom random) - { - super(random, domainParams.getN().bitLength()); - - this.domainParams = domainParams; - } - - public ECDomainParameters getDomainParameters() - { - return domainParams; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/ECKeyParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/ECKeyParameters.java deleted file mode 100644 index 19825c5b..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/ECKeyParameters.java +++ /dev/null @@ -1,21 +0,0 @@ -package org.bouncycastle.crypto.params; - -public class ECKeyParameters - extends AsymmetricKeyParameter -{ - ECDomainParameters params; - - protected ECKeyParameters( - boolean isPrivate, - ECDomainParameters params) - { - super(isPrivate); - - this.params = params; - } - - public ECDomainParameters getParameters() - { - return params; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/ECNamedDomainParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/ECNamedDomainParameters.java deleted file mode 100644 index 5b694bec..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/ECNamedDomainParameters.java +++ /dev/null @@ -1,35 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.math.BigInteger; - -import org.bouncycastle.asn1.ASN1ObjectIdentifier; -import org.bouncycastle.math.ec.ECCurve; -import org.bouncycastle.math.ec.ECPoint; - -public class ECNamedDomainParameters - extends ECDomainParameters -{ - private ASN1ObjectIdentifier name; - - public ECNamedDomainParameters(ASN1ObjectIdentifier name, ECCurve curve, ECPoint G, BigInteger n) - { - this(name, curve, G, n, null, null); - } - - public ECNamedDomainParameters(ASN1ObjectIdentifier name, ECCurve curve, ECPoint G, BigInteger n, BigInteger h) - { - this(name, curve, G, n, h, null); - } - - public ECNamedDomainParameters(ASN1ObjectIdentifier name, ECCurve curve, ECPoint G, BigInteger n, BigInteger h, byte[] seed) - { - super(curve, G, n, h, seed); - - this.name = name; - } - - public ASN1ObjectIdentifier getName() - { - return name; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/ECPrivateKeyParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/ECPrivateKeyParameters.java deleted file mode 100644 index 3e49983e..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/ECPrivateKeyParameters.java +++ /dev/null @@ -1,22 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.math.BigInteger; - -public class ECPrivateKeyParameters - extends ECKeyParameters -{ - BigInteger d; - - public ECPrivateKeyParameters( - BigInteger d, - ECDomainParameters params) - { - super(true, params); - this.d = d; - } - - public BigInteger getD() - { - return d; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/ECPublicKeyParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/ECPublicKeyParameters.java deleted file mode 100644 index b6b3fb6d..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/ECPublicKeyParameters.java +++ /dev/null @@ -1,22 +0,0 @@ -package org.bouncycastle.crypto.params; - -import org.bouncycastle.math.ec.ECPoint; - -public class ECPublicKeyParameters - extends ECKeyParameters -{ - ECPoint Q; - - public ECPublicKeyParameters( - ECPoint Q, - ECDomainParameters params) - { - super(false, params); - this.Q = Q.normalize(); - } - - public ECPoint getQ() - { - return Q; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/ElGamalKeyGenerationParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/ElGamalKeyGenerationParameters.java deleted file mode 100644 index f5fbabd5..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/ElGamalKeyGenerationParameters.java +++ /dev/null @@ -1,30 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.security.SecureRandom; - -import org.bouncycastle.crypto.KeyGenerationParameters; - -public class ElGamalKeyGenerationParameters - extends KeyGenerationParameters -{ - private ElGamalParameters params; - - public ElGamalKeyGenerationParameters( - SecureRandom random, - ElGamalParameters params) - { - super(random, getStrength(params)); - - this.params = params; - } - - public ElGamalParameters getParameters() - { - return params; - } - - static int getStrength(ElGamalParameters params) - { - return params.getL() != 0 ? params.getL() : params.getP().bitLength(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/ElGamalKeyParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/ElGamalKeyParameters.java deleted file mode 100644 index 72506931..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/ElGamalKeyParameters.java +++ /dev/null @@ -1,47 +0,0 @@ -package org.bouncycastle.crypto.params; - - -public class ElGamalKeyParameters - extends AsymmetricKeyParameter -{ - private ElGamalParameters params; - - protected ElGamalKeyParameters( - boolean isPrivate, - ElGamalParameters params) - { - super(isPrivate); - - this.params = params; - } - - public ElGamalParameters getParameters() - { - return params; - } - - public int hashCode() - { - return (params != null) ? params.hashCode() : 0; - } - - public boolean equals( - Object obj) - { - if (!(obj instanceof ElGamalKeyParameters)) - { - return false; - } - - ElGamalKeyParameters dhKey = (ElGamalKeyParameters)obj; - - if (params == null) - { - return dhKey.getParameters() == null; - } - else - { - return params.equals(dhKey.getParameters()); - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/ElGamalParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/ElGamalParameters.java deleted file mode 100644 index 166eff35..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/ElGamalParameters.java +++ /dev/null @@ -1,69 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.math.BigInteger; - -import org.bouncycastle.crypto.CipherParameters; - -public class ElGamalParameters - implements CipherParameters -{ - private BigInteger g; - private BigInteger p; - private int l; - - public ElGamalParameters( - BigInteger p, - BigInteger g) - { - this(p, g, 0); - } - - public ElGamalParameters( - BigInteger p, - BigInteger g, - int l) - { - this.g = g; - this.p = p; - this.l = l; - } - - public BigInteger getP() - { - return p; - } - - /** - * return the generator - g - */ - public BigInteger getG() - { - return g; - } - - /** - * return private value limit - l - */ - public int getL() - { - return l; - } - - public boolean equals( - Object obj) - { - if (!(obj instanceof ElGamalParameters)) - { - return false; - } - - ElGamalParameters pm = (ElGamalParameters)obj; - - return pm.getP().equals(p) && pm.getG().equals(g) && pm.getL() == l; - } - - public int hashCode() - { - return (getP().hashCode() ^ getG().hashCode()) + l; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/ElGamalPrivateKeyParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/ElGamalPrivateKeyParameters.java deleted file mode 100644 index b8fb529f..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/ElGamalPrivateKeyParameters.java +++ /dev/null @@ -1,46 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.math.BigInteger; - -public class ElGamalPrivateKeyParameters - extends ElGamalKeyParameters -{ - private BigInteger x; - - public ElGamalPrivateKeyParameters( - BigInteger x, - ElGamalParameters params) - { - super(true, params); - - this.x = x; - } - - public BigInteger getX() - { - return x; - } - - public boolean equals( - Object obj) - { - if (!(obj instanceof ElGamalPrivateKeyParameters)) - { - return false; - } - - ElGamalPrivateKeyParameters pKey = (ElGamalPrivateKeyParameters)obj; - - if (!pKey.getX().equals(x)) - { - return false; - } - - return super.equals(obj); - } - - public int hashCode() - { - return getX().hashCode(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/ElGamalPublicKeyParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/ElGamalPublicKeyParameters.java deleted file mode 100644 index d7da7a93..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/ElGamalPublicKeyParameters.java +++ /dev/null @@ -1,41 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.math.BigInteger; - -public class ElGamalPublicKeyParameters - extends ElGamalKeyParameters -{ - private BigInteger y; - - public ElGamalPublicKeyParameters( - BigInteger y, - ElGamalParameters params) - { - super(false, params); - - this.y = y; - } - - public BigInteger getY() - { - return y; - } - - public int hashCode() - { - return y.hashCode() ^ super.hashCode(); - } - - public boolean equals( - Object obj) - { - if (!(obj instanceof ElGamalPublicKeyParameters)) - { - return false; - } - - ElGamalPublicKeyParameters other = (ElGamalPublicKeyParameters)obj; - - return other.getY().equals(y) && super.equals(obj); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/GOST3410KeyGenerationParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/GOST3410KeyGenerationParameters.java deleted file mode 100644 index 74e05a96..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/GOST3410KeyGenerationParameters.java +++ /dev/null @@ -1,25 +0,0 @@ -package org.bouncycastle.crypto.params; - -import org.bouncycastle.crypto.KeyGenerationParameters; - -import java.security.SecureRandom; - -public class GOST3410KeyGenerationParameters - extends KeyGenerationParameters -{ - private GOST3410Parameters params; - - public GOST3410KeyGenerationParameters( - SecureRandom random, - GOST3410Parameters params) - { - super(random, params.getP().bitLength() - 1); - - this.params = params; - } - - public GOST3410Parameters getParameters() - { - return params; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/GOST3410KeyParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/GOST3410KeyParameters.java deleted file mode 100644 index 6716924a..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/GOST3410KeyParameters.java +++ /dev/null @@ -1,21 +0,0 @@ -package org.bouncycastle.crypto.params; - -public class GOST3410KeyParameters - extends AsymmetricKeyParameter -{ - private GOST3410Parameters params; - - public GOST3410KeyParameters( - boolean isPrivate, - GOST3410Parameters params) - { - super(isPrivate); - - this.params = params; - } - - public GOST3410Parameters getParameters() - { - return params; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/GOST3410Parameters.java b/core/src/main/java/org/bouncycastle/crypto/params/GOST3410Parameters.java deleted file mode 100644 index 07450f61..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/GOST3410Parameters.java +++ /dev/null @@ -1,74 +0,0 @@ -package org.bouncycastle.crypto.params; - -import org.bouncycastle.crypto.CipherParameters; - -import java.math.BigInteger; - -public class GOST3410Parameters - implements CipherParameters -{ - private BigInteger p; - private BigInteger q; - private BigInteger a; - private GOST3410ValidationParameters validation; - - public GOST3410Parameters( - BigInteger p, - BigInteger q, - BigInteger a) - { - this.p = p; - this.q = q; - this.a = a; - } - - public GOST3410Parameters( - BigInteger p, - BigInteger q, - BigInteger a, - GOST3410ValidationParameters params) - { - this.a = a; - this.p = p; - this.q = q; - this.validation = params; - } - - public BigInteger getP() - { - return p; - } - - public BigInteger getQ() - { - return q; - } - - public BigInteger getA() - { - return a; - } - - public GOST3410ValidationParameters getValidationParameters() - { - return validation; - } - - public int hashCode() - { - return p.hashCode() ^ q.hashCode() ^ a.hashCode(); - } - - public boolean equals( - Object obj) - { - if (!(obj instanceof GOST3410Parameters)) - { - return false; - } - - GOST3410Parameters pm = (GOST3410Parameters)obj; - - return (pm.getP().equals(p) && pm.getQ().equals(q) && pm.getA().equals(a)); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/GOST3410PrivateKeyParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/GOST3410PrivateKeyParameters.java deleted file mode 100644 index 408e0657..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/GOST3410PrivateKeyParameters.java +++ /dev/null @@ -1,23 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.math.BigInteger; - -public class GOST3410PrivateKeyParameters - extends GOST3410KeyParameters -{ - private BigInteger x; - - public GOST3410PrivateKeyParameters( - BigInteger x, - GOST3410Parameters params) - { - super(true, params); - - this.x = x; - } - - public BigInteger getX() - { - return x; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/GOST3410PublicKeyParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/GOST3410PublicKeyParameters.java deleted file mode 100644 index 9dfd2d98..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/GOST3410PublicKeyParameters.java +++ /dev/null @@ -1,23 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.math.BigInteger; - -public class GOST3410PublicKeyParameters - extends GOST3410KeyParameters -{ - private BigInteger y; - - public GOST3410PublicKeyParameters( - BigInteger y, - GOST3410Parameters params) - { - super(false, params); - - this.y = y; - } - - public BigInteger getY() - { - return y; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/GOST3410ValidationParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/GOST3410ValidationParameters.java deleted file mode 100644 index c2a4fb57..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/GOST3410ValidationParameters.java +++ /dev/null @@ -1,84 +0,0 @@ -package org.bouncycastle.crypto.params; - -public class GOST3410ValidationParameters -{ - private int x0; - private int c; - private long x0L; - private long cL; - - - public GOST3410ValidationParameters( - int x0, - int c) - { - this.x0 = x0; - this.c = c; - } - - public GOST3410ValidationParameters( - long x0L, - long cL) - { - this.x0L = x0L; - this.cL = cL; - } - - public int getC() - { - return c; - } - - public int getX0() - { - return x0; - } - - public long getCL() - { - return cL; - } - - public long getX0L() - { - return x0L; - } - - public boolean equals( - Object o) - { - if (!(o instanceof GOST3410ValidationParameters)) - { - return false; - } - - GOST3410ValidationParameters other = (GOST3410ValidationParameters)o; - - if (other.c != this.c) - { - return false; - } - - if (other.x0 != this.x0) - { - return false; - } - - if (other.cL != this.cL) - { - return false; - } - - if (other.x0L != this.x0L) - { - return false; - } - - return true; - } - - public int hashCode() - { - return x0 ^ c ^ (int) x0L ^ (int)(x0L >> 32) ^ (int) cL ^ (int)(cL >> 32); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/HKDFParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/HKDFParameters.java deleted file mode 100644 index 2db3ce61..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/HKDFParameters.java +++ /dev/null @@ -1,123 +0,0 @@ -package org.bouncycastle.crypto.params; - -import org.bouncycastle.crypto.DerivationParameters; -import org.bouncycastle.util.Arrays; - -/** - * Parameter class for the HKDFBytesGenerator class. - */ -public class HKDFParameters - implements DerivationParameters -{ - private final byte[] ikm; - private final boolean skipExpand; - private final byte[] salt; - private final byte[] info; - - private HKDFParameters(final byte[] ikm, final boolean skip, - final byte[] salt, final byte[] info) - { - if (ikm == null) - { - throw new IllegalArgumentException( - "IKM (input keying material) should not be null"); - } - - this.ikm = Arrays.clone(ikm); - - this.skipExpand = skip; - - if (salt == null || salt.length == 0) - { - this.salt = null; - } - else - { - this.salt = Arrays.clone(salt); - } - - if (info == null) - { - this.info = new byte[0]; - } - else - { - this.info = Arrays.clone(info); - } - } - - /** - * Generates parameters for HKDF, specifying both the optional salt and - * optional info. Step 1: Extract won't be skipped. - * - * @param ikm the input keying material or seed - * @param salt the salt to use, may be null for a salt for hashLen zeros - * @param info the info to use, may be null for an info field of zero bytes - */ - public HKDFParameters(final byte[] ikm, final byte[] salt, final byte[] info) - { - this(ikm, false, salt, info); - } - - /** - * Factory method that makes the HKDF skip the extract part of the key - * derivation function. - * - * @param ikm the input keying material or seed, directly used for step 2: - * Expand - * @param info the info to use, may be null for an info field of zero bytes - * @return HKDFParameters that makes the implementation skip step 1 - */ - public static HKDFParameters skipExtractParameters(final byte[] ikm, - final byte[] info) - { - - return new HKDFParameters(ikm, true, null, info); - } - - public static HKDFParameters defaultParameters(final byte[] ikm) - { - return new HKDFParameters(ikm, false, null, null); - } - - /** - * Returns the input keying material or seed. - * - * @return the keying material - */ - public byte[] getIKM() - { - return Arrays.clone(ikm); - } - - /** - * Returns if step 1: extract has to be skipped or not - * - * @return true for skipping, false for no skipping of step 1 - */ - public boolean skipExtract() - { - return skipExpand; - } - - /** - * Returns the salt, or null if the salt should be generated as a byte array - * of HashLen zeros. - * - * @return the salt, or null - */ - public byte[] getSalt() - { - return Arrays.clone(salt); - } - - /** - * Returns the info field, which may be empty (null is converted to empty). - * - * @return the info field, never null - */ - public byte[] getInfo() - { - return Arrays.clone(info); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/IESParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/IESParameters.java deleted file mode 100644 index 0600b346..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/IESParameters.java +++ /dev/null @@ -1,44 +0,0 @@ -package org.bouncycastle.crypto.params; - -import org.bouncycastle.crypto.CipherParameters; - -/** - * parameters for using an integrated cipher in stream mode. - */ -public class IESParameters - implements CipherParameters -{ - private byte[] derivation; - private byte[] encoding; - private int macKeySize; - - /** - * @param derivation the derivation parameter for the KDF function. - * @param encoding the encoding parameter for the KDF function. - * @param macKeySize the size of the MAC key (in bits). - */ - public IESParameters( - byte[] derivation, - byte[] encoding, - int macKeySize) - { - this.derivation = derivation; - this.encoding = encoding; - this.macKeySize = macKeySize; - } - - public byte[] getDerivationV() - { - return derivation; - } - - public byte[] getEncodingV() - { - return encoding; - } - - public int getMacKeySize() - { - return macKeySize; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/IESWithCipherParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/IESWithCipherParameters.java deleted file mode 100644 index ef61b2cc..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/IESWithCipherParameters.java +++ /dev/null @@ -1,30 +0,0 @@ -package org.bouncycastle.crypto.params; - - -public class IESWithCipherParameters - extends IESParameters -{ - private int cipherKeySize; - - /** - * @param derivation the derivation parameter for the KDF function. - * @param encoding the encoding parameter for the KDF function. - * @param macKeySize the size of the MAC key (in bits). - * @param cipherKeySize the size of the associated Cipher key (in bits). - */ - public IESWithCipherParameters( - byte[] derivation, - byte[] encoding, - int macKeySize, - int cipherKeySize) - { - super(derivation, encoding, macKeySize); - - this.cipherKeySize = cipherKeySize; - } - - public int getCipherKeySize() - { - return cipherKeySize; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/ISO18033KDFParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/ISO18033KDFParameters.java deleted file mode 100644 index 8dffe2ee..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/ISO18033KDFParameters.java +++ /dev/null @@ -1,23 +0,0 @@ -package org.bouncycastle.crypto.params; - -import org.bouncycastle.crypto.DerivationParameters; - -/** - * parameters for Key derivation functions for ISO-18033 - */ -public class ISO18033KDFParameters - implements DerivationParameters -{ - byte[] seed; - - public ISO18033KDFParameters( - byte[] seed) - { - this.seed = seed; - } - - public byte[] getSeed() - { - return seed; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/KDFCounterParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/KDFCounterParameters.java deleted file mode 100644 index 29d8b369..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/KDFCounterParameters.java +++ /dev/null @@ -1,120 +0,0 @@ -package org.bouncycastle.crypto.params; - -import org.bouncycastle.crypto.DerivationParameters; -import org.bouncycastle.util.Arrays; - -/** - * This KDF has been defined by the publicly available NIST SP 800-108 specification. - * NIST SP800-108 allows for alternative orderings of the input fields, meaning that the input can be formated in multiple ways. - * There are 3 supported formats: - Below [i]_2 is a counter of r-bits length concatenated to the fixedInputData. - * <ul> - * <li>1: K(i) := PRF( KI, [i]_2 || Label || 0x00 || Context || [L]_2 ) with the counter at the very beginning of the fixedInputData (The default implementation has this format)</li> - * <li>2: K(i) := PRF( KI, Label || 0x00 || Context || [L]_2 || [i]_2 ) with the counter at the very end of the fixedInputData</li> - * <li>3a: K(i) := PRF( KI, Label || 0x00 || [i]_2 || Context || [L]_2 ) OR:</li> - * <li>3b: K(i) := PRF( KI, Label || 0x00 || [i]_2 || [L]_2 || Context ) OR:</li> - * <li>3c: K(i) := PRF( KI, Label || [i]_2 || 0x00 || Context || [L]_2 ) etc... with the counter somewhere in the 'middle' of the fixedInputData.</li> - * </ul> - * <p> - * This function must be called with the following KDFCounterParameters(): - * - KI <br/> - * - The part of the fixedInputData that comes BEFORE the counter OR null <br/> - * - the part of the fixedInputData that comes AFTER the counter OR null <br/> - * - the length of the counter in bits (not bytes) <br/> - * </p> - * Resulting function calls assuming an 8 bit counter. - * <ul> - * <li>1. KDFCounterParameters(ki, null, "Label || 0x00 || Context || [L]_2]", 8); </li> - * <li>2. KDFCounterParameters(ki, "Label || 0x00 || Context || [L]_2]", null, 8); </li> - * <li>3a. KDFCounterParameters(ki, "Label || 0x00", "Context || [L]_2]", 8); </li> - * <li>3b. KDFCounterParameters(ki, "Label || 0x00", "[L]_2] || Context", 8);</li> - * <li>3c. KDFCounterParameters(ki, "Label", "0x00 || Context || [L]_2]", 8); </li> - * </ul> - */ -public final class KDFCounterParameters - implements DerivationParameters -{ - - private byte[] ki; - private byte[] fixedInputDataCounterPrefix; - private byte[] fixedInputDataCounterSuffix; - private int r; - - /** - * Base constructor - suffix fixed input data only. - * - * @param ki the KDF seed - * @param fixedInputDataCounterSuffix fixed input data to follow counter. - * @param r length of the counter in bits. - */ - public KDFCounterParameters(byte[] ki, byte[] fixedInputDataCounterSuffix, int r) - { - this(ki, null, fixedInputDataCounterSuffix, r); - } - - /** - * Base constructor - prefix and suffix fixed input data. - * - * @param ki the KDF seed - * @param fixedInputDataCounterPrefix fixed input data to precede counter - * @param fixedInputDataCounterSuffix fixed input data to follow counter. - * @param r length of the counter in bits. - */ - public KDFCounterParameters(byte[] ki, byte[] fixedInputDataCounterPrefix, byte[] fixedInputDataCounterSuffix, int r) - { - if (ki == null) - { - throw new IllegalArgumentException("A KDF requires Ki (a seed) as input"); - } - this.ki = Arrays.clone(ki); - - if (fixedInputDataCounterPrefix == null) - { - this.fixedInputDataCounterPrefix = new byte[0]; - } - else - { - this.fixedInputDataCounterPrefix = Arrays.clone(fixedInputDataCounterPrefix); - } - - if (fixedInputDataCounterSuffix == null) - { - this.fixedInputDataCounterSuffix = new byte[0]; - } - else - { - this.fixedInputDataCounterSuffix = Arrays.clone(fixedInputDataCounterSuffix); - } - - if (r != 8 && r != 16 && r != 24 && r != 32) - { - throw new IllegalArgumentException("Length of counter should be 8, 16, 24 or 32"); - } - this.r = r; - } - - public byte[] getKI() - { - return ki; - } - - public byte[] getFixedInputData() - { - //Retained for backwards compatibility - return Arrays.clone(fixedInputDataCounterSuffix); - } - - public byte[] getFixedInputDataCounterPrefix() - { - return Arrays.clone(fixedInputDataCounterPrefix); - } - - public byte[] getFixedInputDataCounterSuffix() - { - return Arrays.clone(fixedInputDataCounterSuffix); - } - - public int getR() - { - return r; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/KDFDoublePipelineIterationParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/KDFDoublePipelineIterationParameters.java deleted file mode 100644 index 383678aa..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/KDFDoublePipelineIterationParameters.java +++ /dev/null @@ -1,80 +0,0 @@ -package org.bouncycastle.crypto.params; - -import org.bouncycastle.crypto.DerivationParameters; -import org.bouncycastle.util.Arrays; - -/** - * Note that counter is only supported at the location presented in the - * NIST SP 800-108 specification, not in the additional locations present - * in the CAVP test vectors. - */ -public final class KDFDoublePipelineIterationParameters - implements DerivationParameters -{ - - // could be any valid value, using 32, don't know why - private static final int UNUSED_R = 32; - - private final byte[] ki; - private final boolean useCounter; - private final int r; - private final byte[] fixedInputData; - - private KDFDoublePipelineIterationParameters(byte[] ki, byte[] fixedInputData, int r, boolean useCounter) - { - if (ki == null) - { - throw new IllegalArgumentException("A KDF requires Ki (a seed) as input"); - } - this.ki = Arrays.clone(ki); - - if (fixedInputData == null) - { - this.fixedInputData = new byte[0]; - } - else - { - this.fixedInputData = Arrays.clone(fixedInputData); - } - - if (r != 8 && r != 16 && r != 24 && r != 32) - { - throw new IllegalArgumentException("Length of counter should be 8, 16, 24 or 32"); - } - this.r = r; - - this.useCounter = useCounter; - } - - public static KDFDoublePipelineIterationParameters createWithCounter( - byte[] ki, byte[] fixedInputData, int r) - { - return new KDFDoublePipelineIterationParameters(ki, fixedInputData, r, true); - } - - public static KDFDoublePipelineIterationParameters createWithoutCounter( - byte[] ki, byte[] fixedInputData) - { - return new KDFDoublePipelineIterationParameters(ki, fixedInputData, UNUSED_R, false); - } - - public byte[] getKI() - { - return ki; - } - - public boolean useCounter() - { - return useCounter; - } - - public int getR() - { - return r; - } - - public byte[] getFixedInputData() - { - return Arrays.clone(fixedInputData); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/KDFFeedbackParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/KDFFeedbackParameters.java deleted file mode 100644 index 8a6e7f57..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/KDFFeedbackParameters.java +++ /dev/null @@ -1,96 +0,0 @@ -package org.bouncycastle.crypto.params; - -import org.bouncycastle.crypto.DerivationParameters; -import org.bouncycastle.util.Arrays; - -/** - * Note that counter is only supported at the location presented in the - * NIST SP 800-108 specification, not in the additional locations present - * in the CAVP test vectors. - */ -public final class KDFFeedbackParameters - implements DerivationParameters -{ - - // could be any valid value, using 32, don't know why - private static final int UNUSED_R = -1; - - private final byte[] ki; - private final byte[] iv; - private final boolean useCounter; - private final int r; - private final byte[] fixedInputData; - - private KDFFeedbackParameters(byte[] ki, byte[] iv, byte[] fixedInputData, int r, boolean useCounter) - { - if (ki == null) - { - throw new IllegalArgumentException("A KDF requires Ki (a seed) as input"); - } - this.ki = Arrays.clone(ki); - - if (fixedInputData == null) - { - this.fixedInputData = new byte[0]; - } - else - { - this.fixedInputData = Arrays.clone(fixedInputData); - } - - this.r = r; - - if (iv == null) - { - this.iv = new byte[0]; - } - else - { - this.iv = Arrays.clone(iv); - } - - this.useCounter = useCounter; - } - - public static KDFFeedbackParameters createWithCounter( - byte[] ki, final byte[] iv, byte[] fixedInputData, int r) - { - if (r != 8 && r != 16 && r != 24 && r != 32) - { - throw new IllegalArgumentException("Length of counter should be 8, 16, 24 or 32"); - } - - return new KDFFeedbackParameters(ki, iv, fixedInputData, r, true); - } - - public static KDFFeedbackParameters createWithoutCounter( - byte[] ki, final byte[] iv, byte[] fixedInputData) - { - return new KDFFeedbackParameters(ki, iv, fixedInputData, UNUSED_R, false); - } - - public byte[] getKI() - { - return ki; - } - - public byte[] getIV() - { - return iv; - } - - public boolean useCounter() - { - return useCounter; - } - - public int getR() - { - return r; - } - - public byte[] getFixedInputData() - { - return Arrays.clone(fixedInputData); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/KDFParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/KDFParameters.java deleted file mode 100644 index f3bac647..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/KDFParameters.java +++ /dev/null @@ -1,31 +0,0 @@ -package org.bouncycastle.crypto.params; - -import org.bouncycastle.crypto.DerivationParameters; - -/** - * parameters for Key derivation functions for IEEE P1363a - */ -public class KDFParameters - implements DerivationParameters -{ - byte[] iv; - byte[] shared; - - public KDFParameters( - byte[] shared, - byte[] iv) - { - this.shared = shared; - this.iv = iv; - } - - public byte[] getSharedSecret() - { - return shared; - } - - public byte[] getIV() - { - return iv; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/KeyParameter.java b/core/src/main/java/org/bouncycastle/crypto/params/KeyParameter.java deleted file mode 100644 index 5c4fe0e0..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/KeyParameter.java +++ /dev/null @@ -1,30 +0,0 @@ -package org.bouncycastle.crypto.params; - -import org.bouncycastle.crypto.CipherParameters; - -public class KeyParameter - implements CipherParameters -{ - private byte[] key; - - public KeyParameter( - byte[] key) - { - this(key, 0, key.length); - } - - public KeyParameter( - byte[] key, - int keyOff, - int keyLen) - { - this.key = new byte[keyLen]; - - System.arraycopy(key, keyOff, this.key, 0, keyLen); - } - - public byte[] getKey() - { - return key; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/MGFParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/MGFParameters.java deleted file mode 100644 index 847bd989..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/MGFParameters.java +++ /dev/null @@ -1,32 +0,0 @@ -package org.bouncycastle.crypto.params; - -import org.bouncycastle.crypto.DerivationParameters; - -/** - * parameters for mask derivation functions. - */ -public class MGFParameters - implements DerivationParameters -{ - byte[] seed; - - public MGFParameters( - byte[] seed) - { - this(seed, 0, seed.length); - } - - public MGFParameters( - byte[] seed, - int off, - int len) - { - this.seed = new byte[len]; - System.arraycopy(seed, off, this.seed, 0, len); - } - - public byte[] getSeed() - { - return seed; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/MQVPrivateParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/MQVPrivateParameters.java deleted file mode 100644 index 832c07fd..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/MQVPrivateParameters.java +++ /dev/null @@ -1,43 +0,0 @@ -package org.bouncycastle.crypto.params; - -import org.bouncycastle.crypto.CipherParameters; - -public class MQVPrivateParameters - implements CipherParameters -{ - private ECPrivateKeyParameters staticPrivateKey; - private ECPrivateKeyParameters ephemeralPrivateKey; - private ECPublicKeyParameters ephemeralPublicKey; - - public MQVPrivateParameters( - ECPrivateKeyParameters staticPrivateKey, - ECPrivateKeyParameters ephemeralPrivateKey) - { - this(staticPrivateKey, ephemeralPrivateKey, null); - } - - public MQVPrivateParameters( - ECPrivateKeyParameters staticPrivateKey, - ECPrivateKeyParameters ephemeralPrivateKey, - ECPublicKeyParameters ephemeralPublicKey) - { - this.staticPrivateKey = staticPrivateKey; - this.ephemeralPrivateKey = ephemeralPrivateKey; - this.ephemeralPublicKey = ephemeralPublicKey; - } - - public ECPrivateKeyParameters getStaticPrivateKey() - { - return staticPrivateKey; - } - - public ECPrivateKeyParameters getEphemeralPrivateKey() - { - return ephemeralPrivateKey; - } - - public ECPublicKeyParameters getEphemeralPublicKey() - { - return ephemeralPublicKey; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/MQVPublicParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/MQVPublicParameters.java deleted file mode 100644 index b3b24671..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/MQVPublicParameters.java +++ /dev/null @@ -1,28 +0,0 @@ -package org.bouncycastle.crypto.params; - -import org.bouncycastle.crypto.CipherParameters; - -public class MQVPublicParameters - implements CipherParameters -{ - private ECPublicKeyParameters staticPublicKey; - private ECPublicKeyParameters ephemeralPublicKey; - - public MQVPublicParameters( - ECPublicKeyParameters staticPublicKey, - ECPublicKeyParameters ephemeralPublicKey) - { - this.staticPublicKey = staticPublicKey; - this.ephemeralPublicKey = ephemeralPublicKey; - } - - public ECPublicKeyParameters getStaticPublicKey() - { - return staticPublicKey; - } - - public ECPublicKeyParameters getEphemeralPublicKey() - { - return ephemeralPublicKey; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/NaccacheSternKeyGenerationParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/NaccacheSternKeyGenerationParameters.java deleted file mode 100644 index 758fcd79..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/NaccacheSternKeyGenerationParameters.java +++ /dev/null @@ -1,97 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.security.SecureRandom; - -import org.bouncycastle.crypto.KeyGenerationParameters; - -/** - * Parameters for NaccacheStern public private key generation. For details on - * this cipher, please see - * - * http://www.gemplus.com/smart/rd/publications/pdf/NS98pkcs.pdf - */ -public class NaccacheSternKeyGenerationParameters extends KeyGenerationParameters -{ - - // private BigInteger publicExponent; - private int certainty; - - private int cntSmallPrimes; - - private boolean debug = false; - - /** - * Parameters for generating a NaccacheStern KeyPair. - * - * @param random - * The source of randomness - * @param strength - * The desired strength of the Key in Bits - * @param certainty - * the probability that the generated primes are not really prime - * as integer: 2^(-certainty) is then the probability - * @param cntSmallPrimes - * How many small key factors are desired - */ - public NaccacheSternKeyGenerationParameters(SecureRandom random, int strength, int certainty, int cntSmallPrimes) - { - this(random, strength, certainty, cntSmallPrimes, false); - } - - /** - * Parameters for a NaccacheStern KeyPair. - * - * @param random - * The source of randomness - * @param strength - * The desired strength of the Key in Bits - * @param certainty - * the probability that the generated primes are not really prime - * as integer: 2^(-certainty) is then the probability - * @param cntSmallPrimes - * How many small key factors are desired - * @param debug - * Turn debugging on or off (reveals secret information, use with - * caution) - */ - public NaccacheSternKeyGenerationParameters(SecureRandom random, - int strength, int certainty, int cntSmallPrimes, boolean debug) - { - super(random, strength); - - this.certainty = certainty; - if (cntSmallPrimes % 2 == 1) - { - throw new IllegalArgumentException("cntSmallPrimes must be a multiple of 2"); - } - if (cntSmallPrimes < 30) - { - throw new IllegalArgumentException("cntSmallPrimes must be >= 30 for security reasons"); - } - this.cntSmallPrimes = cntSmallPrimes; - - this.debug = debug; - } - - /** - * @return Returns the certainty. - */ - public int getCertainty() - { - return certainty; - } - - /** - * @return Returns the cntSmallPrimes. - */ - public int getCntSmallPrimes() - { - return cntSmallPrimes; - } - - public boolean isDebug() - { - return debug; - } - -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/NaccacheSternKeyParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/NaccacheSternKeyParameters.java deleted file mode 100644 index 21b6a286..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/NaccacheSternKeyParameters.java +++ /dev/null @@ -1,53 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.math.BigInteger; - -/** - * Public key parameters for NaccacheStern cipher. For details on this cipher, - * please see - * - * http://www.gemplus.com/smart/rd/publications/pdf/NS98pkcs.pdf - */ -public class NaccacheSternKeyParameters extends AsymmetricKeyParameter -{ - - private BigInteger g, n; - - int lowerSigmaBound; - - /** - * @param privateKey - */ - public NaccacheSternKeyParameters(boolean privateKey, BigInteger g, BigInteger n, int lowerSigmaBound) - { - super(privateKey); - this.g = g; - this.n = n; - this.lowerSigmaBound = lowerSigmaBound; - } - - /** - * @return Returns the g. - */ - public BigInteger getG() - { - return g; - } - - /** - * @return Returns the lowerSigmaBound. - */ - public int getLowerSigmaBound() - { - return lowerSigmaBound; - } - - /** - * @return Returns the n. - */ - public BigInteger getModulus() - { - return n; - } - -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/NaccacheSternPrivateKeyParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/NaccacheSternPrivateKeyParameters.java deleted file mode 100644 index 6d0ec486..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/NaccacheSternPrivateKeyParameters.java +++ /dev/null @@ -1,50 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.math.BigInteger; -import java.util.Vector; - -/** - * Private key parameters for NaccacheStern cipher. For details on this cipher, - * please see - * - * http://www.gemplus.com/smart/rd/publications/pdf/NS98pkcs.pdf - */ -public class NaccacheSternPrivateKeyParameters extends NaccacheSternKeyParameters -{ - private BigInteger phi_n; - private Vector smallPrimes; - - /** - * Constructs a NaccacheSternPrivateKey - * - * @param g - * the public enryption parameter g - * @param n - * the public modulus n = p*q - * @param lowerSigmaBound - * the public lower sigma bound up to which data can be encrypted - * @param smallPrimes - * the small primes, of which sigma is constructed in the right - * order - * @param phi_n - * the private modulus phi(n) = (p-1)(q-1) - */ - public NaccacheSternPrivateKeyParameters(BigInteger g, BigInteger n, - int lowerSigmaBound, Vector smallPrimes, - BigInteger phi_n) - { - super(true, g, n, lowerSigmaBound); - this.smallPrimes = smallPrimes; - this.phi_n = phi_n; - } - - public BigInteger getPhi_n() - { - return phi_n; - } - - public Vector getSmallPrimes() - { - return smallPrimes; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/ParametersWithIV.java b/core/src/main/java/org/bouncycastle/crypto/params/ParametersWithIV.java deleted file mode 100644 index 4a1e6e9a..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/ParametersWithIV.java +++ /dev/null @@ -1,39 +0,0 @@ -package org.bouncycastle.crypto.params; - -import org.bouncycastle.crypto.CipherParameters; - -public class ParametersWithIV - implements CipherParameters -{ - private byte[] iv; - private CipherParameters parameters; - - public ParametersWithIV( - CipherParameters parameters, - byte[] iv) - { - this(parameters, iv, 0, iv.length); - } - - public ParametersWithIV( - CipherParameters parameters, - byte[] iv, - int ivOff, - int ivLen) - { - this.iv = new byte[ivLen]; - this.parameters = parameters; - - System.arraycopy(iv, ivOff, this.iv, 0, ivLen); - } - - public byte[] getIV() - { - return iv; - } - - public CipherParameters getParameters() - { - return parameters; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/ParametersWithRandom.java b/core/src/main/java/org/bouncycastle/crypto/params/ParametersWithRandom.java deleted file mode 100644 index a7b18e51..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/ParametersWithRandom.java +++ /dev/null @@ -1,36 +0,0 @@ -package org.bouncycastle.crypto.params; - -import org.bouncycastle.crypto.CipherParameters; - -import java.security.SecureRandom; - -public class ParametersWithRandom - implements CipherParameters -{ - private SecureRandom random; - private CipherParameters parameters; - - public ParametersWithRandom( - CipherParameters parameters, - SecureRandom random) - { - this.random = random; - this.parameters = parameters; - } - - public ParametersWithRandom( - CipherParameters parameters) - { - this(parameters, new SecureRandom()); - } - - public SecureRandom getRandom() - { - return random; - } - - public CipherParameters getParameters() - { - return parameters; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/ParametersWithSBox.java b/core/src/main/java/org/bouncycastle/crypto/params/ParametersWithSBox.java deleted file mode 100644 index b226a9d9..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/ParametersWithSBox.java +++ /dev/null @@ -1,28 +0,0 @@ -package org.bouncycastle.crypto.params; - -import org.bouncycastle.crypto.CipherParameters; - -public class ParametersWithSBox - implements CipherParameters -{ - private CipherParameters parameters; - private byte[] sBox; - - public ParametersWithSBox( - CipherParameters parameters, - byte[] sBox) - { - this.parameters = parameters; - this.sBox = sBox; - } - - public byte[] getSBox() - { - return sBox; - } - - public CipherParameters getParameters() - { - return parameters; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/ParametersWithSalt.java b/core/src/main/java/org/bouncycastle/crypto/params/ParametersWithSalt.java deleted file mode 100644 index 73765dd5..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/ParametersWithSalt.java +++ /dev/null @@ -1,42 +0,0 @@ -package org.bouncycastle.crypto.params; - -import org.bouncycastle.crypto.CipherParameters; - -/** - * Cipher parameters with a fixed salt value associated with them. - */ -public class ParametersWithSalt - implements CipherParameters -{ - private byte[] salt; - private CipherParameters parameters; - - public ParametersWithSalt( - CipherParameters parameters, - byte[] salt) - { - this(parameters, salt, 0, salt.length); - } - - public ParametersWithSalt( - CipherParameters parameters, - byte[] salt, - int saltOff, - int saltLen) - { - this.salt = new byte[saltLen]; - this.parameters = parameters; - - System.arraycopy(salt, saltOff, this.salt, 0, saltLen); - } - - public byte[] getSalt() - { - return salt; - } - - public CipherParameters getParameters() - { - return parameters; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/RC2Parameters.java b/core/src/main/java/org/bouncycastle/crypto/params/RC2Parameters.java deleted file mode 100644 index dc33ec5b..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/RC2Parameters.java +++ /dev/null @@ -1,36 +0,0 @@ -package org.bouncycastle.crypto.params; - -import org.bouncycastle.crypto.CipherParameters; - -public class RC2Parameters - implements CipherParameters -{ - private byte[] key; - private int bits; - - public RC2Parameters( - byte[] key) - { - this(key, (key.length > 128) ? 1024 : (key.length * 8)); - } - - public RC2Parameters( - byte[] key, - int bits) - { - this.key = new byte[key.length]; - this.bits = bits; - - System.arraycopy(key, 0, this.key, 0, key.length); - } - - public byte[] getKey() - { - return key; - } - - public int getEffectiveKeyBits() - { - return bits; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/RC5Parameters.java b/core/src/main/java/org/bouncycastle/crypto/params/RC5Parameters.java deleted file mode 100644 index 6cbd57f1..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/RC5Parameters.java +++ /dev/null @@ -1,35 +0,0 @@ -package org.bouncycastle.crypto.params; - -import org.bouncycastle.crypto.CipherParameters; - -public class RC5Parameters - implements CipherParameters -{ - private byte[] key; - private int rounds; - - public RC5Parameters( - byte[] key, - int rounds) - { - if (key.length > 255) - { - throw new IllegalArgumentException("RC5 key length can be no greater than 255"); - } - - this.key = new byte[key.length]; - this.rounds = rounds; - - System.arraycopy(key, 0, this.key, 0, key.length); - } - - public byte[] getKey() - { - return key; - } - - public int getRounds() - { - return rounds; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/RSABlindingParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/RSABlindingParameters.java deleted file mode 100644 index c7fa6ba6..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/RSABlindingParameters.java +++ /dev/null @@ -1,35 +0,0 @@ -package org.bouncycastle.crypto.params; - -import org.bouncycastle.crypto.CipherParameters; - -import java.math.BigInteger; - -public class RSABlindingParameters - implements CipherParameters -{ - private RSAKeyParameters publicKey; - private BigInteger blindingFactor; - - public RSABlindingParameters( - RSAKeyParameters publicKey, - BigInteger blindingFactor) - { - if (publicKey instanceof RSAPrivateCrtKeyParameters) - { - throw new IllegalArgumentException("RSA parameters should be for a public key"); - } - - this.publicKey = publicKey; - this.blindingFactor = blindingFactor; - } - - public RSAKeyParameters getPublicKey() - { - return publicKey; - } - - public BigInteger getBlindingFactor() - { - return blindingFactor; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/RSAKeyGenerationParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/RSAKeyGenerationParameters.java deleted file mode 100644 index 38b55fcd..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/RSAKeyGenerationParameters.java +++ /dev/null @@ -1,48 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.KeyGenerationParameters; - -public class RSAKeyGenerationParameters - extends KeyGenerationParameters -{ - private BigInteger publicExponent; - private int certainty; - - public RSAKeyGenerationParameters( - BigInteger publicExponent, - SecureRandom random, - int strength, - int certainty) - { - super(random, strength); - - if (strength < 12) - { - throw new IllegalArgumentException("key strength too small"); - } - - // - // public exponent cannot be even - // - if (!publicExponent.testBit(0)) - { - throw new IllegalArgumentException("public exponent cannot be even"); - } - - this.publicExponent = publicExponent; - this.certainty = certainty; - } - - public BigInteger getPublicExponent() - { - return publicExponent; - } - - public int getCertainty() - { - return certainty; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/RSAKeyParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/RSAKeyParameters.java deleted file mode 100644 index 4a2d9354..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/RSAKeyParameters.java +++ /dev/null @@ -1,31 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.math.BigInteger; - -public class RSAKeyParameters - extends AsymmetricKeyParameter -{ - private BigInteger modulus; - private BigInteger exponent; - - public RSAKeyParameters( - boolean isPrivate, - BigInteger modulus, - BigInteger exponent) - { - super(isPrivate); - - this.modulus = modulus; - this.exponent = exponent; - } - - public BigInteger getModulus() - { - return modulus; - } - - public BigInteger getExponent() - { - return exponent; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/RSAPrivateCrtKeyParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/RSAPrivateCrtKeyParameters.java deleted file mode 100644 index b61cb5c4..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/RSAPrivateCrtKeyParameters.java +++ /dev/null @@ -1,67 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.math.BigInteger; - -public class RSAPrivateCrtKeyParameters - extends RSAKeyParameters -{ - private BigInteger e; - private BigInteger p; - private BigInteger q; - private BigInteger dP; - private BigInteger dQ; - private BigInteger qInv; - - /** - * - */ - public RSAPrivateCrtKeyParameters( - BigInteger modulus, - BigInteger publicExponent, - BigInteger privateExponent, - BigInteger p, - BigInteger q, - BigInteger dP, - BigInteger dQ, - BigInteger qInv) - { - super(true, modulus, privateExponent); - - this.e = publicExponent; - this.p = p; - this.q = q; - this.dP = dP; - this.dQ = dQ; - this.qInv = qInv; - } - - public BigInteger getPublicExponent() - { - return e; - } - - public BigInteger getP() - { - return p; - } - - public BigInteger getQ() - { - return q; - } - - public BigInteger getDP() - { - return dP; - } - - public BigInteger getDQ() - { - return dQ; - } - - public BigInteger getQInv() - { - return qInv; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/SkeinParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/SkeinParameters.java deleted file mode 100644 index 326e106c..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/SkeinParameters.java +++ /dev/null @@ -1,329 +0,0 @@ -package org.bouncycastle.crypto.params; - -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.OutputStreamWriter; -import java.text.DateFormat; -import java.text.SimpleDateFormat; -import java.util.Date; -import java.util.Enumeration; -import java.util.Hashtable; -import java.util.Locale; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.digests.SkeinDigest; -import org.bouncycastle.crypto.digests.SkeinEngine; -import org.bouncycastle.crypto.macs.SkeinMac; -import org.bouncycastle.util.Integers; - -/** - * Parameters for the Skein hash function - a series of byte[] strings identified by integer tags. - * <p> - * Parameterised Skein can be used for: - * <ul> - * <li>MAC generation, by providing a {@link SkeinParameters.Builder#setKey(byte[]) key}.</li> - * <li>Randomised hashing, by providing a {@link SkeinParameters.Builder#setNonce(byte[]) nonce}.</li> - * <li>A hash function for digital signatures, associating a - * {@link SkeinParameters.Builder#setPublicKey(byte[]) public key} with the message digest.</li> - * <li>A key derivation function, by providing a - * {@link SkeinParameters.Builder#setKeyIdentifier(byte[]) key identifier}.</li> - * <li>Personalised hashing, by providing a - * {@link SkeinParameters.Builder#setPersonalisation(Date, String, String) recommended format} or - * {@link SkeinParameters.Builder#setPersonalisation(byte[]) arbitrary} personalisation string.</li> - * </ul> - * - * @see SkeinEngine - * @see SkeinDigest - * @see SkeinMac - */ -public class SkeinParameters - implements CipherParameters -{ - /** - * The parameter type for a secret key, supporting MAC or KDF functions: {@value - * #PARAM_TYPE_KEY}. - */ - public static final int PARAM_TYPE_KEY = 0; - - /** - * The parameter type for the Skein configuration block: {@value #PARAM_TYPE_CONFIG}. - */ - public static final int PARAM_TYPE_CONFIG = 4; - - /** - * The parameter type for a personalisation string: {@value #PARAM_TYPE_PERSONALISATION}. - */ - public static final int PARAM_TYPE_PERSONALISATION = 8; - - /** - * The parameter type for a public key: {@value #PARAM_TYPE_PUBLIC_KEY}. - */ - public static final int PARAM_TYPE_PUBLIC_KEY = 12; - - /** - * The parameter type for a key identifier string: {@value #PARAM_TYPE_KEY_IDENTIFIER}. - */ - public static final int PARAM_TYPE_KEY_IDENTIFIER = 16; - - /** - * The parameter type for a nonce: {@value #PARAM_TYPE_NONCE}. - */ - public static final int PARAM_TYPE_NONCE = 20; - - /** - * The parameter type for the message: {@value #PARAM_TYPE_MESSAGE}. - */ - public static final int PARAM_TYPE_MESSAGE = 48; - - /** - * The parameter type for the output transformation: {@value #PARAM_TYPE_OUTPUT}. - */ - public static final int PARAM_TYPE_OUTPUT = 63; - - private Hashtable parameters; - - public SkeinParameters() - { - this(new Hashtable()); - } - - private SkeinParameters(final Hashtable parameters) - { - this.parameters = parameters; - } - - /** - * Obtains a map of type (Integer) to value (byte[]) for the parameters tracked in this object. - */ - public Hashtable getParameters() - { - return parameters; - } - - /** - * Obtains the value of the {@link #PARAM_TYPE_KEY key parameter}, or <code>null</code> if not - * set. - */ - public byte[] getKey() - { - return (byte[])parameters.get(Integers.valueOf(PARAM_TYPE_KEY)); - } - - /** - * Obtains the value of the {@link #PARAM_TYPE_PERSONALISATION personalisation parameter}, or - * <code>null</code> if not set. - */ - public byte[] getPersonalisation() - { - return (byte[])parameters.get(Integers.valueOf(PARAM_TYPE_PERSONALISATION)); - } - - /** - * Obtains the value of the {@link #PARAM_TYPE_PUBLIC_KEY public key parameter}, or - * <code>null</code> if not set. - */ - public byte[] getPublicKey() - { - return (byte[])parameters.get(Integers.valueOf(PARAM_TYPE_PUBLIC_KEY)); - } - - /** - * Obtains the value of the {@link #PARAM_TYPE_KEY_IDENTIFIER key identifier parameter}, or - * <code>null</code> if not set. - */ - public byte[] getKeyIdentifier() - { - return (byte[])parameters.get(Integers.valueOf(PARAM_TYPE_KEY_IDENTIFIER)); - } - - /** - * Obtains the value of the {@link #PARAM_TYPE_NONCE nonce parameter}, or <code>null</code> if - * not set. - */ - public byte[] getNonce() - { - return (byte[])parameters.get(Integers.valueOf(PARAM_TYPE_NONCE)); - } - - /** - * A builder for {@link SkeinParameters}. - */ - public static class Builder - { - private Hashtable parameters = new Hashtable(); - - public Builder() - { - } - - public Builder(Hashtable paramsMap) - { - Enumeration keys = paramsMap.keys(); - while (keys.hasMoreElements()) - { - Integer key = (Integer)keys.nextElement(); - parameters.put(key, paramsMap.get(key)); - } - } - - public Builder(SkeinParameters params) - { - Enumeration keys = params.parameters.keys(); - while (keys.hasMoreElements()) - { - Integer key = (Integer)keys.nextElement(); - parameters.put(key, params.parameters.get(key)); - } - } - - /** - * Sets a parameters to apply to the Skein hash function.<br> - * Parameter types must be in the range 0,5..62, and cannot use the value {@value - * SkeinParameters#PARAM_TYPE_MESSAGE} (reserved for message body). - * <p> - * Parameters with type < {@value SkeinParameters#PARAM_TYPE_MESSAGE} are processed before - * the message content, parameters with type > {@value SkeinParameters#PARAM_TYPE_MESSAGE} - * are processed after the message and prior to output. - * - * @param type the type of the parameter, in the range 5..62. - * @param value the byte sequence of the parameter. - * @return - */ - public Builder set(int type, byte[] value) - { - if (value == null) - { - throw new IllegalArgumentException("Parameter value must not be null."); - } - if ((type != PARAM_TYPE_KEY) - && (type <= PARAM_TYPE_CONFIG || type >= PARAM_TYPE_OUTPUT || type == PARAM_TYPE_MESSAGE)) - { - throw new IllegalArgumentException("Parameter types must be in the range 0,5..47,49..62."); - } - if (type == PARAM_TYPE_CONFIG) - { - throw new IllegalArgumentException("Parameter type " + PARAM_TYPE_CONFIG - + " is reserved for internal use."); - } - this.parameters.put(Integers.valueOf(type), value); - return this; - } - - /** - * Sets the {@link SkeinParameters#PARAM_TYPE_KEY} parameter. - */ - public Builder setKey(byte[] key) - { - return set(PARAM_TYPE_KEY, key); - } - - /** - * Sets the {@link SkeinParameters#PARAM_TYPE_PERSONALISATION} parameter. - */ - public Builder setPersonalisation(byte[] personalisation) - { - return set(PARAM_TYPE_PERSONALISATION, personalisation); - } - - /** - * Implements the recommended personalisation format for Skein defined in Section 4.11 of - * the Skein 1.3 specification. - * <p> - * The format is <code>YYYYMMDD email@address distinguisher</code>, encoded to a byte - * sequence using UTF-8 encoding. - * - * @param date the date the personalised application of the Skein was defined. - * @param emailAddress the email address of the creation of the personalised application. - * @param distinguisher an arbitrary personalisation string distinguishing the application. - * @return the current builder. - */ - public Builder setPersonalisation(Date date, String emailAddress, String distinguisher) - { - try - { - final ByteArrayOutputStream bout = new ByteArrayOutputStream(); - final OutputStreamWriter out = new OutputStreamWriter(bout, "UTF-8"); - final DateFormat format = new SimpleDateFormat("YYYYMMDD"); - out.write(format.format(date)); - out.write(" "); - out.write(emailAddress); - out.write(" "); - out.write(distinguisher); - out.close(); - return set(PARAM_TYPE_PERSONALISATION, bout.toByteArray()); - } - catch (IOException e) - { - throw new IllegalStateException("Byte I/O failed: " + e); - } - } - - /** - * Implements the recommended personalisation format for Skein defined in Section 4.11 of - * the Skein 1.3 specification. You may need to use this method if the default locale - * doesn't use a Gregorian calender so that the GeneralizedTime produced is compatible implementations. - * <p> - * The format is <code>YYYYMMDD email@address distinguisher</code>, encoded to a byte - * sequence using UTF-8 encoding. - * - * @param date the date the personalised application of the Skein was defined. - * @param dateLocale locale to be used for date interpretation. - * @param emailAddress the email address of the creation of the personalised application. - * @param distinguisher an arbitrary personalisation string distinguishing the application. - * @return the current builder. - */ - public Builder setPersonalisation(Date date, Locale dateLocale, String emailAddress, String distinguisher) - { - try - { - final ByteArrayOutputStream bout = new ByteArrayOutputStream(); - final OutputStreamWriter out = new OutputStreamWriter(bout, "UTF-8"); - final DateFormat format = new SimpleDateFormat("YYYYMMDD", dateLocale); - out.write(format.format(date)); - out.write(" "); - out.write(emailAddress); - out.write(" "); - out.write(distinguisher); - out.close(); - return set(PARAM_TYPE_PERSONALISATION, bout.toByteArray()); - } - catch (IOException e) - { - throw new IllegalStateException("Byte I/O failed: " + e); - } - } - - /** - * Sets the {@link SkeinParameters#PARAM_TYPE_KEY_IDENTIFIER} parameter. - */ - public Builder setPublicKey(byte[] publicKey) - { - return set(PARAM_TYPE_PUBLIC_KEY, publicKey); - } - - /** - * Sets the {@link SkeinParameters#PARAM_TYPE_KEY_IDENTIFIER} parameter. - */ - public Builder setKeyIdentifier(byte[] keyIdentifier) - { - return set(PARAM_TYPE_KEY_IDENTIFIER, keyIdentifier); - } - - /** - * Sets the {@link SkeinParameters#PARAM_TYPE_NONCE} parameter. - */ - public Builder setNonce(byte[] nonce) - { - return set(PARAM_TYPE_NONCE, nonce); - } - - /** - * Constructs a new {@link SkeinParameters} instance with the parameters provided to this - * builder. - */ - public SkeinParameters build() - { - return new SkeinParameters(parameters); - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/params/TweakableBlockCipherParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/TweakableBlockCipherParameters.java deleted file mode 100644 index fa16facd..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/params/TweakableBlockCipherParameters.java +++ /dev/null @@ -1,40 +0,0 @@ -package org.bouncycastle.crypto.params; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.util.Arrays; - -/** - * Parameters for tweakable block ciphers. - */ -public class TweakableBlockCipherParameters - implements CipherParameters -{ - private final byte[] tweak; - private final KeyParameter key; - - public TweakableBlockCipherParameters(final KeyParameter key, final byte[] tweak) - { - this.key = key; - this.tweak = Arrays.clone(tweak); - } - - /** - * Gets the key. - * - * @return the key to use, or <code>null</code> to use the current key. - */ - public KeyParameter getKey() - { - return key; - } - - /** - * Gets the tweak value. - * - * @return the tweak to use, or <code>null</code> to use the current tweak. - */ - public byte[] getTweak() - { - return tweak; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/parsers/DHIESPublicKeyParser.java b/core/src/main/java/org/bouncycastle/crypto/parsers/DHIESPublicKeyParser.java deleted file mode 100644 index 44f5b571..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/parsers/DHIESPublicKeyParser.java +++ /dev/null @@ -1,31 +0,0 @@ -package org.bouncycastle.crypto.parsers; - -import java.io.IOException; -import java.io.InputStream; -import java.math.BigInteger; - -import org.bouncycastle.crypto.KeyParser; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.params.DHParameters; -import org.bouncycastle.crypto.params.DHPublicKeyParameters; - -public class DHIESPublicKeyParser - implements KeyParser -{ - private DHParameters dhParams; - - public DHIESPublicKeyParser(DHParameters dhParams) - { - this.dhParams = dhParams; - } - - public AsymmetricKeyParameter readKey(InputStream stream) - throws IOException - { - byte[] V = new byte[(dhParams.getP().bitLength() + 7) / 8]; - - stream.read(V, 0, V.length); - - return new DHPublicKeyParameters(new BigInteger(1, V), dhParams); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/parsers/ECIESPublicKeyParser.java b/core/src/main/java/org/bouncycastle/crypto/parsers/ECIESPublicKeyParser.java deleted file mode 100644 index 1880a506..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/parsers/ECIESPublicKeyParser.java +++ /dev/null @@ -1,53 +0,0 @@ -package org.bouncycastle.crypto.parsers; - -import java.io.IOException; -import java.io.InputStream; - -import org.bouncycastle.crypto.KeyParser; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.params.ECDomainParameters; -import org.bouncycastle.crypto.params.ECPublicKeyParameters; - -public class ECIESPublicKeyParser - implements KeyParser -{ - private ECDomainParameters ecParams; - - public ECIESPublicKeyParser(ECDomainParameters ecParams) - { - this.ecParams = ecParams; - } - - public AsymmetricKeyParameter readKey(InputStream stream) - throws IOException - { - byte[] V; - int first = stream.read(); - - // Decode the public ephemeral key - switch (first) - { - case 0x00: // infinity - throw new IOException("Sender's public key invalid."); - - case 0x02: // compressed - case 0x03: // Byte length calculated as in ECPoint.getEncoded(); - V = new byte[1 + (ecParams.getCurve().getFieldSize()+7)/8]; - break; - - case 0x04: // uncompressed or - case 0x06: // hybrid - case 0x07: // Byte length calculated as in ECPoint.getEncoded(); - V = new byte[1 + 2*((ecParams.getCurve().getFieldSize()+7)/8)]; - break; - - default: - throw new IOException("Sender's public key has invalid point encoding 0x" + Integer.toString(first, 16)); - } - - V[0] = (byte)first; - stream.read(V, 1, V.length - 1); - - return new ECPublicKeyParameters(ecParams.getCurve().decodePoint(V), ecParams); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/prng/BasicEntropySourceProvider.java b/core/src/main/java/org/bouncycastle/crypto/prng/BasicEntropySourceProvider.java deleted file mode 100644 index 9f1d0427..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/prng/BasicEntropySourceProvider.java +++ /dev/null @@ -1,53 +0,0 @@ -package org.bouncycastle.crypto.prng; - -import java.security.SecureRandom; - -/** - * An EntropySourceProvider where entropy generation is based on a SecureRandom output using SecureRandom.generateSeed(). - */ -public class BasicEntropySourceProvider - implements EntropySourceProvider -{ - private final SecureRandom _sr; - private final boolean _predictionResistant; - - /** - * Create a entropy source provider based on the passed in SecureRandom. - * - * @param random the SecureRandom to base EntropySource construction on. - * @param isPredictionResistant boolean indicating if the SecureRandom is based on prediction resistant entropy or not (true if it is). - */ - public BasicEntropySourceProvider(SecureRandom random, boolean isPredictionResistant) - { - _sr = random; - _predictionResistant = isPredictionResistant; - } - - /** - * Return an entropy source that will create bitsRequired bits of entropy on - * each invocation of getEntropy(). - * - * @param bitsRequired size (in bits) of entropy to be created by the provided source. - * @return an EntropySource that generates bitsRequired bits of entropy on each call to its getEntropy() method. - */ - public EntropySource get(final int bitsRequired) - { - return new EntropySource() - { - public boolean isPredictionResistant() - { - return _predictionResistant; - } - - public byte[] getEntropy() - { - return _sr.generateSeed((bitsRequired + 7) / 8); - } - - public int entropySize() - { - return bitsRequired; - } - }; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/prng/DRBGProvider.java b/core/src/main/java/org/bouncycastle/crypto/prng/DRBGProvider.java deleted file mode 100644 index c39760c9..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/prng/DRBGProvider.java +++ /dev/null @@ -1,8 +0,0 @@ -package org.bouncycastle.crypto.prng; - -import org.bouncycastle.crypto.prng.drbg.SP80090DRBG; - -interface DRBGProvider -{ - SP80090DRBG get(EntropySource entropySource); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/prng/DigestRandomGenerator.java b/core/src/main/java/org/bouncycastle/crypto/prng/DigestRandomGenerator.java deleted file mode 100644 index f36b62c2..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/prng/DigestRandomGenerator.java +++ /dev/null @@ -1,123 +0,0 @@ -package org.bouncycastle.crypto.prng; - -import org.bouncycastle.crypto.Digest; - -/** - * Random generation based on the digest with counter. Calling addSeedMaterial will - * always increase the entropy of the hash. - * <p> - * Internal access to the digest is synchronized so a single one of these can be shared. - * </p> - */ -public class DigestRandomGenerator - implements RandomGenerator -{ - private static long CYCLE_COUNT = 10; - - private long stateCounter; - private long seedCounter; - private Digest digest; - private byte[] state; - private byte[] seed; - - // public constructors - public DigestRandomGenerator( - Digest digest) - { - this.digest = digest; - - this.seed = new byte[digest.getDigestSize()]; - this.seedCounter = 1; - - this.state = new byte[digest.getDigestSize()]; - this.stateCounter = 1; - } - - public void addSeedMaterial(byte[] inSeed) - { - synchronized (this) - { - digestUpdate(inSeed); - digestUpdate(seed); - digestDoFinal(seed); - } - } - - public void addSeedMaterial(long rSeed) - { - synchronized (this) - { - digestAddCounter(rSeed); - digestUpdate(seed); - - digestDoFinal(seed); - } - } - - public void nextBytes(byte[] bytes) - { - nextBytes(bytes, 0, bytes.length); - } - - public void nextBytes(byte[] bytes, int start, int len) - { - synchronized (this) - { - int stateOff = 0; - - generateState(); - - int end = start + len; - for (int i = start; i != end; i++) - { - if (stateOff == state.length) - { - generateState(); - stateOff = 0; - } - bytes[i] = state[stateOff++]; - } - } - } - - private void cycleSeed() - { - digestUpdate(seed); - digestAddCounter(seedCounter++); - - digestDoFinal(seed); - } - - private void generateState() - { - digestAddCounter(stateCounter++); - digestUpdate(state); - digestUpdate(seed); - - digestDoFinal(state); - - if ((stateCounter % CYCLE_COUNT) == 0) - { - cycleSeed(); - } - } - - private void digestAddCounter(long seed) - { - for (int i = 0; i != 8; i++) - { - digest.update((byte)seed); - seed >>>= 8; - } - } - - private void digestUpdate(byte[] inSeed) - { - digest.update(inSeed, 0, inSeed.length); - } - - private void digestDoFinal(byte[] result) - { - digest.doFinal(result, 0); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/prng/EntropySource.java b/core/src/main/java/org/bouncycastle/crypto/prng/EntropySource.java deleted file mode 100644 index 53bc549d..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/prng/EntropySource.java +++ /dev/null @@ -1,25 +0,0 @@ -package org.bouncycastle.crypto.prng; - -public interface EntropySource -{ - /** - * Return whether or not this entropy source is regarded as prediction resistant. - * - * @return true if it is, false otherwise. - */ - boolean isPredictionResistant(); - - /** - * Return a byte array of entropy. - * - * @return entropy bytes. - */ - byte[] getEntropy(); - - /** - * Return the number of bits of entropy this source can produce. - * - * @return size in bits of the return value of getEntropy. - */ - int entropySize(); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/prng/EntropySourceProvider.java b/core/src/main/java/org/bouncycastle/crypto/prng/EntropySourceProvider.java deleted file mode 100644 index 190bf624..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/prng/EntropySourceProvider.java +++ /dev/null @@ -1,6 +0,0 @@ -package org.bouncycastle.crypto.prng; - -public interface EntropySourceProvider -{ - EntropySource get(final int bitsRequired); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/prng/FixedSecureRandom.java b/core/src/main/java/org/bouncycastle/crypto/prng/FixedSecureRandom.java deleted file mode 100644 index 3245eabb..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/prng/FixedSecureRandom.java +++ /dev/null @@ -1,147 +0,0 @@ -package org.bouncycastle.crypto.prng; - -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.security.SecureRandom; - -/** - * A secure random that returns pre-seeded data to calls of nextBytes() or generateSeed(). - */ -public class FixedSecureRandom - extends SecureRandom -{ - private byte[] _data; - - private int _index; - private int _intPad; - - public FixedSecureRandom(byte[] value) - { - this(false, new byte[][] { value }); - } - - public FixedSecureRandom( - byte[][] values) - { - this(false, values); - } - - /** - * Pad the data on integer boundaries. This is necessary for the classpath project's BigInteger - * implementation. - */ - public FixedSecureRandom( - boolean intPad, - byte[] value) - { - this(intPad, new byte[][] { value }); - } - - /** - * Pad the data on integer boundaries. This is necessary for the classpath project's BigInteger - * implementation. - */ - public FixedSecureRandom( - boolean intPad, - byte[][] values) - { - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - for (int i = 0; i != values.length; i++) - { - try - { - bOut.write(values[i]); - } - catch (IOException e) - { - throw new IllegalArgumentException("can't save value array."); - } - } - - _data = bOut.toByteArray(); - - if (intPad) - { - _intPad = _data.length % 4; - } - } - - public void nextBytes(byte[] bytes) - { - System.arraycopy(_data, _index, bytes, 0, bytes.length); - - _index += bytes.length; - } - - public byte[] generateSeed(int numBytes) - { - byte[] bytes = new byte[numBytes]; - - this.nextBytes(bytes); - - return bytes; - } - - // - // classpath's implementation of SecureRandom doesn't currently go back to nextBytes - // when next is called. We can't override next as it's a final method. - // - public int nextInt() - { - int val = 0; - - val |= nextValue() << 24; - val |= nextValue() << 16; - - if (_intPad == 2) - { - _intPad--; - } - else - { - val |= nextValue() << 8; - } - - if (_intPad == 1) - { - _intPad--; - } - else - { - val |= nextValue(); - } - - return val; - } - - // - // classpath's implementation of SecureRandom doesn't currently go back to nextBytes - // when next is called. We can't override next as it's a final method. - // - public long nextLong() - { - long val = 0; - - val |= (long)nextValue() << 56; - val |= (long)nextValue() << 48; - val |= (long)nextValue() << 40; - val |= (long)nextValue() << 32; - val |= (long)nextValue() << 24; - val |= (long)nextValue() << 16; - val |= (long)nextValue() << 8; - val |= (long)nextValue(); - - return val; - } - - public boolean isExhausted() - { - return _index == _data.length; - } - - private int nextValue() - { - return _data[_index++] & 0xff; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/prng/RandomGenerator.java b/core/src/main/java/org/bouncycastle/crypto/prng/RandomGenerator.java deleted file mode 100644 index 47ff68e3..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/prng/RandomGenerator.java +++ /dev/null @@ -1,38 +0,0 @@ -package org.bouncycastle.crypto.prng; - -/** - * Generic interface for objects generating random bytes. - */ -public interface RandomGenerator -{ - /** - * Add more seed material to the generator. - * - * @param seed a byte array to be mixed into the generator's state. - */ - void addSeedMaterial(byte[] seed); - - /** - * Add more seed material to the generator. - * - * @param seed a long value to be mixed into the generator's state. - */ - void addSeedMaterial(long seed); - - /** - * Fill bytes with random values. - * - * @param bytes byte array to be filled. - */ - void nextBytes(byte[] bytes); - - /** - * Fill part of bytes with random values. - * - * @param bytes byte array to be filled. - * @param start index to start filling at. - * @param len length of segment to fill. - */ - void nextBytes(byte[] bytes, int start, int len); - -} diff --git a/core/src/main/java/org/bouncycastle/crypto/prng/ReversedWindowGenerator.java b/core/src/main/java/org/bouncycastle/crypto/prng/ReversedWindowGenerator.java deleted file mode 100644 index fbb2639c..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/prng/ReversedWindowGenerator.java +++ /dev/null @@ -1,111 +0,0 @@ -package org.bouncycastle.crypto.prng; - -/** - * Takes bytes generated by an underling RandomGenerator and reverses the order in - * each small window (of configurable size). - * <p> - * Access to internals is synchronized so a single one of these can be shared. - * </p> - */ -public class ReversedWindowGenerator - implements RandomGenerator -{ - private final RandomGenerator generator; - - private byte[] window; - private int windowCount; - - public ReversedWindowGenerator( - RandomGenerator generator, - int windowSize) - { - if (generator == null) - { - throw new IllegalArgumentException("generator cannot be null"); - } - if (windowSize < 2) - { - throw new IllegalArgumentException("windowSize must be at least 2"); - } - - this.generator = generator; - this.window = new byte[windowSize]; - } - - /** - * Add more seed material to the generator. - * - * @param seed a byte array to be mixed into the generator's state. - */ - public void addSeedMaterial( - byte[] seed) - { - synchronized (this) - { - windowCount = 0; - generator.addSeedMaterial(seed); - } - } - - /** - * Add more seed material to the generator. - * - * @param seed a long value to be mixed into the generator's state. - */ - public void addSeedMaterial( - long seed) - { - synchronized (this) - { - windowCount = 0; - generator.addSeedMaterial(seed); - } - } - - /** - * Fill bytes with random values. - * - * @param bytes byte array to be filled. - */ - public void nextBytes( - byte[] bytes) - { - doNextBytes(bytes, 0, bytes.length); - } - - /** - * Fill part of bytes with random values. - * - * @param bytes byte array to be filled. - * @param start index to start filling at. - * @param len length of segment to fill. - */ - public void nextBytes( - byte[] bytes, - int start, - int len) - { - doNextBytes(bytes, start, len); - } - - private void doNextBytes( - byte[] bytes, - int start, - int len) - { - synchronized (this) - { - int done = 0; - while (done < len) - { - if (windowCount < 1) - { - generator.nextBytes(window, 0, window.length); - windowCount = window.length; - } - - bytes[start + done++] = window[--windowCount]; - } - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/prng/SP800SecureRandom.java b/core/src/main/java/org/bouncycastle/crypto/prng/SP800SecureRandom.java deleted file mode 100644 index e1ec6c28..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/prng/SP800SecureRandom.java +++ /dev/null @@ -1,74 +0,0 @@ -package org.bouncycastle.crypto.prng; - -import java.security.SecureRandom; - -import org.bouncycastle.crypto.prng.drbg.SP80090DRBG; - -public class SP800SecureRandom - extends SecureRandom -{ - private final DRBGProvider drbgProvider; - private final boolean predictionResistant; - private final SecureRandom randomSource; - private final EntropySource entropySource; - - private SP80090DRBG drbg; - - SP800SecureRandom(SecureRandom randomSource, EntropySource entropySource, DRBGProvider drbgProvider, boolean predictionResistant) - { - this.randomSource = randomSource; - this.entropySource = entropySource; - this.drbgProvider = drbgProvider; - this.predictionResistant = predictionResistant; - } - - public void setSeed(byte[] seed) - { - synchronized (this) - { - if (randomSource != null) - { - this.randomSource.setSeed(seed); - } - } - } - - public void setSeed(long seed) - { - synchronized (this) - { - // this will happen when SecureRandom() is created - if (randomSource != null) - { - this.randomSource.setSeed(seed); - } - } - } - - public void nextBytes(byte[] bytes) - { - synchronized (this) - { - if (drbg == null) - { - drbg = drbgProvider.get(entropySource); - } - - // check if a reseed is required... - if (drbg.generate(bytes, null, predictionResistant) < 0) - { - drbg.reseed(entropySource.getEntropy()); - drbg.generate(bytes, null, predictionResistant); - } - } - } - - public byte[] generateSeed(int numBytes) - { - byte[] bytes = new byte[numBytes]; - - this.nextBytes(bytes); - - return bytes; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/prng/SP800SecureRandomBuilder.java b/core/src/main/java/org/bouncycastle/crypto/prng/SP800SecureRandomBuilder.java deleted file mode 100644 index 59ea1010..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/prng/SP800SecureRandomBuilder.java +++ /dev/null @@ -1,290 +0,0 @@ -package org.bouncycastle.crypto.prng; - -import java.security.SecureRandom; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.Mac; -import org.bouncycastle.crypto.prng.drbg.CTRSP800DRBG; -import org.bouncycastle.crypto.prng.drbg.DualECPoints; -import org.bouncycastle.crypto.prng.drbg.DualECSP800DRBG; -import org.bouncycastle.crypto.prng.drbg.HMacSP800DRBG; -import org.bouncycastle.crypto.prng.drbg.HashSP800DRBG; -import org.bouncycastle.crypto.prng.drbg.SP80090DRBG; - -/** - * Builder class for making SecureRandom objects based on SP 800-90A Deterministic Random Bit Generators (DRBG). - */ -public class SP800SecureRandomBuilder -{ - private final SecureRandom random; - private final EntropySourceProvider entropySourceProvider; - - private byte[] personalizationString; - private int securityStrength = 256; - private int entropyBitsRequired = 256; - - /** - * Basic constructor, creates a builder using an EntropySourceProvider based on the default SecureRandom with - * predictionResistant set to false. - * <p> - * Any SecureRandom created from a builder constructed like this will make use of input passed to SecureRandom.setSeed() if - * the default SecureRandom does for its generateSeed() call. - * </p> - */ - public SP800SecureRandomBuilder() - { - this(new SecureRandom(), false); - } - - /** - * Construct a builder with an EntropySourceProvider based on the passed in SecureRandom and the passed in value - * for prediction resistance. - * <p> - * Any SecureRandom created from a builder constructed like this will make use of input passed to SecureRandom.setSeed() if - * the passed in SecureRandom does for its generateSeed() call. - * </p> - * @param entropySource - * @param predictionResistant - */ - public SP800SecureRandomBuilder(SecureRandom entropySource, boolean predictionResistant) - { - this.random = entropySource; - this.entropySourceProvider = new BasicEntropySourceProvider(random, predictionResistant); - } - - /** - * Create a builder which makes creates the SecureRandom objects from a specified entropy source provider. - * <p> - * <b>Note:</b> If this constructor is used any calls to setSeed() in the resulting SecureRandom will be ignored. - * </p> - * @param entropySourceProvider a provider of EntropySource objects. - */ - public SP800SecureRandomBuilder(EntropySourceProvider entropySourceProvider) - { - this.random = null; - this.entropySourceProvider = entropySourceProvider; - } - - /** - * Set the personalization string for DRBG SecureRandoms created by this builder - * @param personalizationString the personalisation string for the underlying DRBG. - * @return the current builder. - */ - public SP800SecureRandomBuilder setPersonalizationString(byte[] personalizationString) - { - this.personalizationString = personalizationString; - - return this; - } - - /** - * Set the security strength required for DRBGs used in building SecureRandom objects. - * - * @param securityStrength the security strength (in bits) - * @return the current builder. - */ - public SP800SecureRandomBuilder setSecurityStrength(int securityStrength) - { - this.securityStrength = securityStrength; - - return this; - } - - /** - * Set the amount of entropy bits required for seeding and reseeding DRBGs used in building SecureRandom objects. - * - * @param entropyBitsRequired the number of bits of entropy to be requested from the entropy source on each seed/reseed. - * @return the current builder. - */ - public SP800SecureRandomBuilder setEntropyBitsRequired(int entropyBitsRequired) - { - this.entropyBitsRequired = entropyBitsRequired; - - return this; - } - - /** - * Build a SecureRandom based on a SP 800-90A Hash DRBG. - * - * @param digest digest algorithm to use in the DRBG underneath the SecureRandom. - * @param nonce nonce value to use in DRBG construction. - * @param predictionResistant specify whether the underlying DRBG in the resulting SecureRandom should reseed on each request for bytes. - * @return a SecureRandom supported by a Hash DRBG. - */ - public SP800SecureRandom buildHash(Digest digest, byte[] nonce, boolean predictionResistant) - { - return new SP800SecureRandom(random, entropySourceProvider.get(entropyBitsRequired), new HashDRBGProvider(digest, nonce, personalizationString, securityStrength), predictionResistant); - } - - /** - * Build a SecureRandom based on a SP 800-90A CTR DRBG. - * - * @param cipher the block cipher to base the DRBG on. - * @param keySizeInBits key size in bits to be used with the block cipher. - * @param nonce nonce value to use in DRBG construction. - * @param predictionResistant specify whether the underlying DRBG in the resulting SecureRandom should reseed on each request for bytes. - * @return a SecureRandom supported by a CTR DRBG. - */ - public SP800SecureRandom buildCTR(BlockCipher cipher, int keySizeInBits, byte[] nonce, boolean predictionResistant) - { - return new SP800SecureRandom(random, entropySourceProvider.get(entropyBitsRequired), new CTRDRBGProvider(cipher, keySizeInBits, nonce, personalizationString, securityStrength), predictionResistant); - } - - /** - * Build a SecureRandom based on a SP 800-90A HMAC DRBG. - * - * @param hMac HMAC algorithm to use in the DRBG underneath the SecureRandom. - * @param nonce nonce value to use in DRBG construction. - * @param predictionResistant specify whether the underlying DRBG in the resulting SecureRandom should reseed on each request for bytes. - * @return a SecureRandom supported by a HMAC DRBG. - */ - public SP800SecureRandom buildHMAC(Mac hMac, byte[] nonce, boolean predictionResistant) - { - return new SP800SecureRandom(random, entropySourceProvider.get(entropyBitsRequired), new HMacDRBGProvider(hMac, nonce, personalizationString, securityStrength), predictionResistant); - } - - /** - * Build a SecureRandom based on a SP 800-90A Dual EC DRBG using the NIST point set. - * - * @param digest digest algorithm to use in the DRBG underneath the SecureRandom. - * @param nonce nonce value to use in DRBG construction. - * @param predictionResistant specify whether the underlying DRBG in the resulting SecureRandom should reseed on each request for bytes. - * @return a SecureRandom supported by a Dual EC DRBG. - */ - public SP800SecureRandom buildDualEC(Digest digest, byte[] nonce, boolean predictionResistant) - { - return new SP800SecureRandom(random, entropySourceProvider.get(entropyBitsRequired), new DualECDRBGProvider(digest, nonce, personalizationString, securityStrength), predictionResistant); - } - - /** - * Build a SecureRandom based on a SP 800-90A Dual EC DRBG according to a defined point set. - * - * @param pointSet an array of DualECPoints to use for DRB generation. - * @param digest digest algorithm to use in the DRBG underneath the SecureRandom. - * @param nonce nonce value to use in DRBG construction. - * @param predictionResistant specify whether the underlying DRBG in the resulting SecureRandom should reseed on each request for bytes. - * @return a SecureRandom supported by a Dual EC DRBG. - */ - public SP800SecureRandom buildDualEC(DualECPoints[] pointSet, Digest digest, byte[] nonce, boolean predictionResistant) - { - return new SP800SecureRandom(random, entropySourceProvider.get(entropyBitsRequired), new ConfigurableDualECDRBGProvider(pointSet, digest, nonce, personalizationString, securityStrength), predictionResistant); - } - - - private static class HashDRBGProvider - implements DRBGProvider - { - private final Digest digest; - private final byte[] nonce; - private final byte[] personalizationString; - private final int securityStrength; - - public HashDRBGProvider(Digest digest, byte[] nonce, byte[] personalizationString, int securityStrength) - { - this.digest = digest; - this.nonce = nonce; - this.personalizationString = personalizationString; - this.securityStrength = securityStrength; - } - - public SP80090DRBG get(EntropySource entropySource) - { - return new HashSP800DRBG(digest, securityStrength, entropySource, personalizationString, nonce); - } - } - - private static class DualECDRBGProvider - implements DRBGProvider - { - private final Digest digest; - private final byte[] nonce; - private final byte[] personalizationString; - private final int securityStrength; - - public DualECDRBGProvider(Digest digest, byte[] nonce, byte[] personalizationString, int securityStrength) - { - this.digest = digest; - this.nonce = nonce; - this.personalizationString = personalizationString; - this.securityStrength = securityStrength; - } - - public SP80090DRBG get(EntropySource entropySource) - { - return new DualECSP800DRBG(digest, securityStrength, entropySource, personalizationString, nonce); - } - } - - private static class ConfigurableDualECDRBGProvider - implements DRBGProvider - { - private final DualECPoints[] pointSet; - private final Digest digest; - private final byte[] nonce; - private final byte[] personalizationString; - private final int securityStrength; - - public ConfigurableDualECDRBGProvider(DualECPoints[] pointSet, Digest digest, byte[] nonce, byte[] personalizationString, int securityStrength) - { - this.pointSet = new DualECPoints[pointSet.length]; - System.arraycopy(pointSet, 0, this.pointSet, 0, pointSet.length); - this.digest = digest; - this.nonce = nonce; - this.personalizationString = personalizationString; - this.securityStrength = securityStrength; - } - - public SP80090DRBG get(EntropySource entropySource) - { - return new DualECSP800DRBG(pointSet, digest, securityStrength, entropySource, personalizationString, nonce); - } - } - - private static class HMacDRBGProvider - implements DRBGProvider - { - private final Mac hMac; - private final byte[] nonce; - private final byte[] personalizationString; - private final int securityStrength; - - public HMacDRBGProvider(Mac hMac, byte[] nonce, byte[] personalizationString, int securityStrength) - { - this.hMac = hMac; - this.nonce = nonce; - this.personalizationString = personalizationString; - this.securityStrength = securityStrength; - } - - public SP80090DRBG get(EntropySource entropySource) - { - return new HMacSP800DRBG(hMac, securityStrength, entropySource, personalizationString, nonce); - } - } - - private static class CTRDRBGProvider - implements DRBGProvider - { - - private final BlockCipher blockCipher; - private final int keySizeInBits; - private final byte[] nonce; - private final byte[] personalizationString; - private final int securityStrength; - - public CTRDRBGProvider(BlockCipher blockCipher, int keySizeInBits, byte[] nonce, byte[] personalizationString, int securityStrength) - { - this.blockCipher = blockCipher; - this.keySizeInBits = keySizeInBits; - this.nonce = nonce; - this.personalizationString = personalizationString; - this.securityStrength = securityStrength; - } - - public SP80090DRBG get(EntropySource entropySource) - { - return new CTRSP800DRBG(blockCipher, keySizeInBits, securityStrength, entropySource, personalizationString, nonce); - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/prng/ThreadedSeedGenerator.java b/core/src/main/java/org/bouncycastle/crypto/prng/ThreadedSeedGenerator.java deleted file mode 100644 index 6b2d5ec2..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/prng/ThreadedSeedGenerator.java +++ /dev/null @@ -1,95 +0,0 @@ -package org.bouncycastle.crypto.prng; - -/** - * A thread based seed generator - one source of randomness. - * <p> - * Based on an idea from Marcus Lippert. - * </p> - */ -public class ThreadedSeedGenerator -{ - private class SeedGenerator - implements Runnable - { - private volatile int counter = 0; - private volatile boolean stop = false; - - public void run() - { - while (!this.stop) - { - this.counter++; - } - - } - - public byte[] generateSeed( - int numbytes, - boolean fast) - { - Thread t = new Thread(this); - byte[] result = new byte[numbytes]; - this.counter = 0; - this.stop = false; - int last = 0; - int end; - - t.start(); - if(fast) - { - end = numbytes; - } - else - { - end = numbytes * 8; - } - for (int i = 0; i < end; i++) - { - while (this.counter == last) - { - try - { - Thread.sleep(1); - } - catch (InterruptedException e) - { - // ignore - } - } - last = this.counter; - if (fast) - { - result[i] = (byte) (last & 0xff); - } - else - { - int bytepos = i/8; - result[bytepos] = (byte) ((result[bytepos] << 1) | (last & 1)); - } - - } - stop = true; - return result; - } - } - - /** - * Generate seed bytes. Set fast to false for best quality. - * <p> - * If fast is set to true, the code should be round about 8 times faster when - * generating a long sequence of random bytes. 20 bytes of random values using - * the fast mode take less than half a second on a Nokia e70. If fast is set to false, - * it takes round about 2500 ms. - * </p> - * @param numBytes the number of bytes to generate - * @param fast true if fast mode should be used - */ - public byte[] generateSeed( - int numBytes, - boolean fast) - { - SeedGenerator gen = new SeedGenerator(); - - return gen.generateSeed(numBytes, fast); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/prng/VMPCRandomGenerator.java b/core/src/main/java/org/bouncycastle/crypto/prng/VMPCRandomGenerator.java deleted file mode 100644 index c7e420db..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/prng/VMPCRandomGenerator.java +++ /dev/null @@ -1,127 +0,0 @@ -package org.bouncycastle.crypto.prng; - -import org.bouncycastle.util.Pack; - -public class VMPCRandomGenerator implements RandomGenerator -{ - private byte n = 0; - - /** - * Permutation generated by code: <code> - * // First 1850 fractional digit of Pi number. - * byte[] key = new BigInteger("14159265358979323846...5068006422512520511").toByteArray(); - * s = 0; - * P = new byte[256]; - * for (int i = 0; i < 256; i++) { - * P[i] = (byte) i; - * } - * for (int m = 0; m < 768; m++) { - * s = P[(s + P[m & 0xff] + key[m % key.length]) & 0xff]; - * byte temp = P[m & 0xff]; - * P[m & 0xff] = P[s & 0xff]; - * P[s & 0xff] = temp; - * } </code> - */ - private byte[] P = - { - (byte) 0xbb, (byte) 0x2c, (byte) 0x62, (byte) 0x7f, - (byte) 0xb5, (byte) 0xaa, (byte) 0xd4, (byte) 0x0d, (byte) 0x81, - (byte) 0xfe, (byte) 0xb2, (byte) 0x82, (byte) 0xcb, (byte) 0xa0, - (byte) 0xa1, (byte) 0x08, (byte) 0x18, (byte) 0x71, (byte) 0x56, - (byte) 0xe8, (byte) 0x49, (byte) 0x02, (byte) 0x10, (byte) 0xc4, - (byte) 0xde, (byte) 0x35, (byte) 0xa5, (byte) 0xec, (byte) 0x80, - (byte) 0x12, (byte) 0xb8, (byte) 0x69, (byte) 0xda, (byte) 0x2f, - (byte) 0x75, (byte) 0xcc, (byte) 0xa2, (byte) 0x09, (byte) 0x36, - (byte) 0x03, (byte) 0x61, (byte) 0x2d, (byte) 0xfd, (byte) 0xe0, - (byte) 0xdd, (byte) 0x05, (byte) 0x43, (byte) 0x90, (byte) 0xad, - (byte) 0xc8, (byte) 0xe1, (byte) 0xaf, (byte) 0x57, (byte) 0x9b, - (byte) 0x4c, (byte) 0xd8, (byte) 0x51, (byte) 0xae, (byte) 0x50, - (byte) 0x85, (byte) 0x3c, (byte) 0x0a, (byte) 0xe4, (byte) 0xf3, - (byte) 0x9c, (byte) 0x26, (byte) 0x23, (byte) 0x53, (byte) 0xc9, - (byte) 0x83, (byte) 0x97, (byte) 0x46, (byte) 0xb1, (byte) 0x99, - (byte) 0x64, (byte) 0x31, (byte) 0x77, (byte) 0xd5, (byte) 0x1d, - (byte) 0xd6, (byte) 0x78, (byte) 0xbd, (byte) 0x5e, (byte) 0xb0, - (byte) 0x8a, (byte) 0x22, (byte) 0x38, (byte) 0xf8, (byte) 0x68, - (byte) 0x2b, (byte) 0x2a, (byte) 0xc5, (byte) 0xd3, (byte) 0xf7, - (byte) 0xbc, (byte) 0x6f, (byte) 0xdf, (byte) 0x04, (byte) 0xe5, - (byte) 0x95, (byte) 0x3e, (byte) 0x25, (byte) 0x86, (byte) 0xa6, - (byte) 0x0b, (byte) 0x8f, (byte) 0xf1, (byte) 0x24, (byte) 0x0e, - (byte) 0xd7, (byte) 0x40, (byte) 0xb3, (byte) 0xcf, (byte) 0x7e, - (byte) 0x06, (byte) 0x15, (byte) 0x9a, (byte) 0x4d, (byte) 0x1c, - (byte) 0xa3, (byte) 0xdb, (byte) 0x32, (byte) 0x92, (byte) 0x58, - (byte) 0x11, (byte) 0x27, (byte) 0xf4, (byte) 0x59, (byte) 0xd0, - (byte) 0x4e, (byte) 0x6a, (byte) 0x17, (byte) 0x5b, (byte) 0xac, - (byte) 0xff, (byte) 0x07, (byte) 0xc0, (byte) 0x65, (byte) 0x79, - (byte) 0xfc, (byte) 0xc7, (byte) 0xcd, (byte) 0x76, (byte) 0x42, - (byte) 0x5d, (byte) 0xe7, (byte) 0x3a, (byte) 0x34, (byte) 0x7a, - (byte) 0x30, (byte) 0x28, (byte) 0x0f, (byte) 0x73, (byte) 0x01, - (byte) 0xf9, (byte) 0xd1, (byte) 0xd2, (byte) 0x19, (byte) 0xe9, - (byte) 0x91, (byte) 0xb9, (byte) 0x5a, (byte) 0xed, (byte) 0x41, - (byte) 0x6d, (byte) 0xb4, (byte) 0xc3, (byte) 0x9e, (byte) 0xbf, - (byte) 0x63, (byte) 0xfa, (byte) 0x1f, (byte) 0x33, (byte) 0x60, - (byte) 0x47, (byte) 0x89, (byte) 0xf0, (byte) 0x96, (byte) 0x1a, - (byte) 0x5f, (byte) 0x93, (byte) 0x3d, (byte) 0x37, (byte) 0x4b, - (byte) 0xd9, (byte) 0xa8, (byte) 0xc1, (byte) 0x1b, (byte) 0xf6, - (byte) 0x39, (byte) 0x8b, (byte) 0xb7, (byte) 0x0c, (byte) 0x20, - (byte) 0xce, (byte) 0x88, (byte) 0x6e, (byte) 0xb6, (byte) 0x74, - (byte) 0x8e, (byte) 0x8d, (byte) 0x16, (byte) 0x29, (byte) 0xf2, - (byte) 0x87, (byte) 0xf5, (byte) 0xeb, (byte) 0x70, (byte) 0xe3, - (byte) 0xfb, (byte) 0x55, (byte) 0x9f, (byte) 0xc6, (byte) 0x44, - (byte) 0x4a, (byte) 0x45, (byte) 0x7d, (byte) 0xe2, (byte) 0x6b, - (byte) 0x5c, (byte) 0x6c, (byte) 0x66, (byte) 0xa9, (byte) 0x8c, - (byte) 0xee, (byte) 0x84, (byte) 0x13, (byte) 0xa7, (byte) 0x1e, - (byte) 0x9d, (byte) 0xdc, (byte) 0x67, (byte) 0x48, (byte) 0xba, - (byte) 0x2e, (byte) 0xe6, (byte) 0xa4, (byte) 0xab, (byte) 0x7c, - (byte) 0x94, (byte) 0x00, (byte) 0x21, (byte) 0xef, (byte) 0xea, - (byte) 0xbe, (byte) 0xca, (byte) 0x72, (byte) 0x4f, (byte) 0x52, - (byte) 0x98, (byte) 0x3f, (byte) 0xc2, (byte) 0x14, (byte) 0x7b, - (byte) 0x3b, (byte) 0x54 }; - - /** - * Value generated in the same way as {@link VMPCRandomGenerator#P}; - */ - private byte s = (byte) 0xbe; - - public VMPCRandomGenerator() - { - } - - public void addSeedMaterial(byte[] seed) - { - for (int m = 0; m < seed.length; m++) - { - s = P[(s + P[n & 0xff] + seed[m]) & 0xff]; - byte temp = P[n & 0xff]; - P[n & 0xff] = P[s & 0xff]; - P[s & 0xff] = temp; - n = (byte) ((n + 1) & 0xff); - } - } - - public void addSeedMaterial(long seed) - { - addSeedMaterial(Pack.longToBigEndian(seed)); - } - - public void nextBytes(byte[] bytes) - { - nextBytes(bytes, 0, bytes.length); - } - - public void nextBytes(byte[] bytes, int start, int len) - { - synchronized (P) - { - int end = start + len; - for (int i = start; i != end; i++) - { - s = P[(s + P[n & 0xff]) & 0xff]; - bytes[i] = P[(P[(P[s & 0xff]) & 0xff] + 1) & 0xff]; - byte temp = P[n & 0xff]; - P[n & 0xff] = P[s & 0xff]; - P[s & 0xff] = temp; - n = (byte) ((n + 1) & 0xff); - } - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/prng/drbg/CTRSP800DRBG.java b/core/src/main/java/org/bouncycastle/crypto/prng/drbg/CTRSP800DRBG.java deleted file mode 100644 index 5ab8f469..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/prng/drbg/CTRSP800DRBG.java +++ /dev/null @@ -1,478 +0,0 @@ -package org.bouncycastle.crypto.prng.drbg; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.prng.EntropySource; -import org.bouncycastle.util.Arrays; -import org.bouncycastle.util.encoders.Hex; - -/** - * A SP800-90A CTR DRBG. - */ -public class CTRSP800DRBG - implements SP80090DRBG -{ - private static final long TDEA_RESEED_MAX = 1L << (32 - 1); - private static final long AES_RESEED_MAX = 1L << (48 - 1); - private static final int TDEA_MAX_BITS_REQUEST = 1 << (13 - 1); - private static final int AES_MAX_BITS_REQUEST = 1 << (19 - 1); - - private EntropySource _entropySource; - private BlockCipher _engine; - private int _keySizeInBits; - private int _seedLength; - - // internal state - private byte[] _Key; - private byte[] _V; - private long _reseedCounter = 0; - private boolean _isTDEA = false; - - /** - * Construct a SP800-90A CTR DRBG. - * <p> - * Minimum entropy requirement is the security strength requested. - * </p> - * @param engine underlying block cipher to use to support DRBG - * @param keySizeInBits size of the key to use with the block cipher. - * @param securityStrength security strength required (in bits) - * @param entropySource source of entropy to use for seeding/reseeding. - * @param personalizationString personalization string to distinguish this DRBG (may be null). - * @param nonce nonce to further distinguish this DRBG (may be null). - */ - public CTRSP800DRBG(BlockCipher engine, int keySizeInBits, int securityStrength, EntropySource entropySource, byte[] personalizationString, byte[] nonce) - { - _entropySource = entropySource; - _engine = engine; - - _keySizeInBits = keySizeInBits; - _seedLength = keySizeInBits + engine.getBlockSize() * 8; - _isTDEA = isTDEA(engine); - - if (securityStrength > 256) - { - throw new IllegalArgumentException("Requested security strength is not supported by the derivation function"); - } - - if (getMaxSecurityStrength(engine, keySizeInBits) < securityStrength) - { - throw new IllegalArgumentException("Requested security strength is not supported by block cipher and key size"); - } - - if (entropySource.entropySize() < securityStrength) - { - throw new IllegalArgumentException("Not enough entropy for security strength required"); - } - - byte[] entropy = entropySource.getEntropy(); // Get_entropy_input - - CTR_DRBG_Instantiate_algorithm(entropy, nonce, personalizationString); - } - - private void CTR_DRBG_Instantiate_algorithm(byte[] entropy, byte[] nonce, - byte[] personalisationString) - { - byte[] seedMaterial = Arrays.concatenate(entropy, nonce, personalisationString); - byte[] seed = Block_Cipher_df(seedMaterial, _seedLength); - - int outlen = _engine.getBlockSize(); - - _Key = new byte[(_keySizeInBits + 7) / 8]; - _V = new byte[outlen]; - - // _Key & _V are modified by this call - CTR_DRBG_Update(seed, _Key, _V); - - _reseedCounter = 1; - } - - private void CTR_DRBG_Update(byte[] seed, byte[] key, byte[] v) - { - byte[] temp = new byte[seed.length]; - byte[] outputBlock = new byte[_engine.getBlockSize()]; - - int i=0; - int outLen = _engine.getBlockSize(); - - _engine.init(true, new KeyParameter(expandKey(key))); - while (i*outLen < seed.length) - { - addOneTo(v); - _engine.processBlock(v, 0, outputBlock, 0); - - int bytesToCopy = ((temp.length - i * outLen) > outLen) - ? outLen : (temp.length - i * outLen); - - System.arraycopy(outputBlock, 0, temp, i * outLen, bytesToCopy); - ++i; - } - - XOR(temp, seed, temp, 0); - - System.arraycopy(temp, 0, key, 0, key.length); - System.arraycopy(temp, key.length, v, 0, v.length); - } - - private void CTR_DRBG_Reseed_algorithm(EntropySource entropy, byte[] additionalInput) - { - byte[] seedMaterial = Arrays.concatenate(entropy.getEntropy(), additionalInput); - - seedMaterial = Block_Cipher_df(seedMaterial, _seedLength); - - CTR_DRBG_Update(seedMaterial, _Key, _V); - - _reseedCounter = 1; - } - - private void XOR(byte[] out, byte[] a, byte[] b, int bOff) - { - for (int i=0; i< out.length; i++) - { - out[i] = (byte)(a[i] ^ b[i+bOff]); - } - } - - private void addOneTo(byte[] longer) - { - int carry = 1; - for (int i = 1; i <= longer.length; i++) // warning - { - int res = (longer[longer.length - i] & 0xff) + carry; - carry = (res > 0xff) ? 1 : 0; - longer[longer.length - i] = (byte)res; - } - } - - // -- Internal state migration --- - - private static final byte[] K_BITS = Hex.decode("000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F"); - - // 1. If (number_of_bits_to_return > max_number_of_bits), then return an - // ERROR_FLAG. - // 2. L = len (input_string)/8. - // 3. N = number_of_bits_to_return/8. - // Comment: L is the bitstring represention of - // the integer resulting from len (input_string)/8. - // L shall be represented as a 32-bit integer. - // - // Comment : N is the bitstring represention of - // the integer resulting from - // number_of_bits_to_return/8. N shall be - // represented as a 32-bit integer. - // - // 4. S = L || N || input_string || 0x80. - // 5. While (len (S) mod outlen) - // Comment : Pad S with zeros, if necessary. - // 0, S = S || 0x00. - // - // Comment : Compute the starting value. - // 6. temp = the Null string. - // 7. i = 0. - // 8. K = Leftmost keylen bits of 0x00010203...1D1E1F. - // 9. While len (temp) < keylen + outlen, do - // - // IV = i || 0outlen - len (i). - // - // 9.1 - // - // temp = temp || BCC (K, (IV || S)). - // - // 9.2 - // - // i = i + 1. - // - // 9.3 - // - // Comment : i shall be represented as a 32-bit - // integer, i.e., len (i) = 32. - // - // Comment: The 32-bit integer represenation of - // i is padded with zeros to outlen bits. - // - // Comment: Compute the requested number of - // bits. - // - // 10. K = Leftmost keylen bits of temp. - // - // 11. X = Next outlen bits of temp. - // - // 12. temp = the Null string. - // - // 13. While len (temp) < number_of_bits_to_return, do - // - // 13.1 X = Block_Encrypt (K, X). - // - // 13.2 temp = temp || X. - // - // 14. requested_bits = Leftmost number_of_bits_to_return of temp. - // - // 15. Return SUCCESS and requested_bits. - private byte[] Block_Cipher_df(byte[] inputString, int bitLength) - { - int outLen = _engine.getBlockSize(); - int L = inputString.length; // already in bytes - int N = bitLength / 8; - // 4 S = L || N || inputstring || 0x80 - int sLen = 4 + 4 + L + 1; - int blockLen = ((sLen + outLen - 1) / outLen) * outLen; - byte[] S = new byte[blockLen]; - copyIntToByteArray(S, L, 0); - copyIntToByteArray(S, N, 4); - System.arraycopy(inputString, 0, S, 8, L); - S[8 + L] = (byte)0x80; - // S already padded with zeros - - byte[] temp = new byte[_keySizeInBits / 8 + outLen]; - byte[] bccOut = new byte[outLen]; - - byte[] IV = new byte[outLen]; - - int i = 0; - byte[] K = new byte[_keySizeInBits / 8]; - System.arraycopy(K_BITS, 0, K, 0, K.length); - - while (i*outLen*8 < _keySizeInBits + outLen *8) - { - copyIntToByteArray(IV, i, 0); - BCC(bccOut, K, IV, S); - - int bytesToCopy = ((temp.length - i * outLen) > outLen) - ? outLen - : (temp.length - i * outLen); - - System.arraycopy(bccOut, 0, temp, i * outLen, bytesToCopy); - ++i; - } - - byte[] X = new byte[outLen]; - System.arraycopy(temp, 0, K, 0, K.length); - System.arraycopy(temp, K.length, X, 0, X.length); - - temp = new byte[bitLength / 2]; - - i = 0; - _engine.init(true, new KeyParameter(expandKey(K))); - - while (i * outLen < temp.length) - { - _engine.processBlock(X, 0, X, 0); - - int bytesToCopy = ((temp.length - i * outLen) > outLen) - ? outLen - : (temp.length - i * outLen); - - System.arraycopy(X, 0, temp, i * outLen, bytesToCopy); - i++; - } - - return temp; - } - - /* - * 1. chaining_value = 0^outlen - * . Comment: Set the first chaining value to outlen zeros. - * 2. n = len (data)/outlen. - * 3. Starting with the leftmost bits of data, split the data into n blocks of outlen bits - * each, forming block(1) to block(n). - * 4. For i = 1 to n do - * 4.1 input_block = chaining_value ^ block(i) . - * 4.2 chaining_value = Block_Encrypt (Key, input_block). - * 5. output_block = chaining_value. - * 6. Return output_block. - */ - private void BCC(byte[] bccOut, byte[] k, byte[] iV, byte[] data) - { - int outlen = _engine.getBlockSize(); - byte[] chainingValue = new byte[outlen]; // initial values = 0 - int n = data.length / outlen; - - byte[] inputBlock = new byte[outlen]; - - _engine.init(true, new KeyParameter(expandKey(k))); - - _engine.processBlock(iV, 0, chainingValue, 0); - - for (int i = 0; i < n; i++) - { - XOR(inputBlock, chainingValue, data, i*outlen); - _engine.processBlock(inputBlock, 0, chainingValue, 0); - } - - System.arraycopy(chainingValue, 0, bccOut, 0, bccOut.length); - } - - private void copyIntToByteArray(byte[] buf, int value, int offSet) - { - buf[offSet + 0] = ((byte)(value >> 24)); - buf[offSet + 1] = ((byte)(value >> 16)); - buf[offSet + 2] = ((byte)(value >> 8)); - buf[offSet + 3] = ((byte)(value)); - } - - /** - * Return the block size (in bits) of the DRBG. - * - * @return the number of bits produced on each internal round of the DRBG. - */ - public int getBlockSize() - { - return _V.length * 8; - } - - /** - * Populate a passed in array with random data. - * - * @param output output array for generated bits. - * @param additionalInput additional input to be added to the DRBG in this step. - * @param predictionResistant true if a reseed should be forced, false otherwise. - * - * @return number of bits generated, -1 if a reseed required. - */ - public int generate(byte[] output, byte[] additionalInput, boolean predictionResistant) - { - if (_isTDEA) - { - if (_reseedCounter > TDEA_RESEED_MAX) - { - return -1; - } - - if (Utils.isTooLarge(output, TDEA_MAX_BITS_REQUEST / 8)) - { - throw new IllegalArgumentException("Number of bits per request limited to " + TDEA_MAX_BITS_REQUEST); - } - } - else - { - if (_reseedCounter > AES_RESEED_MAX) - { - return -1; - } - - if (Utils.isTooLarge(output, AES_MAX_BITS_REQUEST / 8)) - { - throw new IllegalArgumentException("Number of bits per request limited to " + AES_MAX_BITS_REQUEST); - } - } - - if (predictionResistant) - { - CTR_DRBG_Reseed_algorithm(_entropySource, additionalInput); - additionalInput = null; - } - - if (additionalInput != null) - { - additionalInput = Block_Cipher_df(additionalInput, _seedLength); - CTR_DRBG_Update(additionalInput, _Key, _V); - } - else - { - additionalInput = new byte[_seedLength]; - } - - byte[] out = new byte[_V.length]; - - _engine.init(true, new KeyParameter(expandKey(_Key))); - - for (int i = 0; i < output.length / out.length; i++) - { - addOneTo(_V); - - _engine.processBlock(_V, 0, out, 0); - - int bytesToCopy = ((output.length - i * out.length) > out.length) - ? out.length - : (output.length - i * _V.length); - - System.arraycopy(out, 0, output, i * out.length, bytesToCopy); - } - - CTR_DRBG_Update(additionalInput, _Key, _V); - - _reseedCounter++; - - return output.length * 8; - } - - /** - * Reseed the DRBG. - * - * @param additionalInput additional input to be added to the DRBG in this step. - */ - public void reseed(byte[] additionalInput) - { - CTR_DRBG_Reseed_algorithm(_entropySource, additionalInput); - } - - private boolean isTDEA(BlockCipher cipher) - { - return cipher.getAlgorithmName().equals("DESede") || cipher.getAlgorithmName().equals("TDEA"); - } - - private int getMaxSecurityStrength(BlockCipher cipher, int keySizeInBits) - { - if (isTDEA(cipher) && keySizeInBits == 168) - { - return 112; - } - if (cipher.getAlgorithmName().equals("AES")) - { - return keySizeInBits; - } - - return -1; - } - - byte[] expandKey(byte[] key) - { - if (_isTDEA) - { - // expand key to 192 bits. - byte[] tmp = new byte[24]; - - padKey(key, 0, tmp, 0); - padKey(key, 7, tmp, 8); - padKey(key, 14, tmp, 16); - - return tmp; - } - else - { - return key; - } - } - - /** - * Pad out a key for TDEA, setting odd parity for each byte. - * - * @param keyMaster - * @param keyOff - * @param tmp - * @param tmpOff - */ - private void padKey(byte[] keyMaster, int keyOff, byte[] tmp, int tmpOff) - { - tmp[tmpOff + 0] = (byte)(keyMaster[keyOff + 0] & 0xfe); - tmp[tmpOff + 1] = (byte)((keyMaster[keyOff + 0] << 7) | ((keyMaster[keyOff + 1] & 0xfc) >>> 1)); - tmp[tmpOff + 2] = (byte)((keyMaster[keyOff + 1] << 6) | ((keyMaster[keyOff + 2] & 0xf8) >>> 2)); - tmp[tmpOff + 3] = (byte)((keyMaster[keyOff + 2] << 5) | ((keyMaster[keyOff + 3] & 0xf0) >>> 3)); - tmp[tmpOff + 4] = (byte)((keyMaster[keyOff + 3] << 4) | ((keyMaster[keyOff + 4] & 0xe0) >>> 4)); - tmp[tmpOff + 5] = (byte)((keyMaster[keyOff + 4] << 3) | ((keyMaster[keyOff + 5] & 0xc0) >>> 5)); - tmp[tmpOff + 6] = (byte)((keyMaster[keyOff + 5] << 2) | ((keyMaster[keyOff + 6] & 0x80) >>> 6)); - tmp[tmpOff + 7] = (byte)(keyMaster[keyOff + 6] << 1); - - for (int i = tmpOff; i <= tmpOff + 7; i++) - { - int b = tmp[i]; - tmp[i] = (byte)((b & 0xfe) | - ((((b >> 1) ^ - (b >> 2) ^ - (b >> 3) ^ - (b >> 4) ^ - (b >> 5) ^ - (b >> 6) ^ - (b >> 7)) ^ 0x01) & 0x01)); - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/prng/drbg/DualECPoints.java b/core/src/main/java/org/bouncycastle/crypto/prng/drbg/DualECPoints.java deleted file mode 100644 index 7dcfa94f..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/prng/drbg/DualECPoints.java +++ /dev/null @@ -1,82 +0,0 @@ -package org.bouncycastle.crypto.prng.drbg; - -import org.bouncycastle.math.ec.ECPoint; - -/** - * General class for providing point pairs for use with DualEC DRBG. See NIST SP 800-90A for further details. - */ -public class DualECPoints -{ - private final ECPoint p; - private final ECPoint q; - private final int securityStrength; - private final int cofactor; - - /** - * Base Constructor. - * <p> - * The cofactor is used to calculate the output block length (maxOutlen) according to - * <pre> - * max_outlen = largest multiple of 8 less than ((field size in bits) - (13 + log2(cofactor)) - * </pre> - * - * @param securityStrength maximum security strength to be associated with these parameters - * @param p the P point. - * @param q the Q point. - * @param cofactor cofactor associated with the domain parameters for the point generation. - */ - public DualECPoints(int securityStrength, ECPoint p, ECPoint q, int cofactor) - { - if (!p.getCurve().equals(q.getCurve())) - { - throw new IllegalArgumentException("points need to be on the same curve"); - } - - this.securityStrength = securityStrength; - this.p = p; - this.q = q; - this.cofactor = cofactor; - } - - public int getSeedLen() - { - return p.getCurve().getFieldSize(); - } - - public int getMaxOutlen() - { - return ((p.getCurve().getFieldSize() - (13 + log2(cofactor))) / 8) * 8; - } - - public ECPoint getP() - { - return p; - } - - public ECPoint getQ() - { - return q; - } - - public int getSecurityStrength() - { - return securityStrength; - } - - public int getCofactor() - { - return cofactor; - } - - private static int log2(int value) - { - int log = 0; - - while ((value >>= 1) != 0) - { - log++; - } - - return log; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/prng/drbg/DualECSP800DRBG.java b/core/src/main/java/org/bouncycastle/crypto/prng/drbg/DualECSP800DRBG.java deleted file mode 100644 index 4e1b881d..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/prng/drbg/DualECSP800DRBG.java +++ /dev/null @@ -1,320 +0,0 @@ -package org.bouncycastle.crypto.prng.drbg; - -import java.math.BigInteger; - -import org.bouncycastle.asn1.nist.NISTNamedCurves; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.prng.EntropySource; -import org.bouncycastle.math.ec.ECCurve; -import org.bouncycastle.math.ec.ECMultiplier; -import org.bouncycastle.math.ec.ECPoint; -import org.bouncycastle.math.ec.FixedPointCombMultiplier; -import org.bouncycastle.util.Arrays; -import org.bouncycastle.util.BigIntegers; - -/** - * A SP800-90A Dual EC DRBG. - */ -public class DualECSP800DRBG - implements SP80090DRBG -{ - /* - * Default P, Q values for each curve - */ - private static final BigInteger p256_Px = new BigInteger("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", 16); - private static final BigInteger p256_Py = new BigInteger("4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", 16); - private static final BigInteger p256_Qx = new BigInteger("c97445f45cdef9f0d3e05e1e585fc297235b82b5be8ff3efca67c59852018192", 16); - private static final BigInteger p256_Qy = new BigInteger("b28ef557ba31dfcbdd21ac46e2a91e3c304f44cb87058ada2cb815151e610046", 16); - - private static final BigInteger p384_Px = new BigInteger("aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7", 16); - private static final BigInteger p384_Py = new BigInteger("3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f", 16); - private static final BigInteger p384_Qx = new BigInteger("8e722de3125bddb05580164bfe20b8b432216a62926c57502ceede31c47816edd1e89769124179d0b695106428815065", 16); - private static final BigInteger p384_Qy = new BigInteger("023b1660dd701d0839fd45eec36f9ee7b32e13b315dc02610aa1b636e346df671f790f84c5e09b05674dbb7e45c803dd", 16); - - private static final BigInteger p521_Px = new BigInteger("c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", 16); - private static final BigInteger p521_Py = new BigInteger("11839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650", 16); - private static final BigInteger p521_Qx = new BigInteger("1b9fa3e518d683c6b65763694ac8efbaec6fab44f2276171a42726507dd08add4c3b3f4c1ebc5b1222ddba077f722943b24c3edfa0f85fe24d0c8c01591f0be6f63", 16); - private static final BigInteger p521_Qy = new BigInteger("1f3bdba585295d9a1110d1df1f9430ef8442c5018976ff3437ef91b81dc0b8132c8d5c39c32d0e004a3092b7d327c0e7a4d26d2c7b69b58f9066652911e457779de", 16); - - private static final DualECPoints[] nistPoints; - - static - { - nistPoints = new DualECPoints[3]; - - ECCurve.Fp curve = (ECCurve.Fp)NISTNamedCurves.getByName("P-256").getCurve(); - - nistPoints[0] = new DualECPoints(128, curve.createPoint(p256_Px, p256_Py), curve.createPoint(p256_Qx, p256_Qy), 1); - - curve = (ECCurve.Fp)NISTNamedCurves.getByName("P-384").getCurve(); - - nistPoints[1] = new DualECPoints(192, curve.createPoint(p384_Px, p384_Py), curve.createPoint(p384_Qx, p384_Qy), 1); - - curve = (ECCurve.Fp)NISTNamedCurves.getByName("P-521").getCurve(); - - nistPoints[2] = new DualECPoints(256, curve.createPoint(p521_Px, p521_Py), curve.createPoint(p521_Qx, p521_Qy), 1); - } - - - private static final long RESEED_MAX = 1L << (32 - 1); - private static final int MAX_ADDITIONAL_INPUT = 1 << (13 - 1); - private static final int MAX_ENTROPY_LENGTH = 1 << (13 - 1); - private static final int MAX_PERSONALIZATION_STRING = 1 << (13 -1); - - private Digest _digest; - private long _reseedCounter; - private EntropySource _entropySource; - private int _securityStrength; - private int _seedlen; - private int _outlen; - private ECCurve.Fp _curve; - private ECPoint _P; - private ECPoint _Q; - private byte[] _s; - private int _sLength; - private ECMultiplier _fixedPointMultiplier = new FixedPointCombMultiplier(); - - /** - * Construct a SP800-90A Dual EC DRBG. - * <p> - * Minimum entropy requirement is the security strength requested. - * </p> - * @param digest source digest to use with the DRB stream. - * @param securityStrength security strength required (in bits) - * @param entropySource source of entropy to use for seeding/reseeding. - * @param personalizationString personalization string to distinguish this DRBG (may be null). - * @param nonce nonce to further distinguish this DRBG (may be null). - */ - public DualECSP800DRBG(Digest digest, int securityStrength, EntropySource entropySource, byte[] personalizationString, byte[] nonce) - { - this(nistPoints, digest, securityStrength, entropySource, personalizationString, nonce); - } - - /** - * Construct a SP800-90A Dual EC DRBG. - * <p> - * Minimum entropy requirement is the security strength requested. - * </p> - * @param pointSet an array of points to choose from, in order of increasing security strength - * @param digest source digest to use with the DRB stream. - * @param securityStrength security strength required (in bits) - * @param entropySource source of entropy to use for seeding/reseeding. - * @param personalizationString personalization string to distinguish this DRBG (may be null). - * @param nonce nonce to further distinguish this DRBG (may be null). - */ - public DualECSP800DRBG(DualECPoints[] pointSet, Digest digest, int securityStrength, EntropySource entropySource, byte[] personalizationString, byte[] nonce) - { - _digest = digest; - _entropySource = entropySource; - _securityStrength = securityStrength; - - if (Utils.isTooLarge(personalizationString, MAX_PERSONALIZATION_STRING / 8)) - { - throw new IllegalArgumentException("Personalization string too large"); - } - - if (entropySource.entropySize() < securityStrength || entropySource.entropySize() > MAX_ENTROPY_LENGTH) - { - throw new IllegalArgumentException("EntropySource must provide between " + securityStrength + " and " + MAX_ENTROPY_LENGTH + " bits"); - } - - byte[] entropy = entropySource.getEntropy(); - byte[] seedMaterial = Arrays.concatenate(entropy, nonce, personalizationString); - - for (int i = 0; i != pointSet.length; i++) - { - if (securityStrength <= pointSet[i].getSecurityStrength()) - { - if (Utils.getMaxSecurityStrength(digest) < pointSet[i].getSecurityStrength()) - { - throw new IllegalArgumentException("Requested security strength is not supported by digest"); - } - _seedlen = pointSet[i].getSeedLen(); - _outlen = pointSet[i].getMaxOutlen() / 8; - _P = pointSet[i].getP(); - _Q = pointSet[i].getQ(); - break; - } - } - - if (_P == null) - { - throw new IllegalArgumentException("security strength cannot be greater than 256 bits"); - } - - _s = Utils.hash_df(_digest, seedMaterial, _seedlen); - _sLength = _s.length; - - _reseedCounter = 0; - } - - /** - * Return the block size (in bits) of the DRBG. - * - * @return the number of bits produced on each internal round of the DRBG. - */ - public int getBlockSize() - { - return _outlen * 8; - } - - /** - * Populate a passed in array with random data. - * - * @param output output array for generated bits. - * @param additionalInput additional input to be added to the DRBG in this step. - * @param predictionResistant true if a reseed should be forced, false otherwise. - * - * @return number of bits generated, -1 if a reseed required. - */ - public int generate(byte[] output, byte[] additionalInput, boolean predictionResistant) - { - int numberOfBits = output.length*8; - int m = output.length / _outlen; - - if (Utils.isTooLarge(additionalInput, MAX_ADDITIONAL_INPUT / 8)) - { - throw new IllegalArgumentException("Additional input too large"); - } - - if (_reseedCounter + m > RESEED_MAX) - { - return -1; - } - - if (predictionResistant) - { - reseed(additionalInput); - additionalInput = null; - } - - BigInteger s; - - if (additionalInput != null) - { - // Note: we ignore the use of pad8 on the additional input as we mandate byte arrays for it. - additionalInput = Utils.hash_df(_digest, additionalInput, _seedlen); - s = new BigInteger(1, xor(_s, additionalInput)); - } - else - { - s = new BigInteger(1, _s); - } - - // make sure we start with a clean output array. - Arrays.fill(output, (byte)0); - - int outOffset = 0; - - for (int i = 0; i < m; i++) - { - s = getScalarMultipleXCoord(_P, s); - - //System.err.println("S: " + new String(Hex.encode(_s))); - - byte[] r = getScalarMultipleXCoord(_Q, s).toByteArray(); - - if (r.length > _outlen) - { - System.arraycopy(r, r.length - _outlen, output, outOffset, _outlen); - } - else - { - System.arraycopy(r, 0, output, outOffset + (_outlen - r.length), r.length); - } - - //System.err.println("R: " + new String(Hex.encode(r))); - outOffset += _outlen; - - _reseedCounter++; - } - - if (outOffset < output.length) - { - s = getScalarMultipleXCoord(_P, s); - - byte[] r = getScalarMultipleXCoord(_Q, s).toByteArray(); - - int required = output.length - outOffset; - - if (r.length > _outlen) - { - System.arraycopy(r, r.length - _outlen, output, outOffset, required); - } - else - { - System.arraycopy(r, 0, output, outOffset + (_outlen - r.length), required); - } - - _reseedCounter++; - } - - // Need to preserve length of S as unsigned int. - _s = BigIntegers.asUnsignedByteArray(_sLength, getScalarMultipleXCoord(_P, s)); - - return numberOfBits; - } - - /** - * Reseed the DRBG. - * - * @param additionalInput additional input to be added to the DRBG in this step. - */ - public void reseed(byte[] additionalInput) - { - if (Utils.isTooLarge(additionalInput, MAX_ADDITIONAL_INPUT / 8)) - { - throw new IllegalArgumentException("Additional input string too large"); - } - - byte[] entropy = _entropySource.getEntropy(); - byte[] seedMaterial = Arrays.concatenate(pad8(_s, _seedlen), entropy, additionalInput); - - _s = Utils.hash_df(_digest, seedMaterial, _seedlen); - - _reseedCounter = 0; - } - - private byte[] xor(byte[] a, byte[] b) - { - if (b == null) - { - return a; - } - - byte[] rv = new byte[a.length]; - - for (int i = 0; i != rv.length; i++) - { - rv[i] = (byte)(a[i] ^ b[i]); - } - - return rv; - } - - // Note: works in place - private byte[] pad8(byte[] s, int seedlen) - { - if (seedlen % 8 == 0) - { - return s; - } - - int shift = 8 - (seedlen % 8); - int carry = 0; - - for (int i = s.length - 1; i >= 0; i--) - { - int b = s[i] & 0xff; - s[i] = (byte)((b << shift) | (carry >> (8 - shift))); - carry = b; - } - - return s; - } - - private BigInteger getScalarMultipleXCoord(ECPoint p, BigInteger s) - { - return _fixedPointMultiplier.multiply(p, s).normalize().getAffineXCoord().toBigInteger(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/prng/drbg/HMacSP800DRBG.java b/core/src/main/java/org/bouncycastle/crypto/prng/drbg/HMacSP800DRBG.java deleted file mode 100644 index f4ef2c45..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/prng/drbg/HMacSP800DRBG.java +++ /dev/null @@ -1,181 +0,0 @@ -package org.bouncycastle.crypto.prng.drbg; - -import org.bouncycastle.crypto.Mac; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.prng.EntropySource; -import org.bouncycastle.util.Arrays; - -/** - * A SP800-90A HMAC DRBG. - */ -public class HMacSP800DRBG - implements SP80090DRBG -{ - private final static long RESEED_MAX = 1L << (48 - 1); - private final static int MAX_BITS_REQUEST = 1 << (19 - 1); - - private byte[] _K; - private byte[] _V; - private long _reseedCounter; - private EntropySource _entropySource; - private Mac _hMac; - - /** - * Construct a SP800-90A Hash DRBG. - * <p> - * Minimum entropy requirement is the security strength requested. - * </p> - * @param hMac Hash MAC to base the DRBG on. - * @param securityStrength security strength required (in bits) - * @param entropySource source of entropy to use for seeding/reseeding. - * @param personalizationString personalization string to distinguish this DRBG (may be null). - * @param nonce nonce to further distinguish this DRBG (may be null). - */ - public HMacSP800DRBG(Mac hMac, int securityStrength, EntropySource entropySource, byte[] personalizationString, byte[] nonce) - { - if (securityStrength > Utils.getMaxSecurityStrength(hMac)) - { - throw new IllegalArgumentException("Requested security strength is not supported by the derivation function"); - } - - if (entropySource.entropySize() < securityStrength) - { - throw new IllegalArgumentException("Not enough entropy for security strength required"); - } - - _entropySource = entropySource; - _hMac = hMac; - - byte[] entropy = entropySource.getEntropy(); - byte[] seedMaterial = Arrays.concatenate(entropy, nonce, personalizationString); - - _K = new byte[hMac.getMacSize()]; - _V = new byte[_K.length]; - Arrays.fill(_V, (byte)1); - - hmac_DRBG_Update(seedMaterial); - - _reseedCounter = 1; - } - - private void hmac_DRBG_Update(byte[] seedMaterial) - { - hmac_DRBG_Update_Func(seedMaterial, (byte)0x00); - if (seedMaterial != null) - { - hmac_DRBG_Update_Func(seedMaterial, (byte)0x01); - } - } - - private void hmac_DRBG_Update_Func(byte[] seedMaterial, byte vValue) - { - _hMac.init(new KeyParameter(_K)); - - _hMac.update(_V, 0, _V.length); - _hMac.update(vValue); - - if (seedMaterial != null) - { - _hMac.update(seedMaterial, 0, seedMaterial.length); - } - - _hMac.doFinal(_K, 0); - - _hMac.init(new KeyParameter(_K)); - _hMac.update(_V, 0, _V.length); - - _hMac.doFinal(_V, 0); - } - - /** - * Return the block size (in bits) of the DRBG. - * - * @return the number of bits produced on each round of the DRBG. - */ - public int getBlockSize() - { - return _V.length * 8; - } - - /** - * Populate a passed in array with random data. - * - * @param output output array for generated bits. - * @param additionalInput additional input to be added to the DRBG in this step. - * @param predictionResistant true if a reseed should be forced, false otherwise. - * - * @return number of bits generated, -1 if a reseed required. - */ - public int generate(byte[] output, byte[] additionalInput, boolean predictionResistant) - { - int numberOfBits = output.length * 8; - - if (numberOfBits > MAX_BITS_REQUEST) - { - throw new IllegalArgumentException("Number of bits per request limited to " + MAX_BITS_REQUEST); - } - - if (_reseedCounter > RESEED_MAX) - { - return -1; - } - - if (predictionResistant) - { - reseed(additionalInput); - additionalInput = null; - } - - // 2. - if (additionalInput != null) - { - hmac_DRBG_Update(additionalInput); - } - - // 3. - byte[] rv = new byte[output.length]; - - int m = output.length / _V.length; - - _hMac.init(new KeyParameter(_K)); - - for (int i = 0; i < m; i++) - { - _hMac.update(_V, 0, _V.length); - _hMac.doFinal(_V, 0); - - System.arraycopy(_V, 0, rv, i * _V.length, _V.length); - } - - if (m * _V.length < rv.length) - { - _hMac.update(_V, 0, _V.length); - _hMac.doFinal(_V, 0); - - System.arraycopy(_V, 0, rv, m * _V.length, rv.length - (m * _V.length)); - } - - hmac_DRBG_Update(additionalInput); - - _reseedCounter++; - - System.arraycopy(rv, 0, output, 0, output.length); - - return numberOfBits; - } - - /** - * Reseed the DRBG. - * - * @param additionalInput additional input to be added to the DRBG in this step. - */ - public void reseed(byte[] additionalInput) - { - byte[] entropy = _entropySource.getEntropy(); - byte[] seedMaterial = Arrays.concatenate(entropy, additionalInput); - - hmac_DRBG_Update(seedMaterial); - - _reseedCounter = 1; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/prng/drbg/HashSP800DRBG.java b/core/src/main/java/org/bouncycastle/crypto/prng/drbg/HashSP800DRBG.java deleted file mode 100644 index d6ab4f53..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/prng/drbg/HashSP800DRBG.java +++ /dev/null @@ -1,284 +0,0 @@ -package org.bouncycastle.crypto.prng.drbg; - -import java.util.Hashtable; - -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.prng.EntropySource; -import org.bouncycastle.util.Arrays; -import org.bouncycastle.util.Integers; - -/** - * A SP800-90A Hash DRBG. - */ -public class HashSP800DRBG - implements SP80090DRBG -{ - private final static byte[] ONE = { 0x01 }; - - private final static long RESEED_MAX = 1L << (48 - 1); - private final static int MAX_BITS_REQUEST = 1 << (19 - 1); - - private final static Hashtable seedlens = new Hashtable(); - - static - { - seedlens.put("SHA-1", Integers.valueOf(440)); - seedlens.put("SHA-224", Integers.valueOf(440)); - seedlens.put("SHA-256", Integers.valueOf(440)); - seedlens.put("SHA-512/256", Integers.valueOf(440)); - seedlens.put("SHA-512/224", Integers.valueOf(440)); - seedlens.put("SHA-384", Integers.valueOf(888)); - seedlens.put("SHA-512", Integers.valueOf(888)); - } - - private Digest _digest; - private byte[] _V; - private byte[] _C; - private long _reseedCounter; - private EntropySource _entropySource; - private int _securityStrength; - private int _seedLength; - - /** - * Construct a SP800-90A Hash DRBG. - * <p> - * Minimum entropy requirement is the security strength requested. - * </p> - * @param digest source digest to use for DRB stream. - * @param securityStrength security strength required (in bits) - * @param entropySource source of entropy to use for seeding/reseeding. - * @param personalizationString personalization string to distinguish this DRBG (may be null). - * @param nonce nonce to further distinguish this DRBG (may be null). - */ - public HashSP800DRBG(Digest digest, int securityStrength, EntropySource entropySource, byte[] personalizationString, byte[] nonce) - { - if (securityStrength > Utils.getMaxSecurityStrength(digest)) - { - throw new IllegalArgumentException("Requested security strength is not supported by the derivation function"); - } - - if (entropySource.entropySize() < securityStrength) - { - throw new IllegalArgumentException("Not enough entropy for security strength required"); - } - - _digest = digest; - _entropySource = entropySource; - _securityStrength = securityStrength; - _seedLength = ((Integer)seedlens.get(digest.getAlgorithmName())).intValue(); - - // 1. seed_material = entropy_input || nonce || personalization_string. - // 2. seed = Hash_df (seed_material, seedlen). - // 3. V = seed. - // 4. C = Hash_df ((0x00 || V), seedlen). Comment: Preceed V with a byte - // of zeros. - // 5. reseed_counter = 1. - // 6. Return V, C, and reseed_counter as the initial_working_state - - byte[] entropy = entropySource.getEntropy(); - byte[] seedMaterial = Arrays.concatenate(entropy, nonce, personalizationString); - byte[] seed = Utils.hash_df(_digest, seedMaterial, _seedLength); - - _V = seed; - byte[] subV = new byte[_V.length + 1]; - System.arraycopy(_V, 0, subV, 1, _V.length); - _C = Utils.hash_df(_digest, subV, _seedLength); - - _reseedCounter = 1; - } - - /** - * Return the block size (in bits) of the DRBG. - * - * @return the number of bits produced on each internal round of the DRBG. - */ - public int getBlockSize() - { - return _digest.getDigestSize() * 8; - } - - /** - * Populate a passed in array with random data. - * - * @param output output array for generated bits. - * @param additionalInput additional input to be added to the DRBG in this step. - * @param predictionResistant true if a reseed should be forced, false otherwise. - * - * @return number of bits generated, -1 if a reseed required. - */ - public int generate(byte[] output, byte[] additionalInput, boolean predictionResistant) - { - // 1. If reseed_counter > reseed_interval, then return an indication that a - // reseed is required. - // 2. If (additional_input != Null), then do - // 2.1 w = Hash (0x02 || V || additional_input). - // 2.2 V = (V + w) mod 2^seedlen - // . - // 3. (returned_bits) = Hashgen (requested_number_of_bits, V). - // 4. H = Hash (0x03 || V). - // 5. V = (V + H + C + reseed_counter) mod 2^seedlen - // . - // 6. reseed_counter = reseed_counter + 1. - // 7. Return SUCCESS, returned_bits, and the new values of V, C, and - // reseed_counter for the new_working_state. - int numberOfBits = output.length*8; - - if (numberOfBits > MAX_BITS_REQUEST) - { - throw new IllegalArgumentException("Number of bits per request limited to " + MAX_BITS_REQUEST); - } - - if (_reseedCounter > RESEED_MAX) - { - return -1; - } - - if (predictionResistant) - { - reseed(additionalInput); - additionalInput = null; - } - - // 2. - if (additionalInput != null) - { - byte[] newInput = new byte[1 + _V.length + additionalInput.length]; - newInput[0] = 0x02; - System.arraycopy(_V, 0, newInput, 1, _V.length); - // TODO: inOff / inLength - System.arraycopy(additionalInput, 0, newInput, 1 + _V.length, additionalInput.length); - byte[] w = hash(newInput); - - addTo(_V, w); - } - - // 3. - byte[] rv = hashgen(_V, numberOfBits); - - // 4. - byte[] subH = new byte[_V.length + 1]; - System.arraycopy(_V, 0, subH, 1, _V.length); - subH[0] = 0x03; - - byte[] H = hash(subH); - - // 5. - addTo(_V, H); - addTo(_V, _C); - byte[] c = new byte[4]; - c[0] = (byte)(_reseedCounter >> 24); - c[1] = (byte)(_reseedCounter >> 16); - c[2] = (byte)(_reseedCounter >> 8); - c[3] = (byte)_reseedCounter; - - addTo(_V, c); - - _reseedCounter++; - - System.arraycopy(rv, 0, output, 0, output.length); - - return numberOfBits; - } - - // this will always add the shorter length byte array mathematically to the - // longer length byte array. - // be careful.... - private void addTo(byte[] longer, byte[] shorter) - { - int carry = 0; - for (int i=1;i <= shorter.length; i++) // warning - { - int res = (longer[longer.length-i] & 0xff) + (shorter[shorter.length-i] & 0xff) + carry; - carry = (res > 0xff) ? 1 : 0; - longer[longer.length-i] = (byte)res; - } - - for (int i=shorter.length+1;i <= longer.length; i++) // warning - { - int res = (longer[longer.length-i] & 0xff) + carry; - carry = (res > 0xff) ? 1 : 0; - longer[longer.length-i] = (byte)res; - } - } - - /** - * Reseed the DRBG. - * - * @param additionalInput additional input to be added to the DRBG in this step. - */ - public void reseed(byte[] additionalInput) - { - // 1. seed_material = 0x01 || V || entropy_input || additional_input. - // - // 2. seed = Hash_df (seed_material, seedlen). - // - // 3. V = seed. - // - // 4. C = Hash_df ((0x00 || V), seedlen). - // - // 5. reseed_counter = 1. - // - // 6. Return V, C, and reseed_counter for the new_working_state. - // - // Comment: Precede with a byte of all zeros. - byte[] entropy = _entropySource.getEntropy(); - byte[] seedMaterial = Arrays.concatenate(ONE, _V, entropy, additionalInput); - byte[] seed = Utils.hash_df(_digest, seedMaterial, _seedLength); - - _V = seed; - byte[] subV = new byte[_V.length + 1]; - subV[0] = 0x00; - System.arraycopy(_V, 0, subV, 1, _V.length); - _C = Utils.hash_df(_digest, subV, _seedLength); - - _reseedCounter = 1; - } - - private byte[] hash(byte[] input) - { - byte[] hash = new byte[_digest.getDigestSize()]; - doHash(input, hash); - return hash; - } - - private void doHash(byte[] input, byte[] output) - { - _digest.update(input, 0, input.length); - _digest.doFinal(output, 0); - } - - // 1. m = [requested_number_of_bits / outlen] - // 2. data = V. - // 3. W = the Null string. - // 4. For i = 1 to m - // 4.1 wi = Hash (data). - // 4.2 W = W || wi. - // 4.3 data = (data + 1) mod 2^seedlen - // . - // 5. returned_bits = Leftmost (requested_no_of_bits) bits of W. - private byte[] hashgen(byte[] input, int lengthInBits) - { - int digestSize = _digest.getDigestSize(); - int m = (lengthInBits / 8) / digestSize; - - byte[] data = new byte[input.length]; - System.arraycopy(input, 0, data, 0, input.length); - - byte[] W = new byte[lengthInBits / 8]; - - byte[] dig = new byte[_digest.getDigestSize()]; - for (int i = 0; i <= m; i++) - { - doHash(data, dig); - - int bytesToCopy = ((W.length - i * dig.length) > dig.length) - ? dig.length - : (W.length - i * dig.length); - System.arraycopy(dig, 0, W, i * dig.length, bytesToCopy); - - addTo(data, ONE); - } - - return W; - } -}
\ No newline at end of file diff --git a/core/src/main/java/org/bouncycastle/crypto/prng/drbg/SP80090DRBG.java b/core/src/main/java/org/bouncycastle/crypto/prng/drbg/SP80090DRBG.java deleted file mode 100644 index 7a919f31..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/prng/drbg/SP80090DRBG.java +++ /dev/null @@ -1,32 +0,0 @@ -package org.bouncycastle.crypto.prng.drbg; - -/** - * Interface to SP800-90A deterministic random bit generators. - */ -public interface SP80090DRBG -{ - /** - * Return the block size of the DRBG. - * - * @return the block size (in bits) produced by each round of the DRBG. - */ - int getBlockSize(); - - /** - * Populate a passed in array with random data. - * - * @param output output array for generated bits. - * @param additionalInput additional input to be added to the DRBG in this step. - * @param predictionResistant true if a reseed should be forced, false otherwise. - * - * @return number of bits generated, -1 if a reseed required. - */ - int generate(byte[] output, byte[] additionalInput, boolean predictionResistant); - - /** - * Reseed the DRBG. - * - * @param additionalInput additional input to be added to the DRBG in this step. - */ - void reseed(byte[] additionalInput); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/prng/drbg/Utils.java b/core/src/main/java/org/bouncycastle/crypto/prng/drbg/Utils.java deleted file mode 100644 index f7a41176..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/prng/drbg/Utils.java +++ /dev/null @@ -1,103 +0,0 @@ -package org.bouncycastle.crypto.prng.drbg; - -import java.util.Hashtable; - -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.Mac; -import org.bouncycastle.util.Integers; - -class Utils -{ - static final Hashtable maxSecurityStrengths = new Hashtable(); - - static - { - maxSecurityStrengths.put("SHA-1", Integers.valueOf(128)); - - maxSecurityStrengths.put("SHA-224", Integers.valueOf(192)); - maxSecurityStrengths.put("SHA-256", Integers.valueOf(256)); - maxSecurityStrengths.put("SHA-384", Integers.valueOf(256)); - maxSecurityStrengths.put("SHA-512", Integers.valueOf(256)); - - maxSecurityStrengths.put("SHA-512/224", Integers.valueOf(192)); - maxSecurityStrengths.put("SHA-512/256", Integers.valueOf(256)); - } - - static int getMaxSecurityStrength(Digest d) - { - return ((Integer)maxSecurityStrengths.get(d.getAlgorithmName())).intValue(); - } - - static int getMaxSecurityStrength(Mac m) - { - String name = m.getAlgorithmName(); - - return ((Integer)maxSecurityStrengths.get(name.substring(0, name.indexOf("/")))).intValue(); - } - - /** - * Used by both Dual EC and Hash. - */ - static byte[] hash_df(Digest digest, byte[] seedMaterial, int seedLength) - { - // 1. temp = the Null string. - // 2. . - // 3. counter = an 8-bit binary value representing the integer "1". - // 4. For i = 1 to len do - // Comment : In step 4.1, no_of_bits_to_return - // is used as a 32-bit string. - // 4.1 temp = temp || Hash (counter || no_of_bits_to_return || - // input_string). - // 4.2 counter = counter + 1. - // 5. requested_bits = Leftmost (no_of_bits_to_return) of temp. - // 6. Return SUCCESS and requested_bits. - byte[] temp = new byte[(seedLength + 7) / 8]; - - int len = temp.length / digest.getDigestSize(); - int counter = 1; - - byte[] dig = new byte[digest.getDigestSize()]; - - for (int i = 0; i <= len; i++) - { - digest.update((byte)counter); - - digest.update((byte)(seedLength >> 24)); - digest.update((byte)(seedLength >> 16)); - digest.update((byte)(seedLength >> 8)); - digest.update((byte)seedLength); - - digest.update(seedMaterial, 0, seedMaterial.length); - - digest.doFinal(dig, 0); - - int bytesToCopy = ((temp.length - i * dig.length) > dig.length) - ? dig.length - : (temp.length - i * dig.length); - System.arraycopy(dig, 0, temp, i * dig.length, bytesToCopy); - - counter++; - } - - // do a left shift to get rid of excess bits. - if (seedLength % 8 != 0) - { - int shift = 8 - (seedLength % 8); - int carry = 0; - - for (int i = 0; i != temp.length; i++) - { - int b = temp[i] & 0xff; - temp[i] = (byte)((b >>> shift) | (carry << (8 - shift))); - carry = b; - } - } - - return temp; - } - - static boolean isTooLarge(byte[] bytes, int maxBytes) - { - return bytes != null && bytes.length > maxBytes; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/signers/DSADigestSigner.java b/core/src/main/java/org/bouncycastle/crypto/signers/DSADigestSigner.java deleted file mode 100644 index 684eb9c0..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/signers/DSADigestSigner.java +++ /dev/null @@ -1,163 +0,0 @@ -package org.bouncycastle.crypto.signers; - -import java.io.IOException; -import java.math.BigInteger; - -import org.bouncycastle.asn1.ASN1EncodableVector; -import org.bouncycastle.asn1.ASN1Encoding; -import org.bouncycastle.asn1.ASN1Integer; -import org.bouncycastle.asn1.ASN1Primitive; -import org.bouncycastle.asn1.ASN1Sequence; -import org.bouncycastle.asn1.DERSequence; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DSA; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.Signer; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.params.ParametersWithRandom; - -public class DSADigestSigner - implements Signer -{ - private final Digest digest; - private final DSA dsaSigner; - private boolean forSigning; - - public DSADigestSigner( - DSA signer, - Digest digest) - { - this.digest = digest; - this.dsaSigner = signer; - } - - public void init( - boolean forSigning, - CipherParameters parameters) - { - this.forSigning = forSigning; - - AsymmetricKeyParameter k; - - if (parameters instanceof ParametersWithRandom) - { - k = (AsymmetricKeyParameter)((ParametersWithRandom)parameters).getParameters(); - } - else - { - k = (AsymmetricKeyParameter)parameters; - } - - if (forSigning && !k.isPrivate()) - { - throw new IllegalArgumentException("Signing Requires Private Key."); - } - - if (!forSigning && k.isPrivate()) - { - throw new IllegalArgumentException("Verification Requires Public Key."); - } - - reset(); - - dsaSigner.init(forSigning, parameters); - } - - /** - * update the internal digest with the byte b - */ - public void update( - byte input) - { - digest.update(input); - } - - /** - * update the internal digest with the byte array in - */ - public void update( - byte[] input, - int inOff, - int length) - { - digest.update(input, inOff, length); - } - - /** - * Generate a signature for the message we've been loaded with using - * the key we were initialised with. - */ - public byte[] generateSignature() - { - if (!forSigning) - { - throw new IllegalStateException("DSADigestSigner not initialised for signature generation."); - } - - byte[] hash = new byte[digest.getDigestSize()]; - digest.doFinal(hash, 0); - - BigInteger[] sig = dsaSigner.generateSignature(hash); - - try - { - return derEncode(sig[0], sig[1]); - } - catch (IOException e) - { - throw new IllegalStateException("unable to encode signature"); - } - } - - public boolean verifySignature( - byte[] signature) - { - if (forSigning) - { - throw new IllegalStateException("DSADigestSigner not initialised for verification"); - } - - byte[] hash = new byte[digest.getDigestSize()]; - digest.doFinal(hash, 0); - - try - { - BigInteger[] sig = derDecode(signature); - return dsaSigner.verifySignature(hash, sig[0], sig[1]); - } - catch (IOException e) - { - return false; - } - } - - public void reset() - { - digest.reset(); - } - - private byte[] derEncode( - BigInteger r, - BigInteger s) - throws IOException - { - ASN1EncodableVector v = new ASN1EncodableVector(); - v.add(new ASN1Integer(r)); - v.add(new ASN1Integer(s)); - - return new DERSequence(v).getEncoded(ASN1Encoding.DER); - } - - private BigInteger[] derDecode( - byte[] encoding) - throws IOException - { - ASN1Sequence s = (ASN1Sequence)ASN1Primitive.fromByteArray(encoding); - - return new BigInteger[] - { - ((ASN1Integer)s.getObjectAt(0)).getValue(), - ((ASN1Integer)s.getObjectAt(1)).getValue() - }; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/signers/DSAKCalculator.java b/core/src/main/java/org/bouncycastle/crypto/signers/DSAKCalculator.java deleted file mode 100644 index fced06ea..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/signers/DSAKCalculator.java +++ /dev/null @@ -1,41 +0,0 @@ -package org.bouncycastle.crypto.signers; - -import java.math.BigInteger; -import java.security.SecureRandom; - -/** - * Interface define calculators of K values for DSA/ECDSA. - */ -public interface DSAKCalculator -{ - /** - * Return true if this calculator is deterministic, false otherwise. - * - * @return true if deterministic, otherwise false. - */ - boolean isDeterministic(); - - /** - * Non-deterministic initialiser. - * - * @param n the order of the DSA group. - * @param random a source of randomness. - */ - void init(BigInteger n, SecureRandom random); - - /** - * Deterministic initialiser. - * - * @param n the order of the DSA group. - * @param d the DSA private value. - * @param message the message being signed. - */ - void init(BigInteger n, BigInteger d, byte[] message); - - /** - * Return the next valid value of K. - * - * @return a K value. - */ - BigInteger nextK(); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/signers/DSASigner.java b/core/src/main/java/org/bouncycastle/crypto/signers/DSASigner.java deleted file mode 100644 index f3614f39..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/signers/DSASigner.java +++ /dev/null @@ -1,168 +0,0 @@ -package org.bouncycastle.crypto.signers; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DSA; -import org.bouncycastle.crypto.params.DSAKeyParameters; -import org.bouncycastle.crypto.params.DSAParameters; -import org.bouncycastle.crypto.params.DSAPrivateKeyParameters; -import org.bouncycastle.crypto.params.DSAPublicKeyParameters; -import org.bouncycastle.crypto.params.ParametersWithRandom; - -/** - * The Digital Signature Algorithm - as described in "Handbook of Applied - * Cryptography", pages 452 - 453. - */ -public class DSASigner - implements DSA -{ - private final DSAKCalculator kCalculator; - - private DSAKeyParameters key; - private SecureRandom random; - - /** - * Default configuration, random K values. - */ - public DSASigner() - { - this.kCalculator = new RandomDSAKCalculator(); - } - - /** - * Configuration with an alternate, possibly deterministic calculator of K. - * - * @param kCalculator a K value calculator. - */ - public DSASigner(DSAKCalculator kCalculator) - { - this.kCalculator = kCalculator; - } - - public void init( - boolean forSigning, - CipherParameters param) - { - SecureRandom providedRandom = null; - - if (forSigning) - { - if (param instanceof ParametersWithRandom) - { - ParametersWithRandom rParam = (ParametersWithRandom)param; - - this.key = (DSAPrivateKeyParameters)rParam.getParameters(); - providedRandom = rParam.getRandom(); - } - else - { - this.key = (DSAPrivateKeyParameters)param; - } - } - else - { - this.key = (DSAPublicKeyParameters)param; - } - - this.random = initSecureRandom(forSigning && !kCalculator.isDeterministic(), providedRandom); - } - - /** - * generate a signature for the given message using the key we were - * initialised with. For conventional DSA the message should be a SHA-1 - * hash of the message of interest. - * - * @param message the message that will be verified later. - */ - public BigInteger[] generateSignature( - byte[] message) - { - DSAParameters params = key.getParameters(); - BigInteger m = calculateE(params.getQ(), message); - - if (kCalculator.isDeterministic()) - { - kCalculator.init(params.getQ(), ((DSAPrivateKeyParameters)key).getX(), message); - } - else - { - kCalculator.init(params.getQ(), random); - } - - BigInteger k = kCalculator.nextK(); - - BigInteger r = params.getG().modPow(k, params.getP()).mod(params.getQ()); - - k = k.modInverse(params.getQ()).multiply( - m.add(((DSAPrivateKeyParameters)key).getX().multiply(r))); - - BigInteger s = k.mod(params.getQ()); - - BigInteger[] res = new BigInteger[2]; - - res[0] = r; - res[1] = s; - - return res; - } - - /** - * return true if the value r and s represent a DSA signature for - * the passed in message for standard DSA the message should be a - * SHA-1 hash of the real message to be verified. - */ - public boolean verifySignature( - byte[] message, - BigInteger r, - BigInteger s) - { - DSAParameters params = key.getParameters(); - BigInteger m = calculateE(params.getQ(), message); - BigInteger zero = BigInteger.valueOf(0); - - if (zero.compareTo(r) >= 0 || params.getQ().compareTo(r) <= 0) - { - return false; - } - - if (zero.compareTo(s) >= 0 || params.getQ().compareTo(s) <= 0) - { - return false; - } - - BigInteger w = s.modInverse(params.getQ()); - - BigInteger u1 = m.multiply(w).mod(params.getQ()); - BigInteger u2 = r.multiply(w).mod(params.getQ()); - - u1 = params.getG().modPow(u1, params.getP()); - u2 = ((DSAPublicKeyParameters)key).getY().modPow(u2, params.getP()); - - BigInteger v = u1.multiply(u2).mod(params.getP()).mod(params.getQ()); - - return v.equals(r); - } - - private BigInteger calculateE(BigInteger n, byte[] message) - { - if (n.bitLength() >= message.length * 8) - { - return new BigInteger(1, message); - } - else - { - byte[] trunc = new byte[n.bitLength() / 8]; - - System.arraycopy(message, 0, trunc, 0, trunc.length); - - return new BigInteger(1, trunc); - } - } - - protected SecureRandom initSecureRandom(boolean needed, SecureRandom provided) - { - return !needed ? null : (provided != null) ? provided : new SecureRandom(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/signers/DSTU4145Signer.java b/core/src/main/java/org/bouncycastle/crypto/signers/DSTU4145Signer.java deleted file mode 100644 index bceb8220..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/signers/DSTU4145Signer.java +++ /dev/null @@ -1,170 +0,0 @@ -package org.bouncycastle.crypto.signers; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DSA; -import org.bouncycastle.crypto.params.ECDomainParameters; -import org.bouncycastle.crypto.params.ECKeyParameters; -import org.bouncycastle.crypto.params.ECPrivateKeyParameters; -import org.bouncycastle.crypto.params.ECPublicKeyParameters; -import org.bouncycastle.crypto.params.ParametersWithRandom; -import org.bouncycastle.math.ec.ECAlgorithms; -import org.bouncycastle.math.ec.ECCurve; -import org.bouncycastle.math.ec.ECFieldElement; -import org.bouncycastle.math.ec.ECMultiplier; -import org.bouncycastle.math.ec.ECPoint; -import org.bouncycastle.math.ec.FixedPointCombMultiplier; -import org.bouncycastle.util.Arrays; - -/** - * DSTU 4145-2002 - * <p> - * National Ukrainian standard of digital signature based on elliptic curves (DSTU 4145-2002). - * </p> - */ -public class DSTU4145Signer - implements DSA -{ - private static final BigInteger ONE = BigInteger.valueOf(1); - - private ECKeyParameters key; - private SecureRandom random; - - public void init(boolean forSigning, CipherParameters param) - { - if (forSigning) - { - if (param instanceof ParametersWithRandom) - { - ParametersWithRandom rParam = (ParametersWithRandom)param; - - this.random = rParam.getRandom(); - param = rParam.getParameters(); - } - else - { - this.random = new SecureRandom(); - } - - this.key = (ECPrivateKeyParameters)param; - } - else - { - this.key = (ECPublicKeyParameters)param; - } - - } - - public BigInteger[] generateSignature(byte[] message) - { - ECDomainParameters ec = key.getParameters(); - - ECCurve curve = ec.getCurve(); - - ECFieldElement h = hash2FieldElement(curve, message); - if (h.isZero()) - { - h = curve.fromBigInteger(ONE); - } - - BigInteger n = ec.getN(); - BigInteger e, r, s; - ECFieldElement Fe, y; - - BigInteger d = ((ECPrivateKeyParameters)key).getD(); - - ECMultiplier basePointMultiplier = createBasePointMultiplier(); - - do - { - do - { - do - { - e = generateRandomInteger(n, random); - Fe = basePointMultiplier.multiply(ec.getG(), e).normalize().getAffineXCoord(); - } - while (Fe.isZero()); - - y = h.multiply(Fe); - r = fieldElement2Integer(n, y); - } - while (r.signum() == 0); - - s = r.multiply(d).add(e).mod(n); - } - while (s.signum() == 0); - - return new BigInteger[]{r, s}; - } - - public boolean verifySignature(byte[] message, BigInteger r, BigInteger s) - { - if (r.signum() <= 0 || s.signum() <= 0) - { - return false; - } - - ECDomainParameters parameters = key.getParameters(); - - BigInteger n = parameters.getN(); - if (r.compareTo(n) >= 0 || s.compareTo(n) >= 0) - { - return false; - } - - ECCurve curve = parameters.getCurve(); - - ECFieldElement h = hash2FieldElement(curve, message); - if (h.isZero()) - { - h = curve.fromBigInteger(ONE); - } - - ECPoint R = ECAlgorithms.sumOfTwoMultiplies(parameters.getG(), s, ((ECPublicKeyParameters)key).getQ(), r).normalize(); - - // components must be bogus. - if (R.isInfinity()) - { - return false; - } - - ECFieldElement y = h.multiply(R.getAffineXCoord()); - return fieldElement2Integer(n, y).compareTo(r) == 0; - } - - protected ECMultiplier createBasePointMultiplier() - { - return new FixedPointCombMultiplier(); - } - - /** - * Generates random integer such, than its bit length is less than that of n - */ - private static BigInteger generateRandomInteger(BigInteger n, SecureRandom random) - { - return new BigInteger(n.bitLength() - 1, random); - } - - private static ECFieldElement hash2FieldElement(ECCurve curve, byte[] hash) - { - byte[] data = Arrays.reverse(hash); - return curve.fromBigInteger(truncate(new BigInteger(1, data), curve.getFieldSize())); - } - - private static BigInteger fieldElement2Integer(BigInteger n, ECFieldElement fe) - { - return truncate(fe.toBigInteger(), n.bitLength() - 1); - } - - private static BigInteger truncate(BigInteger x, int bitLength) - { - if (x.bitLength() > bitLength) - { - x = x.mod(ONE.shiftLeft(bitLength)); - } - return x; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/signers/ECDSASigner.java b/core/src/main/java/org/bouncycastle/crypto/signers/ECDSASigner.java deleted file mode 100644 index 5fce1121..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/signers/ECDSASigner.java +++ /dev/null @@ -1,197 +0,0 @@ -package org.bouncycastle.crypto.signers; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DSA; -import org.bouncycastle.crypto.params.ECDomainParameters; -import org.bouncycastle.crypto.params.ECKeyParameters; -import org.bouncycastle.crypto.params.ECPrivateKeyParameters; -import org.bouncycastle.crypto.params.ECPublicKeyParameters; -import org.bouncycastle.crypto.params.ParametersWithRandom; -import org.bouncycastle.math.ec.ECAlgorithms; -import org.bouncycastle.math.ec.ECConstants; -import org.bouncycastle.math.ec.ECMultiplier; -import org.bouncycastle.math.ec.ECPoint; -import org.bouncycastle.math.ec.FixedPointCombMultiplier; - -/** - * EC-DSA as described in X9.62 - */ -public class ECDSASigner - implements ECConstants, DSA -{ - private final DSAKCalculator kCalculator; - - private ECKeyParameters key; - private SecureRandom random; - - /** - * Default configuration, random K values. - */ - public ECDSASigner() - { - this.kCalculator = new RandomDSAKCalculator(); - } - - /** - * Configuration with an alternate, possibly deterministic calculator of K. - * - * @param kCalculator a K value calculator. - */ - public ECDSASigner(DSAKCalculator kCalculator) - { - this.kCalculator = kCalculator; - } - - public void init( - boolean forSigning, - CipherParameters param) - { - SecureRandom providedRandom = null; - - if (forSigning) - { - if (param instanceof ParametersWithRandom) - { - ParametersWithRandom rParam = (ParametersWithRandom)param; - - this.key = (ECPrivateKeyParameters)rParam.getParameters(); - providedRandom = rParam.getRandom(); - } - else - { - this.key = (ECPrivateKeyParameters)param; - } - } - else - { - this.key = (ECPublicKeyParameters)param; - } - - this.random = initSecureRandom(forSigning && !kCalculator.isDeterministic(), providedRandom); - } - - // 5.3 pg 28 - /** - * generate a signature for the given message using the key we were - * initialised with. For conventional DSA the message should be a SHA-1 - * hash of the message of interest. - * - * @param message the message that will be verified later. - */ - public BigInteger[] generateSignature( - byte[] message) - { - ECDomainParameters ec = key.getParameters(); - BigInteger n = ec.getN(); - BigInteger e = calculateE(n, message); - BigInteger d = ((ECPrivateKeyParameters)key).getD(); - - if (kCalculator.isDeterministic()) - { - kCalculator.init(n, d, message); - } - else - { - kCalculator.init(n, random); - } - - BigInteger r, s; - - ECMultiplier basePointMultiplier = createBasePointMultiplier(); - - // 5.3.2 - do // generate s - { - BigInteger k; - do // generate r - { - k = kCalculator.nextK(); - - ECPoint p = basePointMultiplier.multiply(ec.getG(), k).normalize(); - - // 5.3.3 - r = p.getAffineXCoord().toBigInteger().mod(n); - } - while (r.equals(ZERO)); - - s = k.modInverse(n).multiply(e.add(d.multiply(r))).mod(n); - } - while (s.equals(ZERO)); - - return new BigInteger[]{ r, s }; - } - - // 5.4 pg 29 - /** - * return true if the value r and s represent a DSA signature for - * the passed in message (for standard DSA the message should be - * a SHA-1 hash of the real message to be verified). - */ - public boolean verifySignature( - byte[] message, - BigInteger r, - BigInteger s) - { - ECDomainParameters ec = key.getParameters(); - BigInteger n = ec.getN(); - BigInteger e = calculateE(n, message); - - // r in the range [1,n-1] - if (r.compareTo(ONE) < 0 || r.compareTo(n) >= 0) - { - return false; - } - - // s in the range [1,n-1] - if (s.compareTo(ONE) < 0 || s.compareTo(n) >= 0) - { - return false; - } - - BigInteger c = s.modInverse(n); - - BigInteger u1 = e.multiply(c).mod(n); - BigInteger u2 = r.multiply(c).mod(n); - - ECPoint G = ec.getG(); - ECPoint Q = ((ECPublicKeyParameters)key).getQ(); - - ECPoint point = ECAlgorithms.sumOfTwoMultiplies(G, u1, Q, u2).normalize(); - - // components must be bogus. - if (point.isInfinity()) - { - return false; - } - - BigInteger v = point.getAffineXCoord().toBigInteger().mod(n); - - return v.equals(r); - } - - protected BigInteger calculateE(BigInteger n, byte[] message) - { - int log2n = n.bitLength(); - int messageBitLength = message.length * 8; - - BigInteger e = new BigInteger(1, message); - if (log2n < messageBitLength) - { - e = e.shiftRight(messageBitLength - log2n); - } - return e; - } - - protected ECMultiplier createBasePointMultiplier() - { - return new FixedPointCombMultiplier(); - } - - protected SecureRandom initSecureRandom(boolean needed, SecureRandom provided) - { - return !needed ? null : (provided != null) ? provided : new SecureRandom(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/signers/ECGOST3410Signer.java b/core/src/main/java/org/bouncycastle/crypto/signers/ECGOST3410Signer.java deleted file mode 100644 index 0ef88762..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/signers/ECGOST3410Signer.java +++ /dev/null @@ -1,160 +0,0 @@ -package org.bouncycastle.crypto.signers; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DSA; -import org.bouncycastle.crypto.params.ECDomainParameters; -import org.bouncycastle.crypto.params.ECKeyParameters; -import org.bouncycastle.crypto.params.ECPrivateKeyParameters; -import org.bouncycastle.crypto.params.ECPublicKeyParameters; -import org.bouncycastle.crypto.params.ParametersWithRandom; -import org.bouncycastle.math.ec.ECAlgorithms; -import org.bouncycastle.math.ec.ECConstants; -import org.bouncycastle.math.ec.ECMultiplier; -import org.bouncycastle.math.ec.ECPoint; -import org.bouncycastle.math.ec.FixedPointCombMultiplier; - -import java.math.BigInteger; -import java.security.SecureRandom; - -/** - * GOST R 34.10-2001 Signature Algorithm - */ -public class ECGOST3410Signer - implements DSA -{ - ECKeyParameters key; - - SecureRandom random; - - public void init( - boolean forSigning, - CipherParameters param) - { - if (forSigning) - { - if (param instanceof ParametersWithRandom) - { - ParametersWithRandom rParam = (ParametersWithRandom)param; - - this.random = rParam.getRandom(); - this.key = (ECPrivateKeyParameters)rParam.getParameters(); - } - else - { - this.random = new SecureRandom(); - this.key = (ECPrivateKeyParameters)param; - } - } - else - { - this.key = (ECPublicKeyParameters)param; - } - } - - /** - * generate a signature for the given message using the key we were - * initialised with. For conventional GOST3410 the message should be a GOST3411 - * hash of the message of interest. - * - * @param message the message that will be verified later. - */ - public BigInteger[] generateSignature( - byte[] message) - { - byte[] mRev = new byte[message.length]; // conversion is little-endian - for (int i = 0; i != mRev.length; i++) - { - mRev[i] = message[mRev.length - 1 - i]; - } - - BigInteger e = new BigInteger(1, mRev); - - ECDomainParameters ec = key.getParameters(); - BigInteger n = ec.getN(); - BigInteger d = ((ECPrivateKeyParameters)key).getD(); - - BigInteger r, s; - - ECMultiplier basePointMultiplier = createBasePointMultiplier(); - - do // generate s - { - BigInteger k; - do // generate r - { - do - { - k = new BigInteger(n.bitLength(), random); - } - while (k.equals(ECConstants.ZERO)); - - ECPoint p = basePointMultiplier.multiply(ec.getG(), k).normalize(); - - r = p.getAffineXCoord().toBigInteger().mod(n); - } - while (r.equals(ECConstants.ZERO)); - - s = (k.multiply(e)).add(d.multiply(r)).mod(n); - } - while (s.equals(ECConstants.ZERO)); - - return new BigInteger[]{ r, s }; - } - - /** - * return true if the value r and s represent a GOST3410 signature for - * the passed in message (for standard GOST3410 the message should be - * a GOST3411 hash of the real message to be verified). - */ - public boolean verifySignature( - byte[] message, - BigInteger r, - BigInteger s) - { - byte[] mRev = new byte[message.length]; // conversion is little-endian - for (int i = 0; i != mRev.length; i++) - { - mRev[i] = message[mRev.length - 1 - i]; - } - - BigInteger e = new BigInteger(1, mRev); - BigInteger n = key.getParameters().getN(); - - // r in the range [1,n-1] - if (r.compareTo(ECConstants.ONE) < 0 || r.compareTo(n) >= 0) - { - return false; - } - - // s in the range [1,n-1] - if (s.compareTo(ECConstants.ONE) < 0 || s.compareTo(n) >= 0) - { - return false; - } - - BigInteger v = e.modInverse(n); - - BigInteger z1 = s.multiply(v).mod(n); - BigInteger z2 = (n.subtract(r)).multiply(v).mod(n); - - ECPoint G = key.getParameters().getG(); // P - ECPoint Q = ((ECPublicKeyParameters)key).getQ(); - - ECPoint point = ECAlgorithms.sumOfTwoMultiplies(G, z1, Q, z2).normalize(); - - // components must be bogus. - if (point.isInfinity()) - { - return false; - } - - BigInteger R = point.getAffineXCoord().toBigInteger().mod(n); - - return R.equals(r); - } - - protected ECMultiplier createBasePointMultiplier() - { - return new FixedPointCombMultiplier(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/signers/ECNRSigner.java b/core/src/main/java/org/bouncycastle/crypto/signers/ECNRSigner.java deleted file mode 100644 index 3e839163..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/signers/ECNRSigner.java +++ /dev/null @@ -1,188 +0,0 @@ -package org.bouncycastle.crypto.signers; - -import org.bouncycastle.crypto.AsymmetricCipherKeyPair; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DSA; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.generators.ECKeyPairGenerator; -import org.bouncycastle.crypto.params.ECKeyGenerationParameters; -import org.bouncycastle.crypto.params.ECKeyParameters; -import org.bouncycastle.crypto.params.ECPrivateKeyParameters; -import org.bouncycastle.crypto.params.ECPublicKeyParameters; -import org.bouncycastle.crypto.params.ParametersWithRandom; -import org.bouncycastle.math.ec.ECAlgorithms; -import org.bouncycastle.math.ec.ECConstants; -import org.bouncycastle.math.ec.ECPoint; - -import java.math.BigInteger; -import java.security.SecureRandom; - -/** - * EC-NR as described in IEEE 1363-2000 - */ -public class ECNRSigner - implements DSA -{ - private boolean forSigning; - private ECKeyParameters key; - private SecureRandom random; - - public void init( - boolean forSigning, - CipherParameters param) - { - this.forSigning = forSigning; - - if (forSigning) - { - if (param instanceof ParametersWithRandom) - { - ParametersWithRandom rParam = (ParametersWithRandom)param; - - this.random = rParam.getRandom(); - this.key = (ECPrivateKeyParameters)rParam.getParameters(); - } - else - { - this.random = new SecureRandom(); - this.key = (ECPrivateKeyParameters)param; - } - } - else - { - this.key = (ECPublicKeyParameters)param; - } - } - - // Section 7.2.5 ECSP-NR, pg 34 - /** - * generate a signature for the given message using the key we were - * initialised with. Generally, the order of the curve should be at - * least as long as the hash of the message of interest, and with - * ECNR it *must* be at least as long. - * - * @param digest the digest to be signed. - * @exception DataLengthException if the digest is longer than the key allows - */ - public BigInteger[] generateSignature( - byte[] digest) - { - if (! this.forSigning) - { - throw new IllegalStateException("not initialised for signing"); - } - - BigInteger n = ((ECPrivateKeyParameters)this.key).getParameters().getN(); - int nBitLength = n.bitLength(); - - BigInteger e = new BigInteger(1, digest); - int eBitLength = e.bitLength(); - - ECPrivateKeyParameters privKey = (ECPrivateKeyParameters)key; - - if (eBitLength > nBitLength) - { - throw new DataLengthException("input too large for ECNR key."); - } - - BigInteger r = null; - BigInteger s = null; - - AsymmetricCipherKeyPair tempPair; - do // generate r - { - // generate another, but very temporary, key pair using - // the same EC parameters - ECKeyPairGenerator keyGen = new ECKeyPairGenerator(); - - keyGen.init(new ECKeyGenerationParameters(privKey.getParameters(), this.random)); - - tempPair = keyGen.generateKeyPair(); - - // BigInteger Vx = tempPair.getPublic().getW().getAffineX(); - ECPublicKeyParameters V = (ECPublicKeyParameters)tempPair.getPublic(); // get temp's public key - BigInteger Vx = V.getQ().getAffineXCoord().toBigInteger(); // get the point's x coordinate - - r = Vx.add(e).mod(n); - } - while (r.equals(ECConstants.ZERO)); - - // generate s - BigInteger x = privKey.getD(); // private key value - BigInteger u = ((ECPrivateKeyParameters)tempPair.getPrivate()).getD(); // temp's private key value - s = u.subtract(r.multiply(x)).mod(n); - - BigInteger[] res = new BigInteger[2]; - res[0] = r; - res[1] = s; - - return res; - } - - // Section 7.2.6 ECVP-NR, pg 35 - /** - * return true if the value r and s represent a signature for the - * message passed in. Generally, the order of the curve should be at - * least as long as the hash of the message of interest, and with - * ECNR, it *must* be at least as long. But just in case the signer - * applied mod(n) to the longer digest, this implementation will - * apply mod(n) during verification. - * - * @param digest the digest to be verified. - * @param r the r value of the signature. - * @param s the s value of the signature. - * @exception DataLengthException if the digest is longer than the key allows - */ - public boolean verifySignature( - byte[] digest, - BigInteger r, - BigInteger s) - { - if (this.forSigning) - { - throw new IllegalStateException("not initialised for verifying"); - } - - ECPublicKeyParameters pubKey = (ECPublicKeyParameters)key; - BigInteger n = pubKey.getParameters().getN(); - int nBitLength = n.bitLength(); - - BigInteger e = new BigInteger(1, digest); - int eBitLength = e.bitLength(); - - if (eBitLength > nBitLength) - { - throw new DataLengthException("input too large for ECNR key."); - } - - // r in the range [1,n-1] - if (r.compareTo(ECConstants.ONE) < 0 || r.compareTo(n) >= 0) - { - return false; - } - - // s in the range [0,n-1] NB: ECNR spec says 0 - if (s.compareTo(ECConstants.ZERO) < 0 || s.compareTo(n) >= 0) - { - return false; - } - - // compute P = sG + rW - - ECPoint G = pubKey.getParameters().getG(); - ECPoint W = pubKey.getQ(); - // calculate P using Bouncy math - ECPoint P = ECAlgorithms.sumOfTwoMultiplies(G, s, W, r).normalize(); - - // components must be bogus. - if (P.isInfinity()) - { - return false; - } - - BigInteger x = P.getAffineXCoord().toBigInteger(); - BigInteger t = r.subtract(x).mod(n); - - return t.equals(e); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/signers/GOST3410Signer.java b/core/src/main/java/org/bouncycastle/crypto/signers/GOST3410Signer.java deleted file mode 100644 index 135f1857..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/signers/GOST3410Signer.java +++ /dev/null @@ -1,131 +0,0 @@ -package org.bouncycastle.crypto.signers; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.DSA; -import org.bouncycastle.crypto.params.GOST3410KeyParameters; -import org.bouncycastle.crypto.params.GOST3410Parameters; -import org.bouncycastle.crypto.params.GOST3410PrivateKeyParameters; -import org.bouncycastle.crypto.params.GOST3410PublicKeyParameters; -import org.bouncycastle.crypto.params.ParametersWithRandom; - -/** - * GOST R 34.10-94 Signature Algorithm - */ -public class GOST3410Signer - implements DSA -{ - GOST3410KeyParameters key; - - SecureRandom random; - - public void init( - boolean forSigning, - CipherParameters param) - { - if (forSigning) - { - if (param instanceof ParametersWithRandom) - { - ParametersWithRandom rParam = (ParametersWithRandom)param; - - this.random = rParam.getRandom(); - this.key = (GOST3410PrivateKeyParameters)rParam.getParameters(); - } - else - { - this.random = new SecureRandom(); - this.key = (GOST3410PrivateKeyParameters)param; - } - } - else - { - this.key = (GOST3410PublicKeyParameters)param; - } - } - - /** - * generate a signature for the given message using the key we were - * initialised with. For conventional GOST3410 the message should be a GOST3411 - * hash of the message of interest. - * - * @param message the message that will be verified later. - */ - public BigInteger[] generateSignature( - byte[] message) - { - byte[] mRev = new byte[message.length]; // conversion is little-endian - for (int i = 0; i != mRev.length; i++) - { - mRev[i] = message[mRev.length - 1 - i]; - } - - BigInteger m = new BigInteger(1, mRev); - GOST3410Parameters params = key.getParameters(); - BigInteger k; - - do - { - k = new BigInteger(params.getQ().bitLength(), random); - } - while (k.compareTo(params.getQ()) >= 0); - - BigInteger r = params.getA().modPow(k, params.getP()).mod(params.getQ()); - - BigInteger s = k.multiply(m). - add(((GOST3410PrivateKeyParameters)key).getX().multiply(r)). - mod(params.getQ()); - - BigInteger[] res = new BigInteger[2]; - - res[0] = r; - res[1] = s; - - return res; - } - - /** - * return true if the value r and s represent a GOST3410 signature for - * the passed in message for standard GOST3410 the message should be a - * GOST3411 hash of the real message to be verified. - */ - public boolean verifySignature( - byte[] message, - BigInteger r, - BigInteger s) - { - byte[] mRev = new byte[message.length]; // conversion is little-endian - for (int i = 0; i != mRev.length; i++) - { - mRev[i] = message[mRev.length - 1 - i]; - } - - BigInteger m = new BigInteger(1, mRev); - GOST3410Parameters params = key.getParameters(); - BigInteger zero = BigInteger.valueOf(0); - - if (zero.compareTo(r) >= 0 || params.getQ().compareTo(r) <= 0) - { - return false; - } - - if (zero.compareTo(s) >= 0 || params.getQ().compareTo(s) <= 0) - { - return false; - } - - BigInteger v = m.modPow(params.getQ().subtract(new BigInteger("2")),params.getQ()); - - BigInteger z1 = s.multiply(v).mod(params.getQ()); - BigInteger z2 = (params.getQ().subtract(r)).multiply(v).mod(params.getQ()); - - z1 = params.getA().modPow(z1, params.getP()); - z2 = ((GOST3410PublicKeyParameters)key).getY().modPow(z2, params.getP()); - - BigInteger u = z1.multiply(z2).mod(params.getP()).mod(params.getQ()); - - return u.equals(r); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/signers/GenericSigner.java b/core/src/main/java/org/bouncycastle/crypto/signers/GenericSigner.java deleted file mode 100644 index 6819e141..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/signers/GenericSigner.java +++ /dev/null @@ -1,136 +0,0 @@ -package org.bouncycastle.crypto.signers; - -import org.bouncycastle.crypto.AsymmetricBlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.CryptoException; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.Signer; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.params.ParametersWithRandom; -import org.bouncycastle.util.Arrays; - -public class GenericSigner - implements Signer -{ - private final AsymmetricBlockCipher engine; - private final Digest digest; - private boolean forSigning; - - public GenericSigner( - AsymmetricBlockCipher engine, - Digest digest) - { - this.engine = engine; - this.digest = digest; - } - - /** - * initialise the signer for signing or verification. - * - * @param forSigning - * true if for signing, false otherwise - * @param parameters - * necessary parameters. - */ - public void init( - boolean forSigning, - CipherParameters parameters) - { - this.forSigning = forSigning; - AsymmetricKeyParameter k; - - if (parameters instanceof ParametersWithRandom) - { - k = (AsymmetricKeyParameter)((ParametersWithRandom)parameters).getParameters(); - } - else - { - k = (AsymmetricKeyParameter)parameters; - } - - if (forSigning && !k.isPrivate()) - { - throw new IllegalArgumentException("signing requires private key"); - } - - if (!forSigning && k.isPrivate()) - { - throw new IllegalArgumentException("verification requires public key"); - } - - reset(); - - engine.init(forSigning, parameters); - } - - /** - * update the internal digest with the byte b - */ - public void update( - byte input) - { - digest.update(input); - } - - /** - * update the internal digest with the byte array in - */ - public void update( - byte[] input, - int inOff, - int length) - { - digest.update(input, inOff, length); - } - - /** - * Generate a signature for the message we've been loaded with using the key - * we were initialised with. - */ - public byte[] generateSignature() - throws CryptoException, DataLengthException - { - if (!forSigning) - { - throw new IllegalStateException("GenericSigner not initialised for signature generation."); - } - - byte[] hash = new byte[digest.getDigestSize()]; - digest.doFinal(hash, 0); - - return engine.processBlock(hash, 0, hash.length); - } - - /** - * return true if the internal state represents the signature described in - * the passed in array. - */ - public boolean verifySignature( - byte[] signature) - { - if (forSigning) - { - throw new IllegalStateException("GenericSigner not initialised for verification"); - } - - byte[] hash = new byte[digest.getDigestSize()]; - digest.doFinal(hash, 0); - - try - { - byte[] sig = engine.processBlock(signature, 0, signature.length); - - return Arrays.constantTimeAreEqual(sig, hash); - } - catch (Exception e) - { - return false; - } - } - - public void reset() - { - digest.reset(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/signers/HMacDSAKCalculator.java b/core/src/main/java/org/bouncycastle/crypto/signers/HMacDSAKCalculator.java deleted file mode 100644 index db78d4a3..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/signers/HMacDSAKCalculator.java +++ /dev/null @@ -1,152 +0,0 @@ -package org.bouncycastle.crypto.signers; - -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.macs.HMac; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.util.Arrays; -import org.bouncycastle.util.BigIntegers; - -/** - * A deterministic K calculator based on the algorithm in section 3.2 of RFC 6979. - */ -public class HMacDSAKCalculator - implements DSAKCalculator -{ - private static final BigInteger ZERO = BigInteger.valueOf(0); - - private final HMac hMac; - private final byte[] K; - private final byte[] V; - - private BigInteger n; - - /** - * Base constructor. - * - * @param digest digest to build the HMAC on. - */ - public HMacDSAKCalculator(Digest digest) - { - this.hMac = new HMac(digest); - this.V = new byte[hMac.getMacSize()]; - this.K = new byte[hMac.getMacSize()]; - } - - public boolean isDeterministic() - { - return true; - } - - public void init(BigInteger n, SecureRandom random) - { - throw new IllegalStateException("Operation not supported"); - } - - public void init(BigInteger n, BigInteger d, byte[] message) - { - this.n = n; - - Arrays.fill(V, (byte)0x01); - Arrays.fill(K, (byte)0); - - byte[] x = new byte[(n.bitLength() + 7) / 8]; - byte[] dVal = BigIntegers.asUnsignedByteArray(d); - - System.arraycopy(dVal, 0, x, x.length - dVal.length, dVal.length); - - byte[] m = new byte[(n.bitLength() + 7) / 8]; - - BigInteger mInt = bitsToInt(message); - - if (mInt.compareTo(n) > 0) - { - mInt = mInt.subtract(n); - } - - byte[] mVal = BigIntegers.asUnsignedByteArray(mInt); - - System.arraycopy(mVal, 0, m, m.length - mVal.length, mVal.length); - - hMac.init(new KeyParameter(K)); - - hMac.update(V, 0, V.length); - hMac.update((byte)0x00); - hMac.update(x, 0, x.length); - hMac.update(m, 0, m.length); - - hMac.doFinal(K, 0); - - hMac.init(new KeyParameter(K)); - - hMac.update(V, 0, V.length); - - hMac.doFinal(V, 0); - - hMac.update(V, 0, V.length); - hMac.update((byte)0x01); - hMac.update(x, 0, x.length); - hMac.update(m, 0, m.length); - - hMac.doFinal(K, 0); - - hMac.init(new KeyParameter(K)); - - hMac.update(V, 0, V.length); - - hMac.doFinal(V, 0); - } - - public BigInteger nextK() - { - byte[] t = new byte[((n.bitLength() + 7) / 8)]; - - for (;;) - { - int tOff = 0; - - while (tOff < t.length) - { - hMac.update(V, 0, V.length); - - hMac.doFinal(V, 0); - - int len = Math.min(t.length - tOff, V.length); - System.arraycopy(V, 0, t, tOff, len); - tOff += len; - } - - BigInteger k = bitsToInt(t); - - if (k.compareTo(ZERO) > 0 && k.compareTo(n) < 0) - { - return k; - } - - hMac.update(V, 0, V.length); - hMac.update((byte)0x00); - - hMac.doFinal(K, 0); - - hMac.init(new KeyParameter(K)); - - hMac.update(V, 0, V.length); - - hMac.doFinal(V, 0); - } - } - - private BigInteger bitsToInt(byte[] t) - { - BigInteger v = new BigInteger(1, t); - - if (t.length * 8 > n.bitLength()) - { - v = v.shiftRight(t.length * 8 - n.bitLength()); - } - - return v; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/signers/ISO9796d2PSSSigner.java b/core/src/main/java/org/bouncycastle/crypto/signers/ISO9796d2PSSSigner.java deleted file mode 100644 index fcd5816a..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/signers/ISO9796d2PSSSigner.java +++ /dev/null @@ -1,668 +0,0 @@ -package org.bouncycastle.crypto.signers; - -import java.security.SecureRandom; -import java.util.Hashtable; - -import org.bouncycastle.crypto.AsymmetricBlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.CryptoException; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.InvalidCipherTextException; -import org.bouncycastle.crypto.SignerWithRecovery; -import org.bouncycastle.crypto.params.ParametersWithRandom; -import org.bouncycastle.crypto.params.ParametersWithSalt; -import org.bouncycastle.crypto.params.RSAKeyParameters; -import org.bouncycastle.util.Arrays; -import org.bouncycastle.util.Integers; - -/** - * ISO9796-2 - mechanism using a hash function with recovery (scheme 2 and 3). - * <p> - * Note: the usual length for the salt is the length of the hash - * function used in bytes. - */ -public class ISO9796d2PSSSigner - implements SignerWithRecovery -{ - static final public int TRAILER_IMPLICIT = 0xBC; - static final public int TRAILER_RIPEMD160 = 0x31CC; - static final public int TRAILER_RIPEMD128 = 0x32CC; - static final public int TRAILER_SHA1 = 0x33CC; - static final public int TRAILER_SHA256 = 0x34CC; - static final public int TRAILER_SHA512 = 0x35CC; - static final public int TRAILER_SHA384 = 0x36CC; - static final public int TRAILER_WHIRLPOOL = 0x37CC; - - private static Hashtable trailerMap = new Hashtable(); - - static - { - trailerMap.put("RIPEMD128", Integers.valueOf(TRAILER_RIPEMD128)); - trailerMap.put("RIPEMD160", Integers.valueOf(TRAILER_RIPEMD160)); - - trailerMap.put("SHA-1", Integers.valueOf(TRAILER_SHA1)); - trailerMap.put("SHA-256", Integers.valueOf(TRAILER_SHA256)); - trailerMap.put("SHA-384", Integers.valueOf(TRAILER_SHA384)); - trailerMap.put("SHA-512", Integers.valueOf(TRAILER_SHA512)); - - trailerMap.put("Whirlpool", Integers.valueOf(TRAILER_WHIRLPOOL)); - } - - private Digest digest; - private AsymmetricBlockCipher cipher; - - private SecureRandom random; - private byte[] standardSalt; - - private int hLen; - private int trailer; - private int keyBits; - private byte[] block; - private byte[] mBuf; - private int messageLength; - private int saltLength; - private boolean fullMessage; - private byte[] recoveredMessage; - - private byte[] preSig; - private byte[] preBlock; - private int preMStart; - private int preTLength; - - /** - * Generate a signer for the with either implicit or explicit trailers - * for ISO9796-2, scheme 2 or 3. - * - * @param cipher base cipher to use for signature creation/verification - * @param digest digest to use. - * @param saltLength length of salt in bytes. - * @param implicit whether or not the trailer is implicit or gives the hash. - */ - public ISO9796d2PSSSigner( - AsymmetricBlockCipher cipher, - Digest digest, - int saltLength, - boolean implicit) - { - this.cipher = cipher; - this.digest = digest; - this.hLen = digest.getDigestSize(); - this.saltLength = saltLength; - - if (implicit) - { - trailer = TRAILER_IMPLICIT; - } - else - { - Integer trailerObj = (Integer)trailerMap.get(digest.getAlgorithmName()); - - if (trailerObj != null) - { - trailer = trailerObj.intValue(); - } - else - { - throw new IllegalArgumentException("no valid trailer for digest"); - } - } - } - - /** - * Constructor for a signer with an explicit digest trailer. - * - * @param cipher cipher to use. - * @param digest digest to sign with. - * @param saltLength length of salt in bytes. - */ - public ISO9796d2PSSSigner( - AsymmetricBlockCipher cipher, - Digest digest, - int saltLength) - { - this(cipher, digest, saltLength, false); - } - - /** - * Initialise the signer. - * - * @param forSigning true if for signing, false if for verification. - * @param param parameters for signature generation/verification. If the - * parameters are for generation they should be a ParametersWithRandom, - * a ParametersWithSalt, or just an RSAKeyParameters object. If RSAKeyParameters - * are passed in a SecureRandom will be created. - * @throws IllegalArgumentException if wrong parameter type or a fixed - * salt is passed in which is the wrong length. - */ - public void init( - boolean forSigning, - CipherParameters param) - { - RSAKeyParameters kParam; - int lengthOfSalt = saltLength; - - if (param instanceof ParametersWithRandom) - { - ParametersWithRandom p = (ParametersWithRandom)param; - - kParam = (RSAKeyParameters)p.getParameters(); - if (forSigning) - { - random = p.getRandom(); - } - } - else if (param instanceof ParametersWithSalt) - { - ParametersWithSalt p = (ParametersWithSalt)param; - - kParam = (RSAKeyParameters)p.getParameters(); - standardSalt = p.getSalt(); - lengthOfSalt = standardSalt.length; - if (standardSalt.length != saltLength) - { - throw new IllegalArgumentException("Fixed salt is of wrong length"); - } - } - else - { - kParam = (RSAKeyParameters)param; - if (forSigning) - { - random = new SecureRandom(); - } - } - - cipher.init(forSigning, kParam); - - keyBits = kParam.getModulus().bitLength(); - - block = new byte[(keyBits + 7) / 8]; - - if (trailer == TRAILER_IMPLICIT) - { - mBuf = new byte[block.length - digest.getDigestSize() - lengthOfSalt - 1 - 1]; - } - else - { - mBuf = new byte[block.length - digest.getDigestSize() - lengthOfSalt - 1 - 2]; - } - - reset(); - } - - /** - * compare two byte arrays - constant time - */ - private boolean isSameAs( - byte[] a, - byte[] b) - { - boolean isOkay = true; - - if (messageLength != b.length) - { - isOkay = false; - } - - for (int i = 0; i != b.length; i++) - { - if (a[i] != b[i]) - { - isOkay = false; - } - } - - return isOkay; - } - - /** - * clear possible sensitive data - */ - private void clearBlock( - byte[] block) - { - for (int i = 0; i != block.length; i++) - { - block[i] = 0; - } - } - - public void updateWithRecoveredMessage(byte[] signature) - throws InvalidCipherTextException - { - byte[] block = cipher.processBlock(signature, 0, signature.length); - - // - // adjust block size for leading zeroes if necessary - // - if (block.length < (keyBits + 7) / 8) - { - byte[] tmp = new byte[(keyBits + 7) / 8]; - - System.arraycopy(block, 0, tmp, tmp.length - block.length, block.length); - clearBlock(block); - block = tmp; - } - - int tLength; - - if (((block[block.length - 1] & 0xFF) ^ 0xBC) == 0) - { - tLength = 1; - } - else - { - int sigTrail = ((block[block.length - 2] & 0xFF) << 8) | (block[block.length - 1] & 0xFF); - - Integer trailerObj = (Integer)trailerMap.get(digest.getAlgorithmName()); - - if (trailerObj != null) - { - if (sigTrail != trailerObj.intValue()) - { - throw new IllegalStateException("signer initialised with wrong digest for trailer " + sigTrail); - } - } - else - { - throw new IllegalArgumentException("unrecognised hash in signature"); - } - - tLength = 2; - } - - // - // calculate H(m2) - // - byte[] m2Hash = new byte[hLen]; - digest.doFinal(m2Hash, 0); - - // - // remove the mask - // - byte[] dbMask = maskGeneratorFunction1(block, block.length - hLen - tLength, hLen, block.length - hLen - tLength); - for (int i = 0; i != dbMask.length; i++) - { - block[i] ^= dbMask[i]; - } - - block[0] &= 0x7f; - - // - // find out how much padding we've got - // - int mStart = 0; - for (; mStart != block.length; mStart++) - { - if (block[mStart] == 0x01) - { - break; - } - } - - mStart++; - - if (mStart >= block.length) - { - clearBlock(block); - } - - fullMessage = (mStart > 1); - - recoveredMessage = new byte[dbMask.length - mStart - saltLength]; - - System.arraycopy(block, mStart, recoveredMessage, 0, recoveredMessage.length); - System.arraycopy(recoveredMessage, 0, mBuf, 0, recoveredMessage.length); - - preSig = signature; - preBlock = block; - preMStart = mStart; - preTLength = tLength; - } - - /** - * update the internal digest with the byte b - */ - public void update( - byte b) - { - if (preSig == null && messageLength < mBuf.length) - { - mBuf[messageLength++] = b; - } - else - { - digest.update(b); - } - } - - /** - * update the internal digest with the byte array in - */ - public void update( - byte[] in, - int off, - int len) - { - if (preSig == null) - { - while (len > 0 && messageLength < mBuf.length) - { - this.update(in[off]); - off++; - len--; - } - } - - if (len > 0) - { - digest.update(in, off, len); - } - } - - /** - * reset the internal state - */ - public void reset() - { - digest.reset(); - messageLength = 0; - if (mBuf != null) - { - clearBlock(mBuf); - } - if (recoveredMessage != null) - { - clearBlock(recoveredMessage); - recoveredMessage = null; - } - fullMessage = false; - if (preSig != null) - { - preSig = null; - clearBlock(preBlock); - preBlock = null; - } - } - - /** - * generate a signature for the loaded message using the key we were - * initialised with. - */ - public byte[] generateSignature() - throws CryptoException - { - int digSize = digest.getDigestSize(); - - byte[] m2Hash = new byte[digSize]; - - digest.doFinal(m2Hash, 0); - - byte[] C = new byte[8]; - LtoOSP(messageLength * 8, C); - - digest.update(C, 0, C.length); - - digest.update(mBuf, 0, messageLength); - - digest.update(m2Hash, 0, m2Hash.length); - - byte[] salt; - - if (standardSalt != null) - { - salt = standardSalt; - } - else - { - salt = new byte[saltLength]; - random.nextBytes(salt); - } - - digest.update(salt, 0, salt.length); - - byte[] hash = new byte[digest.getDigestSize()]; - - digest.doFinal(hash, 0); - - int tLength = 2; - if (trailer == TRAILER_IMPLICIT) - { - tLength = 1; - } - - int off = block.length - messageLength - salt.length - hLen - tLength - 1; - - block[off] = 0x01; - - System.arraycopy(mBuf, 0, block, off + 1, messageLength); - System.arraycopy(salt, 0, block, off + 1 + messageLength, salt.length); - - byte[] dbMask = maskGeneratorFunction1(hash, 0, hash.length, block.length - hLen - tLength); - for (int i = 0; i != dbMask.length; i++) - { - block[i] ^= dbMask[i]; - } - - System.arraycopy(hash, 0, block, block.length - hLen - tLength, hLen); - - if (trailer == TRAILER_IMPLICIT) - { - block[block.length - 1] = (byte)TRAILER_IMPLICIT; - } - else - { - block[block.length - 2] = (byte)(trailer >>> 8); - block[block.length - 1] = (byte)trailer; - } - - block[0] &= 0x7f; - - byte[] b = cipher.processBlock(block, 0, block.length); - - clearBlock(mBuf); - clearBlock(block); - messageLength = 0; - - return b; - } - - /** - * return true if the signature represents a ISO9796-2 signature - * for the passed in message. - */ - public boolean verifySignature( - byte[] signature) - { - // - // calculate H(m2) - // - byte[] m2Hash = new byte[hLen]; - digest.doFinal(m2Hash, 0); - - byte[] block; - int tLength; - int mStart = 0; - - if (preSig == null) - { - try - { - updateWithRecoveredMessage(signature); - } - catch (Exception e) - { - return false; - } - } - else - { - if (!Arrays.areEqual(preSig, signature)) - { - throw new IllegalStateException("updateWithRecoveredMessage called on different signature"); - } - } - - block = preBlock; - mStart = preMStart; - tLength = preTLength; - - preSig = null; - preBlock = null; - - // - // check the hashes - // - byte[] C = new byte[8]; - LtoOSP(recoveredMessage.length * 8, C); - - digest.update(C, 0, C.length); - - if (recoveredMessage.length != 0) - { - digest.update(recoveredMessage, 0, recoveredMessage.length); - } - - digest.update(m2Hash, 0, m2Hash.length); - - // Update for the salt - digest.update(block, mStart + recoveredMessage.length, saltLength); - - byte[] hash = new byte[digest.getDigestSize()]; - digest.doFinal(hash, 0); - - int off = block.length - tLength - hash.length; - - boolean isOkay = true; - - for (int i = 0; i != hash.length; i++) - { - if (hash[i] != block[off + i]) - { - isOkay = false; - } - } - - clearBlock(block); - clearBlock(hash); - - if (!isOkay) - { - fullMessage = false; - clearBlock(recoveredMessage); - return false; - } - - // - // if they've input a message check what we've recovered against - // what was input. - // - if (messageLength != 0) - { - if (!isSameAs(mBuf, recoveredMessage)) - { - clearBlock(mBuf); - return false; - } - messageLength = 0; - } - - clearBlock(mBuf); - return true; - } - - /** - * Return true if the full message was recoveredMessage. - * - * @return true on full message recovery, false otherwise, or if not sure. - * @see org.bouncycastle.crypto.SignerWithRecovery#hasFullMessage() - */ - public boolean hasFullMessage() - { - return fullMessage; - } - - /** - * Return a reference to the recoveredMessage message. - * - * @return the full/partial recoveredMessage message. - * @see org.bouncycastle.crypto.SignerWithRecovery#getRecoveredMessage() - */ - public byte[] getRecoveredMessage() - { - return recoveredMessage; - } - - /** - * int to octet string. - */ - private void ItoOSP( - int i, - byte[] sp) - { - sp[0] = (byte)(i >>> 24); - sp[1] = (byte)(i >>> 16); - sp[2] = (byte)(i >>> 8); - sp[3] = (byte)(i >>> 0); - } - - /** - * long to octet string. - */ - private void LtoOSP( - long l, - byte[] sp) - { - sp[0] = (byte)(l >>> 56); - sp[1] = (byte)(l >>> 48); - sp[2] = (byte)(l >>> 40); - sp[3] = (byte)(l >>> 32); - sp[4] = (byte)(l >>> 24); - sp[5] = (byte)(l >>> 16); - sp[6] = (byte)(l >>> 8); - sp[7] = (byte)(l >>> 0); - } - - /** - * mask generator function, as described in PKCS1v2. - */ - private byte[] maskGeneratorFunction1( - byte[] Z, - int zOff, - int zLen, - int length) - { - byte[] mask = new byte[length]; - byte[] hashBuf = new byte[hLen]; - byte[] C = new byte[4]; - int counter = 0; - - digest.reset(); - - while (counter < (length / hLen)) - { - ItoOSP(counter, C); - - digest.update(Z, zOff, zLen); - digest.update(C, 0, C.length); - digest.doFinal(hashBuf, 0); - - System.arraycopy(hashBuf, 0, mask, counter * hLen, hLen); - - counter++; - } - - if ((counter * hLen) < length) - { - ItoOSP(counter, C); - - digest.update(Z, zOff, zLen); - digest.update(C, 0, C.length); - digest.doFinal(hashBuf, 0); - - System.arraycopy(hashBuf, 0, mask, counter * hLen, mask.length - (counter * hLen)); - } - - return mask; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/signers/ISO9796d2Signer.java b/core/src/main/java/org/bouncycastle/crypto/signers/ISO9796d2Signer.java deleted file mode 100644 index 563fae63..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/signers/ISO9796d2Signer.java +++ /dev/null @@ -1,618 +0,0 @@ -package org.bouncycastle.crypto.signers; - -import java.util.Hashtable; - -import org.bouncycastle.crypto.AsymmetricBlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.CryptoException; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.InvalidCipherTextException; -import org.bouncycastle.crypto.SignerWithRecovery; -import org.bouncycastle.crypto.params.RSAKeyParameters; -import org.bouncycastle.util.Arrays; -import org.bouncycastle.util.Integers; - -/** - * ISO9796-2 - mechanism using a hash function with recovery (scheme 1) - */ -public class ISO9796d2Signer - implements SignerWithRecovery -{ - static final public int TRAILER_IMPLICIT = 0xBC; - static final public int TRAILER_RIPEMD160 = 0x31CC; - static final public int TRAILER_RIPEMD128 = 0x32CC; - static final public int TRAILER_SHA1 = 0x33CC; - static final public int TRAILER_SHA256 = 0x34CC; - static final public int TRAILER_SHA512 = 0x35CC; - static final public int TRAILER_SHA384 = 0x36CC; - static final public int TRAILER_WHIRLPOOL = 0x37CC; - - private static Hashtable trailerMap = new Hashtable(); - - static - { - trailerMap.put("RIPEMD128", Integers.valueOf(TRAILER_RIPEMD128)); - trailerMap.put("RIPEMD160", Integers.valueOf(TRAILER_RIPEMD160)); - - trailerMap.put("SHA-1", Integers.valueOf(TRAILER_SHA1)); - trailerMap.put("SHA-256", Integers.valueOf(TRAILER_SHA256)); - trailerMap.put("SHA-384", Integers.valueOf(TRAILER_SHA384)); - trailerMap.put("SHA-512", Integers.valueOf(TRAILER_SHA512)); - - trailerMap.put("Whirlpool", Integers.valueOf(TRAILER_WHIRLPOOL)); - } - - private Digest digest; - private AsymmetricBlockCipher cipher; - - private int trailer; - private int keyBits; - private byte[] block; - private byte[] mBuf; - private int messageLength; - private boolean fullMessage; - private byte[] recoveredMessage; - - private byte[] preSig; - private byte[] preBlock; - - /** - * Generate a signer for the with either implicit or explicit trailers - * for ISO9796-2. - * - * @param cipher base cipher to use for signature creation/verification - * @param digest digest to use. - * @param implicit whether or not the trailer is implicit or gives the hash. - */ - public ISO9796d2Signer( - AsymmetricBlockCipher cipher, - Digest digest, - boolean implicit) - { - this.cipher = cipher; - this.digest = digest; - - if (implicit) - { - trailer = TRAILER_IMPLICIT; - } - else - { - Integer trailerObj = (Integer)trailerMap.get(digest.getAlgorithmName()); - - if (trailerObj != null) - { - trailer = trailerObj.intValue(); - } - else - { - throw new IllegalArgumentException("no valid trailer for digest"); - } - } - } - - /** - * Constructor for a signer with an explicit digest trailer. - * - * @param cipher cipher to use. - * @param digest digest to sign with. - */ - public ISO9796d2Signer( - AsymmetricBlockCipher cipher, - Digest digest) - { - this(cipher, digest, false); - } - - public void init( - boolean forSigning, - CipherParameters param) - { - RSAKeyParameters kParam = (RSAKeyParameters)param; - - cipher.init(forSigning, kParam); - - keyBits = kParam.getModulus().bitLength(); - - block = new byte[(keyBits + 7) / 8]; - - if (trailer == TRAILER_IMPLICIT) - { - mBuf = new byte[block.length - digest.getDigestSize() - 2]; - } - else - { - mBuf = new byte[block.length - digest.getDigestSize() - 3]; - } - - reset(); - } - - /** - * compare two byte arrays - constant time - */ - private boolean isSameAs( - byte[] a, - byte[] b) - { - boolean isOkay = true; - - if (messageLength > mBuf.length) - { - if (mBuf.length > b.length) - { - isOkay = false; - } - - for (int i = 0; i != mBuf.length; i++) - { - if (a[i] != b[i]) - { - isOkay = false; - } - } - } - else - { - if (messageLength != b.length) - { - isOkay = false; - } - - for (int i = 0; i != b.length; i++) - { - if (a[i] != b[i]) - { - isOkay = false; - } - } - } - - return isOkay; - } - - /** - * clear possible sensitive data - */ - private void clearBlock( - byte[] block) - { - for (int i = 0; i != block.length; i++) - { - block[i] = 0; - } - } - - public void updateWithRecoveredMessage(byte[] signature) - throws InvalidCipherTextException - { - byte[] block = cipher.processBlock(signature, 0, signature.length); - - if (((block[0] & 0xC0) ^ 0x40) != 0) - { - throw new InvalidCipherTextException("malformed signature"); - } - - if (((block[block.length - 1] & 0xF) ^ 0xC) != 0) - { - throw new InvalidCipherTextException("malformed signature"); - } - - int delta = 0; - - if (((block[block.length - 1] & 0xFF) ^ 0xBC) == 0) - { - delta = 1; - } - else - { - int sigTrail = ((block[block.length - 2] & 0xFF) << 8) | (block[block.length - 1] & 0xFF); - Integer trailerObj = (Integer)trailerMap.get(digest.getAlgorithmName()); - - if (trailerObj != null) - { - if (sigTrail != trailerObj.intValue()) - { - throw new IllegalStateException("signer initialised with wrong digest for trailer " + sigTrail); - } - } - else - { - throw new IllegalArgumentException("unrecognised hash in signature"); - } - - delta = 2; - } - - // - // find out how much padding we've got - // - int mStart = 0; - - for (mStart = 0; mStart != block.length; mStart++) - { - if (((block[mStart] & 0x0f) ^ 0x0a) == 0) - { - break; - } - } - - mStart++; - - int off = block.length - delta - digest.getDigestSize(); - - // - // there must be at least one byte of message string - // - if ((off - mStart) <= 0) - { - throw new InvalidCipherTextException("malformed block"); - } - - // - // if we contain the whole message as well, check the hash of that. - // - if ((block[0] & 0x20) == 0) - { - fullMessage = true; - - recoveredMessage = new byte[off - mStart]; - System.arraycopy(block, mStart, recoveredMessage, 0, recoveredMessage.length); - } - else - { - fullMessage = false; - - recoveredMessage = new byte[off - mStart]; - System.arraycopy(block, mStart, recoveredMessage, 0, recoveredMessage.length); - } - - preSig = signature; - preBlock = block; - - digest.update(recoveredMessage, 0, recoveredMessage.length); - messageLength = recoveredMessage.length; - System.arraycopy(recoveredMessage, 0, mBuf, 0, recoveredMessage.length); - } - - /** - * update the internal digest with the byte b - */ - public void update( - byte b) - { - digest.update(b); - - if (messageLength < mBuf.length) - { - mBuf[messageLength] = b; - } - - messageLength++; - } - - /** - * update the internal digest with the byte array in - */ - public void update( - byte[] in, - int off, - int len) - { - while (len > 0 && messageLength < mBuf.length) - { - this.update(in[off]); - off++; - len--; - } - - digest.update(in, off, len); - messageLength += len; - } - - /** - * reset the internal state - */ - public void reset() - { - digest.reset(); - messageLength = 0; - clearBlock(mBuf); - - if (recoveredMessage != null) - { - clearBlock(recoveredMessage); - } - - recoveredMessage = null; - fullMessage = false; - - if (preSig != null) - { - preSig = null; - clearBlock(preBlock); - preBlock = null; - } - } - - /** - * generate a signature for the loaded message using the key we were - * initialised with. - */ - public byte[] generateSignature() - throws CryptoException - { - int digSize = digest.getDigestSize(); - - int t = 0; - int delta = 0; - - if (trailer == TRAILER_IMPLICIT) - { - t = 8; - delta = block.length - digSize - 1; - digest.doFinal(block, delta); - block[block.length - 1] = (byte)TRAILER_IMPLICIT; - } - else - { - t = 16; - delta = block.length - digSize - 2; - digest.doFinal(block, delta); - block[block.length - 2] = (byte)(trailer >>> 8); - block[block.length - 1] = (byte)trailer; - } - - byte header = 0; - int x = (digSize + messageLength) * 8 + t + 4 - keyBits; - - if (x > 0) - { - int mR = messageLength - ((x + 7) / 8); - header = 0x60; - - delta -= mR; - - System.arraycopy(mBuf, 0, block, delta, mR); - } - else - { - header = 0x40; - delta -= messageLength; - - System.arraycopy(mBuf, 0, block, delta, messageLength); - } - - if ((delta - 1) > 0) - { - for (int i = delta - 1; i != 0; i--) - { - block[i] = (byte)0xbb; - } - block[delta - 1] ^= (byte)0x01; - block[0] = (byte)0x0b; - block[0] |= header; - } - else - { - block[0] = (byte)0x0a; - block[0] |= header; - } - - byte[] b = cipher.processBlock(block, 0, block.length); - - clearBlock(mBuf); - clearBlock(block); - - return b; - } - - /** - * return true if the signature represents a ISO9796-2 signature - * for the passed in message. - */ - public boolean verifySignature( - byte[] signature) - { - byte[] block = null; - - if (preSig == null) - { - try - { - block = cipher.processBlock(signature, 0, signature.length); - } - catch (Exception e) - { - return false; - } - } - else - { - if (!Arrays.areEqual(preSig, signature)) - { - throw new IllegalStateException("updateWithRecoveredMessage called on different signature"); - } - - block = preBlock; - - preSig = null; - preBlock = null; - } - - if (((block[0] & 0xC0) ^ 0x40) != 0) - { - return returnFalse(block); - } - - if (((block[block.length - 1] & 0xF) ^ 0xC) != 0) - { - return returnFalse(block); - } - - int delta = 0; - - if (((block[block.length - 1] & 0xFF) ^ 0xBC) == 0) - { - delta = 1; - } - else - { - int sigTrail = ((block[block.length - 2] & 0xFF) << 8) | (block[block.length - 1] & 0xFF); - Integer trailerObj = (Integer)trailerMap.get(digest.getAlgorithmName()); - - if (trailerObj != null) - { - if (sigTrail != trailerObj.intValue()) - { - throw new IllegalStateException("signer initialised with wrong digest for trailer " + sigTrail); - } - } - else - { - throw new IllegalArgumentException("unrecognised hash in signature"); - } - - delta = 2; - } - - // - // find out how much padding we've got - // - int mStart = 0; - - for (mStart = 0; mStart != block.length; mStart++) - { - if (((block[mStart] & 0x0f) ^ 0x0a) == 0) - { - break; - } - } - - mStart++; - - // - // check the hashes - // - byte[] hash = new byte[digest.getDigestSize()]; - - int off = block.length - delta - hash.length; - - // - // there must be at least one byte of message string - // - if ((off - mStart) <= 0) - { - return returnFalse(block); - } - - // - // if we contain the whole message as well, check the hash of that. - // - if ((block[0] & 0x20) == 0) - { - fullMessage = true; - - // check right number of bytes passed in. - if (messageLength > off - mStart) - { - return returnFalse(block); - } - - digest.reset(); - digest.update(block, mStart, off - mStart); - digest.doFinal(hash, 0); - - boolean isOkay = true; - - for (int i = 0; i != hash.length; i++) - { - block[off + i] ^= hash[i]; - if (block[off + i] != 0) - { - isOkay = false; - } - } - - if (!isOkay) - { - return returnFalse(block); - } - - recoveredMessage = new byte[off - mStart]; - System.arraycopy(block, mStart, recoveredMessage, 0, recoveredMessage.length); - } - else - { - fullMessage = false; - - digest.doFinal(hash, 0); - - boolean isOkay = true; - - for (int i = 0; i != hash.length; i++) - { - block[off + i] ^= hash[i]; - if (block[off + i] != 0) - { - isOkay = false; - } - } - - if (!isOkay) - { - return returnFalse(block); - } - - recoveredMessage = new byte[off - mStart]; - System.arraycopy(block, mStart, recoveredMessage, 0, recoveredMessage.length); - } - - // - // if they've input a message check what we've recovered against - // what was input. - // - if (messageLength != 0) - { - if (!isSameAs(mBuf, recoveredMessage)) - { - return returnFalse(block); - } - } - - clearBlock(mBuf); - clearBlock(block); - - return true; - } - - private boolean returnFalse(byte[] block) - { - clearBlock(mBuf); - clearBlock(block); - - return false; - } - - /** - * Return true if the full message was recoveredMessage. - * - * @return true on full message recovery, false otherwise. - * @see org.bouncycastle.crypto.SignerWithRecovery#hasFullMessage() - */ - public boolean hasFullMessage() - { - return fullMessage; - } - - /** - * Return a reference to the recoveredMessage message. - * - * @return the full/partial recoveredMessage message. - * @see org.bouncycastle.crypto.SignerWithRecovery#getRecoveredMessage() - */ - public byte[] getRecoveredMessage() - { - return recoveredMessage; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/signers/PSSSigner.java b/core/src/main/java/org/bouncycastle/crypto/signers/PSSSigner.java deleted file mode 100644 index 8c9eb940..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/signers/PSSSigner.java +++ /dev/null @@ -1,348 +0,0 @@ -package org.bouncycastle.crypto.signers; - -import java.security.SecureRandom; - -import org.bouncycastle.crypto.AsymmetricBlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.CryptoException; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.Signer; -import org.bouncycastle.crypto.params.ParametersWithRandom; -import org.bouncycastle.crypto.params.RSABlindingParameters; -import org.bouncycastle.crypto.params.RSAKeyParameters; - -/** - * RSA-PSS as described in PKCS# 1 v 2.1. - * <p> - * Note: the usual value for the salt length is the number of - * bytes in the hash function. - */ -public class PSSSigner - implements Signer -{ - static final public byte TRAILER_IMPLICIT = (byte)0xBC; - - private Digest contentDigest; - private Digest mgfDigest; - private AsymmetricBlockCipher cipher; - private SecureRandom random; - - private int hLen; - private int mgfhLen; - private int sLen; - private int emBits; - private byte[] salt; - private byte[] mDash; - private byte[] block; - private byte trailer; - - /** - * basic constructor - * - * @param cipher the asymmetric cipher to use. - * @param digest the digest to use. - * @param sLen the length of the salt to use (in bytes). - */ - public PSSSigner( - AsymmetricBlockCipher cipher, - Digest digest, - int sLen) - { - this(cipher, digest, sLen, TRAILER_IMPLICIT); - } - - public PSSSigner( - AsymmetricBlockCipher cipher, - Digest contentDigest, - Digest mgfDigest, - int sLen) - { - this(cipher, contentDigest, mgfDigest, sLen, TRAILER_IMPLICIT); - } - - public PSSSigner( - AsymmetricBlockCipher cipher, - Digest digest, - int sLen, - byte trailer) - { - this(cipher, digest, digest, sLen, trailer); - } - - public PSSSigner( - AsymmetricBlockCipher cipher, - Digest contentDigest, - Digest mgfDigest, - int sLen, - byte trailer) - { - this.cipher = cipher; - this.contentDigest = contentDigest; - this.mgfDigest = mgfDigest; - this.hLen = contentDigest.getDigestSize(); - this.mgfhLen = mgfDigest.getDigestSize(); - this.sLen = sLen; - this.salt = new byte[sLen]; - this.mDash = new byte[8 + sLen + hLen]; - this.trailer = trailer; - } - - public void init( - boolean forSigning, - CipherParameters param) - { - CipherParameters params; - - if (param instanceof ParametersWithRandom) - { - ParametersWithRandom p = (ParametersWithRandom)param; - - params = p.getParameters(); - random = p.getRandom(); - } - else - { - params = param; - if (forSigning) - { - random = new SecureRandom(); - } - } - - cipher.init(forSigning, params); - - RSAKeyParameters kParam; - - if (params instanceof RSABlindingParameters) - { - kParam = ((RSABlindingParameters)params).getPublicKey(); - } - else - { - kParam = (RSAKeyParameters)params; - } - - emBits = kParam.getModulus().bitLength() - 1; - - if (emBits < (8 * hLen + 8 * sLen + 9)) - { - throw new IllegalArgumentException("key too small for specified hash and salt lengths"); - } - - block = new byte[(emBits + 7) / 8]; - - reset(); - } - - /** - * clear possible sensitive data - */ - private void clearBlock( - byte[] block) - { - for (int i = 0; i != block.length; i++) - { - block[i] = 0; - } - } - - /** - * update the internal digest with the byte b - */ - public void update( - byte b) - { - contentDigest.update(b); - } - - /** - * update the internal digest with the byte array in - */ - public void update( - byte[] in, - int off, - int len) - { - contentDigest.update(in, off, len); - } - - /** - * reset the internal state - */ - public void reset() - { - contentDigest.reset(); - } - - /** - * generate a signature for the message we've been loaded with using - * the key we were initialised with. - */ - public byte[] generateSignature() - throws CryptoException, DataLengthException - { - contentDigest.doFinal(mDash, mDash.length - hLen - sLen); - - if (sLen != 0) - { - random.nextBytes(salt); - - System.arraycopy(salt, 0, mDash, mDash.length - sLen, sLen); - } - - byte[] h = new byte[hLen]; - - contentDigest.update(mDash, 0, mDash.length); - - contentDigest.doFinal(h, 0); - - block[block.length - sLen - 1 - hLen - 1] = 0x01; - System.arraycopy(salt, 0, block, block.length - sLen - hLen - 1, sLen); - - byte[] dbMask = maskGeneratorFunction1(h, 0, h.length, block.length - hLen - 1); - for (int i = 0; i != dbMask.length; i++) - { - block[i] ^= dbMask[i]; - } - - block[0] &= (0xff >> ((block.length * 8) - emBits)); - - System.arraycopy(h, 0, block, block.length - hLen - 1, hLen); - - block[block.length - 1] = trailer; - - byte[] b = cipher.processBlock(block, 0, block.length); - - clearBlock(block); - - return b; - } - - /** - * return true if the internal state represents the signature described - * in the passed in array. - */ - public boolean verifySignature( - byte[] signature) - { - contentDigest.doFinal(mDash, mDash.length - hLen - sLen); - - try - { - byte[] b = cipher.processBlock(signature, 0, signature.length); - System.arraycopy(b, 0, block, block.length - b.length, b.length); - } - catch (Exception e) - { - return false; - } - - if (block[block.length - 1] != trailer) - { - clearBlock(block); - return false; - } - - byte[] dbMask = maskGeneratorFunction1(block, block.length - hLen - 1, hLen, block.length - hLen - 1); - - for (int i = 0; i != dbMask.length; i++) - { - block[i] ^= dbMask[i]; - } - - block[0] &= (0xff >> ((block.length * 8) - emBits)); - - for (int i = 0; i != block.length - hLen - sLen - 2; i++) - { - if (block[i] != 0) - { - clearBlock(block); - return false; - } - } - - if (block[block.length - hLen - sLen - 2] != 0x01) - { - clearBlock(block); - return false; - } - - System.arraycopy(block, block.length - sLen - hLen - 1, mDash, mDash.length - sLen, sLen); - - contentDigest.update(mDash, 0, mDash.length); - contentDigest.doFinal(mDash, mDash.length - hLen); - - for (int i = block.length - hLen - 1, j = mDash.length - hLen; - j != mDash.length; i++, j++) - { - if ((block[i] ^ mDash[j]) != 0) - { - clearBlock(mDash); - clearBlock(block); - return false; - } - } - - clearBlock(mDash); - clearBlock(block); - - return true; - } - - /** - * int to octet string. - */ - private void ItoOSP( - int i, - byte[] sp) - { - sp[0] = (byte)(i >>> 24); - sp[1] = (byte)(i >>> 16); - sp[2] = (byte)(i >>> 8); - sp[3] = (byte)(i >>> 0); - } - - /** - * mask generator function, as described in PKCS1v2. - */ - private byte[] maskGeneratorFunction1( - byte[] Z, - int zOff, - int zLen, - int length) - { - byte[] mask = new byte[length]; - byte[] hashBuf = new byte[mgfhLen]; - byte[] C = new byte[4]; - int counter = 0; - - mgfDigest.reset(); - - while (counter < (length / mgfhLen)) - { - ItoOSP(counter, C); - - mgfDigest.update(Z, zOff, zLen); - mgfDigest.update(C, 0, C.length); - mgfDigest.doFinal(hashBuf, 0); - - System.arraycopy(hashBuf, 0, mask, counter * mgfhLen, mgfhLen); - - counter++; - } - - if ((counter * mgfhLen) < length) - { - ItoOSP(counter, C); - - mgfDigest.update(Z, zOff, zLen); - mgfDigest.update(C, 0, C.length); - mgfDigest.doFinal(hashBuf, 0); - - System.arraycopy(hashBuf, 0, mask, counter * mgfhLen, mask.length - (counter * mgfhLen)); - } - - return mask; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/signers/RSADigestSigner.java b/core/src/main/java/org/bouncycastle/crypto/signers/RSADigestSigner.java deleted file mode 100644 index f34b18c2..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/signers/RSADigestSigner.java +++ /dev/null @@ -1,240 +0,0 @@ -package org.bouncycastle.crypto.signers; - -import java.io.IOException; -import java.util.Hashtable; - -import org.bouncycastle.asn1.ASN1Encoding; -import org.bouncycastle.asn1.ASN1ObjectIdentifier; -import org.bouncycastle.asn1.DERNull; -import org.bouncycastle.asn1.nist.NISTObjectIdentifiers; -import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; -import org.bouncycastle.asn1.teletrust.TeleTrusTObjectIdentifiers; -import org.bouncycastle.asn1.x509.AlgorithmIdentifier; -import org.bouncycastle.asn1.x509.DigestInfo; -import org.bouncycastle.asn1.x509.X509ObjectIdentifiers; -import org.bouncycastle.crypto.AsymmetricBlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.CryptoException; -import org.bouncycastle.crypto.DataLengthException; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.Signer; -import org.bouncycastle.crypto.encodings.PKCS1Encoding; -import org.bouncycastle.crypto.engines.RSABlindedEngine; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.params.ParametersWithRandom; -import org.bouncycastle.util.Arrays; - -public class RSADigestSigner - implements Signer -{ - private final AsymmetricBlockCipher rsaEngine = new PKCS1Encoding(new RSABlindedEngine()); - private final AlgorithmIdentifier algId; - private final Digest digest; - private boolean forSigning; - - private static final Hashtable oidMap = new Hashtable(); - - /* - * Load OID table. - */ - static - { - oidMap.put("RIPEMD128", TeleTrusTObjectIdentifiers.ripemd128); - oidMap.put("RIPEMD160", TeleTrusTObjectIdentifiers.ripemd160); - oidMap.put("RIPEMD256", TeleTrusTObjectIdentifiers.ripemd256); - - oidMap.put("SHA-1", X509ObjectIdentifiers.id_SHA1); - oidMap.put("SHA-224", NISTObjectIdentifiers.id_sha224); - oidMap.put("SHA-256", NISTObjectIdentifiers.id_sha256); - oidMap.put("SHA-384", NISTObjectIdentifiers.id_sha384); - oidMap.put("SHA-512", NISTObjectIdentifiers.id_sha512); - oidMap.put("SHA-512/224", NISTObjectIdentifiers.id_sha512_224); - oidMap.put("SHA-512/256", NISTObjectIdentifiers.id_sha512_256); - - oidMap.put("MD2", PKCSObjectIdentifiers.md2); - oidMap.put("MD4", PKCSObjectIdentifiers.md4); - oidMap.put("MD5", PKCSObjectIdentifiers.md5); - } - - public RSADigestSigner( - Digest digest) - { - this(digest, (ASN1ObjectIdentifier)oidMap.get(digest.getAlgorithmName())); - } - - public RSADigestSigner( - Digest digest, - ASN1ObjectIdentifier digestOid) - { - this.digest = digest; - this.algId = new AlgorithmIdentifier(digestOid, DERNull.INSTANCE); - } - - /** - * @deprecated - */ - public String getAlgorithmName() - { - return digest.getAlgorithmName() + "withRSA"; - } - - /** - * initialise the signer for signing or verification. - * - * @param forSigning - * true if for signing, false otherwise - * @param parameters - * necessary parameters. - */ - public void init( - boolean forSigning, - CipherParameters parameters) - { - this.forSigning = forSigning; - AsymmetricKeyParameter k; - - if (parameters instanceof ParametersWithRandom) - { - k = (AsymmetricKeyParameter)((ParametersWithRandom)parameters).getParameters(); - } - else - { - k = (AsymmetricKeyParameter)parameters; - } - - if (forSigning && !k.isPrivate()) - { - throw new IllegalArgumentException("signing requires private key"); - } - - if (!forSigning && k.isPrivate()) - { - throw new IllegalArgumentException("verification requires public key"); - } - - reset(); - - rsaEngine.init(forSigning, parameters); - } - - /** - * update the internal digest with the byte b - */ - public void update( - byte input) - { - digest.update(input); - } - - /** - * update the internal digest with the byte array in - */ - public void update( - byte[] input, - int inOff, - int length) - { - digest.update(input, inOff, length); - } - - /** - * Generate a signature for the message we've been loaded with using the key - * we were initialised with. - */ - public byte[] generateSignature() - throws CryptoException, DataLengthException - { - if (!forSigning) - { - throw new IllegalStateException("RSADigestSigner not initialised for signature generation."); - } - - byte[] hash = new byte[digest.getDigestSize()]; - digest.doFinal(hash, 0); - - try - { - byte[] data = derEncode(hash); - return rsaEngine.processBlock(data, 0, data.length); - } - catch (IOException e) - { - throw new CryptoException("unable to encode signature: " + e.getMessage(), e); - } - } - - /** - * return true if the internal state represents the signature described in - * the passed in array. - */ - public boolean verifySignature( - byte[] signature) - { - if (forSigning) - { - throw new IllegalStateException("RSADigestSigner not initialised for verification"); - } - - byte[] hash = new byte[digest.getDigestSize()]; - - digest.doFinal(hash, 0); - - byte[] sig; - byte[] expected; - - try - { - sig = rsaEngine.processBlock(signature, 0, signature.length); - expected = derEncode(hash); - } - catch (Exception e) - { - return false; - } - - if (sig.length == expected.length) - { - return Arrays.constantTimeAreEqual(sig, expected); - } - else if (sig.length == expected.length - 2) // NULL left out - { - int sigOffset = sig.length - hash.length - 2; - int expectedOffset = expected.length - hash.length - 2; - - expected[1] -= 2; // adjust lengths - expected[3] -= 2; - - int nonEqual = 0; - - for (int i = 0; i < hash.length; i++) - { - nonEqual |= (sig[sigOffset + i] ^ expected[expectedOffset + i]); - } - - for (int i = 0; i < sigOffset; i++) - { - nonEqual |= (sig[i] ^ expected[i]); // check header less NULL - } - - return nonEqual == 0; - } - else - { - return false; - } - } - - public void reset() - { - digest.reset(); - } - - private byte[] derEncode( - byte[] hash) - throws IOException - { - DigestInfo dInfo = new DigestInfo(algId, hash); - - return dInfo.getEncoded(ASN1Encoding.DER); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/signers/RandomDSAKCalculator.java b/core/src/main/java/org/bouncycastle/crypto/signers/RandomDSAKCalculator.java deleted file mode 100644 index bbd8cda6..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/signers/RandomDSAKCalculator.java +++ /dev/null @@ -1,43 +0,0 @@ -package org.bouncycastle.crypto.signers; - -import java.math.BigInteger; -import java.security.SecureRandom; - -class RandomDSAKCalculator - implements DSAKCalculator -{ - private static final BigInteger ZERO = BigInteger.valueOf(0); - - private BigInteger q; - private SecureRandom random; - - public boolean isDeterministic() - { - return false; - } - - public void init(BigInteger n, SecureRandom random) - { - this.q = n; - this.random = random; - } - - public void init(BigInteger n, BigInteger d, byte[] message) - { - throw new IllegalStateException("Operation not supported"); - } - - public BigInteger nextK() - { - int qBitLength = q.bitLength(); - - BigInteger k; - do - { - k = new BigInteger(qBitLength, random); - } - while (k.equals(ZERO) || k.compareTo(q) >= 0); - - return k; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsAgreementCredentials.java b/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsAgreementCredentials.java deleted file mode 100644 index ef7f4fba..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsAgreementCredentials.java +++ /dev/null @@ -1,7 +0,0 @@ -package org.bouncycastle.crypto.tls; - -public abstract class AbstractTlsAgreementCredentials - extends AbstractTlsCredentials - implements TlsAgreementCredentials -{ -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsCipherFactory.java b/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsCipherFactory.java deleted file mode 100644 index 71a2cab0..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsCipherFactory.java +++ /dev/null @@ -1,13 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -public class AbstractTlsCipherFactory - implements TlsCipherFactory -{ - public TlsCipher createCipher(TlsContext context, int encryptionAlgorithm, int macAlgorithm) - throws IOException - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsClient.java b/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsClient.java deleted file mode 100644 index 7d4fd033..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsClient.java +++ /dev/null @@ -1,235 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.util.Hashtable; -import java.util.Vector; - -public abstract class AbstractTlsClient - extends AbstractTlsPeer - implements TlsClient -{ - protected TlsCipherFactory cipherFactory; - - protected TlsClientContext context; - - protected Vector supportedSignatureAlgorithms; - protected int[] namedCurves; - protected short[] clientECPointFormats, serverECPointFormats; - - protected int selectedCipherSuite; - protected short selectedCompressionMethod; - - public AbstractTlsClient() - { - this(new DefaultTlsCipherFactory()); - } - - public AbstractTlsClient(TlsCipherFactory cipherFactory) - { - this.cipherFactory = cipherFactory; - } - - public void init(TlsClientContext context) - { - this.context = context; - } - - public TlsSession getSessionToResume() - { - return null; - } - - /** - * RFC 5246 E.1. "TLS clients that wish to negotiate with older servers MAY send any value - * {03,XX} as the record layer version number. Typical values would be {03,00}, the lowest - * version number supported by the client, and the value of ClientHello.client_version. No - * single value will guarantee interoperability with all old servers, but this is a complex - * topic beyond the scope of this document." - */ - public ProtocolVersion getClientHelloRecordLayerVersion() - { - // "{03,00}" - // return ProtocolVersion.SSLv3; - - // "the lowest version number supported by the client" - // return getMinimumVersion(); - - // "the value of ClientHello.client_version" - return getClientVersion(); - } - - public ProtocolVersion getClientVersion() - { - return ProtocolVersion.TLSv12; - } - - public Hashtable getClientExtensions() - throws IOException - { - Hashtable clientExtensions = null; - - ProtocolVersion clientVersion = context.getClientVersion(); - - /* - * RFC 5246 7.4.1.4.1. Note: this extension is not meaningful for TLS versions prior to 1.2. - * Clients MUST NOT offer it if they are offering prior versions. - */ - if (TlsUtils.isSignatureAlgorithmsExtensionAllowed(clientVersion)) - { - // TODO Provide a way for the user to specify the acceptable hash/signature algorithms. - - short[] hashAlgorithms = new short[]{ HashAlgorithm.sha512, HashAlgorithm.sha384, HashAlgorithm.sha256, - HashAlgorithm.sha224, HashAlgorithm.sha1 }; - - // TODO Sort out ECDSA signatures and add them as the preferred option here - short[] signatureAlgorithms = new short[]{ SignatureAlgorithm.rsa }; - - this.supportedSignatureAlgorithms = new Vector(); - for (int i = 0; i < hashAlgorithms.length; ++i) - { - for (int j = 0; j < signatureAlgorithms.length; ++j) - { - this.supportedSignatureAlgorithms.addElement(new SignatureAndHashAlgorithm(hashAlgorithms[i], - signatureAlgorithms[j])); - } - } - - /* - * RFC 5264 7.4.3. Currently, DSA [DSS] may only be used with SHA-1. - */ - this.supportedSignatureAlgorithms.addElement(new SignatureAndHashAlgorithm(HashAlgorithm.sha1, - SignatureAlgorithm.dsa)); - - clientExtensions = TlsExtensionsUtils.ensureExtensionsInitialised(clientExtensions); - - TlsUtils.addSignatureAlgorithmsExtension(clientExtensions, supportedSignatureAlgorithms); - } - - if (TlsECCUtils.containsECCCipherSuites(getCipherSuites())) - { - /* - * RFC 4492 5.1. A client that proposes ECC cipher suites in its ClientHello message - * appends these extensions (along with any others), enumerating the curves it supports - * and the point formats it can parse. Clients SHOULD send both the Supported Elliptic - * Curves Extension and the Supported Point Formats Extension. - */ - /* - * TODO Could just add all the curves since we support them all, but users may not want - * to use unnecessarily large fields. Need configuration options. - */ - this.namedCurves = new int[]{ NamedCurve.secp256r1, NamedCurve.secp384r1 }; - this.clientECPointFormats = new short[]{ ECPointFormat.uncompressed, - ECPointFormat.ansiX962_compressed_prime, ECPointFormat.ansiX962_compressed_char2, }; - - clientExtensions = TlsExtensionsUtils.ensureExtensionsInitialised(clientExtensions); - - TlsECCUtils.addSupportedEllipticCurvesExtension(clientExtensions, namedCurves); - TlsECCUtils.addSupportedPointFormatsExtension(clientExtensions, clientECPointFormats); - } - - return clientExtensions; - } - - public ProtocolVersion getMinimumVersion() - { - return ProtocolVersion.TLSv10; - } - - public void notifyServerVersion(ProtocolVersion serverVersion) - throws IOException - { - if (!getMinimumVersion().isEqualOrEarlierVersionOf(serverVersion)) - { - throw new TlsFatalAlert(AlertDescription.protocol_version); - } - } - - public short[] getCompressionMethods() - { - return new short[]{CompressionMethod._null}; - } - - public void notifySessionID(byte[] sessionID) - { - // Currently ignored - } - - public void notifySelectedCipherSuite(int selectedCipherSuite) - { - this.selectedCipherSuite = selectedCipherSuite; - } - - public void notifySelectedCompressionMethod(short selectedCompressionMethod) - { - this.selectedCompressionMethod = selectedCompressionMethod; - } - - public void processServerExtensions(Hashtable serverExtensions) - throws IOException - { - /* - * TlsProtocol implementation validates that any server extensions received correspond to - * client extensions sent. By default, we don't send any, and this method is not called. - */ - if (serverExtensions != null) - { - /* - * RFC 5246 7.4.1.4.1. Servers MUST NOT send this extension. - */ - if (serverExtensions.containsKey(TlsUtils.EXT_signature_algorithms)) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - int[] namedCurves = TlsECCUtils.getSupportedEllipticCurvesExtension(serverExtensions); - if (namedCurves != null) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - this.serverECPointFormats = TlsECCUtils.getSupportedPointFormatsExtension(serverExtensions); - if (this.serverECPointFormats != null && !TlsECCUtils.isECCCipherSuite(this.selectedCipherSuite)) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - } - } - - public void processServerSupplementalData(Vector serverSupplementalData) - throws IOException - { - if (serverSupplementalData != null) - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - } - - public Vector getClientSupplementalData() - throws IOException - { - return null; - } - - public TlsCompression getCompression() - throws IOException - { - switch (selectedCompressionMethod) - { - case CompressionMethod._null: - return new TlsNullCompression(); - - default: - /* - * Note: internal error here; the TlsProtocol implementation verifies that the - * server-selected compression method was in the list of client-offered compression - * methods, so if we now can't produce an implementation, we shouldn't have offered it! - */ - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - public void notifyNewSessionTicket(NewSessionTicket newSessionTicket) - throws IOException - { - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsContext.java b/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsContext.java deleted file mode 100644 index 0b9949f9..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsContext.java +++ /dev/null @@ -1,133 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.security.SecureRandom; - -import org.bouncycastle.crypto.prng.DigestRandomGenerator; -import org.bouncycastle.crypto.prng.RandomGenerator; -import org.bouncycastle.util.Times; - -abstract class AbstractTlsContext - implements TlsContext -{ - private static long counter = Times.nanoTime(); - - private synchronized static long nextCounterValue() - { - return ++counter; - } - - private RandomGenerator nonceRandom; - private SecureRandom secureRandom; - private SecurityParameters securityParameters; - - private ProtocolVersion clientVersion = null; - private ProtocolVersion serverVersion = null; - private TlsSession session = null; - private Object userObject = null; - - AbstractTlsContext(SecureRandom secureRandom, SecurityParameters securityParameters) - { - secureRandom.setSeed(nextCounterValue()); - secureRandom.setSeed(Times.nanoTime()); - - this.nonceRandom = new DigestRandomGenerator(TlsUtils.createHash(HashAlgorithm.sha256)); - this.nonceRandom.addSeedMaterial(secureRandom.generateSeed(32)); - - this.secureRandom = secureRandom; - this.securityParameters = securityParameters; - } - - public RandomGenerator getNonceRandomGenerator() - { - return nonceRandom; - } - - public SecureRandom getSecureRandom() - { - return secureRandom; - } - - public SecurityParameters getSecurityParameters() - { - return securityParameters; - } - - public ProtocolVersion getClientVersion() - { - return clientVersion; - } - - void setClientVersion(ProtocolVersion clientVersion) - { - this.clientVersion = clientVersion; - } - - public ProtocolVersion getServerVersion() - { - return serverVersion; - } - - void setServerVersion(ProtocolVersion serverVersion) - { - this.serverVersion = serverVersion; - } - - public TlsSession getResumableSession() - { - return session; - } - - void setResumableSession(TlsSession session) - { - this.session = session; - } - - public Object getUserObject() - { - return userObject; - } - - public void setUserObject(Object userObject) - { - this.userObject = userObject; - } - - public byte[] exportKeyingMaterial(String asciiLabel, byte[] context_value, int length) - { - if (context_value != null && !TlsUtils.isValidUint16(context_value.length)) - { - throw new IllegalArgumentException("'context_value' must have length less than 2^16 (or be null)"); - } - - SecurityParameters sp = getSecurityParameters(); - byte[] cr = sp.getClientRandom(), sr = sp.getServerRandom(); - - int seedLength = cr.length + sr.length; - if (context_value != null) - { - seedLength += (2 + context_value.length); - } - - byte[] seed = new byte[seedLength]; - int seedPos = 0; - - System.arraycopy(cr, 0, seed, seedPos, cr.length); - seedPos += cr.length; - System.arraycopy(sr, 0, seed, seedPos, sr.length); - seedPos += sr.length; - if (context_value != null) - { - TlsUtils.writeUint16(context_value.length, seed, seedPos); - seedPos += 2; - System.arraycopy(context_value, 0, seed, seedPos, context_value.length); - seedPos += context_value.length; - } - - if (seedPos != seedLength) - { - throw new IllegalStateException("error in calculation of seed for export"); - } - - return TlsUtils.PRF(this, sp.getMasterSecret(), asciiLabel, seed, length); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsCredentials.java b/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsCredentials.java deleted file mode 100644 index b98743f3..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsCredentials.java +++ /dev/null @@ -1,6 +0,0 @@ -package org.bouncycastle.crypto.tls; - -public abstract class AbstractTlsCredentials - implements TlsCredentials -{ -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsEncryptionCredentials.java b/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsEncryptionCredentials.java deleted file mode 100644 index e6ff39ba..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsEncryptionCredentials.java +++ /dev/null @@ -1,7 +0,0 @@ -package org.bouncycastle.crypto.tls; - -public abstract class AbstractTlsEncryptionCredentials - extends AbstractTlsCredentials - implements TlsEncryptionCredentials -{ -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsKeyExchange.java b/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsKeyExchange.java deleted file mode 100644 index 43e80e64..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsKeyExchange.java +++ /dev/null @@ -1,166 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.io.InputStream; -import java.util.Vector; - -public abstract class AbstractTlsKeyExchange - implements TlsKeyExchange -{ - protected int keyExchange; - protected Vector supportedSignatureAlgorithms; - - protected TlsContext context; - - protected AbstractTlsKeyExchange(int keyExchange, Vector supportedSignatureAlgorithms) - { - this.keyExchange = keyExchange; - this.supportedSignatureAlgorithms = supportedSignatureAlgorithms; - } - - public void init(TlsContext context) - { - this.context = context; - - ProtocolVersion clientVersion = context.getClientVersion(); - - if (TlsUtils.isSignatureAlgorithmsExtensionAllowed(clientVersion)) - { - /* - * RFC 5264 7.4.1.4.1. If the client does not send the signature_algorithms extension, - * the server MUST do the following: - * - * - If the negotiated key exchange algorithm is one of (RSA, DHE_RSA, DH_RSA, RSA_PSK, - * ECDH_RSA, ECDHE_RSA), behave as if client had sent the value {sha1,rsa}. - * - * - If the negotiated key exchange algorithm is one of (DHE_DSS, DH_DSS), behave as if - * the client had sent the value {sha1,dsa}. - * - * - If the negotiated key exchange algorithm is one of (ECDH_ECDSA, ECDHE_ECDSA), - * behave as if the client had sent value {sha1,ecdsa}. - */ - if (this.supportedSignatureAlgorithms == null) - { - switch (keyExchange) - { - case KeyExchangeAlgorithm.DH_DSS: - case KeyExchangeAlgorithm.DHE_DSS: - case KeyExchangeAlgorithm.SRP_DSS: - { - this.supportedSignatureAlgorithms = TlsUtils.getDefaultDSSSignatureAlgorithms(); - break; - } - - case KeyExchangeAlgorithm.ECDH_ECDSA: - case KeyExchangeAlgorithm.ECDHE_ECDSA: - { - this.supportedSignatureAlgorithms = TlsUtils.getDefaultECDSASignatureAlgorithms(); - break; - } - - case KeyExchangeAlgorithm.DH_RSA: - case KeyExchangeAlgorithm.DHE_RSA: - case KeyExchangeAlgorithm.ECDH_RSA: - case KeyExchangeAlgorithm.ECDHE_RSA: - case KeyExchangeAlgorithm.RSA: - case KeyExchangeAlgorithm.RSA_PSK: - case KeyExchangeAlgorithm.SRP_RSA: - { - this.supportedSignatureAlgorithms = TlsUtils.getDefaultRSASignatureAlgorithms(); - break; - } - - case KeyExchangeAlgorithm.DHE_PSK: - case KeyExchangeAlgorithm.ECDHE_PSK: - case KeyExchangeAlgorithm.PSK: - case KeyExchangeAlgorithm.SRP: - break; - - default: - throw new IllegalStateException("unsupported key exchange algorithm"); - } - } - - } - else if (this.supportedSignatureAlgorithms != null) - { - throw new IllegalStateException("supported_signature_algorithms not allowed for " + clientVersion); - } - } - - public void processServerCertificate(Certificate serverCertificate) - throws IOException - { - if (supportedSignatureAlgorithms == null) - { - /* - * TODO RFC 2264 7.4.2. Unless otherwise specified, the signing algorithm for the - * certificate must be the same as the algorithm for the certificate key. - */ - } - else - { - /* - * TODO RFC 5264 7.4.2. If the client provided a "signature_algorithms" extension, then - * all certificates provided by the server MUST be signed by a hash/signature algorithm - * pair that appears in that extension. - */ - } - } - - public void processServerCredentials(TlsCredentials serverCredentials) - throws IOException - { - processServerCertificate(serverCredentials.getCertificate()); - } - - public boolean requiresServerKeyExchange() - { - return false; - } - - public byte[] generateServerKeyExchange() - throws IOException - { - if (requiresServerKeyExchange()) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - return null; - } - - public void skipServerKeyExchange() - throws IOException - { - if (requiresServerKeyExchange()) - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - } - - public void processServerKeyExchange(InputStream input) - throws IOException - { - if (!requiresServerKeyExchange()) - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - } - - public void skipClientCredentials() - throws IOException - { - } - - public void processClientCertificate(Certificate clientCertificate) - throws IOException - { - } - - public void processClientKeyExchange(InputStream input) - throws IOException - { - // Key exchange implementation MUST support client key exchange - throw new TlsFatalAlert(AlertDescription.internal_error); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsPeer.java b/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsPeer.java deleted file mode 100644 index 26ad6d34..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsPeer.java +++ /dev/null @@ -1,42 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -public abstract class AbstractTlsPeer - implements TlsPeer -{ - public boolean shouldUseGMTUnixTime() - { - /* - * draft-mathewson-no-gmtunixtime-00 2. For the reasons we discuss above, we recommend that - * TLS implementors MUST by default set the entire value the ClientHello.Random and - * ServerHello.Random fields, including gmt_unix_time, to a cryptographically random - * sequence. - */ - return false; - } - - public void notifySecureRenegotiation(boolean secureRenegotiation) throws IOException - { - if (!secureRenegotiation) - { - /* - * RFC 5746 3.4/3.6. In this case, some clients/servers may want to terminate the handshake instead - * of continuing; see Section 4.1/4.3 for discussion. - */ - throw new TlsFatalAlert(AlertDescription.handshake_failure); - } - } - - public void notifyAlertRaised(short alertLevel, short alertDescription, String message, Exception cause) - { - } - - public void notifyAlertReceived(short alertLevel, short alertDescription) - { - } - - public void notifyHandshakeComplete() throws IOException - { - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsServer.java b/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsServer.java deleted file mode 100644 index dd5c4409..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsServer.java +++ /dev/null @@ -1,335 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.util.Hashtable; -import java.util.Vector; - -import org.bouncycastle.util.Arrays; - -public abstract class AbstractTlsServer - extends AbstractTlsPeer - implements TlsServer -{ - protected TlsCipherFactory cipherFactory; - - protected TlsServerContext context; - - protected ProtocolVersion clientVersion; - protected int[] offeredCipherSuites; - protected short[] offeredCompressionMethods; - protected Hashtable clientExtensions; - - protected boolean encryptThenMACOffered; - protected short maxFragmentLengthOffered; - protected boolean truncatedHMacOffered; - protected Vector supportedSignatureAlgorithms; - protected boolean eccCipherSuitesOffered; - protected int[] namedCurves; - protected short[] clientECPointFormats, serverECPointFormats; - - protected ProtocolVersion serverVersion; - protected int selectedCipherSuite; - protected short selectedCompressionMethod; - protected Hashtable serverExtensions; - - public AbstractTlsServer() - { - this(new DefaultTlsCipherFactory()); - } - - public AbstractTlsServer(TlsCipherFactory cipherFactory) - { - this.cipherFactory = cipherFactory; - } - - protected boolean allowEncryptThenMAC() - { - return true; - } - - protected boolean allowTruncatedHMac() - { - return false; - } - - protected Hashtable checkServerExtensions() - { - return this.serverExtensions = TlsExtensionsUtils.ensureExtensionsInitialised(this.serverExtensions); - } - - protected abstract int[] getCipherSuites(); - - protected short[] getCompressionMethods() - { - return new short[]{CompressionMethod._null}; - } - - protected ProtocolVersion getMaximumVersion() - { - return ProtocolVersion.TLSv11; - } - - protected ProtocolVersion getMinimumVersion() - { - return ProtocolVersion.TLSv10; - } - - protected boolean supportsClientECCCapabilities(int[] namedCurves, short[] ecPointFormats) - { - // NOTE: BC supports all the current set of point formats so we don't check them here - - if (namedCurves == null) - { - /* - * RFC 4492 4. A client that proposes ECC cipher suites may choose not to include these - * extensions. In this case, the server is free to choose any one of the elliptic curves - * or point formats [...]. - */ - return TlsECCUtils.hasAnySupportedNamedCurves(); - } - - for (int i = 0; i < namedCurves.length; ++i) - { - int namedCurve = namedCurves[i]; - if (NamedCurve.isValid(namedCurve) - && (!NamedCurve.refersToASpecificNamedCurve(namedCurve) || TlsECCUtils.isSupportedNamedCurve(namedCurve))) - { - return true; - } - } - - return false; - } - - public void init(TlsServerContext context) - { - this.context = context; - } - - public void notifyClientVersion(ProtocolVersion clientVersion) - throws IOException - { - this.clientVersion = clientVersion; - } - - public void notifyOfferedCipherSuites(int[] offeredCipherSuites) - throws IOException - { - this.offeredCipherSuites = offeredCipherSuites; - this.eccCipherSuitesOffered = TlsECCUtils.containsECCCipherSuites(this.offeredCipherSuites); - } - - public void notifyOfferedCompressionMethods(short[] offeredCompressionMethods) - throws IOException - { - this.offeredCompressionMethods = offeredCompressionMethods; - } - - public void processClientExtensions(Hashtable clientExtensions) - throws IOException - { - this.clientExtensions = clientExtensions; - - if (clientExtensions != null) - { - this.encryptThenMACOffered = TlsExtensionsUtils.hasEncryptThenMACExtension(clientExtensions); - this.maxFragmentLengthOffered = TlsExtensionsUtils.getMaxFragmentLengthExtension(clientExtensions); - this.truncatedHMacOffered = TlsExtensionsUtils.hasTruncatedHMacExtension(clientExtensions); - - this.supportedSignatureAlgorithms = TlsUtils.getSignatureAlgorithmsExtension(clientExtensions); - if (this.supportedSignatureAlgorithms != null) - { - /* - * RFC 5246 7.4.1.4.1. Note: this extension is not meaningful for TLS versions prior - * to 1.2. Clients MUST NOT offer it if they are offering prior versions. - */ - if (!TlsUtils.isSignatureAlgorithmsExtensionAllowed(clientVersion)) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - } - - this.namedCurves = TlsECCUtils.getSupportedEllipticCurvesExtension(clientExtensions); - this.clientECPointFormats = TlsECCUtils.getSupportedPointFormatsExtension(clientExtensions); - } - - /* - * RFC 4429 4. The client MUST NOT include these extensions in the ClientHello message if it - * does not propose any ECC cipher suites. - */ - if (!this.eccCipherSuitesOffered && (this.namedCurves != null || this.clientECPointFormats != null)) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - } - - public ProtocolVersion getServerVersion() - throws IOException - { - if (getMinimumVersion().isEqualOrEarlierVersionOf(clientVersion)) - { - ProtocolVersion maximumVersion = getMaximumVersion(); - if (clientVersion.isEqualOrEarlierVersionOf(maximumVersion)) - { - return serverVersion = clientVersion; - } - if (clientVersion.isLaterVersionOf(maximumVersion)) - { - return serverVersion = maximumVersion; - } - } - throw new TlsFatalAlert(AlertDescription.protocol_version); - } - - public int getSelectedCipherSuite() - throws IOException - { - /* - * TODO RFC 5246 7.4.3. In order to negotiate correctly, the server MUST check any candidate - * cipher suites against the "signature_algorithms" extension before selecting them. This is - * somewhat inelegant but is a compromise designed to minimize changes to the original - * cipher suite design. - */ - - /* - * RFC 4429 5.1. A server that receives a ClientHello containing one or both of these - * extensions MUST use the client's enumerated capabilities to guide its selection of an - * appropriate cipher suite. One of the proposed ECC cipher suites must be negotiated only - * if the server can successfully complete the handshake while using the curves and point - * formats supported by the client [...]. - */ - boolean eccCipherSuitesEnabled = supportsClientECCCapabilities(this.namedCurves, this.clientECPointFormats); - - int[] cipherSuites = getCipherSuites(); - for (int i = 0; i < cipherSuites.length; ++i) - { - int cipherSuite = cipherSuites[i]; - - if (Arrays.contains(this.offeredCipherSuites, cipherSuite) - && (eccCipherSuitesEnabled || !TlsECCUtils.isECCCipherSuite(cipherSuite)) - && TlsUtils.isValidCipherSuiteForVersion(cipherSuite, serverVersion)) - { - return this.selectedCipherSuite = cipherSuite; - } - } - throw new TlsFatalAlert(AlertDescription.handshake_failure); - } - - public short getSelectedCompressionMethod() - throws IOException - { - short[] compressionMethods = getCompressionMethods(); - for (int i = 0; i < compressionMethods.length; ++i) - { - if (Arrays.contains(offeredCompressionMethods, compressionMethods[i])) - { - return this.selectedCompressionMethod = compressionMethods[i]; - } - } - throw new TlsFatalAlert(AlertDescription.handshake_failure); - } - - // Hashtable is (Integer -> byte[]) - public Hashtable getServerExtensions() - throws IOException - { - if (this.encryptThenMACOffered && allowEncryptThenMAC()) - { - /* - * draft-ietf-tls-encrypt-then-mac-03 3. If a server receives an encrypt-then-MAC - * request extension from a client and then selects a stream or AEAD cipher suite, it - * MUST NOT send an encrypt-then-MAC response extension back to the client. - */ - if (TlsUtils.isBlockCipherSuite(this.selectedCipherSuite)) - { - TlsExtensionsUtils.addEncryptThenMACExtension(checkServerExtensions()); - } - } - - if (this.maxFragmentLengthOffered >= 0) - { - TlsExtensionsUtils.addMaxFragmentLengthExtension(checkServerExtensions(), this.maxFragmentLengthOffered); - } - - if (this.truncatedHMacOffered && allowTruncatedHMac()) - { - TlsExtensionsUtils.addTruncatedHMacExtension(checkServerExtensions()); - } - - if (this.clientECPointFormats != null && TlsECCUtils.isECCCipherSuite(this.selectedCipherSuite)) - { - /* - * RFC 4492 5.2. A server that selects an ECC cipher suite in response to a ClientHello - * message including a Supported Point Formats Extension appends this extension (along - * with others) to its ServerHello message, enumerating the point formats it can parse. - */ - this.serverECPointFormats = new short[]{ ECPointFormat.uncompressed, - ECPointFormat.ansiX962_compressed_prime, ECPointFormat.ansiX962_compressed_char2, }; - - TlsECCUtils.addSupportedPointFormatsExtension(checkServerExtensions(), serverECPointFormats); - } - - return serverExtensions; - } - - public Vector getServerSupplementalData() - throws IOException - { - return null; - } - - public CertificateStatus getCertificateStatus() - throws IOException - { - return null; - } - - public CertificateRequest getCertificateRequest() - throws IOException - { - return null; - } - - public void processClientSupplementalData(Vector clientSupplementalData) - throws IOException - { - if (clientSupplementalData != null) - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - } - - public void notifyClientCertificate(Certificate clientCertificate) - throws IOException - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - public TlsCompression getCompression() - throws IOException - { - switch (selectedCompressionMethod) - { - case CompressionMethod._null: - return new TlsNullCompression(); - - default: - /* - * Note: internal error here; we selected the compression method, so if we now can't - * produce an implementation, we shouldn't have chosen it! - */ - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - public NewSessionTicket getNewSessionTicket() - throws IOException - { - /* - * RFC 5077 3.3. If the server determines that it does not want to include a ticket after it - * has included the SessionTicket extension in the ServerHello, then it sends a zero-length - * ticket in the NewSessionTicket handshake message. - */ - return new NewSessionTicket(0L, TlsUtils.EMPTY_BYTES); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsSigner.java b/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsSigner.java deleted file mode 100644 index 3a1d6319..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsSigner.java +++ /dev/null @@ -1,38 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import org.bouncycastle.crypto.CryptoException; -import org.bouncycastle.crypto.Signer; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; - -public abstract class AbstractTlsSigner - implements TlsSigner -{ - protected TlsContext context; - - public void init(TlsContext context) - { - this.context = context; - } - - public byte[] generateRawSignature(AsymmetricKeyParameter privateKey, byte[] md5AndSha1) - throws CryptoException - { - return generateRawSignature(null, privateKey, md5AndSha1); - } - - public boolean verifyRawSignature(byte[] sigBytes, AsymmetricKeyParameter publicKey, byte[] md5AndSha1) - throws CryptoException - { - return verifyRawSignature(null, sigBytes, publicKey, md5AndSha1); - } - - public Signer createSigner(AsymmetricKeyParameter privateKey) - { - return createSigner(null, privateKey); - } - - public Signer createVerifyer(AsymmetricKeyParameter publicKey) - { - return createVerifyer(null, publicKey); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsSignerCredentials.java b/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsSignerCredentials.java deleted file mode 100644 index 3452f527..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsSignerCredentials.java +++ /dev/null @@ -1,11 +0,0 @@ -package org.bouncycastle.crypto.tls; - -public abstract class AbstractTlsSignerCredentials - extends AbstractTlsCredentials - implements TlsSignerCredentials -{ - public SignatureAndHashAlgorithm getSignatureAndHashAlgorithm() - { - throw new IllegalStateException("TlsSignerCredentials implementation does not support (D)TLS 1.2+"); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/AlertDescription.java b/core/src/main/java/org/bouncycastle/crypto/tls/AlertDescription.java deleted file mode 100644 index 91366be0..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/AlertDescription.java +++ /dev/null @@ -1,216 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/** - * RFC 5246 7.2. - */ -public class AlertDescription -{ - /** - * This message notifies the recipient that the sender will not send any more messages on this - * connection. Note that as of TLS 1.1, failure to properly close a connection no longer - * requires that a session not be resumed. This is a change from TLS 1.0 ("The session becomes - * unresumable if any connection is terminated without proper close_notify messages with level - * equal to warning.") to conform with widespread implementation practice. - */ - public static final short close_notify = 0; - - /** - * An inappropriate message was received. This alert is always fatal and should never be - * observed in communication between proper implementations. - */ - public static final short unexpected_message = 10; - - /** - * This alert is returned if a record is received with an incorrect MAC. This alert also MUST be - * returned if an alert is sent because a TLSCiphertext decrypted in an invalid way: either it - * wasn't an even multiple of the block length, or its padding values, when checked, weren't - * correct. This message is always fatal and should never be observed in communication between - * proper implementations (except when messages were corrupted in the network). - */ - public static final short bad_record_mac = 20; - - /** - * This alert was used in some earlier versions of TLS, and may have permitted certain attacks - * against the CBC mode [CBCATT]. It MUST NOT be sent by compliant implementations. - */ - public static final short decryption_failed = 21; - - /** - * A TLSCiphertext record was received that had a length more than 2^14+2048 bytes, or a record - * decrypted to a TLSCompressed record with more than 2^14+1024 bytes. This message is always - * fatal and should never be observed in communication between proper implementations (except - * when messages were corrupted in the network). - */ - public static final short record_overflow = 22; - - /** - * The decompression function received improper input (e.g., data that would expand to excessive - * length). This message is always fatal and should never be observed in communication between - * proper implementations. - */ - public static final short decompression_failure = 30; - - /** - * Reception of a handshake_failure alert message indicates that the sender was unable to - * negotiate an acceptable set of security parameters given the options available. This is a - * fatal error. - */ - public static final short handshake_failure = 40; - - /** - * This alert was used in SSLv3 but not any version of TLS. It MUST NOT be sent by compliant - * implementations. - */ - public static final short no_certificate = 41; - - /** - * A certificate was corrupt, contained signatures that did not verify correctly, etc. - */ - public static final short bad_certificate = 42; - - /** - * A certificate was of an unsupported type. - */ - public static final short unsupported_certificate = 43; - - /** - * A certificate was revoked by its signer. - */ - public static final short certificate_revoked = 44; - - /** - * A certificate has expired or is not currently valid. - */ - public static final short certificate_expired = 45; - - /** - * Some other (unspecified) issue arose in processing the certificate, rendering it - * unacceptable. - */ - public static final short certificate_unknown = 46; - - /** - * A field in the handshake was out of range or inconsistent with other fields. This message is - * always fatal. - */ - public static final short illegal_parameter = 47; - - /** - * A valid certificate chain or partial chain was received, but the certificate was not accepted - * because the CA certificate could not be located or couldn't be matched with a known, trusted - * CA. This message is always fatal. - */ - public static final short unknown_ca = 48; - - /** - * A valid certificate was received, but when access control was applied, the sender decided not - * to proceed with negotiation. This message is always fatal. - */ - public static final short access_denied = 49; - - /** - * A message could not be decoded because some field was out of the specified range or the - * length of the message was incorrect. This message is always fatal and should never be - * observed in communication between proper implementations (except when messages were corrupted - * in the network). - */ - public static final short decode_error = 50; - - /** - * A handshake cryptographic operation failed, including being unable to correctly verify a - * signature or validate a Finished message. This message is always fatal. - */ - public static final short decrypt_error = 51; - - /** - * This alert was used in some earlier versions of TLS. It MUST NOT be sent by compliant - * implementations. - */ - public static final short export_restriction = 60; - - /** - * The protocol version the client has attempted to negotiate is recognized but not supported. - * (For example, old protocol versions might be avoided for security reasons.) This message is - * always fatal. - */ - public static final short protocol_version = 70; - - /** - * Returned instead of handshake_failure when a negotiation has failed specifically because the - * server requires ciphers more secure than those supported by the client. This message is - * always fatal. - */ - public static final short insufficient_security = 71; - - /** - * An internal error unrelated to the peer or the correctness of the protocol (such as a memory - * allocation failure) makes it impossible to continue. This message is always fatal. - */ - public static final short internal_error = 80; - - /** - * This handshake is being canceled for some reason unrelated to a protocol failure. If the user - * cancels an operation after the handshake is complete, just closing the connection by sending - * a close_notify is more appropriate. This alert should be followed by a close_notify. This - * message is generally a warning. - */ - public static final short user_canceled = 90; - - /** - * Sent by the client in response to a hello request or by the server in response to a client - * hello after initial handshaking. Either of these would normally lead to renegotiation; when - * that is not appropriate, the recipient should respond with this alert. At that point, the - * original requester can decide whether to proceed with the connection. One case where this - * would be appropriate is where a server has spawned a process to satisfy a request; the - * process might receive security parameters (key length, authentication, etc.) at startup, and - * it might be difficult to communicate changes to these parameters after that point. This - * message is always a warning. - */ - public static final short no_renegotiation = 100; - - /** - * Sent by clients that receive an extended server hello containing an extension that they did - * not put in the corresponding client hello. This message is always fatal. - */ - public static final short unsupported_extension = 110; - - /* - * RFC 3546 - */ - - /** - * This alert is sent by servers who are unable to retrieve a certificate chain from the URL - * supplied by the client (see Section 3.3). This message MAY be fatal - for example if client - * authentication is required by the server for the handshake to continue and the server is - * unable to retrieve the certificate chain, it may send a fatal alert. - */ - public static final short certificate_unobtainable = 111; - - /** - * This alert is sent by servers that receive a server_name extension request, but do not - * recognize the server name. This message MAY be fatal. - */ - public static final short unrecognized_name = 112; - - /** - * This alert is sent by clients that receive an invalid certificate status response (see - * Section 3.6). This message is always fatal. - */ - public static final short bad_certificate_status_response = 113; - - /** - * This alert is sent by servers when a certificate hash does not match a client provided - * certificate_hash. This message is always fatal. - */ - public static final short bad_certificate_hash_value = 114; - - /* - * RFC 4279 - */ - - /** - * If the server does not recognize the PSK identity, it MAY respond with an - * "unknown_psk_identity" alert message. - */ - public static final short unknown_psk_identity = 115; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/AlertLevel.java b/core/src/main/java/org/bouncycastle/crypto/tls/AlertLevel.java deleted file mode 100644 index 53e843a4..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/AlertLevel.java +++ /dev/null @@ -1,10 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/** - * RFC 5246 7.2 - */ -public class AlertLevel -{ - public static final short warning = 1; - public static final short fatal = 2; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/AlwaysValidVerifyer.java b/core/src/main/java/org/bouncycastle/crypto/tls/AlwaysValidVerifyer.java deleted file mode 100644 index 961408ae..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/AlwaysValidVerifyer.java +++ /dev/null @@ -1,23 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/** - * A certificate verifyer, that will always return true. - * <pre> - * DO NOT USE THIS FILE UNLESS YOU KNOW EXACTLY WHAT YOU ARE DOING. - * </pre> - * - * @deprecated Perform certificate verification in TlsAuthentication implementation - */ -public class AlwaysValidVerifyer - implements CertificateVerifyer -{ - /** - * Return true. - * - * @see org.bouncycastle.crypto.tls.CertificateVerifyer#isValid(org.bouncycastle.asn1.x509.Certificate[]) - */ - public boolean isValid(org.bouncycastle.asn1.x509.Certificate[] certs) - { - return true; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/BulkCipherAlgorithm.java b/core/src/main/java/org/bouncycastle/crypto/tls/BulkCipherAlgorithm.java deleted file mode 100644 index 7f013b3a..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/BulkCipherAlgorithm.java +++ /dev/null @@ -1,23 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/** - * RFC 2246 - * <p> - * Note that the values here are implementation-specific and arbitrary. It is recommended not to - * depend on the particular values (e.g. serialization). - */ -public class BulkCipherAlgorithm -{ - public static final int _null = 0; - public static final int rc4 = 1; - public static final int rc2 = 2; - public static final int des = 3; - public static final int _3des = 4; - public static final int des40 = 5; - - /* - * RFC 4346 - */ - public static final int aes = 6; - public static final int idea = 7; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/ByteQueue.java b/core/src/main/java/org/bouncycastle/crypto/tls/ByteQueue.java deleted file mode 100644 index 560ea459..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/ByteQueue.java +++ /dev/null @@ -1,153 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/** - * A queue for bytes. This file could be more optimized. - */ -public class ByteQueue -{ - /** - * @return The smallest number which can be written as 2^x which is bigger than i. - */ - public static int nextTwoPow(int i) - { - /* - * This code is based of a lot of code I found on the Internet which mostly - * referenced a book called "Hacking delight". - */ - i |= (i >> 1); - i |= (i >> 2); - i |= (i >> 4); - i |= (i >> 8); - i |= (i >> 16); - return i + 1; - } - - /** - * The initial size for our buffer. - */ - private static final int DEFAULT_CAPACITY = 1024; - - /** - * The buffer where we store our data. - */ - private byte[] databuf; - - /** - * How many bytes at the beginning of the buffer are skipped. - */ - private int skipped = 0; - - /** - * How many bytes in the buffer are valid data. - */ - private int available = 0; - - public ByteQueue() - { - this(DEFAULT_CAPACITY); - } - - public ByteQueue(int capacity) - { - databuf = new byte[capacity]; - } - - /** - * Read data from the buffer. - * - * @param buf The buffer where the read data will be copied to. - * @param offset How many bytes to skip at the beginning of buf. - * @param len How many bytes to read at all. - * @param skip How many bytes from our data to skip. - */ - public void read(byte[] buf, int offset, int len, int skip) - { - if ((buf.length - offset) < len) - { - throw new IllegalArgumentException("Buffer size of " + buf.length - + " is too small for a read of " + len + " bytes"); - } - if ((available - skip) < len) - { - throw new IllegalStateException("Not enough data to read"); - } - System.arraycopy(databuf, skipped + skip, buf, offset, len); - } - - /** - * Add some data to our buffer. - * - * @param buf A byte-array to read data from. - * @param off How many bytes to skip at the beginning of the array. - * @param len How many bytes to read from the array. - */ - public void addData(byte[] buf, int off, int len) - { - if ((skipped + available + len) > databuf.length) - { - int desiredSize = ByteQueue.nextTwoPow(available + len); - if (desiredSize > databuf.length) - { - byte[] tmp = new byte[desiredSize]; - System.arraycopy(databuf, skipped, tmp, 0, available); - databuf = tmp; - } - else - { - System.arraycopy(databuf, skipped, databuf, 0, available); - } - skipped = 0; - } - - System.arraycopy(buf, off, databuf, skipped + available, len); - available += len; - } - - /** - * Remove some bytes from our data from the beginning. - * - * @param i How many bytes to remove. - */ - public void removeData(int i) - { - if (i > available) - { - throw new IllegalStateException("Cannot remove " + i + " bytes, only got " + available); - } - - /* - * Skip the data. - */ - available -= i; - skipped += i; - } - - /** - * Remove data from the buffer. - * - * @param buf The buffer where the removed data will be copied to. - * @param off How many bytes to skip at the beginning of buf. - * @param len How many bytes to read at all. - * @param skip How many bytes from our data to skip. - */ - public void removeData(byte[] buf, int off, int len, int skip) - { - read(buf, off, len, skip); - removeData(skip + len); - } - - public byte[] removeData(int len, int skip) - { - byte[] buf = new byte[len]; - removeData(buf, 0, len, skip); - return buf; - } - - /** - * @return The number of bytes which are available in this buffer. - */ - public int size() - { - return available; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/CertChainType.java b/core/src/main/java/org/bouncycastle/crypto/tls/CertChainType.java deleted file mode 100644 index 8902ed79..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/CertChainType.java +++ /dev/null @@ -1,15 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/* - * RFC 3546 3.3. - */ -public class CertChainType -{ - public static final short individual_certs = 0; - public static final short pkipath = 1; - - public static boolean isValid(short certChainType) - { - return certChainType >= individual_certs && certChainType <= pkipath; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/Certificate.java b/core/src/main/java/org/bouncycastle/crypto/tls/Certificate.java deleted file mode 100644 index 33a6edd4..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/Certificate.java +++ /dev/null @@ -1,148 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.ByteArrayInputStream; -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; -import java.util.Vector; - -import org.bouncycastle.asn1.ASN1Encoding; -import org.bouncycastle.asn1.ASN1Primitive; - -/** - * Parsing and encoding of a <i>Certificate</i> struct from RFC 4346. - * <pre> - * opaque ASN.1Cert<2^24-1>; - * - * struct { - * ASN.1Cert certificate_list<0..2^24-1>; - * } Certificate; - * </pre> - * - * @see org.bouncycastle.asn1.x509.Certificate - */ -public class Certificate -{ - public static final Certificate EMPTY_CHAIN = new Certificate( - new org.bouncycastle.asn1.x509.Certificate[0]); - - protected org.bouncycastle.asn1.x509.Certificate[] certificateList; - - public Certificate(org.bouncycastle.asn1.x509.Certificate[] certificateList) - { - if (certificateList == null) - { - throw new IllegalArgumentException("'certificateList' cannot be null"); - } - - this.certificateList = certificateList; - } - - /** - * @deprecated use {@link #getCertificateList()} instead - */ - public org.bouncycastle.asn1.x509.Certificate[] getCerts() - { - return getCertificateList(); - } - - /** - * @return an array of {@link org.bouncycastle.asn1.x509.Certificate} representing a certificate - * chain. - */ - public org.bouncycastle.asn1.x509.Certificate[] getCertificateList() - { - return cloneCertificateList(); - } - - public org.bouncycastle.asn1.x509.Certificate getCertificateAt(int index) - { - return certificateList[index]; - } - - public int getLength() - { - return certificateList.length; - } - - /** - * @return <code>true</code> if this certificate chain contains no certificates, or - * <code>false</code> otherwise. - */ - public boolean isEmpty() - { - return certificateList.length == 0; - } - - /** - * Encode this {@link Certificate} to an {@link OutputStream}. - * - * @param output the {@link OutputStream} to encode to. - * @throws IOException - */ - public void encode(OutputStream output) - throws IOException - { - Vector derEncodings = new Vector(this.certificateList.length); - - int totalLength = 0; - for (int i = 0; i < this.certificateList.length; ++i) - { - byte[] derEncoding = certificateList[i].getEncoded(ASN1Encoding.DER); - derEncodings.addElement(derEncoding); - totalLength += derEncoding.length + 3; - } - - TlsUtils.checkUint24(totalLength); - TlsUtils.writeUint24(totalLength, output); - - for (int i = 0; i < derEncodings.size(); ++i) - { - byte[] derEncoding = (byte[])derEncodings.elementAt(i); - TlsUtils.writeOpaque24(derEncoding, output); - } - } - - /** - * Parse a {@link Certificate} from an {@link InputStream}. - * - * @param input the {@link InputStream} to parse from. - * @return a {@link Certificate} object. - * @throws IOException - */ - public static Certificate parse(InputStream input) - throws IOException - { - int totalLength = TlsUtils.readUint24(input); - if (totalLength == 0) - { - return EMPTY_CHAIN; - } - - byte[] certListData = TlsUtils.readFully(totalLength, input); - - ByteArrayInputStream buf = new ByteArrayInputStream(certListData); - - Vector certificate_list = new Vector(); - while (buf.available() > 0) - { - byte[] derEncoding = TlsUtils.readOpaque24(buf); - ASN1Primitive asn1Cert = TlsUtils.readDERObject(derEncoding); - certificate_list.addElement(org.bouncycastle.asn1.x509.Certificate.getInstance(asn1Cert)); - } - - org.bouncycastle.asn1.x509.Certificate[] certificateList = new org.bouncycastle.asn1.x509.Certificate[certificate_list.size()]; - for (int i = 0; i < certificate_list.size(); i++) - { - certificateList[i] = (org.bouncycastle.asn1.x509.Certificate)certificate_list.elementAt(i); - } - return new Certificate(certificateList); - } - - protected org.bouncycastle.asn1.x509.Certificate[] cloneCertificateList() - { - org.bouncycastle.asn1.x509.Certificate[] result = new org.bouncycastle.asn1.x509.Certificate[certificateList.length]; - System.arraycopy(certificateList, 0, result, 0, result.length); - return result; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/CertificateRequest.java b/core/src/main/java/org/bouncycastle/crypto/tls/CertificateRequest.java deleted file mode 100644 index 68e051ea..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/CertificateRequest.java +++ /dev/null @@ -1,158 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.ByteArrayInputStream; -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; -import java.util.Vector; - -import org.bouncycastle.asn1.ASN1Encoding; -import org.bouncycastle.asn1.ASN1Primitive; -import org.bouncycastle.asn1.x500.X500Name; - -/** - * Parsing and encoding of a <i>CertificateRequest</i> struct from RFC 4346. - * <pre> - * struct { - * ClientCertificateType certificate_types<1..2^8-1>; - * DistinguishedName certificate_authorities<3..2^16-1>; - * } CertificateRequest; - * </pre> - * - * @see ClientCertificateType - * @see X500Name - */ -public class CertificateRequest -{ - protected short[] certificateTypes; - protected Vector supportedSignatureAlgorithms; - protected Vector certificateAuthorities; - - /** - * @param certificateTypes see {@link ClientCertificateType} for valid constants. - * @param certificateAuthorities a {@link Vector} of {@link X500Name}. - */ - public CertificateRequest(short[] certificateTypes, Vector supportedSignatureAlgorithms, Vector certificateAuthorities) - { - this.certificateTypes = certificateTypes; - this.supportedSignatureAlgorithms = supportedSignatureAlgorithms; - this.certificateAuthorities = certificateAuthorities; - } - - /** - * @return an array of certificate types - * @see ClientCertificateType - */ - public short[] getCertificateTypes() - { - return certificateTypes; - } - - /** - * @return a {@link Vector} of {@link SignatureAndHashAlgorithm} (or null before TLS 1.2). - */ - public Vector getSupportedSignatureAlgorithms() - { - return supportedSignatureAlgorithms; - } - - /** - * @return a {@link Vector} of {@link X500Name} - */ - public Vector getCertificateAuthorities() - { - return certificateAuthorities; - } - - /** - * Encode this {@link CertificateRequest} to an {@link OutputStream}. - * - * @param output the {@link OutputStream} to encode to. - * @throws IOException - */ - public void encode(OutputStream output) - throws IOException - { - if (certificateTypes == null || certificateTypes.length == 0) - { - TlsUtils.writeUint8(0, output); - } - else - { - TlsUtils.writeUint8ArrayWithUint8Length(certificateTypes, output); - } - - if (supportedSignatureAlgorithms != null) - { - // TODO Check whether SignatureAlgorithm.anonymous is allowed here - TlsUtils.encodeSupportedSignatureAlgorithms(supportedSignatureAlgorithms, false, output); - } - - if (certificateAuthorities == null || certificateAuthorities.isEmpty()) - { - TlsUtils.writeUint16(0, output); - } - else - { - Vector derEncodings = new Vector(certificateAuthorities.size()); - - int totalLength = 0; - for (int i = 0; i < certificateAuthorities.size(); ++i) - { - X500Name certificateAuthority = (X500Name)certificateAuthorities.elementAt(i); - byte[] derEncoding = certificateAuthority.getEncoded(ASN1Encoding.DER); - derEncodings.addElement(derEncoding); - totalLength += derEncoding.length + 2; - } - - TlsUtils.checkUint16(totalLength); - TlsUtils.writeUint16(totalLength, output); - - for (int i = 0; i < derEncodings.size(); ++i) - { - byte[] derEncoding = (byte[])derEncodings.elementAt(i); - TlsUtils.writeOpaque16(derEncoding, output); - } - } - } - - /** - * Parse a {@link CertificateRequest} from an {@link InputStream}. - * - * @param context - * the {@link TlsContext} of the current connection. - * @param input - * the {@link InputStream} to parse from. - * @return a {@link CertificateRequest} object. - * @throws IOException - */ - public static CertificateRequest parse(TlsContext context, InputStream input) - throws IOException - { - int numTypes = TlsUtils.readUint8(input); - short[] certificateTypes = new short[numTypes]; - for (int i = 0; i < numTypes; ++i) - { - certificateTypes[i] = TlsUtils.readUint8(input); - } - - Vector supportedSignatureAlgorithms = null; - if (TlsUtils.isTLSv12(context)) - { - // TODO Check whether SignatureAlgorithm.anonymous is allowed here - supportedSignatureAlgorithms = TlsUtils.parseSupportedSignatureAlgorithms(false, input); - } - - Vector certificateAuthorities = new Vector(); - byte[] certAuthData = TlsUtils.readOpaque16(input); - ByteArrayInputStream bis = new ByteArrayInputStream(certAuthData); - while (bis.available() > 0) - { - byte[] derEncoding = TlsUtils.readOpaque16(bis); - ASN1Primitive asn1 = TlsUtils.readDERObject(derEncoding); - certificateAuthorities.addElement(X500Name.getInstance(asn1)); - } - - return new CertificateRequest(certificateTypes, supportedSignatureAlgorithms, certificateAuthorities); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/CertificateStatus.java b/core/src/main/java/org/bouncycastle/crypto/tls/CertificateStatus.java deleted file mode 100644 index 34a0284a..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/CertificateStatus.java +++ /dev/null @@ -1,105 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; - -import org.bouncycastle.asn1.ASN1Encoding; -import org.bouncycastle.asn1.ocsp.OCSPResponse; - -public class CertificateStatus -{ - protected short statusType; - protected Object response; - - public CertificateStatus(short statusType, Object response) - { - if (!isCorrectType(statusType, response)) - { - throw new IllegalArgumentException("'response' is not an instance of the correct type"); - } - - this.statusType = statusType; - this.response = response; - } - - public short getStatusType() - { - return statusType; - } - - public Object getResponse() - { - return response; - } - - public OCSPResponse getOCSPResponse() - { - if (!isCorrectType(CertificateStatusType.ocsp, response)) - { - throw new IllegalStateException("'response' is not an OCSPResponse"); - } - return (OCSPResponse)response; - } - - /** - * Encode this {@link CertificateStatus} to an {@link OutputStream}. - * - * @param output - * the {@link OutputStream} to encode to. - * @throws IOException - */ - public void encode(OutputStream output) throws IOException - { - TlsUtils.writeUint8(statusType, output); - - switch (statusType) - { - case CertificateStatusType.ocsp: - byte[] derEncoding = ((OCSPResponse) response).getEncoded(ASN1Encoding.DER); - TlsUtils.writeOpaque24(derEncoding, output); - break; - default: - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - /** - * Parse a {@link CertificateStatus} from an {@link InputStream}. - * - * @param input - * the {@link InputStream} to parse from. - * @return a {@link CertificateStatus} object. - * @throws IOException - */ - public static CertificateStatus parse(InputStream input) throws IOException - { - short status_type = TlsUtils.readUint8(input); - Object response; - - switch (status_type) - { - case CertificateStatusType.ocsp: - { - byte[] derEncoding = TlsUtils.readOpaque24(input); - response = OCSPResponse.getInstance(TlsUtils.readDERObject(derEncoding)); - break; - } - default: - throw new TlsFatalAlert(AlertDescription.decode_error); - } - - return new CertificateStatus(status_type, response); - } - - protected static boolean isCorrectType(short statusType, Object response) - { - switch (statusType) - { - case CertificateStatusType.ocsp: - return response instanceof OCSPResponse; - default: - throw new IllegalArgumentException("'statusType' is an unsupported value"); - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/CertificateStatusRequest.java b/core/src/main/java/org/bouncycastle/crypto/tls/CertificateStatusRequest.java deleted file mode 100644 index b947c488..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/CertificateStatusRequest.java +++ /dev/null @@ -1,98 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; - -public class CertificateStatusRequest -{ - protected short statusType; - protected Object request; - - public CertificateStatusRequest(short statusType, Object request) - { - if (!isCorrectType(statusType, request)) - { - throw new IllegalArgumentException("'request' is not an instance of the correct type"); - } - - this.statusType = statusType; - this.request = request; - } - - public short getStatusType() - { - return statusType; - } - - public Object getRequest() - { - return request; - } - - public OCSPStatusRequest getOCSPStatusRequest() - { - if (!isCorrectType(CertificateStatusType.ocsp, request)) - { - throw new IllegalStateException("'request' is not an OCSPStatusRequest"); - } - return (OCSPStatusRequest)request; - } - - /** - * Encode this {@link CertificateStatusRequest} to an {@link OutputStream}. - * - * @param output - * the {@link OutputStream} to encode to. - * @throws IOException - */ - public void encode(OutputStream output) throws IOException - { - TlsUtils.writeUint8(statusType, output); - - switch (statusType) - { - case CertificateStatusType.ocsp: - ((OCSPStatusRequest) request).encode(output); - break; - default: - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - /** - * Parse a {@link CertificateStatusRequest} from an {@link InputStream}. - * - * @param input - * the {@link InputStream} to parse from. - * @return a {@link CertificateStatusRequest} object. - * @throws IOException - */ - public static CertificateStatusRequest parse(InputStream input) throws IOException - { - short status_type = TlsUtils.readUint8(input); - Object result; - - switch (status_type) - { - case CertificateStatusType.ocsp: - result = OCSPStatusRequest.parse(input); - break; - default: - throw new TlsFatalAlert(AlertDescription.decode_error); - } - - return new CertificateStatusRequest(status_type, result); - } - - protected static boolean isCorrectType(short statusType, Object request) - { - switch (statusType) - { - case CertificateStatusType.ocsp: - return request instanceof OCSPStatusRequest; - default: - throw new IllegalArgumentException("'statusType' is an unsupported value"); - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/CertificateStatusType.java b/core/src/main/java/org/bouncycastle/crypto/tls/CertificateStatusType.java deleted file mode 100644 index bfe82981..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/CertificateStatusType.java +++ /dev/null @@ -1,9 +0,0 @@ -package org.bouncycastle.crypto.tls; - -public class CertificateStatusType -{ - /* - * RFC 3546 3.6 - */ - public static final short ocsp = 1; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/CertificateURL.java b/core/src/main/java/org/bouncycastle/crypto/tls/CertificateURL.java deleted file mode 100644 index aab89087..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/CertificateURL.java +++ /dev/null @@ -1,133 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.ByteArrayInputStream; -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; -import java.util.Vector; - -/* - * RFC 3546 3.3 - */ -public class CertificateURL -{ - protected short type; - protected Vector urlAndHashList; - - /** - * @param type - * see {@link CertChainType} for valid constants. - * @param urlAndHashList - * a {@link Vector} of {@link URLAndHash}. - */ - public CertificateURL(short type, Vector urlAndHashList) - { - if (!CertChainType.isValid(type)) - { - throw new IllegalArgumentException("'type' is not a valid CertChainType value"); - } - if (urlAndHashList == null || urlAndHashList.isEmpty()) - { - throw new IllegalArgumentException("'urlAndHashList' must have length > 0"); - } - - this.type = type; - this.urlAndHashList = urlAndHashList; - } - - /** - * @return {@link CertChainType} - */ - public short getType() - { - return type; - } - - /** - * @return a {@link Vector} of {@link URLAndHash} - */ - public Vector getURLAndHashList() - { - return urlAndHashList; - } - - /** - * Encode this {@link CertificateURL} to an {@link OutputStream}. - * - * @param output the {@link OutputStream} to encode to. - * @throws IOException - */ - public void encode(OutputStream output) - throws IOException - { - TlsUtils.writeUint8(this.type, output); - - ListBuffer16 buf = new ListBuffer16(); - for (int i = 0; i < this.urlAndHashList.size(); ++i) - { - URLAndHash urlAndHash = (URLAndHash)this.urlAndHashList.elementAt(i); - urlAndHash.encode(buf); - } - buf.encodeTo(output); - } - - /** - * Parse a {@link CertificateURL} from an {@link InputStream}. - * - * @param context - * the {@link TlsContext} of the current connection. - * @param input - * the {@link InputStream} to parse from. - * @return a {@link CertificateURL} object. - * @throws IOException - */ - public static CertificateURL parse(TlsContext context, InputStream input) - throws IOException - { - short type = TlsUtils.readUint8(input); - if (!CertChainType.isValid(type)) - { - throw new TlsFatalAlert(AlertDescription.decode_error); - } - - int totalLength = TlsUtils.readUint16(input); - if (totalLength < 1) - { - throw new TlsFatalAlert(AlertDescription.decode_error); - } - - byte[] urlAndHashListData = TlsUtils.readFully(totalLength, input); - - ByteArrayInputStream buf = new ByteArrayInputStream(urlAndHashListData); - - Vector url_and_hash_list = new Vector(); - while (buf.available() > 0) - { - URLAndHash url_and_hash = URLAndHash.parse(context, buf); - url_and_hash_list.addElement(url_and_hash); - } - - return new CertificateURL(type, url_and_hash_list); - } - - // TODO Could be more generally useful - class ListBuffer16 extends ByteArrayOutputStream - { - ListBuffer16() throws IOException - { - // Reserve space for length - TlsUtils.writeUint16(0, this); - } - - void encodeTo(OutputStream output) throws IOException - { - // Patch actual length back in - int length = count - 2; - TlsUtils.checkUint16(length); - TlsUtils.writeUint16(length, buf, 0); - output.write(buf, 0, count); - buf = null; - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/CertificateVerifyer.java b/core/src/main/java/org/bouncycastle/crypto/tls/CertificateVerifyer.java deleted file mode 100644 index 2e3715c1..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/CertificateVerifyer.java +++ /dev/null @@ -1,16 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/** - * This should be implemented by any class which can find out, if a given certificate - * chain is being accepted by an client. - * - * @deprecated Perform certificate verification in TlsAuthentication implementation - */ -public interface CertificateVerifyer -{ - /** - * @param certs The certs, which are part of the chain. - * @return True, if the chain is accepted, false otherwise. - */ - public boolean isValid(org.bouncycastle.asn1.x509.Certificate[] certs); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/Chacha20Poly1305.java b/core/src/main/java/org/bouncycastle/crypto/tls/Chacha20Poly1305.java deleted file mode 100644 index a82045bf..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/Chacha20Poly1305.java +++ /dev/null @@ -1,156 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -import org.bouncycastle.crypto.Mac; -import org.bouncycastle.crypto.engines.ChaChaEngine; -import org.bouncycastle.crypto.generators.Poly1305KeyGenerator; -import org.bouncycastle.crypto.macs.Poly1305; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.ParametersWithIV; -import org.bouncycastle.util.Arrays; -import org.bouncycastle.util.Pack; - -public class Chacha20Poly1305 implements TlsCipher -{ - protected TlsContext context; - - protected ChaChaEngine encryptCipher; - protected ChaChaEngine decryptCipher; - - public Chacha20Poly1305(TlsContext context) throws IOException - { - if (!TlsUtils.isTLSv12(context)) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - this.context = context; - - byte[] key_block = TlsUtils.calculateKeyBlock(context, 64); - - KeyParameter client_write_key = new KeyParameter(key_block, 0, 32); - KeyParameter server_write_key = new KeyParameter(key_block, 32, 32); - - this.encryptCipher = new ChaChaEngine(20); - this.decryptCipher = new ChaChaEngine(20); - - KeyParameter encryptKey, decryptKey; - if (context.isServer()) - { - encryptKey = server_write_key; - decryptKey = client_write_key; - } - else - { - encryptKey = client_write_key; - decryptKey = server_write_key; - } - - byte[] dummyNonce = new byte[8]; - - this.encryptCipher.init(true, new ParametersWithIV(encryptKey, dummyNonce)); - this.decryptCipher.init(false, new ParametersWithIV(decryptKey, dummyNonce)); - } - - public int getPlaintextLimit(int ciphertextLimit) - { - return ciphertextLimit - 16; - } - - public byte[] encodePlaintext(long seqNo, short type, byte[] plaintext, int offset, int len) throws IOException - { - int ciphertextLength = len + 16; - - KeyParameter macKey = initRecordMAC(encryptCipher, true, seqNo); - - byte[] output = new byte[ciphertextLength]; - encryptCipher.processBytes(plaintext, offset, len, output, 0); - - byte[] additionalData = getAdditionalData(seqNo, type, len); - byte[] mac = calculateRecordMAC(macKey, additionalData, output, 0, len); - System.arraycopy(mac, 0, output, len, mac.length); - - return output; - } - - public byte[] decodeCiphertext(long seqNo, short type, byte[] ciphertext, int offset, int len) throws IOException - { - if (getPlaintextLimit(len) < 0) - { - throw new TlsFatalAlert(AlertDescription.decode_error); - } - - int plaintextLength = len - 16; - - byte[] receivedMAC = Arrays.copyOfRange(ciphertext, offset + plaintextLength, offset + len); - - KeyParameter macKey = initRecordMAC(decryptCipher, false, seqNo); - - byte[] additionalData = getAdditionalData(seqNo, type, plaintextLength); - byte[] calculatedMAC = calculateRecordMAC(macKey, additionalData, ciphertext, offset, plaintextLength); - - if (!Arrays.constantTimeAreEqual(calculatedMAC, receivedMAC)) - { - throw new TlsFatalAlert(AlertDescription.bad_record_mac); - } - - byte[] output = new byte[plaintextLength]; - decryptCipher.processBytes(ciphertext, offset, plaintextLength, output, 0); - - return output; - } - - protected KeyParameter initRecordMAC(ChaChaEngine cipher, boolean forEncryption, long seqNo) - { - byte[] nonce = new byte[8]; - TlsUtils.writeUint64(seqNo, nonce, 0); - - cipher.init(forEncryption, new ParametersWithIV(null, nonce)); - - byte[] firstBlock = new byte[64]; - cipher.processBytes(firstBlock, 0, firstBlock.length, firstBlock, 0); - - // NOTE: The BC implementation puts 'r' after 'k' - System.arraycopy(firstBlock, 0, firstBlock, 32, 16); - KeyParameter macKey = new KeyParameter(firstBlock, 16, 32); - Poly1305KeyGenerator.clamp(macKey.getKey()); - return macKey; - } - - protected byte[] calculateRecordMAC(KeyParameter macKey, byte[] additionalData, byte[] buf, int off, int len) - { - Mac mac = new Poly1305(); - mac.init(macKey); - - updateRecordMAC(mac, additionalData, 0, additionalData.length); - updateRecordMAC(mac, buf, off, len); - - byte[] output = new byte[mac.getMacSize()]; - mac.doFinal(output, 0); - return output; - } - - protected void updateRecordMAC(Mac mac, byte[] buf, int off, int len) - { - mac.update(buf, off, len); - - byte[] longLen = Pack.longToLittleEndian(len & 0xFFFFFFFFL); - mac.update(longLen, 0, longLen.length); - } - - protected byte[] getAdditionalData(long seqNo, short type, int len) throws IOException - { - /* - * additional_data = seq_num + TLSCompressed.type + TLSCompressed.version + - * TLSCompressed.length - */ - byte[] additional_data = new byte[13]; - TlsUtils.writeUint64(seqNo, additional_data, 0); - TlsUtils.writeUint8(type, additional_data, 8); - TlsUtils.writeVersion(context.getServerVersion(), additional_data, 9); - TlsUtils.writeUint16(len, additional_data, 11); - - return additional_data; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/ChangeCipherSpec.java b/core/src/main/java/org/bouncycastle/crypto/tls/ChangeCipherSpec.java deleted file mode 100644 index a858deda..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/ChangeCipherSpec.java +++ /dev/null @@ -1,6 +0,0 @@ -package org.bouncycastle.crypto.tls; - -public class ChangeCipherSpec -{ - public static final short change_cipher_spec = 1; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/CipherSuite.java b/core/src/main/java/org/bouncycastle/crypto/tls/CipherSuite.java deleted file mode 100644 index 3d4dccab..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/CipherSuite.java +++ /dev/null @@ -1,351 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/** - * RFC 2246 A.5 - */ -public class CipherSuite -{ - public static final int TLS_NULL_WITH_NULL_NULL = 0x0000; - public static final int TLS_RSA_WITH_NULL_MD5 = 0x0001; - public static final int TLS_RSA_WITH_NULL_SHA = 0x0002; - public static final int TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003; - public static final int TLS_RSA_WITH_RC4_128_MD5 = 0x0004; - public static final int TLS_RSA_WITH_RC4_128_SHA = 0x0005; - public static final int TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006; - public static final int TLS_RSA_WITH_IDEA_CBC_SHA = 0x0007; - public static final int TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008; - public static final int TLS_RSA_WITH_DES_CBC_SHA = 0x0009; - public static final int TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A; - public static final int TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B; - public static final int TLS_DH_DSS_WITH_DES_CBC_SHA = 0x000C; - public static final int TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D; - public static final int TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E; - public static final int TLS_DH_RSA_WITH_DES_CBC_SHA = 0x000F; - public static final int TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010; - public static final int TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011; - public static final int TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x0012; - public static final int TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013; - public static final int TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014; - public static final int TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x0015; - public static final int TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016; - public static final int TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = 0x0017; - public static final int TLS_DH_anon_WITH_RC4_128_MD5 = 0x0018; - public static final int TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0x0019; - public static final int TLS_DH_anon_WITH_DES_CBC_SHA = 0x001A; - public static final int TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0x001B; - - /* - * Note: The cipher suite values { 0x00, 0x1C } and { 0x00, 0x1D } are reserved to avoid - * collision with Fortezza-based cipher suites in SSL 3. - */ - - /* - * RFC 3268 - */ - public static final int TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F; - public static final int TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030; - public static final int TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031; - public static final int TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032; - public static final int TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033; - public static final int TLS_DH_anon_WITH_AES_128_CBC_SHA = 0x0034; - public static final int TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035; - public static final int TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036; - public static final int TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037; - public static final int TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038; - public static final int TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039; - public static final int TLS_DH_anon_WITH_AES_256_CBC_SHA = 0x003A; - - /* - * RFC 5932 - */ - public static final int TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041; - public static final int TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042; - public static final int TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043; - public static final int TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044; - public static final int TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045; - public static final int TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA = 0x0046; - - public static final int TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084; - public static final int TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085; - public static final int TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086; - public static final int TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087; - public static final int TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088; - public static final int TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = 0x0089; - - public static final int TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BA; - public static final int TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BB; - public static final int TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BC; - public static final int TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BD; - public static final int TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BE; - public static final int TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BF; - - public static final int TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C0; - public static final int TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C1; - public static final int TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C2; - public static final int TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C3; - public static final int TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C4; - public static final int TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5; - - /* - * RFC 4162 - */ - public static final int TLS_RSA_WITH_SEED_CBC_SHA = 0x0096; - public static final int TLS_DH_DSS_WITH_SEED_CBC_SHA = 0x0097; - public static final int TLS_DH_RSA_WITH_SEED_CBC_SHA = 0x0098; - public static final int TLS_DHE_DSS_WITH_SEED_CBC_SHA = 0x0099; - public static final int TLS_DHE_RSA_WITH_SEED_CBC_SHA = 0x009A; - public static final int TLS_DH_anon_WITH_SEED_CBC_SHA = 0x009B; - - /* - * RFC 4279 - */ - public static final int TLS_PSK_WITH_RC4_128_SHA = 0x008A; - public static final int TLS_PSK_WITH_3DES_EDE_CBC_SHA = 0x008B; - public static final int TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C; - public static final int TLS_PSK_WITH_AES_256_CBC_SHA = 0x008D; - public static final int TLS_DHE_PSK_WITH_RC4_128_SHA = 0x008E; - public static final int TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA = 0x008F; - public static final int TLS_DHE_PSK_WITH_AES_128_CBC_SHA = 0x0090; - public static final int TLS_DHE_PSK_WITH_AES_256_CBC_SHA = 0x0091; - public static final int TLS_RSA_PSK_WITH_RC4_128_SHA = 0x0092; - public static final int TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA = 0x0093; - public static final int TLS_RSA_PSK_WITH_AES_128_CBC_SHA = 0x0094; - public static final int TLS_RSA_PSK_WITH_AES_256_CBC_SHA = 0x0095; - - /* - * RFC 4492 - */ - public static final int TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xC001; - public static final int TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xC002; - public static final int TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC003; - public static final int TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xC004; - public static final int TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xC005; - public static final int TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xC006; - public static final int TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xC007; - public static final int TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC008; - public static final int TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009; - public static final int TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A; - public static final int TLS_ECDH_RSA_WITH_NULL_SHA = 0xC00B; - public static final int TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xC00C; - public static final int TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xC00D; - public static final int TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xC00E; - public static final int TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xC00F; - public static final int TLS_ECDHE_RSA_WITH_NULL_SHA = 0xC010; - public static final int TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xC011; - public static final int TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xC012; - public static final int TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013; - public static final int TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014; - public static final int TLS_ECDH_anon_WITH_NULL_SHA = 0xC015; - public static final int TLS_ECDH_anon_WITH_RC4_128_SHA = 0xC016; - public static final int TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = 0xC017; - public static final int TLS_ECDH_anon_WITH_AES_128_CBC_SHA = 0xC018; - public static final int TLS_ECDH_anon_WITH_AES_256_CBC_SHA = 0xC019; - - /* - * RFC 4785 - */ - public static final int TLS_PSK_WITH_NULL_SHA = 0x002C; - public static final int TLS_DHE_PSK_WITH_NULL_SHA = 0x002D; - public static final int TLS_RSA_PSK_WITH_NULL_SHA = 0x002E; - - /* - * RFC 5054 - */ - public static final int TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A; - public static final int TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B; - public static final int TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA = 0xC01C; - public static final int TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D; - public static final int TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E; - public static final int TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA = 0xC01F; - public static final int TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020; - public static final int TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021; - public static final int TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA = 0xC022; - - /* - * RFC 5246 - */ - public static final int TLS_RSA_WITH_NULL_SHA256 = 0x003B; - public static final int TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C; - public static final int TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D; - public static final int TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = 0x003E; - public static final int TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = 0x003F; - public static final int TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = 0x0040; - public static final int TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067; - public static final int TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = 0x0068; - public static final int TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = 0x0069; - public static final int TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x006A; - public static final int TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B; - public static final int TLS_DH_anon_WITH_AES_128_CBC_SHA256 = 0x006C; - public static final int TLS_DH_anon_WITH_AES_256_CBC_SHA256 = 0x006D; - - /* - * RFC 5288 - */ - public static final int TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C; - public static final int TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D; - public static final int TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E; - public static final int TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F; - public static final int TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = 0x00A0; - public static final int TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = 0x00A1; - public static final int TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2; - public static final int TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = 0x00A3; - public static final int TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = 0x00A4; - public static final int TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = 0x00A5; - public static final int TLS_DH_anon_WITH_AES_128_GCM_SHA256 = 0x00A6; - public static final int TLS_DH_anon_WITH_AES_256_GCM_SHA384 = 0x00A7; - - /* - * RFC 5289 - */ - public static final int TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC023; - public static final int TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC024; - public static final int TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC025; - public static final int TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC026; - public static final int TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027; - public static final int TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xC028; - public static final int TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = 0xC029; - public static final int TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = 0xC02A; - public static final int TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B; - public static final int TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C; - public static final int TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02D; - public static final int TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02E; - public static final int TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F; - public static final int TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030; - public static final int TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xC031; - public static final int TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = 0xC032; - - /* - * RFC 5487 - */ - public static final int TLS_PSK_WITH_AES_128_GCM_SHA256 = 0x00A8; - public static final int TLS_PSK_WITH_AES_256_GCM_SHA384 = 0x00A9; - public static final int TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = 0x00AA; - public static final int TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = 0x00AB; - public static final int TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = 0x00AC; - public static final int TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = 0x00AD; - public static final int TLS_PSK_WITH_AES_128_CBC_SHA256 = 0x00AE; - public static final int TLS_PSK_WITH_AES_256_CBC_SHA384 = 0x00AF; - public static final int TLS_PSK_WITH_NULL_SHA256 = 0x00B0; - public static final int TLS_PSK_WITH_NULL_SHA384 = 0x00B1; - public static final int TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = 0x00B2; - public static final int TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = 0x00B3; - public static final int TLS_DHE_PSK_WITH_NULL_SHA256 = 0x00B4; - public static final int TLS_DHE_PSK_WITH_NULL_SHA384 = 0x00B5; - public static final int TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = 0x00B6; - public static final int TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = 0x00B7; - public static final int TLS_RSA_PSK_WITH_NULL_SHA256 = 0x00B8; - public static final int TLS_RSA_PSK_WITH_NULL_SHA384 = 0x00B9; - - /* - * RFC 5489 - */ - public static final int TLS_ECDHE_PSK_WITH_RC4_128_SHA = 0xC033; - public static final int TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA = 0xC034; - public static final int TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA = 0xC035; - public static final int TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA = 0xC036; - public static final int TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 = 0xC037; - public static final int TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 = 0xC038; - public static final int TLS_ECDHE_PSK_WITH_NULL_SHA = 0xC039; - public static final int TLS_ECDHE_PSK_WITH_NULL_SHA256 = 0xC03A; - public static final int TLS_ECDHE_PSK_WITH_NULL_SHA384 = 0xC03B; - - /* - * RFC 5746 - */ - public static final int TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF; - - /* - * RFC 6367 - */ - public static final int TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC072; - public static final int TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC073; - public static final int TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC074; - public static final int TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC075; - public static final int TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC076; - public static final int TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC077; - public static final int TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC078; - public static final int TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC079; - - public static final int TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC07A; - public static final int TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC07B; - public static final int TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC07C; - public static final int TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC07D; - public static final int TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC07E; - public static final int TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC07F; - public static final int TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 = 0xC080; - public static final int TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 = 0xC081; - public static final int TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 = 0xC082; - public static final int TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 = 0xC083; - public static final int TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 = 0xC084; - public static final int TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 = 0xC085; - public static final int TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC086; - public static final int TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC087; - public static final int TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC088; - public static final int TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC089; - public static final int TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC08A; - public static final int TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC08B; - public static final int TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC08C; - public static final int TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC08D; - - public static final int TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 = 0xC08E; - public static final int TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 = 0xC08F; - public static final int TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 = 0xC090; - public static final int TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 = 0xC091; - public static final int TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 = 0xC092; - public static final int TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 = 0xC093; - public static final int TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC094; - public static final int TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC095; - public static final int TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC096; - public static final int TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC097; - public static final int TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC098; - public static final int TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC099; - public static final int TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC09A; - public static final int TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC09B; - - /* - * RFC 6655 - */ - public static final int TLS_RSA_WITH_AES_128_CCM = 0xC09C; - public static final int TLS_RSA_WITH_AES_256_CCM = 0xC09D; - public static final int TLS_DHE_RSA_WITH_AES_128_CCM = 0xC09E; - public static final int TLS_DHE_RSA_WITH_AES_256_CCM = 0xC09F; - public static final int TLS_RSA_WITH_AES_128_CCM_8 = 0xC0A0; - public static final int TLS_RSA_WITH_AES_256_CCM_8 = 0xC0A1; - public static final int TLS_DHE_RSA_WITH_AES_128_CCM_8 = 0xC0A2; - public static final int TLS_DHE_RSA_WITH_AES_256_CCM_8 = 0xC0A3; - public static final int TLS_PSK_WITH_AES_128_CCM = 0xC0A4; - public static final int TLS_PSK_WITH_AES_256_CCM = 0xC0A5; - public static final int TLS_DHE_PSK_WITH_AES_128_CCM = 0xC0A6; - public static final int TLS_DHE_PSK_WITH_AES_256_CCM = 0xC0A7; - public static final int TLS_PSK_WITH_AES_128_CCM_8 = 0xC0A8; - public static final int TLS_PSK_WITH_AES_256_CCM_8 = 0xC0A9; - public static final int TLS_PSK_DHE_WITH_AES_128_CCM_8 = 0xC0AA; - public static final int TLS_PSK_DHE_WITH_AES_256_CCM_8 = 0xC0AB; - - /* - * draft-agl-tls-chacha20poly1305-04 - */ - public static final int TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC13; - public static final int TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC14; - public static final int TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC15; - - /* - * draft-josefsson-salsa20-tls-04 - */ - public static final int TLS_RSA_WITH_ESTREAM_SALSA20_SHA1 = 0xE410; - public static final int TLS_RSA_WITH_SALSA20_SHA1 = 0xE411; - public static final int TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1 = 0xE412; - public static final int TLS_ECDHE_RSA_WITH_SALSA20_SHA1 = 0xE413; - public static final int TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1 = 0xE414; - public static final int TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1 = 0xE415; - public static final int TLS_PSK_WITH_ESTREAM_SALSA20_SHA1 = 0xE416; - public static final int TLS_PSK_WITH_SALSA20_SHA1 = 0xE417; - public static final int TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1 = 0xE418; - public static final int TLS_ECDHE_PSK_WITH_SALSA20_SHA1 = 0xE419; - public static final int TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1 = 0xE41A; - public static final int TLS_RSA_PSK_WITH_SALSA20_SHA1 = 0xE41B; - public static final int TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1 = 0xE41C; - public static final int TLS_DHE_PSK_WITH_SALSA20_SHA1 = 0xE41D; - public static final int TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1 = 0xE41E; - public static final int TLS_DHE_RSA_WITH_SALSA20_SHA1 = 0xE41F; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/CipherType.java b/core/src/main/java/org/bouncycastle/crypto/tls/CipherType.java deleted file mode 100644 index c6d845a6..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/CipherType.java +++ /dev/null @@ -1,18 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/** - * RFC 2246 - * <p> - * Note that the values here are implementation-specific and arbitrary. It is recommended not to - * depend on the particular values (e.g. serialization). - */ -public class CipherType -{ - public static final int stream = 0; - public static final int block = 1; - - /* - * RFC 5246 - */ - public static final int aead = 2; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/ClientAuthenticationType.java b/core/src/main/java/org/bouncycastle/crypto/tls/ClientAuthenticationType.java deleted file mode 100644 index 77e64607..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/ClientAuthenticationType.java +++ /dev/null @@ -1,11 +0,0 @@ -package org.bouncycastle.crypto.tls; - -public class ClientAuthenticationType -{ - /* - * RFC 5077 4 - */ - public static final short anonymous = 0; - public static final short certificate_based = 1; - public static final short psk = 2; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/ClientCertificateType.java b/core/src/main/java/org/bouncycastle/crypto/tls/ClientCertificateType.java deleted file mode 100644 index 6bddfc0f..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/ClientCertificateType.java +++ /dev/null @@ -1,22 +0,0 @@ -package org.bouncycastle.crypto.tls; - -public class ClientCertificateType -{ - /* - * RFC 4346 7.4.4 - */ - public static final short rsa_sign = 1; - public static final short dss_sign = 2; - public static final short rsa_fixed_dh = 3; - public static final short dss_fixed_dh = 4; - public static final short rsa_ephemeral_dh_RESERVED = 5; - public static final short dss_ephemeral_dh_RESERVED = 6; - public static final short fortezza_dms_RESERVED = 20; - - /* - * RFC 4492 5.5 - */ - public static final short ecdsa_sign = 64; - public static final short rsa_fixed_ecdh = 65; - public static final short ecdsa_fixed_ecdh = 66; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/CombinedHash.java b/core/src/main/java/org/bouncycastle/crypto/tls/CombinedHash.java deleted file mode 100644 index 43b73bff..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/CombinedHash.java +++ /dev/null @@ -1,135 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import org.bouncycastle.crypto.Digest; - -/** - * A combined hash, which implements md5(m) || sha1(m). - */ -class CombinedHash - implements TlsHandshakeHash -{ - protected TlsContext context; - protected Digest md5; - protected Digest sha1; - - CombinedHash() - { - this.md5 = TlsUtils.createHash(HashAlgorithm.md5); - this.sha1 = TlsUtils.createHash(HashAlgorithm.sha1); - } - - CombinedHash(CombinedHash t) - { - this.context = t.context; - this.md5 = TlsUtils.cloneHash(HashAlgorithm.md5, t.md5); - this.sha1 = TlsUtils.cloneHash(HashAlgorithm.sha1, t.sha1); - } - - public void init(TlsContext context) - { - this.context = context; - } - - public TlsHandshakeHash notifyPRFDetermined() - { - return this; - } - - public void trackHashAlgorithm(short hashAlgorithm) - { - throw new IllegalStateException("CombinedHash only supports calculating the legacy PRF for handshake hash"); - } - - public void sealHashAlgorithms() - { - } - - public TlsHandshakeHash stopTracking() - { - return new CombinedHash(this); - } - - public Digest forkPRFHash() - { - return new CombinedHash(this); - } - - public byte[] getFinalHash(short hashAlgorithm) - { - throw new IllegalStateException("CombinedHash doesn't support multiple hashes"); - } - - /** - * @see org.bouncycastle.crypto.Digest#getAlgorithmName() - */ - public String getAlgorithmName() - { - return md5.getAlgorithmName() + " and " + sha1.getAlgorithmName(); - } - - /** - * @see org.bouncycastle.crypto.Digest#getDigestSize() - */ - public int getDigestSize() - { - return md5.getDigestSize() + sha1.getDigestSize(); - } - - /** - * @see org.bouncycastle.crypto.Digest#update(byte) - */ - public void update(byte in) - { - md5.update(in); - sha1.update(in); - } - - /** - * @see org.bouncycastle.crypto.Digest#update(byte[], int, int) - */ - public void update(byte[] in, int inOff, int len) - { - md5.update(in, inOff, len); - sha1.update(in, inOff, len); - } - - /** - * @see org.bouncycastle.crypto.Digest#doFinal(byte[], int) - */ - public int doFinal(byte[] out, int outOff) - { - if (context != null && TlsUtils.isSSL(context)) - { - ssl3Complete(md5, SSL3Mac.IPAD, SSL3Mac.OPAD, 48); - ssl3Complete(sha1, SSL3Mac.IPAD, SSL3Mac.OPAD, 40); - } - - int i1 = md5.doFinal(out, outOff); - int i2 = sha1.doFinal(out, outOff + i1); - return i1 + i2; - } - - /** - * @see org.bouncycastle.crypto.Digest#reset() - */ - public void reset() - { - md5.reset(); - sha1.reset(); - } - - protected void ssl3Complete(Digest d, byte[] ipad, byte[] opad, int padLength) - { - byte[] master_secret = context.getSecurityParameters().masterSecret; - - d.update(master_secret, 0, master_secret.length); - d.update(ipad, 0, padLength); - - byte[] tmp = new byte[d.getDigestSize()]; - d.doFinal(tmp, 0); - - d.update(master_secret, 0, master_secret.length); - d.update(opad, 0, padLength); - d.update(tmp, 0, tmp.length); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/CompressionMethod.java b/core/src/main/java/org/bouncycastle/crypto/tls/CompressionMethod.java deleted file mode 100644 index 935d378f..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/CompressionMethod.java +++ /dev/null @@ -1,24 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/** - * RFC 2246 6.1 - */ -public class CompressionMethod -{ - public static final short _null = 0; - - /** - * @deprecated use '_null' instead - */ - public static final short NULL = _null; - - /* - * RFC 3749 2 - */ - public static final short DEFLATE = 1; - - /* - * Values from 224 decimal (0xE0) through 255 decimal (0xFF) - * inclusive are reserved for private use. - */ -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/ConnectionEnd.java b/core/src/main/java/org/bouncycastle/crypto/tls/ConnectionEnd.java deleted file mode 100644 index bcbf607e..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/ConnectionEnd.java +++ /dev/null @@ -1,13 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/** - * RFC 2246 - * <p> - * Note that the values here are implementation-specific and arbitrary. It is recommended not to - * depend on the particular values (e.g. serialization). - */ -public class ConnectionEnd -{ - public static final int server = 0; - public static final int client = 1; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/ContentType.java b/core/src/main/java/org/bouncycastle/crypto/tls/ContentType.java deleted file mode 100644 index 65ed9b60..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/ContentType.java +++ /dev/null @@ -1,13 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/** - * RFC 2246 6.2.1 - */ -public class ContentType -{ - public static final short change_cipher_spec = 20; - public static final short alert = 21; - public static final short handshake = 22; - public static final short application_data = 23; - public static final short heartbeat = 24; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java deleted file mode 100644 index b88d8f33..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java +++ /dev/null @@ -1,831 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.ByteArrayInputStream; -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.security.SecureRandom; -import java.util.Enumeration; -import java.util.Hashtable; -import java.util.Vector; - -import org.bouncycastle.util.Arrays; - -public class DTLSClientProtocol - extends DTLSProtocol -{ - public DTLSClientProtocol(SecureRandom secureRandom) - { - super(secureRandom); - } - - public DTLSTransport connect(TlsClient client, DatagramTransport transport) - throws IOException - { - if (client == null) - { - throw new IllegalArgumentException("'client' cannot be null"); - } - if (transport == null) - { - throw new IllegalArgumentException("'transport' cannot be null"); - } - - SecurityParameters securityParameters = new SecurityParameters(); - securityParameters.entity = ConnectionEnd.client; - - ClientHandshakeState state = new ClientHandshakeState(); - state.client = client; - state.clientContext = new TlsClientContextImpl(secureRandom, securityParameters); - - securityParameters.clientRandom = TlsProtocol.createRandomBlock(client.shouldUseGMTUnixTime(), - state.clientContext.getNonceRandomGenerator()); - - client.init(state.clientContext); - - DTLSRecordLayer recordLayer = new DTLSRecordLayer(transport, state.clientContext, client, ContentType.handshake); - - TlsSession sessionToResume = state.client.getSessionToResume(); - if (sessionToResume != null) - { - SessionParameters sessionParameters = sessionToResume.exportSessionParameters(); - if (sessionParameters != null) - { - state.tlsSession = sessionToResume; - state.sessionParameters = sessionParameters; - } - } - - try - { - return clientHandshake(state, recordLayer); - } - catch (TlsFatalAlert fatalAlert) - { - recordLayer.fail(fatalAlert.getAlertDescription()); - throw fatalAlert; - } - catch (IOException e) - { - recordLayer.fail(AlertDescription.internal_error); - throw e; - } - catch (RuntimeException e) - { - recordLayer.fail(AlertDescription.internal_error); - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - protected DTLSTransport clientHandshake(ClientHandshakeState state, DTLSRecordLayer recordLayer) - throws IOException - { - SecurityParameters securityParameters = state.clientContext.getSecurityParameters(); - DTLSReliableHandshake handshake = new DTLSReliableHandshake(state.clientContext, recordLayer); - - byte[] clientHelloBody = generateClientHello(state, state.client); - handshake.sendMessage(HandshakeType.client_hello, clientHelloBody); - - DTLSReliableHandshake.Message serverMessage = handshake.receiveMessage(); - - while (serverMessage.getType() == HandshakeType.hello_verify_request) - { - ProtocolVersion recordLayerVersion = recordLayer.resetDiscoveredPeerVersion(); - ProtocolVersion client_version = state.clientContext.getClientVersion(); - - /* - * RFC 6347 4.2.1 DTLS 1.2 server implementations SHOULD use DTLS version 1.0 regardless of - * the version of TLS that is expected to be negotiated. DTLS 1.2 and 1.0 clients MUST use - * the version solely to indicate packet formatting (which is the same in both DTLS 1.2 and - * 1.0) and not as part of version negotiation. - */ - if (!recordLayerVersion.isEqualOrEarlierVersionOf(client_version)) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - byte[] cookie = processHelloVerifyRequest(state, serverMessage.getBody()); - byte[] patched = patchClientHelloWithCookie(clientHelloBody, cookie); - - handshake.resetHandshakeMessagesDigest(); - handshake.sendMessage(HandshakeType.client_hello, patched); - - serverMessage = handshake.receiveMessage(); - } - - if (serverMessage.getType() == HandshakeType.server_hello) - { - reportServerVersion(state, recordLayer.getDiscoveredPeerVersion()); - - processServerHello(state, serverMessage.getBody()); - } - else - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - - if (state.maxFragmentLength >= 0) - { - int plainTextLimit = 1 << (8 + state.maxFragmentLength); - recordLayer.setPlaintextLimit(plainTextLimit); - } - - securityParameters.cipherSuite = state.selectedCipherSuite; - securityParameters.compressionAlgorithm = state.selectedCompressionMethod; - securityParameters.prfAlgorithm = TlsProtocol.getPRFAlgorithm(state.clientContext, state.selectedCipherSuite); - - /* - * RFC 5264 7.4.9. Any cipher suite which does not explicitly specify verify_data_length has - * a verify_data_length equal to 12. This includes all existing cipher suites. - */ - securityParameters.verifyDataLength = 12; - - handshake.notifyHelloComplete(); - - boolean resumedSession = state.selectedSessionID.length > 0 && state.tlsSession != null - && Arrays.areEqual(state.selectedSessionID, state.tlsSession.getSessionID()); - - if (resumedSession) - { - if (securityParameters.getCipherSuite() != state.sessionParameters.getCipherSuite() - || securityParameters.getCompressionAlgorithm() != state.sessionParameters.getCompressionAlgorithm()) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - securityParameters.masterSecret = Arrays.clone(state.sessionParameters.getMasterSecret()); - recordLayer.initPendingEpoch(state.client.getCipher()); - - // NOTE: Calculated exclusive of the actual Finished message from the server - byte[] expectedServerVerifyData = TlsUtils.calculateVerifyData(state.clientContext, ExporterLabel.server_finished, - TlsProtocol.getCurrentPRFHash(state.clientContext, handshake.getHandshakeHash(), null)); - processFinished(handshake.receiveMessageBody(HandshakeType.finished), expectedServerVerifyData); - - // NOTE: Calculated exclusive of the Finished message itself - byte[] clientVerifyData = TlsUtils.calculateVerifyData(state.clientContext, ExporterLabel.client_finished, - TlsProtocol.getCurrentPRFHash(state.clientContext, handshake.getHandshakeHash(), null)); - handshake.sendMessage(HandshakeType.finished, clientVerifyData); - - handshake.finish(); - - state.clientContext.setResumableSession(state.tlsSession); - - state.client.notifyHandshakeComplete(); - - return new DTLSTransport(recordLayer); - } - - invalidateSession(state); - - if (state.selectedSessionID.length > 0) - { - state.tlsSession = new TlsSessionImpl(state.selectedSessionID, null); - } - - serverMessage = handshake.receiveMessage(); - - if (serverMessage.getType() == HandshakeType.supplemental_data) - { - processServerSupplementalData(state, serverMessage.getBody()); - serverMessage = handshake.receiveMessage(); - } - else - { - state.client.processServerSupplementalData(null); - } - - state.keyExchange = state.client.getKeyExchange(); - state.keyExchange.init(state.clientContext); - - Certificate serverCertificate = null; - - if (serverMessage.getType() == HandshakeType.certificate) - { - serverCertificate = processServerCertificate(state, serverMessage.getBody()); - serverMessage = handshake.receiveMessage(); - } - else - { - // Okay, Certificate is optional - state.keyExchange.skipServerCredentials(); - } - - // TODO[RFC 3546] Check whether empty certificates is possible, allowed, or excludes CertificateStatus - if (serverCertificate == null || serverCertificate.isEmpty()) - { - state.allowCertificateStatus = false; - } - - if (serverMessage.getType() == HandshakeType.certificate_status) - { - processCertificateStatus(state, serverMessage.getBody()); - serverMessage = handshake.receiveMessage(); - } - else - { - // Okay, CertificateStatus is optional - } - - if (serverMessage.getType() == HandshakeType.server_key_exchange) - { - processServerKeyExchange(state, serverMessage.getBody()); - serverMessage = handshake.receiveMessage(); - } - else - { - // Okay, ServerKeyExchange is optional - state.keyExchange.skipServerKeyExchange(); - } - - if (serverMessage.getType() == HandshakeType.certificate_request) - { - processCertificateRequest(state, serverMessage.getBody()); - - /* - * TODO Give the client a chance to immediately select the CertificateVerify hash - * algorithm here to avoid tracking the other hash algorithms unnecessarily? - */ - TlsUtils.trackHashAlgorithms(handshake.getHandshakeHash(), - state.certificateRequest.getSupportedSignatureAlgorithms()); - - serverMessage = handshake.receiveMessage(); - } - else - { - // Okay, CertificateRequest is optional - } - - if (serverMessage.getType() == HandshakeType.server_hello_done) - { - if (serverMessage.getBody().length != 0) - { - throw new TlsFatalAlert(AlertDescription.decode_error); - } - } - else - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - - handshake.getHandshakeHash().sealHashAlgorithms(); - - Vector clientSupplementalData = state.client.getClientSupplementalData(); - if (clientSupplementalData != null) - { - byte[] supplementalDataBody = generateSupplementalData(clientSupplementalData); - handshake.sendMessage(HandshakeType.supplemental_data, supplementalDataBody); - } - - if (state.certificateRequest != null) - { - state.clientCredentials = state.authentication.getClientCredentials(state.certificateRequest); - - /* - * RFC 5246 If no suitable certificate is available, the client MUST send a certificate - * message containing no certificates. - * - * NOTE: In previous RFCs, this was SHOULD instead of MUST. - */ - Certificate clientCertificate = null; - if (state.clientCredentials != null) - { - clientCertificate = state.clientCredentials.getCertificate(); - } - if (clientCertificate == null) - { - clientCertificate = Certificate.EMPTY_CHAIN; - } - - byte[] certificateBody = generateCertificate(clientCertificate); - handshake.sendMessage(HandshakeType.certificate, certificateBody); - } - - if (state.clientCredentials != null) - { - state.keyExchange.processClientCredentials(state.clientCredentials); - } - else - { - state.keyExchange.skipClientCredentials(); - } - - byte[] clientKeyExchangeBody = generateClientKeyExchange(state); - handshake.sendMessage(HandshakeType.client_key_exchange, clientKeyExchangeBody); - - TlsProtocol.establishMasterSecret(state.clientContext, state.keyExchange); - recordLayer.initPendingEpoch(state.client.getCipher()); - - TlsHandshakeHash prepareFinishHash = handshake.prepareToFinish(); - - if (state.clientCredentials != null && state.clientCredentials instanceof TlsSignerCredentials) - { - TlsSignerCredentials signerCredentials = (TlsSignerCredentials)state.clientCredentials; - - /* - * RFC 5246 4.7. digitally-signed element needs SignatureAndHashAlgorithm from TLS 1.2 - */ - SignatureAndHashAlgorithm signatureAndHashAlgorithm; - byte[] hash; - - if (TlsUtils.isTLSv12(state.clientContext)) - { - signatureAndHashAlgorithm = signerCredentials.getSignatureAndHashAlgorithm(); - if (signatureAndHashAlgorithm == null) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - hash = prepareFinishHash.getFinalHash(signatureAndHashAlgorithm.getHash()); - } - else - { - signatureAndHashAlgorithm = null; - hash = TlsProtocol.getCurrentPRFHash(state.clientContext, prepareFinishHash, null); - } - - byte[] signature = signerCredentials.generateCertificateSignature(hash); - DigitallySigned certificateVerify = new DigitallySigned(signatureAndHashAlgorithm, signature); - byte[] certificateVerifyBody = generateCertificateVerify(state, certificateVerify); - handshake.sendMessage(HandshakeType.certificate_verify, certificateVerifyBody); - } - - // NOTE: Calculated exclusive of the Finished message itself - byte[] clientVerifyData = TlsUtils.calculateVerifyData(state.clientContext, ExporterLabel.client_finished, - TlsProtocol.getCurrentPRFHash(state.clientContext, handshake.getHandshakeHash(), null)); - handshake.sendMessage(HandshakeType.finished, clientVerifyData); - - if (state.expectSessionTicket) - { - serverMessage = handshake.receiveMessage(); - if (serverMessage.getType() == HandshakeType.session_ticket) - { - processNewSessionTicket(state, serverMessage.getBody()); - } - else - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - } - - // NOTE: Calculated exclusive of the actual Finished message from the server - byte[] expectedServerVerifyData = TlsUtils.calculateVerifyData(state.clientContext, ExporterLabel.server_finished, - TlsProtocol.getCurrentPRFHash(state.clientContext, handshake.getHandshakeHash(), null)); - processFinished(handshake.receiveMessageBody(HandshakeType.finished), expectedServerVerifyData); - - handshake.finish(); - - if (state.tlsSession != null) - { - state.sessionParameters = new SessionParameters.Builder() - .setCipherSuite(securityParameters.cipherSuite) - .setCompressionAlgorithm(securityParameters.compressionAlgorithm) - .setMasterSecret(securityParameters.masterSecret) - .setPeerCertificate(serverCertificate) - .build(); - - state.tlsSession = TlsUtils.importSession(state.tlsSession.getSessionID(), state.sessionParameters); - - state.clientContext.setResumableSession(state.tlsSession); - } - - state.client.notifyHandshakeComplete(); - - return new DTLSTransport(recordLayer); - } - - protected byte[] generateCertificateVerify(ClientHandshakeState state, DigitallySigned certificateVerify) - throws IOException - { - ByteArrayOutputStream buf = new ByteArrayOutputStream(); - certificateVerify.encode(buf); - return buf.toByteArray(); - } - - protected byte[] generateClientHello(ClientHandshakeState state, TlsClient client) - throws IOException - { - ByteArrayOutputStream buf = new ByteArrayOutputStream(); - - ProtocolVersion client_version = client.getClientVersion(); - if (!client_version.isDTLS()) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - state.clientContext.setClientVersion(client_version); - TlsUtils.writeVersion(client_version, buf); - - buf.write(state.clientContext.getSecurityParameters().getClientRandom()); - - // Session ID - byte[] session_id = TlsUtils.EMPTY_BYTES; - if (state.tlsSession != null) - { - session_id = state.tlsSession.getSessionID(); - if (session_id == null || session_id.length > 32) - { - session_id = TlsUtils.EMPTY_BYTES; - } - } - TlsUtils.writeOpaque8(session_id, buf); - - // Cookie - TlsUtils.writeOpaque8(TlsUtils.EMPTY_BYTES, buf); - - /* - * Cipher suites - */ - state.offeredCipherSuites = client.getCipherSuites(); - - // Integer -> byte[] - state.clientExtensions = client.getClientExtensions(); - - // Cipher Suites (and SCSV) - { - /* - * RFC 5746 3.4. The client MUST include either an empty "renegotiation_info" extension, - * or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite value in the - * ClientHello. Including both is NOT RECOMMENDED. - */ - byte[] renegExtData = TlsUtils.getExtensionData(state.clientExtensions, TlsProtocol.EXT_RenegotiationInfo); - boolean noRenegExt = (null == renegExtData); - - boolean noSCSV = !Arrays.contains(state.offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV); - - if (noRenegExt && noSCSV) - { - // TODO Consider whether to default to a client extension instead - state.offeredCipherSuites = Arrays.append(state.offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV); - } - - TlsUtils.writeUint16ArrayWithUint16Length(state.offeredCipherSuites, buf); - } - - // TODO Add support for compression - // Compression methods - // state.offeredCompressionMethods = client.getCompressionMethods(); - state.offeredCompressionMethods = new short[]{ CompressionMethod._null }; - - TlsUtils.writeUint8ArrayWithUint8Length(state.offeredCompressionMethods, buf); - - // Extensions - if (state.clientExtensions != null) - { - TlsProtocol.writeExtensions(buf, state.clientExtensions); - } - - return buf.toByteArray(); - } - - protected byte[] generateClientKeyExchange(ClientHandshakeState state) - throws IOException - { - ByteArrayOutputStream buf = new ByteArrayOutputStream(); - state.keyExchange.generateClientKeyExchange(buf); - return buf.toByteArray(); - } - - protected void invalidateSession(ClientHandshakeState state) - { - if (state.sessionParameters != null) - { - state.sessionParameters.clear(); - state.sessionParameters = null; - } - - if (state.tlsSession != null) - { - state.tlsSession.invalidate(); - state.tlsSession = null; - } - } - - protected void processCertificateRequest(ClientHandshakeState state, byte[] body) - throws IOException - { - if (state.authentication == null) - { - /* - * RFC 2246 7.4.4. It is a fatal handshake_failure alert for an anonymous server to - * request client identification. - */ - throw new TlsFatalAlert(AlertDescription.handshake_failure); - } - - ByteArrayInputStream buf = new ByteArrayInputStream(body); - - state.certificateRequest = CertificateRequest.parse(state.clientContext, buf); - - TlsProtocol.assertEmpty(buf); - - state.keyExchange.validateCertificateRequest(state.certificateRequest); - } - - protected void processCertificateStatus(ClientHandshakeState state, byte[] body) - throws IOException - { - if (!state.allowCertificateStatus) - { - /* - * RFC 3546 3.6. If a server returns a "CertificateStatus" message, then the - * server MUST have included an extension of type "status_request" with empty - * "extension_data" in the extended server hello.. - */ - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - - ByteArrayInputStream buf = new ByteArrayInputStream(body); - - state.certificateStatus = CertificateStatus.parse(buf); - - TlsProtocol.assertEmpty(buf); - - // TODO[RFC 3546] Figure out how to provide this to the client/authentication. - } - - protected byte[] processHelloVerifyRequest(ClientHandshakeState state, byte[] body) - throws IOException - { - ByteArrayInputStream buf = new ByteArrayInputStream(body); - - ProtocolVersion server_version = TlsUtils.readVersion(buf); - byte[] cookie = TlsUtils.readOpaque8(buf); - - TlsProtocol.assertEmpty(buf); - - // TODO Seems this behaviour is not yet in line with OpenSSL for DTLS 1.2 -// reportServerVersion(state, server_version); - if (!server_version.isEqualOrEarlierVersionOf(state.clientContext.getClientVersion())) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - /* - * RFC 6347 This specification increases the cookie size limit to 255 bytes for greater - * future flexibility. The limit remains 32 for previous versions of DTLS. - */ - if (!ProtocolVersion.DTLSv12.isEqualOrEarlierVersionOf(server_version) && cookie.length > 32) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - return cookie; - } - - protected void processNewSessionTicket(ClientHandshakeState state, byte[] body) - throws IOException - { - ByteArrayInputStream buf = new ByteArrayInputStream(body); - - NewSessionTicket newSessionTicket = NewSessionTicket.parse(buf); - - TlsProtocol.assertEmpty(buf); - - state.client.notifyNewSessionTicket(newSessionTicket); - } - - protected Certificate processServerCertificate(ClientHandshakeState state, byte[] body) - throws IOException - { - ByteArrayInputStream buf = new ByteArrayInputStream(body); - - Certificate serverCertificate = Certificate.parse(buf); - - TlsProtocol.assertEmpty(buf); - - state.keyExchange.processServerCertificate(serverCertificate); - state.authentication = state.client.getAuthentication(); - state.authentication.notifyServerCertificate(serverCertificate); - - return serverCertificate; - } - - protected void processServerHello(ClientHandshakeState state, byte[] body) - throws IOException - { - SecurityParameters securityParameters = state.clientContext.getSecurityParameters(); - - ByteArrayInputStream buf = new ByteArrayInputStream(body); - - ProtocolVersion server_version = TlsUtils.readVersion(buf); - reportServerVersion(state, server_version); - - securityParameters.serverRandom = TlsUtils.readFully(32, buf); - - state.selectedSessionID = TlsUtils.readOpaque8(buf); - if (state.selectedSessionID.length > 32) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - state.client.notifySessionID(state.selectedSessionID); - - state.selectedCipherSuite = TlsUtils.readUint16(buf); - if (!Arrays.contains(state.offeredCipherSuites, state.selectedCipherSuite) - || state.selectedCipherSuite == CipherSuite.TLS_NULL_WITH_NULL_NULL - || state.selectedCipherSuite == CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV - || !TlsUtils.isValidCipherSuiteForVersion(state.selectedCipherSuite, server_version)) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - validateSelectedCipherSuite(state.selectedCipherSuite, AlertDescription.illegal_parameter); - - state.client.notifySelectedCipherSuite(state.selectedCipherSuite); - - state.selectedCompressionMethod = TlsUtils.readUint8(buf); - if (!Arrays.contains(state.offeredCompressionMethods, state.selectedCompressionMethod)) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - state.client.notifySelectedCompressionMethod(state.selectedCompressionMethod); - - /* - * RFC3546 2.2 The extended server hello message format MAY be sent in place of the server - * hello message when the client has requested extended functionality via the extended - * client hello message specified in Section 2.1. ... Note that the extended server hello - * message is only sent in response to an extended client hello message. This prevents the - * possibility that the extended server hello message could "break" existing TLS 1.0 - * clients. - */ - - /* - * TODO RFC 3546 2.3 If [...] the older session is resumed, then the server MUST ignore - * extensions appearing in the client hello, and send a server hello containing no - * extensions. - */ - - // Integer -> byte[] - Hashtable serverExtensions = TlsProtocol.readExtensions(buf); - - /* - * RFC 3546 2.2 Note that the extended server hello message is only sent in response to an - * extended client hello message. However, see RFC 5746 exception below. We always include - * the SCSV, so an Extended Server Hello is always allowed. - */ - if (serverExtensions != null) - { - Enumeration e = serverExtensions.keys(); - while (e.hasMoreElements()) - { - Integer extType = (Integer)e.nextElement(); - - /* - * RFC 5746 Note that sending a "renegotiation_info" extension in response to a - * ClientHello containing only the SCSV is an explicit exception to the prohibition - * in RFC 5246, Section 7.4.1.4, on the server sending unsolicited extensions and is - * only allowed because the client is signaling its willingness to receive the - * extension via the TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. TLS implementations - * MUST continue to comply with Section 7.4.1.4 for all other extensions. - */ - if (!extType.equals(TlsProtocol.EXT_RenegotiationInfo) - && null == TlsUtils.getExtensionData(state.clientExtensions, extType)) - { - /* - * RFC 3546 2.3 Note that for all extension types (including those defined in - * future), the extension type MUST NOT appear in the extended server hello - * unless the same extension type appeared in the corresponding client hello. - * Thus clients MUST abort the handshake if they receive an extension type in - * the extended server hello that they did not request in the associated - * (extended) client hello. - */ - throw new TlsFatalAlert(AlertDescription.unsupported_extension); - } - } - - /* - * RFC 5746 3.4. Client Behavior: Initial Handshake - */ - { - /* - * When a ServerHello is received, the client MUST check if it includes the - * "renegotiation_info" extension: - */ - byte[] renegExtData = (byte[])serverExtensions.get(TlsProtocol.EXT_RenegotiationInfo); - if (renegExtData != null) - { - /* - * If the extension is present, set the secure_renegotiation flag to TRUE. The - * client MUST then verify that the length of the "renegotiated_connection" - * field is zero, and if it is not, MUST abort the handshake (by sending a fatal - * handshake_failure alert). - */ - state.secure_renegotiation = true; - - if (!Arrays.constantTimeAreEqual(renegExtData, - TlsProtocol.createRenegotiationInfo(TlsUtils.EMPTY_BYTES))) - { - throw new TlsFatalAlert(AlertDescription.handshake_failure); - } - } - } - - /* - * draft-ietf-tls-encrypt-then-mac-03 3. If a server receives an encrypt-then-MAC - * request extension from a client and then selects a stream or AEAD cipher suite, it - * MUST NOT send an encrypt-then-MAC response extension back to the client. - */ - boolean serverSentEncryptThenMAC = TlsExtensionsUtils.hasEncryptThenMACExtension(serverExtensions); - if (serverSentEncryptThenMAC && !TlsUtils.isBlockCipherSuite(state.selectedCipherSuite)) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - securityParameters.encryptThenMAC = serverSentEncryptThenMAC; - - state.maxFragmentLength = evaluateMaxFragmentLengthExtension(state.clientExtensions, serverExtensions, - AlertDescription.illegal_parameter); - - securityParameters.truncatedHMac = TlsExtensionsUtils.hasTruncatedHMacExtension(serverExtensions); - - state.allowCertificateStatus = TlsUtils.hasExpectedEmptyExtensionData(serverExtensions, - TlsExtensionsUtils.EXT_status_request, AlertDescription.illegal_parameter); - - state.expectSessionTicket = TlsUtils.hasExpectedEmptyExtensionData(serverExtensions, - TlsProtocol.EXT_SessionTicket, AlertDescription.illegal_parameter); - } - - state.client.notifySecureRenegotiation(state.secure_renegotiation); - - if (state.clientExtensions != null) - { - state.client.processServerExtensions(serverExtensions); - } - } - - protected void processServerKeyExchange(ClientHandshakeState state, byte[] body) - throws IOException - { - ByteArrayInputStream buf = new ByteArrayInputStream(body); - - state.keyExchange.processServerKeyExchange(buf); - - TlsProtocol.assertEmpty(buf); - } - - protected void processServerSupplementalData(ClientHandshakeState state, byte[] body) - throws IOException - { - ByteArrayInputStream buf = new ByteArrayInputStream(body); - Vector serverSupplementalData = TlsProtocol.readSupplementalDataMessage(buf); - state.client.processServerSupplementalData(serverSupplementalData); - } - - protected void reportServerVersion(ClientHandshakeState state, ProtocolVersion server_version) - throws IOException - { - TlsClientContextImpl clientContext = state.clientContext; - ProtocolVersion currentServerVersion = clientContext.getServerVersion(); - if (null == currentServerVersion) - { - clientContext.setServerVersion(server_version); - state.client.notifyServerVersion(server_version); - } - else if (!currentServerVersion.equals(server_version)) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - } - - protected static byte[] patchClientHelloWithCookie(byte[] clientHelloBody, byte[] cookie) - throws IOException - { - int sessionIDPos = 34; - int sessionIDLength = TlsUtils.readUint8(clientHelloBody, sessionIDPos); - - int cookieLengthPos = sessionIDPos + 1 + sessionIDLength; - int cookiePos = cookieLengthPos + 1; - - byte[] patched = new byte[clientHelloBody.length + cookie.length]; - System.arraycopy(clientHelloBody, 0, patched, 0, cookieLengthPos); - TlsUtils.checkUint8(cookie.length); - TlsUtils.writeUint8(cookie.length, patched, cookieLengthPos); - System.arraycopy(cookie, 0, patched, cookiePos, cookie.length); - System.arraycopy(clientHelloBody, cookiePos, patched, cookiePos + cookie.length, clientHelloBody.length - - cookiePos); - - return patched; - } - - protected static class ClientHandshakeState - { - TlsClient client = null; - TlsClientContextImpl clientContext = null; - TlsSession tlsSession = null; - SessionParameters sessionParameters = null; - SessionParameters.Builder sessionParametersBuilder = null; - int[] offeredCipherSuites = null; - short[] offeredCompressionMethods = null; - Hashtable clientExtensions = null; - byte[] selectedSessionID = null; - int selectedCipherSuite = -1; - short selectedCompressionMethod = -1; - boolean secure_renegotiation = false; - short maxFragmentLength = -1; - boolean allowCertificateStatus = false; - boolean expectSessionTicket = false; - TlsKeyExchange keyExchange = null; - TlsAuthentication authentication = null; - CertificateStatus certificateStatus = null; - CertificateRequest certificateRequest = null; - TlsCredentials clientCredentials = null; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSEpoch.java b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSEpoch.java deleted file mode 100644 index 57dd42f6..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSEpoch.java +++ /dev/null @@ -1,52 +0,0 @@ -package org.bouncycastle.crypto.tls; - -class DTLSEpoch -{ - private final DTLSReplayWindow replayWindow = new DTLSReplayWindow(); - - private final int epoch; - private final TlsCipher cipher; - - private long sequence_number = 0; - - DTLSEpoch(int epoch, TlsCipher cipher) - { - if (epoch < 0) - { - throw new IllegalArgumentException("'epoch' must be >= 0"); - } - if (cipher == null) - { - throw new IllegalArgumentException("'cipher' cannot be null"); - } - - this.epoch = epoch; - this.cipher = cipher; - } - - long allocateSequenceNumber() - { - // TODO Check for overflow - return sequence_number++; - } - - TlsCipher getCipher() - { - return cipher; - } - - int getEpoch() - { - return epoch; - } - - DTLSReplayWindow getReplayWindow() - { - return replayWindow; - } - - long getSequence_number() - { - return sequence_number; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSHandshakeRetransmit.java b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSHandshakeRetransmit.java deleted file mode 100644 index 251d3a28..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSHandshakeRetransmit.java +++ /dev/null @@ -1,9 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -interface DTLSHandshakeRetransmit -{ - void receivedHandshakeRecord(int epoch, byte[] buf, int off, int len) - throws IOException; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSProtocol.java deleted file mode 100644 index db43011b..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSProtocol.java +++ /dev/null @@ -1,78 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.ByteArrayInputStream; -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.security.SecureRandom; -import java.util.Hashtable; -import java.util.Vector; - -import org.bouncycastle.util.Arrays; - -public abstract class DTLSProtocol -{ - protected final SecureRandom secureRandom; - - protected DTLSProtocol(SecureRandom secureRandom) - { - if (secureRandom == null) - { - throw new IllegalArgumentException("'secureRandom' cannot be null"); - } - - this.secureRandom = secureRandom; - } - - protected void processFinished(byte[] body, byte[] expected_verify_data) - throws IOException - { - ByteArrayInputStream buf = new ByteArrayInputStream(body); - - byte[] verify_data = TlsUtils.readFully(expected_verify_data.length, buf); - - TlsProtocol.assertEmpty(buf); - - if (!Arrays.constantTimeAreEqual(expected_verify_data, verify_data)) - { - throw new TlsFatalAlert(AlertDescription.handshake_failure); - } - } - - protected static short evaluateMaxFragmentLengthExtension(Hashtable clientExtensions, Hashtable serverExtensions, - short alertDescription) throws IOException - { - short maxFragmentLength = TlsExtensionsUtils.getMaxFragmentLengthExtension(serverExtensions); - if (maxFragmentLength >= 0 && maxFragmentLength != TlsExtensionsUtils.getMaxFragmentLengthExtension(clientExtensions)) - { - throw new TlsFatalAlert(alertDescription); - } - return maxFragmentLength; - } - - protected static byte[] generateCertificate(Certificate certificate) - throws IOException - { - ByteArrayOutputStream buf = new ByteArrayOutputStream(); - certificate.encode(buf); - return buf.toByteArray(); - } - - protected static byte[] generateSupplementalData(Vector supplementalData) - throws IOException - { - ByteArrayOutputStream buf = new ByteArrayOutputStream(); - TlsProtocol.writeSupplementalData(buf, supplementalData); - return buf.toByteArray(); - } - - protected static void validateSelectedCipherSuite(int selectedCipherSuite, short alertDescription) - throws IOException - { - switch (TlsUtils.getEncryptionAlgorithm(selectedCipherSuite)) - { - case EncryptionAlgorithm.RC4_40: - case EncryptionAlgorithm.RC4_128: - throw new TlsFatalAlert(alertDescription); - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSReassembler.java b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSReassembler.java deleted file mode 100644 index 788306c8..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSReassembler.java +++ /dev/null @@ -1,133 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.util.Vector; - -class DTLSReassembler -{ - private final short msg_type; - private final byte[] body; - - private Vector missing = new Vector(); - - DTLSReassembler(short msg_type, int length) - { - this.msg_type = msg_type; - this.body = new byte[length]; - this.missing.addElement(new Range(0, length)); - } - - short getType() - { - return msg_type; - } - - byte[] getBodyIfComplete() - { - return missing.isEmpty() ? body : null; - } - - void contributeFragment(short msg_type, int length, byte[] buf, int off, int fragment_offset, - int fragment_length) - { - int fragment_end = fragment_offset + fragment_length; - - if (this.msg_type != msg_type || this.body.length != length || fragment_end > length) - { - return; - } - - if (fragment_length == 0) - { - // NOTE: Empty messages still require an empty fragment to complete it - if (fragment_offset == 0 && !missing.isEmpty()) - { - Range firstRange = (Range)missing.firstElement(); - if (firstRange.getEnd() == 0) - { - missing.removeElementAt(0); - } - } - return; - } - - for (int i = 0; i < missing.size(); ++i) - { - Range range = (Range)missing.elementAt(i); - if (range.getStart() >= fragment_end) - { - break; - } - if (range.getEnd() > fragment_offset) - { - - int copyStart = Math.max(range.getStart(), fragment_offset); - int copyEnd = Math.min(range.getEnd(), fragment_end); - int copyLength = copyEnd - copyStart; - - System.arraycopy(buf, off + copyStart - fragment_offset, body, copyStart, - copyLength); - - if (copyStart == range.getStart()) - { - if (copyEnd == range.getEnd()) - { - missing.removeElementAt(i--); - } - else - { - range.setStart(copyEnd); - } - } - else - { - if (copyEnd == range.getEnd()) - { - range.setEnd(copyStart); - } - else - { - missing.insertElementAt(new Range(copyEnd, range.getEnd()), ++i); - range.setEnd(copyStart); - } - } - } - } - } - - void reset() - { - this.missing.removeAllElements(); - this.missing.addElement(new Range(0, body.length)); - } - - private static class Range - { - private int start, end; - - Range(int start, int end) - { - this.start = start; - this.end = end; - } - - public int getStart() - { - return start; - } - - public void setStart(int start) - { - this.start = start; - } - - public int getEnd() - { - return end; - } - - public void setEnd(int end) - { - this.end = end; - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSRecordLayer.java b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSRecordLayer.java deleted file mode 100644 index 15192395..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSRecordLayer.java +++ /dev/null @@ -1,516 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -class DTLSRecordLayer - implements DatagramTransport -{ - private static final int RECORD_HEADER_LENGTH = 13; - private static final int MAX_FRAGMENT_LENGTH = 1 << 14; - private static final long TCP_MSL = 1000L * 60 * 2; - private static final long RETRANSMIT_TIMEOUT = TCP_MSL * 2; - - private final DatagramTransport transport; - private final TlsContext context; - private final TlsPeer peer; - - private final ByteQueue recordQueue = new ByteQueue(); - - private volatile boolean closed = false; - private volatile boolean failed = false; - private volatile ProtocolVersion discoveredPeerVersion = null; - private volatile boolean inHandshake; - private volatile int plaintextLimit; - private DTLSEpoch currentEpoch, pendingEpoch; - private DTLSEpoch readEpoch, writeEpoch; - - private DTLSHandshakeRetransmit retransmit = null; - private DTLSEpoch retransmitEpoch = null; - private long retransmitExpiry = 0; - - DTLSRecordLayer(DatagramTransport transport, TlsContext context, TlsPeer peer, short contentType) - { - this.transport = transport; - this.context = context; - this.peer = peer; - - this.inHandshake = true; - - this.currentEpoch = new DTLSEpoch(0, new TlsNullCipher(context)); - this.pendingEpoch = null; - this.readEpoch = currentEpoch; - this.writeEpoch = currentEpoch; - - setPlaintextLimit(MAX_FRAGMENT_LENGTH); - } - - void setPlaintextLimit(int plaintextLimit) - { - this.plaintextLimit = plaintextLimit; - } - - ProtocolVersion getDiscoveredPeerVersion() - { - return discoveredPeerVersion; - } - - ProtocolVersion resetDiscoveredPeerVersion() - { - ProtocolVersion result = discoveredPeerVersion; - discoveredPeerVersion = null; - return result; - } - - void initPendingEpoch(TlsCipher pendingCipher) - { - if (pendingEpoch != null) - { - throw new IllegalStateException(); - } - - /* - * TODO "In order to ensure that any given sequence/epoch pair is unique, implementations - * MUST NOT allow the same epoch value to be reused within two times the TCP maximum segment - * lifetime." - */ - - // TODO Check for overflow - this.pendingEpoch = new DTLSEpoch(writeEpoch.getEpoch() + 1, pendingCipher); - } - - void handshakeSuccessful(DTLSHandshakeRetransmit retransmit) - { - if (readEpoch == currentEpoch || writeEpoch == currentEpoch) - { - // TODO - throw new IllegalStateException(); - } - - if (retransmit != null) - { - this.retransmit = retransmit; - this.retransmitEpoch = currentEpoch; - this.retransmitExpiry = System.currentTimeMillis() + RETRANSMIT_TIMEOUT; - } - - this.inHandshake = false; - this.currentEpoch = pendingEpoch; - this.pendingEpoch = null; - } - - void resetWriteEpoch() - { - if (retransmitEpoch != null) - { - this.writeEpoch = retransmitEpoch; - } - else - { - this.writeEpoch = currentEpoch; - } - } - - public int getReceiveLimit() - throws IOException - { - return Math.min(this.plaintextLimit, - readEpoch.getCipher().getPlaintextLimit(transport.getReceiveLimit() - RECORD_HEADER_LENGTH)); - } - - public int getSendLimit() - throws IOException - { - return Math.min(this.plaintextLimit, - writeEpoch.getCipher().getPlaintextLimit(transport.getSendLimit() - RECORD_HEADER_LENGTH)); - } - - public int receive(byte[] buf, int off, int len, int waitMillis) - throws IOException - { - byte[] record = null; - - for (;;) - { - int receiveLimit = Math.min(len, getReceiveLimit()) + RECORD_HEADER_LENGTH; - if (record == null || record.length < receiveLimit) - { - record = new byte[receiveLimit]; - } - - try - { - if (retransmit != null && System.currentTimeMillis() > retransmitExpiry) - { - retransmit = null; - retransmitEpoch = null; - } - - int received = receiveRecord(record, 0, receiveLimit, waitMillis); - if (received < 0) - { - return received; - } - if (received < RECORD_HEADER_LENGTH) - { - continue; - } - int length = TlsUtils.readUint16(record, 11); - if (received != (length + RECORD_HEADER_LENGTH)) - { - continue; - } - - short type = TlsUtils.readUint8(record, 0); - - // TODO Support user-specified custom protocols? - switch (type) - { - case ContentType.alert: - case ContentType.application_data: - case ContentType.change_cipher_spec: - case ContentType.handshake: - case ContentType.heartbeat: - break; - default: - // TODO Exception? - continue; - } - - int epoch = TlsUtils.readUint16(record, 3); - - DTLSEpoch recordEpoch = null; - if (epoch == readEpoch.getEpoch()) - { - recordEpoch = readEpoch; - } - else if (type == ContentType.handshake && retransmitEpoch != null - && epoch == retransmitEpoch.getEpoch()) - { - recordEpoch = retransmitEpoch; - } - - if (recordEpoch == null) - { - continue; - } - - long seq = TlsUtils.readUint48(record, 5); - if (recordEpoch.getReplayWindow().shouldDiscard(seq)) - { - continue; - } - - ProtocolVersion version = TlsUtils.readVersion(record, 1); - if (discoveredPeerVersion != null && !discoveredPeerVersion.equals(version)) - { - continue; - } - - byte[] plaintext = recordEpoch.getCipher().decodeCiphertext( - getMacSequenceNumber(recordEpoch.getEpoch(), seq), type, record, RECORD_HEADER_LENGTH, - received - RECORD_HEADER_LENGTH); - - recordEpoch.getReplayWindow().reportAuthenticated(seq); - - if (plaintext.length > this.plaintextLimit) - { - continue; - } - - if (discoveredPeerVersion == null) - { - discoveredPeerVersion = version; - } - - switch (type) - { - case ContentType.alert: - { - if (plaintext.length == 2) - { - short alertLevel = plaintext[0]; - short alertDescription = plaintext[1]; - - peer.notifyAlertReceived(alertLevel, alertDescription); - - if (alertLevel == AlertLevel.fatal) - { - fail(alertDescription); - throw new TlsFatalAlert(alertDescription); - } - - // TODO Can close_notify be a fatal alert? - if (alertDescription == AlertDescription.close_notify) - { - closeTransport(); - } - } - - continue; - } - case ContentType.application_data: - { - if (inHandshake) - { - // TODO Consider buffering application data for new epoch that arrives - // out-of-order with the Finished message - continue; - } - break; - } - case ContentType.change_cipher_spec: - { - // Implicitly receive change_cipher_spec and change to pending cipher state - - for (int i = 0; i < plaintext.length; ++i) - { - short message = TlsUtils.readUint8(plaintext, i); - if (message != ChangeCipherSpec.change_cipher_spec) - { - continue; - } - - if (pendingEpoch != null) - { - readEpoch = pendingEpoch; - } - } - - continue; - } - case ContentType.handshake: - { - if (!inHandshake) - { - if (retransmit != null) - { - retransmit.receivedHandshakeRecord(epoch, plaintext, 0, plaintext.length); - } - - // TODO Consider support for HelloRequest - continue; - } - break; - } - case ContentType.heartbeat: - { - // TODO[RFC 6520] - continue; - } - } - - /* - * NOTE: If we receive any non-handshake data in the new epoch implies the peer has - * received our final flight. - */ - if (!inHandshake && retransmit != null) - { - this.retransmit = null; - this.retransmitEpoch = null; - } - - System.arraycopy(plaintext, 0, buf, off, plaintext.length); - return plaintext.length; - } - catch (IOException e) - { - // NOTE: Assume this is a timeout for the moment - throw e; - } - } - } - - public void send(byte[] buf, int off, int len) - throws IOException - { - short contentType = ContentType.application_data; - - if (this.inHandshake || this.writeEpoch == this.retransmitEpoch) - { - contentType = ContentType.handshake; - - short handshakeType = TlsUtils.readUint8(buf, off); - if (handshakeType == HandshakeType.finished) - { - DTLSEpoch nextEpoch = null; - if (this.inHandshake) - { - nextEpoch = pendingEpoch; - } - else if (this.writeEpoch == this.retransmitEpoch) - { - nextEpoch = currentEpoch; - } - - if (nextEpoch == null) - { - // TODO - throw new IllegalStateException(); - } - - // Implicitly send change_cipher_spec and change to pending cipher state - - // TODO Send change_cipher_spec and finished records in single datagram? - byte[] data = new byte[]{ 1 }; - sendRecord(ContentType.change_cipher_spec, data, 0, data.length); - - writeEpoch = nextEpoch; - } - } - - sendRecord(contentType, buf, off, len); - } - - public void close() - throws IOException - { - if (!closed) - { - if (inHandshake) - { - warn(AlertDescription.user_canceled, "User canceled handshake"); - } - closeTransport(); - } - } - - void fail(short alertDescription) - { - if (!closed) - { - try - { - raiseAlert(AlertLevel.fatal, alertDescription, null, null); - } - catch (Exception e) - { - // Ignore - } - - failed = true; - - closeTransport(); - } - } - - void warn(short alertDescription, String message) - throws IOException - { - raiseAlert(AlertLevel.warning, alertDescription, message, null); - } - - private void closeTransport() - { - if (!closed) - { - /* - * RFC 5246 7.2.1. Unless some other fatal alert has been transmitted, each party is - * required to send a close_notify alert before closing the write side of the - * connection. The other party MUST respond with a close_notify alert of its own and - * close down the connection immediately, discarding any pending writes. - */ - - try - { - if (!failed) - { - warn(AlertDescription.close_notify, null); - } - transport.close(); - } - catch (Exception e) - { - // Ignore - } - - closed = true; - } - } - - private void raiseAlert(short alertLevel, short alertDescription, String message, Exception cause) - throws IOException - { - peer.notifyAlertRaised(alertLevel, alertDescription, message, cause); - - byte[] error = new byte[2]; - error[0] = (byte)alertLevel; - error[1] = (byte)alertDescription; - - sendRecord(ContentType.alert, error, 0, 2); - } - - private int receiveRecord(byte[] buf, int off, int len, int waitMillis) - throws IOException - { - if (recordQueue.size() > 0) - { - int length = 0; - if (recordQueue.size() >= RECORD_HEADER_LENGTH) - { - byte[] lengthBytes = new byte[2]; - recordQueue.read(lengthBytes, 0, 2, 11); - length = TlsUtils.readUint16(lengthBytes, 0); - } - - int received = Math.min(recordQueue.size(), RECORD_HEADER_LENGTH + length); - recordQueue.removeData(buf, off, received, 0); - return received; - } - - int received = transport.receive(buf, off, len, waitMillis); - if (received >= RECORD_HEADER_LENGTH) - { - int fragmentLength = TlsUtils.readUint16(buf, off + 11); - int recordLength = RECORD_HEADER_LENGTH + fragmentLength; - if (received > recordLength) - { - recordQueue.addData(buf, off + recordLength, received - recordLength); - received = recordLength; - } - } - - return received; - } - - private void sendRecord(short contentType, byte[] buf, int off, int len) - throws IOException - { - if (len > this.plaintextLimit) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - /* - * RFC 5264 6.2.1 Implementations MUST NOT send zero-length fragments of Handshake, Alert, - * or ChangeCipherSpec content types. - */ - if (len < 1 && contentType != ContentType.application_data) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - int recordEpoch = writeEpoch.getEpoch(); - long recordSequenceNumber = writeEpoch.allocateSequenceNumber(); - - byte[] ciphertext = writeEpoch.getCipher().encodePlaintext( - getMacSequenceNumber(recordEpoch, recordSequenceNumber), contentType, buf, off, len); - - // TODO Check the ciphertext length? - - byte[] record = new byte[ciphertext.length + RECORD_HEADER_LENGTH]; - TlsUtils.writeUint8(contentType, record, 0); - ProtocolVersion version = discoveredPeerVersion != null ? discoveredPeerVersion : context.getClientVersion(); - TlsUtils.writeVersion(version, record, 1); - TlsUtils.writeUint16(recordEpoch, record, 3); - TlsUtils.writeUint48(recordSequenceNumber, record, 5); - TlsUtils.writeUint16(ciphertext.length, record, 11); - System.arraycopy(ciphertext, 0, record, RECORD_HEADER_LENGTH, ciphertext.length); - - transport.send(record, 0, record.length); - } - - private static long getMacSequenceNumber(int epoch, long sequence_number) - { - return ((epoch & 0xFFFFFFFFL) << 48) | sequence_number; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSReliableHandshake.java b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSReliableHandshake.java deleted file mode 100644 index 50a5eeac..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSReliableHandshake.java +++ /dev/null @@ -1,453 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.util.Enumeration; -import java.util.Hashtable; -import java.util.Vector; - -import org.bouncycastle.util.Integers; - -class DTLSReliableHandshake -{ - private final static int MAX_RECEIVE_AHEAD = 10; - - private final DTLSRecordLayer recordLayer; - - private TlsHandshakeHash handshakeHash; - - private Hashtable currentInboundFlight = new Hashtable(); - private Hashtable previousInboundFlight = null; - private Vector outboundFlight = new Vector(); - private boolean sending = true; - - private int message_seq = 0, next_receive_seq = 0; - - DTLSReliableHandshake(TlsContext context, DTLSRecordLayer transport) - { - this.recordLayer = transport; - this.handshakeHash = new DeferredHash(); - this.handshakeHash.init(context); - } - - void notifyHelloComplete() - { - this.handshakeHash = handshakeHash.notifyPRFDetermined(); - } - - TlsHandshakeHash getHandshakeHash() - { - return handshakeHash; - } - - TlsHandshakeHash prepareToFinish() - { - TlsHandshakeHash result = handshakeHash; - this.handshakeHash = handshakeHash.stopTracking(); - return result; - } - - void sendMessage(short msg_type, byte[] body) - throws IOException - { - TlsUtils.checkUint24(body.length); - - if (!sending) - { - checkInboundFlight(); - sending = true; - outboundFlight.removeAllElements(); - } - - Message message = new Message(message_seq++, msg_type, body); - - outboundFlight.addElement(message); - - writeMessage(message); - updateHandshakeMessagesDigest(message); - } - - byte[] receiveMessageBody(short msg_type) - throws IOException - { - Message message = receiveMessage(); - if (message.getType() != msg_type) - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - - return message.getBody(); - } - - Message receiveMessage() - throws IOException - { - if (sending) - { - sending = false; - prepareInboundFlight(); - } - - // Check if we already have the next message waiting - { - DTLSReassembler next = (DTLSReassembler)currentInboundFlight.get(Integers.valueOf(next_receive_seq)); - if (next != null) - { - byte[] body = next.getBodyIfComplete(); - if (body != null) - { - previousInboundFlight = null; - return updateHandshakeMessagesDigest(new Message(next_receive_seq++, next.getType(), body)); - } - } - } - - byte[] buf = null; - - // TODO Check the conditions under which we should reset this - int readTimeoutMillis = 1000; - - for (;;) - { - int receiveLimit = recordLayer.getReceiveLimit(); - if (buf == null || buf.length < receiveLimit) - { - buf = new byte[receiveLimit]; - } - - // TODO Handle records containing multiple handshake messages - - try - { - for (; ; ) - { - int received = recordLayer.receive(buf, 0, receiveLimit, readTimeoutMillis); - if (received < 0) - { - break; - } - if (received < 12) - { - continue; - } - int fragment_length = TlsUtils.readUint24(buf, 9); - if (received != (fragment_length + 12)) - { - continue; - } - int seq = TlsUtils.readUint16(buf, 4); - if (seq > (next_receive_seq + MAX_RECEIVE_AHEAD)) - { - continue; - } - short msg_type = TlsUtils.readUint8(buf, 0); - int length = TlsUtils.readUint24(buf, 1); - int fragment_offset = TlsUtils.readUint24(buf, 6); - if (fragment_offset + fragment_length > length) - { - continue; - } - - if (seq < next_receive_seq) - { - /* - * NOTE: If we receive the previous flight of incoming messages in full - * again, retransmit our last flight - */ - if (previousInboundFlight != null) - { - DTLSReassembler reassembler = (DTLSReassembler)previousInboundFlight.get(Integers - .valueOf(seq)); - if (reassembler != null) - { - reassembler.contributeFragment(msg_type, length, buf, 12, fragment_offset, - fragment_length); - - if (checkAll(previousInboundFlight)) - { - resendOutboundFlight(); - - /* - * TODO[DTLS] implementations SHOULD back off handshake packet - * size during the retransmit backoff. - */ - readTimeoutMillis = Math.min(readTimeoutMillis * 2, 60000); - - resetAll(previousInboundFlight); - } - } - } - } - else - { - DTLSReassembler reassembler = (DTLSReassembler)currentInboundFlight.get(Integers.valueOf(seq)); - if (reassembler == null) - { - reassembler = new DTLSReassembler(msg_type, length); - currentInboundFlight.put(Integers.valueOf(seq), reassembler); - } - - reassembler.contributeFragment(msg_type, length, buf, 12, fragment_offset, fragment_length); - - if (seq == next_receive_seq) - { - byte[] body = reassembler.getBodyIfComplete(); - if (body != null) - { - previousInboundFlight = null; - return updateHandshakeMessagesDigest(new Message(next_receive_seq++, - reassembler.getType(), body)); - } - } - } - } - } - catch (IOException e) - { - // NOTE: Assume this is a timeout for the moment - } - - resendOutboundFlight(); - - /* - * TODO[DTLS] implementations SHOULD back off handshake packet size during the - * retransmit backoff. - */ - readTimeoutMillis = Math.min(readTimeoutMillis * 2, 60000); - } - } - - void finish() - { - DTLSHandshakeRetransmit retransmit = null; - if (!sending) - { - checkInboundFlight(); - } - else if (currentInboundFlight != null) - { - /* - * RFC 6347 4.2.4. In addition, for at least twice the default MSL defined for [TCP], - * when in the FINISHED state, the node that transmits the last flight (the server in an - * ordinary handshake or the client in a resumed handshake) MUST respond to a retransmit - * of the peer's last flight with a retransmit of the last flight. - */ - retransmit = new DTLSHandshakeRetransmit() - { - public void receivedHandshakeRecord(int epoch, byte[] buf, int off, int len) - throws IOException - { - /* - * TODO Need to handle the case where the previous inbound flight contains - * messages from two epochs. - */ - if (len < 12) - { - return; - } - int fragment_length = TlsUtils.readUint24(buf, off + 9); - if (len != (fragment_length + 12)) - { - return; - } - int seq = TlsUtils.readUint16(buf, off + 4); - if (seq >= next_receive_seq) - { - return; - } - - short msg_type = TlsUtils.readUint8(buf, off); - - // TODO This is a hack that only works until we try to support renegotiation - int expectedEpoch = msg_type == HandshakeType.finished ? 1 : 0; - if (epoch != expectedEpoch) - { - return; - } - - int length = TlsUtils.readUint24(buf, off + 1); - int fragment_offset = TlsUtils.readUint24(buf, off + 6); - if (fragment_offset + fragment_length > length) - { - return; - } - - DTLSReassembler reassembler = (DTLSReassembler)currentInboundFlight.get(Integers.valueOf(seq)); - if (reassembler != null) - { - reassembler.contributeFragment(msg_type, length, buf, off + 12, fragment_offset, - fragment_length); - if (checkAll(currentInboundFlight)) - { - resendOutboundFlight(); - resetAll(currentInboundFlight); - } - } - } - }; - } - - recordLayer.handshakeSuccessful(retransmit); - } - - void resetHandshakeMessagesDigest() - { - handshakeHash.reset(); - } - - /** - * Check that there are no "extra" messages left in the current inbound flight - */ - private void checkInboundFlight() - { - Enumeration e = currentInboundFlight.keys(); - while (e.hasMoreElements()) - { - Integer key = (Integer)e.nextElement(); - if (key.intValue() >= next_receive_seq) - { - // TODO Should this be considered an error? - } - } - } - - private void prepareInboundFlight() - { - resetAll(currentInboundFlight); - previousInboundFlight = currentInboundFlight; - currentInboundFlight = new Hashtable(); - } - - private void resendOutboundFlight() - throws IOException - { - recordLayer.resetWriteEpoch(); - for (int i = 0; i < outboundFlight.size(); ++i) - { - writeMessage((Message)outboundFlight.elementAt(i)); - } - } - - private Message updateHandshakeMessagesDigest(Message message) - throws IOException - { - if (message.getType() != HandshakeType.hello_request) - { - byte[] body = message.getBody(); - byte[] buf = new byte[12]; - TlsUtils.writeUint8(message.getType(), buf, 0); - TlsUtils.writeUint24(body.length, buf, 1); - TlsUtils.writeUint16(message.getSeq(), buf, 4); - TlsUtils.writeUint24(0, buf, 6); - TlsUtils.writeUint24(body.length, buf, 9); - handshakeHash.update(buf, 0, buf.length); - handshakeHash.update(body, 0, body.length); - } - return message; - } - - private void writeMessage(Message message) - throws IOException - { - int sendLimit = recordLayer.getSendLimit(); - int fragmentLimit = sendLimit - 12; - - // TODO Support a higher minimum fragment size? - if (fragmentLimit < 1) - { - // TODO Should we be throwing an exception here? - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - int length = message.getBody().length; - - // NOTE: Must still send a fragment if body is empty - int fragment_offset = 0; - do - { - int fragment_length = Math.min(length - fragment_offset, fragmentLimit); - writeHandshakeFragment(message, fragment_offset, fragment_length); - fragment_offset += fragment_length; - } - while (fragment_offset < length); - } - - private void writeHandshakeFragment(Message message, int fragment_offset, int fragment_length) - throws IOException - { - RecordLayerBuffer fragment = new RecordLayerBuffer(12 + fragment_length); - TlsUtils.writeUint8(message.getType(), fragment); - TlsUtils.writeUint24(message.getBody().length, fragment); - TlsUtils.writeUint16(message.getSeq(), fragment); - TlsUtils.writeUint24(fragment_offset, fragment); - TlsUtils.writeUint24(fragment_length, fragment); - fragment.write(message.getBody(), fragment_offset, fragment_length); - - fragment.sendToRecordLayer(recordLayer); - } - - private static boolean checkAll(Hashtable inboundFlight) - { - Enumeration e = inboundFlight.elements(); - while (e.hasMoreElements()) - { - if (((DTLSReassembler)e.nextElement()).getBodyIfComplete() == null) - { - return false; - } - } - return true; - } - - private static void resetAll(Hashtable inboundFlight) - { - Enumeration e = inboundFlight.elements(); - while (e.hasMoreElements()) - { - ((DTLSReassembler)e.nextElement()).reset(); - } - } - - static class Message - { - private final int message_seq; - private final short msg_type; - private final byte[] body; - - private Message(int message_seq, short msg_type, byte[] body) - { - this.message_seq = message_seq; - this.msg_type = msg_type; - this.body = body; - } - - public int getSeq() - { - return message_seq; - } - - public short getType() - { - return msg_type; - } - - public byte[] getBody() - { - return body; - } - } - - static class RecordLayerBuffer extends ByteArrayOutputStream - { - RecordLayerBuffer(int size) - { - super(size); - } - - void sendToRecordLayer(DTLSRecordLayer recordLayer) throws IOException - { - recordLayer.send(buf, 0, count); - buf = null; - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSReplayWindow.java b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSReplayWindow.java deleted file mode 100644 index 00bbf147..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSReplayWindow.java +++ /dev/null @@ -1,90 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/** - * RFC 4347 4.1.2.5 Anti-replay - * <p/> - * Support fast rejection of duplicate records by maintaining a sliding receive window - */ -class DTLSReplayWindow -{ - private static final long VALID_SEQ_MASK = 0x0000FFFFFFFFFFFFL; - - private static final long WINDOW_SIZE = 64L; - - private long latestConfirmedSeq = -1; - private long bitmap = 0; - - /** - * Check whether a received record with the given sequence number should be rejected as a duplicate. - * - * @param seq the 48-bit DTLSPlainText.sequence_number field of a received record. - * @return true if the record should be discarded without further processing. - */ - boolean shouldDiscard(long seq) - { - if ((seq & VALID_SEQ_MASK) != seq) - { - return true; - } - - if (seq <= latestConfirmedSeq) - { - long diff = latestConfirmedSeq - seq; - if (diff >= WINDOW_SIZE) - { - return true; - } - if ((bitmap & (1L << diff)) != 0) - { - return true; - } - } - - return false; - } - - /** - * Report that a received record with the given sequence number passed authentication checks. - * - * @param seq the 48-bit DTLSPlainText.sequence_number field of an authenticated record. - */ - void reportAuthenticated(long seq) - { - if ((seq & VALID_SEQ_MASK) != seq) - { - throw new IllegalArgumentException("'seq' out of range"); - } - - if (seq <= latestConfirmedSeq) - { - long diff = latestConfirmedSeq - seq; - if (diff < WINDOW_SIZE) - { - bitmap |= (1L << diff); - } - } - else - { - long diff = seq - latestConfirmedSeq; - if (diff >= WINDOW_SIZE) - { - bitmap = 1; - } - else - { - bitmap <<= (int)diff; // for earlier JDKs - bitmap |= 1; - } - latestConfirmedSeq = seq; - } - } - - /** - * When a new epoch begins, sequence numbers begin again at 0 - */ - void reset() - { - latestConfirmedSeq = -1; - bitmap = 0; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java deleted file mode 100644 index 5f86eff5..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java +++ /dev/null @@ -1,667 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.ByteArrayInputStream; -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.security.SecureRandom; -import java.util.Hashtable; -import java.util.Vector; - -import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.util.PublicKeyFactory; -import org.bouncycastle.util.Arrays; - -public class DTLSServerProtocol - extends DTLSProtocol -{ - protected boolean verifyRequests = true; - - public DTLSServerProtocol(SecureRandom secureRandom) - { - super(secureRandom); - } - - public boolean getVerifyRequests() - { - return verifyRequests; - } - - public void setVerifyRequests(boolean verifyRequests) - { - this.verifyRequests = verifyRequests; - } - - public DTLSTransport accept(TlsServer server, DatagramTransport transport) - throws IOException - { - if (server == null) - { - throw new IllegalArgumentException("'server' cannot be null"); - } - if (transport == null) - { - throw new IllegalArgumentException("'transport' cannot be null"); - } - - SecurityParameters securityParameters = new SecurityParameters(); - securityParameters.entity = ConnectionEnd.server; - - ServerHandshakeState state = new ServerHandshakeState(); - state.server = server; - state.serverContext = new TlsServerContextImpl(secureRandom, securityParameters); - - securityParameters.serverRandom = TlsProtocol.createRandomBlock(server.shouldUseGMTUnixTime(), - state.serverContext.getNonceRandomGenerator()); - - server.init(state.serverContext); - - DTLSRecordLayer recordLayer = new DTLSRecordLayer(transport, state.serverContext, server, ContentType.handshake); - - // TODO Need to handle sending of HelloVerifyRequest without entering a full connection - - try - { - return serverHandshake(state, recordLayer); - } - catch (TlsFatalAlert fatalAlert) - { - recordLayer.fail(fatalAlert.getAlertDescription()); - throw fatalAlert; - } - catch (IOException e) - { - recordLayer.fail(AlertDescription.internal_error); - throw e; - } - catch (RuntimeException e) - { - recordLayer.fail(AlertDescription.internal_error); - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - protected DTLSTransport serverHandshake(ServerHandshakeState state, DTLSRecordLayer recordLayer) - throws IOException - { - SecurityParameters securityParameters = state.serverContext.getSecurityParameters(); - DTLSReliableHandshake handshake = new DTLSReliableHandshake(state.serverContext, recordLayer); - - DTLSReliableHandshake.Message clientMessage = handshake.receiveMessage(); - - { - // NOTE: After receiving a record from the client, we discover the record layer version - ProtocolVersion client_version = recordLayer.getDiscoveredPeerVersion(); - // TODO Read RFCs for guidance on the expected record layer version number - state.serverContext.setClientVersion(client_version); - } - - if (clientMessage.getType() == HandshakeType.client_hello) - { - processClientHello(state, clientMessage.getBody()); - } - else - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - - { - byte[] serverHelloBody = generateServerHello(state); - - if (state.maxFragmentLength >= 0) - { - int plainTextLimit = 1 << (8 + state.maxFragmentLength); - recordLayer.setPlaintextLimit(plainTextLimit); - } - - securityParameters.cipherSuite = state.selectedCipherSuite; - securityParameters.compressionAlgorithm = state.selectedCompressionMethod; - securityParameters.prfAlgorithm = TlsProtocol.getPRFAlgorithm(state.serverContext, - state.selectedCipherSuite); - - /* - * RFC 5264 7.4.9. Any cipher suite which does not explicitly specify verify_data_length - * has a verify_data_length equal to 12. This includes all existing cipher suites. - */ - securityParameters.verifyDataLength = 12; - - handshake.sendMessage(HandshakeType.server_hello, serverHelloBody); - } - - handshake.notifyHelloComplete(); - - Vector serverSupplementalData = state.server.getServerSupplementalData(); - if (serverSupplementalData != null) - { - byte[] supplementalDataBody = generateSupplementalData(serverSupplementalData); - handshake.sendMessage(HandshakeType.supplemental_data, supplementalDataBody); - } - - state.keyExchange = state.server.getKeyExchange(); - state.keyExchange.init(state.serverContext); - - state.serverCredentials = state.server.getCredentials(); - - Certificate serverCertificate = null; - - if (state.serverCredentials == null) - { - state.keyExchange.skipServerCredentials(); - } - else - { - state.keyExchange.processServerCredentials(state.serverCredentials); - - serverCertificate = state.serverCredentials.getCertificate(); - byte[] certificateBody = generateCertificate(serverCertificate); - handshake.sendMessage(HandshakeType.certificate, certificateBody); - } - - // TODO[RFC 3546] Check whether empty certificates is possible, allowed, or excludes CertificateStatus - if (serverCertificate == null || serverCertificate.isEmpty()) - { - state.allowCertificateStatus = false; - } - - if (state.allowCertificateStatus) - { - CertificateStatus certificateStatus = state.server.getCertificateStatus(); - if (certificateStatus != null) - { - byte[] certificateStatusBody = generateCertificateStatus(state, certificateStatus); - handshake.sendMessage(HandshakeType.certificate_status, certificateStatusBody); - } - } - - byte[] serverKeyExchange = state.keyExchange.generateServerKeyExchange(); - if (serverKeyExchange != null) - { - handshake.sendMessage(HandshakeType.server_key_exchange, serverKeyExchange); - } - - if (state.serverCredentials != null) - { - state.certificateRequest = state.server.getCertificateRequest(); - if (state.certificateRequest != null) - { - state.keyExchange.validateCertificateRequest(state.certificateRequest); - - byte[] certificateRequestBody = generateCertificateRequest(state, state.certificateRequest); - handshake.sendMessage(HandshakeType.certificate_request, certificateRequestBody); - - TlsUtils.trackHashAlgorithms(handshake.getHandshakeHash(), - state.certificateRequest.getSupportedSignatureAlgorithms()); - } - } - - handshake.sendMessage(HandshakeType.server_hello_done, TlsUtils.EMPTY_BYTES); - - handshake.getHandshakeHash().sealHashAlgorithms(); - - clientMessage = handshake.receiveMessage(); - - if (clientMessage.getType() == HandshakeType.supplemental_data) - { - processClientSupplementalData(state, clientMessage.getBody()); - clientMessage = handshake.receiveMessage(); - } - else - { - state.server.processClientSupplementalData(null); - } - - if (state.certificateRequest == null) - { - state.keyExchange.skipClientCredentials(); - } - else - { - if (clientMessage.getType() == HandshakeType.certificate) - { - processClientCertificate(state, clientMessage.getBody()); - clientMessage = handshake.receiveMessage(); - } - else - { - if (TlsUtils.isTLSv12(state.serverContext)) - { - /* - * RFC 5246 If no suitable certificate is available, the client MUST send a - * certificate message containing no certificates. - * - * NOTE: In previous RFCs, this was SHOULD instead of MUST. - */ - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - - notifyClientCertificate(state, Certificate.EMPTY_CHAIN); - } - } - - if (clientMessage.getType() == HandshakeType.client_key_exchange) - { - processClientKeyExchange(state, clientMessage.getBody()); - } - else - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - - TlsProtocol.establishMasterSecret(state.serverContext, state.keyExchange); - recordLayer.initPendingEpoch(state.server.getCipher()); - - TlsHandshakeHash prepareFinishHash = handshake.prepareToFinish(); - - /* - * RFC 5246 7.4.8 This message is only sent following a client certificate that has signing - * capability (i.e., all certificates except those containing fixed Diffie-Hellman - * parameters). - */ - if (expectCertificateVerifyMessage(state)) - { - byte[] certificateVerifyBody = handshake.receiveMessageBody(HandshakeType.certificate_verify); - processCertificateVerify(state, certificateVerifyBody, prepareFinishHash); - } - - // NOTE: Calculated exclusive of the actual Finished message from the client - byte[] expectedClientVerifyData = TlsUtils.calculateVerifyData(state.serverContext, ExporterLabel.client_finished, - TlsProtocol.getCurrentPRFHash(state.serverContext, handshake.getHandshakeHash(), null)); - processFinished(handshake.receiveMessageBody(HandshakeType.finished), expectedClientVerifyData); - - if (state.expectSessionTicket) - { - NewSessionTicket newSessionTicket = state.server.getNewSessionTicket(); - byte[] newSessionTicketBody = generateNewSessionTicket(state, newSessionTicket); - handshake.sendMessage(HandshakeType.session_ticket, newSessionTicketBody); - } - - // NOTE: Calculated exclusive of the Finished message itself - byte[] serverVerifyData = TlsUtils.calculateVerifyData(state.serverContext, ExporterLabel.server_finished, - TlsProtocol.getCurrentPRFHash(state.serverContext, handshake.getHandshakeHash(), null)); - handshake.sendMessage(HandshakeType.finished, serverVerifyData); - - handshake.finish(); - - state.server.notifyHandshakeComplete(); - - return new DTLSTransport(recordLayer); - } - - protected byte[] generateCertificateRequest(ServerHandshakeState state, CertificateRequest certificateRequest) - throws IOException - { - ByteArrayOutputStream buf = new ByteArrayOutputStream(); - certificateRequest.encode(buf); - return buf.toByteArray(); - } - - protected byte[] generateCertificateStatus(ServerHandshakeState state, CertificateStatus certificateStatus) - throws IOException - { - ByteArrayOutputStream buf = new ByteArrayOutputStream(); - certificateStatus.encode(buf); - return buf.toByteArray(); - } - - protected byte[] generateNewSessionTicket(ServerHandshakeState state, NewSessionTicket newSessionTicket) - throws IOException - { - ByteArrayOutputStream buf = new ByteArrayOutputStream(); - newSessionTicket.encode(buf); - return buf.toByteArray(); - } - - protected byte[] generateServerHello(ServerHandshakeState state) - throws IOException - { - SecurityParameters securityParameters = state.serverContext.getSecurityParameters(); - - ByteArrayOutputStream buf = new ByteArrayOutputStream(); - - ProtocolVersion server_version = state.server.getServerVersion(); - if (!server_version.isEqualOrEarlierVersionOf(state.serverContext.getClientVersion())) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - // TODO Read RFCs for guidance on the expected record layer version number - // recordStream.setReadVersion(server_version); - // recordStream.setWriteVersion(server_version); - // recordStream.setRestrictReadVersion(true); - state.serverContext.setServerVersion(server_version); - - TlsUtils.writeVersion(state.serverContext.getServerVersion(), buf); - - buf.write(securityParameters.getServerRandom()); - - /* - * The server may return an empty session_id to indicate that the session will not be cached - * and therefore cannot be resumed. - */ - TlsUtils.writeOpaque8(TlsUtils.EMPTY_BYTES, buf); - - state.selectedCipherSuite = state.server.getSelectedCipherSuite(); - if (!Arrays.contains(state.offeredCipherSuites, state.selectedCipherSuite) - || state.selectedCipherSuite == CipherSuite.TLS_NULL_WITH_NULL_NULL - || state.selectedCipherSuite == CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV - || !TlsUtils.isValidCipherSuiteForVersion(state.selectedCipherSuite, server_version)) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - validateSelectedCipherSuite(state.selectedCipherSuite, AlertDescription.internal_error); - - state.selectedCompressionMethod = state.server.getSelectedCompressionMethod(); - if (!Arrays.contains(state.offeredCompressionMethods, state.selectedCompressionMethod)) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - TlsUtils.writeUint16(state.selectedCipherSuite, buf); - TlsUtils.writeUint8(state.selectedCompressionMethod, buf); - - state.serverExtensions = state.server.getServerExtensions(); - - /* - * RFC 5746 3.6. Server Behavior: Initial Handshake - */ - if (state.secure_renegotiation) - { - byte[] renegExtData = TlsUtils.getExtensionData(state.serverExtensions, TlsProtocol.EXT_RenegotiationInfo); - boolean noRenegExt = (null == renegExtData); - - if (noRenegExt) - { - /* - * Note that sending a "renegotiation_info" extension in response to a ClientHello - * containing only the SCSV is an explicit exception to the prohibition in RFC 5246, - * Section 7.4.1.4, on the server sending unsolicited extensions and is only allowed - * because the client is signaling its willingness to receive the extension via the - * TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. - */ - - /* - * If the secure_renegotiation flag is set to TRUE, the server MUST include an empty - * "renegotiation_info" extension in the ServerHello message. - */ - state.serverExtensions = TlsExtensionsUtils.ensureExtensionsInitialised(state.serverExtensions); - state.serverExtensions.put(TlsProtocol.EXT_RenegotiationInfo, - TlsProtocol.createRenegotiationInfo(TlsUtils.EMPTY_BYTES)); - } - } - - if (state.serverExtensions != null) - { - securityParameters.encryptThenMAC = TlsExtensionsUtils.hasEncryptThenMACExtension(state.serverExtensions); - - state.maxFragmentLength = evaluateMaxFragmentLengthExtension(state.clientExtensions, state.serverExtensions, - AlertDescription.internal_error); - - securityParameters.truncatedHMac = TlsExtensionsUtils.hasTruncatedHMacExtension(state.serverExtensions); - - state.allowCertificateStatus = TlsUtils.hasExpectedEmptyExtensionData(state.serverExtensions, - TlsExtensionsUtils.EXT_status_request, AlertDescription.internal_error); - - state.expectSessionTicket = TlsUtils.hasExpectedEmptyExtensionData(state.serverExtensions, - TlsProtocol.EXT_SessionTicket, AlertDescription.internal_error); - - TlsProtocol.writeExtensions(buf, state.serverExtensions); - } - - return buf.toByteArray(); - } - - protected void notifyClientCertificate(ServerHandshakeState state, Certificate clientCertificate) - throws IOException - { - if (state.certificateRequest == null) - { - throw new IllegalStateException(); - } - - if (state.clientCertificate != null) - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - - state.clientCertificate = clientCertificate; - - if (clientCertificate.isEmpty()) - { - state.keyExchange.skipClientCredentials(); - } - else - { - - /* - * TODO RFC 5246 7.4.6. If the certificate_authorities list in the certificate request - * message was non-empty, one of the certificates in the certificate chain SHOULD be - * issued by one of the listed CAs. - */ - - state.clientCertificateType = TlsUtils.getClientCertificateType(clientCertificate, - state.serverCredentials.getCertificate()); - - state.keyExchange.processClientCertificate(clientCertificate); - } - - /* - * RFC 5246 7.4.6. If the client does not send any certificates, the server MAY at its - * discretion either continue the handshake without client authentication, or respond with a - * fatal handshake_failure alert. Also, if some aspect of the certificate chain was - * unacceptable (e.g., it was not signed by a known, trusted CA), the server MAY at its - * discretion either continue the handshake (considering the client unauthenticated) or send - * a fatal alert. - */ - state.server.notifyClientCertificate(clientCertificate); - } - - protected void processClientCertificate(ServerHandshakeState state, byte[] body) - throws IOException - { - ByteArrayInputStream buf = new ByteArrayInputStream(body); - - Certificate clientCertificate = Certificate.parse(buf); - - TlsProtocol.assertEmpty(buf); - - notifyClientCertificate(state, clientCertificate); - } - - protected void processCertificateVerify(ServerHandshakeState state, byte[] body, TlsHandshakeHash prepareFinishHash) - throws IOException - { - ByteArrayInputStream buf = new ByteArrayInputStream(body); - - DigitallySigned clientCertificateVerify = DigitallySigned.parse(state.serverContext, buf); - - TlsProtocol.assertEmpty(buf); - - // Verify the CertificateVerify message contains a correct signature. - boolean verified = false; - try - { - byte[] certificateVerifyHash; - if (TlsUtils.isTLSv12(state.serverContext)) - { - certificateVerifyHash = prepareFinishHash.getFinalHash(clientCertificateVerify.getAlgorithm().getHash()); - } - else - { - certificateVerifyHash = TlsProtocol.getCurrentPRFHash(state.serverContext, prepareFinishHash, null); - } - - org.bouncycastle.asn1.x509.Certificate x509Cert = state.clientCertificate.getCertificateAt(0); - SubjectPublicKeyInfo keyInfo = x509Cert.getSubjectPublicKeyInfo(); - AsymmetricKeyParameter publicKey = PublicKeyFactory.createKey(keyInfo); - - TlsSigner tlsSigner = TlsUtils.createTlsSigner(state.clientCertificateType); - tlsSigner.init(state.serverContext); - verified = tlsSigner.verifyRawSignature(clientCertificateVerify.getAlgorithm(), - clientCertificateVerify.getSignature(), publicKey, certificateVerifyHash); - } - catch (Exception e) - { - } - - if (!verified) - { - throw new TlsFatalAlert(AlertDescription.decrypt_error); - } - } - - protected void processClientHello(ServerHandshakeState state, byte[] body) - throws IOException - { - ByteArrayInputStream buf = new ByteArrayInputStream(body); - - // TODO Read RFCs for guidance on the expected record layer version number - ProtocolVersion client_version = TlsUtils.readVersion(buf); - if (!client_version.isDTLS()) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - /* - * Read the client random - */ - byte[] client_random = TlsUtils.readFully(32, buf); - - byte[] sessionID = TlsUtils.readOpaque8(buf); - if (sessionID.length > 32) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - // TODO RFC 4347 has the cookie length restricted to 32, but not in RFC 6347 - byte[] cookie = TlsUtils.readOpaque8(buf); - - int cipher_suites_length = TlsUtils.readUint16(buf); - if (cipher_suites_length < 2 || (cipher_suites_length & 1) != 0) - { - throw new TlsFatalAlert(AlertDescription.decode_error); - } - - /* - * NOTE: "If the session_id field is not empty (implying a session resumption request) this - * vector must include at least the cipher_suite from that session." - */ - state.offeredCipherSuites = TlsUtils.readUint16Array(cipher_suites_length / 2, buf); - - int compression_methods_length = TlsUtils.readUint8(buf); - if (compression_methods_length < 1) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - state.offeredCompressionMethods = TlsUtils.readUint8Array(compression_methods_length, buf); - - /* - * TODO RFC 3546 2.3 If [...] the older session is resumed, then the server MUST ignore - * extensions appearing in the client hello, and send a server hello containing no - * extensions. - */ - state.clientExtensions = TlsProtocol.readExtensions(buf); - - state.serverContext.setClientVersion(client_version); - - state.server.notifyClientVersion(client_version); - - state.serverContext.getSecurityParameters().clientRandom = client_random; - - state.server.notifyOfferedCipherSuites(state.offeredCipherSuites); - state.server.notifyOfferedCompressionMethods(state.offeredCompressionMethods); - - /* - * RFC 5746 3.6. Server Behavior: Initial Handshake - */ - { - /* - * RFC 5746 3.4. The client MUST include either an empty "renegotiation_info" extension, - * or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite value in the - * ClientHello. Including both is NOT RECOMMENDED. - */ - - /* - * When a ClientHello is received, the server MUST check if it includes the - * TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. If it does, set the secure_renegotiation flag - * to TRUE. - */ - if (Arrays.contains(state.offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) - { - state.secure_renegotiation = true; - } - - /* - * The server MUST check if the "renegotiation_info" extension is included in the - * ClientHello. - */ - byte[] renegExtData = TlsUtils.getExtensionData(state.clientExtensions, TlsProtocol.EXT_RenegotiationInfo); - if (renegExtData != null) - { - /* - * If the extension is present, set secure_renegotiation flag to TRUE. The - * server MUST then verify that the length of the "renegotiated_connection" - * field is zero, and if it is not, MUST abort the handshake. - */ - state.secure_renegotiation = true; - - if (!Arrays.constantTimeAreEqual(renegExtData, TlsProtocol.createRenegotiationInfo(TlsUtils.EMPTY_BYTES))) - { - throw new TlsFatalAlert(AlertDescription.handshake_failure); - } - } - } - - state.server.notifySecureRenegotiation(state.secure_renegotiation); - - if (state.clientExtensions != null) - { - state.server.processClientExtensions(state.clientExtensions); - } - } - - protected void processClientKeyExchange(ServerHandshakeState state, byte[] body) - throws IOException - { - ByteArrayInputStream buf = new ByteArrayInputStream(body); - - state.keyExchange.processClientKeyExchange(buf); - - TlsProtocol.assertEmpty(buf); - } - - protected void processClientSupplementalData(ServerHandshakeState state, byte[] body) - throws IOException - { - ByteArrayInputStream buf = new ByteArrayInputStream(body); - Vector clientSupplementalData = TlsProtocol.readSupplementalDataMessage(buf); - state.server.processClientSupplementalData(clientSupplementalData); - } - - protected boolean expectCertificateVerifyMessage(ServerHandshakeState state) - { - return state.clientCertificateType >= 0 && TlsUtils.hasSigningCapability(state.clientCertificateType); - } - - protected static class ServerHandshakeState - { - TlsServer server = null; - TlsServerContextImpl serverContext = null; - int[] offeredCipherSuites; - short[] offeredCompressionMethods; - Hashtable clientExtensions; - int selectedCipherSuite = -1; - short selectedCompressionMethod = -1; - boolean secure_renegotiation = false; - short maxFragmentLength = -1; - boolean allowCertificateStatus = false; - boolean expectSessionTicket = false; - Hashtable serverExtensions = null; - TlsKeyExchange keyExchange = null; - TlsCredentials serverCredentials = null; - CertificateRequest certificateRequest = null; - short clientCertificateType = -1; - Certificate clientCertificate = null; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSTransport.java b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSTransport.java deleted file mode 100644 index 45c2d30d..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSTransport.java +++ /dev/null @@ -1,80 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -public class DTLSTransport - implements DatagramTransport -{ - private final DTLSRecordLayer recordLayer; - - DTLSTransport(DTLSRecordLayer recordLayer) - { - this.recordLayer = recordLayer; - } - - public int getReceiveLimit() - throws IOException - { - return recordLayer.getReceiveLimit(); - } - - public int getSendLimit() - throws IOException - { - return recordLayer.getSendLimit(); - } - - public int receive(byte[] buf, int off, int len, int waitMillis) - throws IOException - { - try - { - return recordLayer.receive(buf, off, len, waitMillis); - } - catch (TlsFatalAlert fatalAlert) - { - recordLayer.fail(fatalAlert.getAlertDescription()); - throw fatalAlert; - } - catch (IOException e) - { - recordLayer.fail(AlertDescription.internal_error); - throw e; - } - catch (RuntimeException e) - { - recordLayer.fail(AlertDescription.internal_error); - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - public void send(byte[] buf, int off, int len) - throws IOException - { - try - { - recordLayer.send(buf, off, len); - } - catch (TlsFatalAlert fatalAlert) - { - recordLayer.fail(fatalAlert.getAlertDescription()); - throw fatalAlert; - } - catch (IOException e) - { - recordLayer.fail(AlertDescription.internal_error); - throw e; - } - catch (RuntimeException e) - { - recordLayer.fail(AlertDescription.internal_error); - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - public void close() - throws IOException - { - recordLayer.close(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DatagramTransport.java b/core/src/main/java/org/bouncycastle/crypto/tls/DatagramTransport.java deleted file mode 100644 index 14972146..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/DatagramTransport.java +++ /dev/null @@ -1,21 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -public interface DatagramTransport -{ - int getReceiveLimit() - throws IOException; - - int getSendLimit() - throws IOException; - - int receive(byte[] buf, int off, int len, int waitMillis) - throws IOException; - - void send(byte[] buf, int off, int len) - throws IOException; - - void close() - throws IOException; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DefaultTlsAgreementCredentials.java b/core/src/main/java/org/bouncycastle/crypto/tls/DefaultTlsAgreementCredentials.java deleted file mode 100644 index 78afb418..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/DefaultTlsAgreementCredentials.java +++ /dev/null @@ -1,78 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.math.BigInteger; - -import org.bouncycastle.crypto.BasicAgreement; -import org.bouncycastle.crypto.agreement.DHBasicAgreement; -import org.bouncycastle.crypto.agreement.ECDHBasicAgreement; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.params.DHPrivateKeyParameters; -import org.bouncycastle.crypto.params.ECPrivateKeyParameters; -import org.bouncycastle.util.BigIntegers; - -public class DefaultTlsAgreementCredentials - extends AbstractTlsAgreementCredentials -{ - protected Certificate certificate; - protected AsymmetricKeyParameter privateKey; - - protected BasicAgreement basicAgreement; - protected boolean truncateAgreement; - - public DefaultTlsAgreementCredentials(Certificate certificate, AsymmetricKeyParameter privateKey) - { - if (certificate == null) - { - throw new IllegalArgumentException("'certificate' cannot be null"); - } - if (certificate.isEmpty()) - { - throw new IllegalArgumentException("'certificate' cannot be empty"); - } - if (privateKey == null) - { - throw new IllegalArgumentException("'privateKey' cannot be null"); - } - if (!privateKey.isPrivate()) - { - throw new IllegalArgumentException("'privateKey' must be private"); - } - - if (privateKey instanceof DHPrivateKeyParameters) - { - basicAgreement = new DHBasicAgreement(); - truncateAgreement = true; - } - else if (privateKey instanceof ECPrivateKeyParameters) - { - basicAgreement = new ECDHBasicAgreement(); - truncateAgreement = false; - } - else - { - throw new IllegalArgumentException("'privateKey' type not supported: " - + privateKey.getClass().getName()); - } - - this.certificate = certificate; - this.privateKey = privateKey; - } - - public Certificate getCertificate() - { - return certificate; - } - - public byte[] generateAgreement(AsymmetricKeyParameter peerPublicKey) - { - basicAgreement.init(privateKey); - BigInteger agreementValue = basicAgreement.calculateAgreement(peerPublicKey); - - if (truncateAgreement) - { - return BigIntegers.asUnsignedByteArray(agreementValue); - } - - return BigIntegers.asUnsignedByteArray(basicAgreement.getFieldSize(), agreementValue); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DefaultTlsCipherFactory.java b/core/src/main/java/org/bouncycastle/crypto/tls/DefaultTlsCipherFactory.java deleted file mode 100644 index 92caeb50..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/DefaultTlsCipherFactory.java +++ /dev/null @@ -1,237 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.StreamCipher; -import org.bouncycastle.crypto.digests.MD5Digest; -import org.bouncycastle.crypto.digests.SHA1Digest; -import org.bouncycastle.crypto.digests.SHA256Digest; -import org.bouncycastle.crypto.digests.SHA384Digest; -import org.bouncycastle.crypto.digests.SHA512Digest; -import org.bouncycastle.crypto.engines.AESEngine; -import org.bouncycastle.crypto.engines.CamelliaEngine; -import org.bouncycastle.crypto.engines.DESedeEngine; -import org.bouncycastle.crypto.engines.RC4Engine; -import org.bouncycastle.crypto.engines.SEEDEngine; -import org.bouncycastle.crypto.engines.Salsa20Engine; -import org.bouncycastle.crypto.modes.AEADBlockCipher; -import org.bouncycastle.crypto.modes.CBCBlockCipher; -import org.bouncycastle.crypto.modes.CCMBlockCipher; -import org.bouncycastle.crypto.modes.GCMBlockCipher; - -public class DefaultTlsCipherFactory - extends AbstractTlsCipherFactory -{ - public TlsCipher createCipher(TlsContext context, int encryptionAlgorithm, int macAlgorithm) - throws IOException - { - switch (encryptionAlgorithm) - { - case EncryptionAlgorithm._3DES_EDE_CBC: - return createDESedeCipher(context, macAlgorithm); - case EncryptionAlgorithm.AEAD_CHACHA20_POLY1305: - // NOTE: Ignores macAlgorithm - return createChaCha20Poly1305(context); - case EncryptionAlgorithm.AES_128_CBC: - return createAESCipher(context, 16, macAlgorithm); - case EncryptionAlgorithm.AES_128_CCM: - // NOTE: Ignores macAlgorithm - return createCipher_AES_CCM(context, 16, 16); - case EncryptionAlgorithm.AES_128_CCM_8: - // NOTE: Ignores macAlgorithm - return createCipher_AES_CCM(context, 16, 8); - case EncryptionAlgorithm.AES_256_CCM: - // NOTE: Ignores macAlgorithm - return createCipher_AES_CCM(context, 32, 16); - case EncryptionAlgorithm.AES_256_CCM_8: - // NOTE: Ignores macAlgorithm - return createCipher_AES_CCM(context, 32, 8); - case EncryptionAlgorithm.AES_128_GCM: - // NOTE: Ignores macAlgorithm - return createCipher_AES_GCM(context, 16, 16); - case EncryptionAlgorithm.AES_256_CBC: - return createAESCipher(context, 32, macAlgorithm); - case EncryptionAlgorithm.AES_256_GCM: - // NOTE: Ignores macAlgorithm - return createCipher_AES_GCM(context, 32, 16); - case EncryptionAlgorithm.CAMELLIA_128_CBC: - return createCamelliaCipher(context, 16, macAlgorithm); - case EncryptionAlgorithm.CAMELLIA_128_GCM: - // NOTE: Ignores macAlgorithm - return createCipher_Camellia_GCM(context, 16, 16); - case EncryptionAlgorithm.CAMELLIA_256_CBC: - return createCamelliaCipher(context, 32, macAlgorithm); - case EncryptionAlgorithm.CAMELLIA_256_GCM: - // NOTE: Ignores macAlgorithm - return createCipher_Camellia_GCM(context, 32, 16); - case EncryptionAlgorithm.ESTREAM_SALSA20: - return createSalsa20Cipher(context, 12, 32, macAlgorithm); - case EncryptionAlgorithm.NULL: - return createNullCipher(context, macAlgorithm); - case EncryptionAlgorithm.RC4_128: - return createRC4Cipher(context, 16, macAlgorithm); - case EncryptionAlgorithm.SALSA20: - return createSalsa20Cipher(context, 20, 32, macAlgorithm); - case EncryptionAlgorithm.SEED_CBC: - return createSEEDCipher(context, macAlgorithm); - default: - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - protected TlsBlockCipher createAESCipher(TlsContext context, int cipherKeySize, int macAlgorithm) - throws IOException - { - return new TlsBlockCipher(context, createAESBlockCipher(), createAESBlockCipher(), - createHMACDigest(macAlgorithm), createHMACDigest(macAlgorithm), cipherKeySize); - } - - protected TlsBlockCipher createCamelliaCipher(TlsContext context, int cipherKeySize, int macAlgorithm) - throws IOException - { - return new TlsBlockCipher(context, createCamelliaBlockCipher(), - createCamelliaBlockCipher(), createHMACDigest(macAlgorithm), - createHMACDigest(macAlgorithm), cipherKeySize); - } - - protected TlsCipher createChaCha20Poly1305(TlsContext context) throws IOException - { - return new Chacha20Poly1305(context); - } - - protected TlsAEADCipher createCipher_AES_CCM(TlsContext context, int cipherKeySize, int macSize) - throws IOException - { - return new TlsAEADCipher(context, createAEADBlockCipher_AES_CCM(), - createAEADBlockCipher_AES_CCM(), cipherKeySize, macSize); - } - - protected TlsAEADCipher createCipher_AES_GCM(TlsContext context, int cipherKeySize, int macSize) - throws IOException - { - return new TlsAEADCipher(context, createAEADBlockCipher_AES_GCM(), - createAEADBlockCipher_AES_GCM(), cipherKeySize, macSize); - } - - protected TlsAEADCipher createCipher_Camellia_GCM(TlsContext context, int cipherKeySize, int macSize) - throws IOException - { - return new TlsAEADCipher(context, createAEADBlockCipher_Camellia_GCM(), - createAEADBlockCipher_Camellia_GCM(), cipherKeySize, macSize); - } - - protected TlsBlockCipher createDESedeCipher(TlsContext context, int macAlgorithm) - throws IOException - { - return new TlsBlockCipher(context, createDESedeBlockCipher(), createDESedeBlockCipher(), - createHMACDigest(macAlgorithm), createHMACDigest(macAlgorithm), 24); - } - - protected TlsNullCipher createNullCipher(TlsContext context, int macAlgorithm) - throws IOException - { - return new TlsNullCipher(context, createHMACDigest(macAlgorithm), - createHMACDigest(macAlgorithm)); - } - - protected TlsStreamCipher createRC4Cipher(TlsContext context, int cipherKeySize, int macAlgorithm) - throws IOException - { - return new TlsStreamCipher(context, createRC4StreamCipher(), createRC4StreamCipher(), - createHMACDigest(macAlgorithm), createHMACDigest(macAlgorithm), cipherKeySize, false); - } - - protected TlsStreamCipher createSalsa20Cipher(TlsContext context, int rounds, int cipherKeySize, int macAlgorithm) - throws IOException - { - return new TlsStreamCipher(context, createSalsa20StreamCipher(rounds), createSalsa20StreamCipher(rounds), - createHMACDigest(macAlgorithm), createHMACDigest(macAlgorithm), cipherKeySize, true); - } - - protected TlsBlockCipher createSEEDCipher(TlsContext context, int macAlgorithm) - throws IOException - { - return new TlsBlockCipher(context, createSEEDBlockCipher(), createSEEDBlockCipher(), - createHMACDigest(macAlgorithm), createHMACDigest(macAlgorithm), 16); - } - - protected BlockCipher createAESEngine() - { - return new AESEngine(); - } - - protected BlockCipher createCamelliaEngine() - { - return new CamelliaEngine(); - } - - protected BlockCipher createAESBlockCipher() - { - return new CBCBlockCipher(createAESEngine()); - } - - protected AEADBlockCipher createAEADBlockCipher_AES_CCM() - { - return new CCMBlockCipher(createAESEngine()); - } - - protected AEADBlockCipher createAEADBlockCipher_AES_GCM() - { - // TODO Consider allowing custom configuration of multiplier - return new GCMBlockCipher(createAESEngine()); - } - - protected AEADBlockCipher createAEADBlockCipher_Camellia_GCM() - { - // TODO Consider allowing custom configuration of multiplier - return new GCMBlockCipher(createCamelliaEngine()); - } - - protected BlockCipher createCamelliaBlockCipher() - { - return new CBCBlockCipher(createCamelliaEngine()); - } - - protected BlockCipher createDESedeBlockCipher() - { - return new CBCBlockCipher(new DESedeEngine()); - } - - protected StreamCipher createRC4StreamCipher() - { - return new RC4Engine(); - } - - protected StreamCipher createSalsa20StreamCipher(int rounds) - { - return new Salsa20Engine(rounds); - } - - protected BlockCipher createSEEDBlockCipher() - { - return new CBCBlockCipher(new SEEDEngine()); - } - - protected Digest createHMACDigest(int macAlgorithm) throws IOException - { - switch (macAlgorithm) - { - case MACAlgorithm._null: - return null; - case MACAlgorithm.hmac_md5: - return TlsUtils.createHash(HashAlgorithm.md5); - case MACAlgorithm.hmac_sha1: - return TlsUtils.createHash(HashAlgorithm.sha1); - case MACAlgorithm.hmac_sha256: - return TlsUtils.createHash(HashAlgorithm.sha256); - case MACAlgorithm.hmac_sha384: - return TlsUtils.createHash(HashAlgorithm.sha384); - case MACAlgorithm.hmac_sha512: - return TlsUtils.createHash(HashAlgorithm.sha512); - default: - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DefaultTlsClient.java b/core/src/main/java/org/bouncycastle/crypto/tls/DefaultTlsClient.java deleted file mode 100644 index 8f5b900e..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/DefaultTlsClient.java +++ /dev/null @@ -1,453 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -public abstract class DefaultTlsClient - extends AbstractTlsClient -{ - public DefaultTlsClient() - { - super(); - } - - public DefaultTlsClient(TlsCipherFactory cipherFactory) - { - super(cipherFactory); - } - - public int[] getCipherSuites() - { - return new int[] - { - CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, - CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, - CipherSuite.TLS_RSA_WITH_AES_128_GCM_SHA256, - CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256, - CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA, - }; - } - - public TlsKeyExchange getKeyExchange() - throws IOException - { - switch (selectedCipherSuite) - { - case CipherSuite.TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_DH_DSS_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_DH_DSS_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DH_DSS_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DH_DSS_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_DH_DSS_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_DH_DSS_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA: - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA: - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DH_DSS_WITH_SEED_CBC_SHA: - return createDHKeyExchange(KeyExchangeAlgorithm.DH_DSS); - - case CipherSuite.TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DH_RSA_WITH_SEED_CBC_SHA: - return createDHKeyExchange(KeyExchangeAlgorithm.DH_RSA); - - case CipherSuite.TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DHE_DSS_WITH_SEED_CBC_SHA: - return createDHEKeyExchange(KeyExchangeAlgorithm.DHE_DSS); - - case CipherSuite.TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM_8: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM_8: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_DHE_RSA_WITH_SALSA20_SHA1: - case CipherSuite.TLS_DHE_RSA_WITH_SEED_CBC_SHA: - return createDHEKeyExchange(KeyExchangeAlgorithm.DHE_RSA); - - case CipherSuite.TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_ECDSA_WITH_NULL_SHA: - case CipherSuite.TLS_ECDH_ECDSA_WITH_RC4_128_SHA: - return createECDHKeyExchange(KeyExchangeAlgorithm.ECDH_ECDSA); - - case CipherSuite.TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_NULL_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_RC4_128_SHA: - return createECDHKeyExchange(KeyExchangeAlgorithm.ECDH_RSA); - - case CipherSuite.TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_NULL_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1: - return createECDHEKeyExchange(KeyExchangeAlgorithm.ECDHE_ECDSA); - - case CipherSuite.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_ECDHE_RSA_WITH_NULL_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_RC4_128_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_SALSA20_SHA1: - return createECDHEKeyExchange(KeyExchangeAlgorithm.ECDHE_RSA); - - case CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_AES_128_CCM: - case CipherSuite.TLS_RSA_WITH_AES_128_CCM_8: - case CipherSuite.TLS_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_AES_256_CCM: - case CipherSuite.TLS_RSA_WITH_AES_256_CCM_8: - case CipherSuite.TLS_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_RSA_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_RSA_WITH_NULL_MD5: - case CipherSuite.TLS_RSA_WITH_NULL_SHA: - case CipherSuite.TLS_RSA_WITH_NULL_SHA256: - case CipherSuite.TLS_RSA_WITH_RC4_128_MD5: - case CipherSuite.TLS_RSA_WITH_RC4_128_SHA: - case CipherSuite.TLS_RSA_WITH_SALSA20_SHA1: - case CipherSuite.TLS_RSA_WITH_SEED_CBC_SHA: - return createRSAKeyExchange(); - - default: - /* - * Note: internal error here; the TlsProtocol implementation verifies that the - * server-selected cipher suite was in the list of client-offered cipher suites, so if - * we now can't produce an implementation, we shouldn't have offered it! - */ - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - public TlsCipher getCipher() - throws IOException - { - switch (selectedCipherSuite) - { - case CipherSuite.TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA: - return cipherFactory.createCipher(context, EncryptionAlgorithm._3DES_EDE_CBC, MACAlgorithm.hmac_sha1); - - case CipherSuite.TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AEAD_CHACHA20_POLY1305, MACAlgorithm._null); - - case CipherSuite.TLS_DH_DSS_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_128_CBC, MACAlgorithm.hmac_sha1); - - case CipherSuite.TLS_DH_DSS_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_128_CBC, MACAlgorithm.hmac_sha256); - - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM: - case CipherSuite.TLS_RSA_WITH_AES_128_CCM: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_128_CCM, MACAlgorithm._null); - - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM_8: - case CipherSuite.TLS_RSA_WITH_AES_128_CCM_8: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_128_CCM_8, MACAlgorithm._null); - - case CipherSuite.TLS_DH_DSS_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_RSA_WITH_AES_128_GCM_SHA256: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_128_GCM, MACAlgorithm._null); - - case CipherSuite.TLS_DH_DSS_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_256_CBC, MACAlgorithm.hmac_sha1); - - case CipherSuite.TLS_DH_DSS_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA256: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_256_CBC, MACAlgorithm.hmac_sha256); - - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_256_CBC, MACAlgorithm.hmac_sha384); - - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM: - case CipherSuite.TLS_RSA_WITH_AES_256_CCM: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_256_CCM, MACAlgorithm._null); - - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM_8: - case CipherSuite.TLS_RSA_WITH_AES_256_CCM_8: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_256_CCM_8, MACAlgorithm._null); - - case CipherSuite.TLS_DH_DSS_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DH_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_RSA_WITH_AES_256_GCM_SHA384: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_256_GCM, MACAlgorithm._null); - - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: - return cipherFactory.createCipher(context, EncryptionAlgorithm.CAMELLIA_128_CBC, MACAlgorithm.hmac_sha1); - - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256: - return cipherFactory.createCipher(context, EncryptionAlgorithm.CAMELLIA_128_CBC, MACAlgorithm.hmac_sha256); - - case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256: - return cipherFactory.createCipher(context, EncryptionAlgorithm.CAMELLIA_128_GCM, MACAlgorithm._null); - - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: - return cipherFactory.createCipher(context, EncryptionAlgorithm.CAMELLIA_256_CBC, MACAlgorithm.hmac_sha1); - - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256: - return cipherFactory.createCipher(context, EncryptionAlgorithm.CAMELLIA_256_CBC, MACAlgorithm.hmac_sha256); - - case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384: - return cipherFactory.createCipher(context, EncryptionAlgorithm.CAMELLIA_256_GCM, MACAlgorithm._null); - - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384: - return cipherFactory.createCipher(context, EncryptionAlgorithm.CAMELLIA_256_CBC, MACAlgorithm.hmac_sha384); - - case CipherSuite.TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_RSA_WITH_ESTREAM_SALSA20_SHA1: - return cipherFactory.createCipher(context, EncryptionAlgorithm.ESTREAM_SALSA20, MACAlgorithm.hmac_sha1); - - case CipherSuite.TLS_RSA_WITH_NULL_MD5: - return cipherFactory.createCipher(context, EncryptionAlgorithm.NULL, MACAlgorithm.hmac_md5); - - case CipherSuite.TLS_ECDH_ECDSA_WITH_NULL_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_NULL_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_NULL_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_NULL_SHA: - case CipherSuite.TLS_RSA_WITH_NULL_SHA: - return cipherFactory.createCipher(context, EncryptionAlgorithm.NULL, MACAlgorithm.hmac_sha1); - - case CipherSuite.TLS_RSA_WITH_NULL_SHA256: - return cipherFactory.createCipher(context, EncryptionAlgorithm.NULL, MACAlgorithm.hmac_sha256); - - case CipherSuite.TLS_RSA_WITH_RC4_128_MD5: - return cipherFactory.createCipher(context, EncryptionAlgorithm.RC4_128, MACAlgorithm.hmac_md5); - - case CipherSuite.TLS_ECDH_ECDSA_WITH_RC4_128_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_RC4_128_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_RC4_128_SHA: - case CipherSuite.TLS_RSA_WITH_RC4_128_SHA: - return cipherFactory.createCipher(context, EncryptionAlgorithm.RC4_128, MACAlgorithm.hmac_sha1); - - case CipherSuite.TLS_DHE_RSA_WITH_SALSA20_SHA1: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1: - case CipherSuite.TLS_ECDHE_RSA_WITH_SALSA20_SHA1: - case CipherSuite.TLS_RSA_WITH_SALSA20_SHA1: - return cipherFactory.createCipher(context, EncryptionAlgorithm.SALSA20, MACAlgorithm.hmac_sha1); - - case CipherSuite.TLS_DH_DSS_WITH_SEED_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_SEED_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_SEED_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_SEED_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_SEED_CBC_SHA: - return cipherFactory.createCipher(context, EncryptionAlgorithm.SEED_CBC, MACAlgorithm.hmac_sha1); - - default: - /* - * Note: internal error here; the TlsProtocol implementation verifies that the - * server-selected cipher suite was in the list of client-offered cipher suites, so if - * we now can't produce an implementation, we shouldn't have offered it! - */ - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - protected TlsKeyExchange createDHKeyExchange(int keyExchange) - { - return new TlsDHKeyExchange(keyExchange, supportedSignatureAlgorithms, null); - } - - protected TlsKeyExchange createDHEKeyExchange(int keyExchange) - { - return new TlsDHEKeyExchange(keyExchange, supportedSignatureAlgorithms, null); - } - - protected TlsKeyExchange createECDHKeyExchange(int keyExchange) - { - return new TlsECDHKeyExchange(keyExchange, supportedSignatureAlgorithms, namedCurves, clientECPointFormats, - serverECPointFormats); - } - - protected TlsKeyExchange createECDHEKeyExchange(int keyExchange) - { - return new TlsECDHEKeyExchange(keyExchange, supportedSignatureAlgorithms, namedCurves, clientECPointFormats, - serverECPointFormats); - } - - protected TlsKeyExchange createRSAKeyExchange() - { - return new TlsRSAKeyExchange(supportedSignatureAlgorithms); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DefaultTlsEncryptionCredentials.java b/core/src/main/java/org/bouncycastle/crypto/tls/DefaultTlsEncryptionCredentials.java deleted file mode 100644 index 54bcd90c..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/DefaultTlsEncryptionCredentials.java +++ /dev/null @@ -1,62 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -import org.bouncycastle.crypto.InvalidCipherTextException; -import org.bouncycastle.crypto.encodings.PKCS1Encoding; -import org.bouncycastle.crypto.engines.RSABlindedEngine; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.params.ParametersWithRandom; -import org.bouncycastle.crypto.params.RSAKeyParameters; - -public class DefaultTlsEncryptionCredentials extends AbstractTlsEncryptionCredentials -{ - protected TlsContext context; - protected Certificate certificate; - protected AsymmetricKeyParameter privateKey; - - public DefaultTlsEncryptionCredentials(TlsContext context, Certificate certificate, - AsymmetricKeyParameter privateKey) - { - if (certificate == null) - { - throw new IllegalArgumentException("'certificate' cannot be null"); - } - if (certificate.isEmpty()) - { - throw new IllegalArgumentException("'certificate' cannot be empty"); - } - if (privateKey == null) - { - throw new IllegalArgumentException("'privateKey' cannot be null"); - } - if (!privateKey.isPrivate()) - { - throw new IllegalArgumentException("'privateKey' must be private"); - } - - if (privateKey instanceof RSAKeyParameters) - { - } - else - { - throw new IllegalArgumentException("'privateKey' type not supported: " - + privateKey.getClass().getName()); - } - - this.context = context; - this.certificate = certificate; - this.privateKey = privateKey; - } - - public Certificate getCertificate() - { - return certificate; - } - - public byte[] decryptPreMasterSecret(byte[] encryptedPreMasterSecret) - throws IOException - { - return TlsRSAUtils.safeDecryptPreMasterSecret(context, (RSAKeyParameters)privateKey, encryptedPreMasterSecret); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DefaultTlsServer.java b/core/src/main/java/org/bouncycastle/crypto/tls/DefaultTlsServer.java deleted file mode 100644 index f8f83465..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/DefaultTlsServer.java +++ /dev/null @@ -1,550 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -import org.bouncycastle.crypto.agreement.DHStandardGroups; -import org.bouncycastle.crypto.params.DHParameters; - -public abstract class DefaultTlsServer - extends AbstractTlsServer -{ - public DefaultTlsServer() - { - super(); - } - - public DefaultTlsServer(TlsCipherFactory cipherFactory) - { - super(cipherFactory); - } - - protected TlsEncryptionCredentials getRSAEncryptionCredentials() - throws IOException - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - protected TlsSignerCredentials getRSASignerCredentials() - throws IOException - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - protected DHParameters getDHParameters() - { - return DHStandardGroups.rfc5114_1024_160; - } - - protected int[] getCipherSuites() - { - return new int[] - { - CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, - CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, - CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, - CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, - CipherSuite.TLS_RSA_WITH_AES_256_GCM_SHA384, - CipherSuite.TLS_RSA_WITH_AES_128_GCM_SHA256, - CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA256, - CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256, - CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA, - CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA, - }; - } - - public TlsCredentials getCredentials() - throws IOException - { - switch (selectedCipherSuite) - { - case CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_AES_128_CCM: - case CipherSuite.TLS_RSA_WITH_AES_128_CCM_8: - case CipherSuite.TLS_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_AES_256_CCM: - case CipherSuite.TLS_RSA_WITH_AES_256_CCM_8: - case CipherSuite.TLS_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_RSA_WITH_NULL_MD5: - case CipherSuite.TLS_RSA_WITH_NULL_SHA: - case CipherSuite.TLS_RSA_WITH_NULL_SHA256: - case CipherSuite.TLS_RSA_WITH_RC4_128_MD5: - case CipherSuite.TLS_RSA_WITH_RC4_128_SHA: - case CipherSuite.TLS_RSA_WITH_SEED_CBC_SHA: - return getRSAEncryptionCredentials(); - - case CipherSuite.TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM_8: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM_8: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_SEED_CBC_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_ECDHE_RSA_WITH_NULL_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_RC4_128_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_SALSA20_SHA1: - return getRSASignerCredentials(); - - default: - /* - * Note: internal error here; selected a key exchange we don't implement! - */ - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - public TlsKeyExchange getKeyExchange() - throws IOException - { - switch (selectedCipherSuite) - { - case CipherSuite.TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_DH_DSS_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_DH_DSS_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DH_DSS_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DH_DSS_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_DH_DSS_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_DH_DSS_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA: - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA: - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DH_DSS_WITH_SEED_CBC_SHA: - return createDHKeyExchange(KeyExchangeAlgorithm.DH_DSS); - - case CipherSuite.TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DH_RSA_WITH_SEED_CBC_SHA: - return createDHKeyExchange(KeyExchangeAlgorithm.DH_RSA); - - case CipherSuite.TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DHE_DSS_WITH_SEED_CBC_SHA: - return createDHEKeyExchange(KeyExchangeAlgorithm.DHE_DSS); - - case CipherSuite.TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM_8: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM_8: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_DHE_RSA_WITH_SALSA20_SHA1: - case CipherSuite.TLS_DHE_RSA_WITH_SEED_CBC_SHA: - return createDHEKeyExchange(KeyExchangeAlgorithm.DHE_RSA); - - case CipherSuite.TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_ECDSA_WITH_NULL_SHA: - case CipherSuite.TLS_ECDH_ECDSA_WITH_RC4_128_SHA: - return createECDHKeyExchange(KeyExchangeAlgorithm.ECDH_ECDSA); - - case CipherSuite.TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_NULL_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_RC4_128_SHA: - return createECDHKeyExchange(KeyExchangeAlgorithm.ECDH_RSA); - - case CipherSuite.TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_NULL_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1: - return createECDHEKeyExchange(KeyExchangeAlgorithm.ECDHE_ECDSA); - - case CipherSuite.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_ECDHE_RSA_WITH_NULL_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_RC4_128_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_SALSA20_SHA1: - return createECDHEKeyExchange(KeyExchangeAlgorithm.ECDHE_RSA); - - case CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_AES_128_CCM: - case CipherSuite.TLS_RSA_WITH_AES_128_CCM_8: - case CipherSuite.TLS_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_AES_256_CCM: - case CipherSuite.TLS_RSA_WITH_AES_256_CCM_8: - case CipherSuite.TLS_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_RSA_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_RSA_WITH_NULL_MD5: - case CipherSuite.TLS_RSA_WITH_NULL_SHA: - case CipherSuite.TLS_RSA_WITH_NULL_SHA256: - case CipherSuite.TLS_RSA_WITH_RC4_128_MD5: - case CipherSuite.TLS_RSA_WITH_RC4_128_SHA: - case CipherSuite.TLS_RSA_WITH_SALSA20_SHA1: - case CipherSuite.TLS_RSA_WITH_SEED_CBC_SHA: - return createRSAKeyExchange(); - - default: - /* - * Note: internal error here; selected a key exchange we don't implement! - */ - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - public TlsCipher getCipher() - throws IOException - { - switch (selectedCipherSuite) - { - case CipherSuite.TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA: - return cipherFactory.createCipher(context, EncryptionAlgorithm._3DES_EDE_CBC, MACAlgorithm.hmac_sha1); - - case CipherSuite.TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AEAD_CHACHA20_POLY1305, MACAlgorithm._null); - - case CipherSuite.TLS_DH_DSS_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_128_CBC, MACAlgorithm.hmac_sha1); - - case CipherSuite.TLS_DH_DSS_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_128_CBC, MACAlgorithm.hmac_sha256); - - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM: - case CipherSuite.TLS_RSA_WITH_AES_128_CCM: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_128_CCM, MACAlgorithm._null); - - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM_8: - case CipherSuite.TLS_RSA_WITH_AES_128_CCM_8: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_128_CCM_8, MACAlgorithm._null); - - case CipherSuite.TLS_DH_DSS_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_RSA_WITH_AES_128_GCM_SHA256: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_128_GCM, MACAlgorithm._null); - - case CipherSuite.TLS_DH_DSS_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_256_CBC, MACAlgorithm.hmac_sha1); - - case CipherSuite.TLS_DH_DSS_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA256: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_256_CBC, MACAlgorithm.hmac_sha256); - - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_256_CBC, MACAlgorithm.hmac_sha384); - - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM: - case CipherSuite.TLS_RSA_WITH_AES_256_CCM: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_256_CCM, MACAlgorithm._null); - - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM_8: - case CipherSuite.TLS_RSA_WITH_AES_256_CCM_8: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_256_CCM_8, MACAlgorithm._null); - - case CipherSuite.TLS_DH_DSS_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DH_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_RSA_WITH_AES_256_GCM_SHA384: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_256_GCM, MACAlgorithm._null); - - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: - return cipherFactory.createCipher(context, EncryptionAlgorithm.CAMELLIA_128_CBC, MACAlgorithm.hmac_sha1); - - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256: - return cipherFactory.createCipher(context, EncryptionAlgorithm.CAMELLIA_128_CBC, MACAlgorithm.hmac_sha256); - - case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256: - return cipherFactory.createCipher(context, EncryptionAlgorithm.CAMELLIA_128_GCM, MACAlgorithm._null); - - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: - return cipherFactory.createCipher(context, EncryptionAlgorithm.CAMELLIA_256_CBC, MACAlgorithm.hmac_sha1); - - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256: - return cipherFactory.createCipher(context, EncryptionAlgorithm.CAMELLIA_256_CBC, MACAlgorithm.hmac_sha256); - - case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384: - return cipherFactory.createCipher(context, EncryptionAlgorithm.CAMELLIA_256_GCM, MACAlgorithm._null); - - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384: - return cipherFactory.createCipher(context, EncryptionAlgorithm.CAMELLIA_256_CBC, MACAlgorithm.hmac_sha384); - - case CipherSuite.TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_RSA_WITH_ESTREAM_SALSA20_SHA1: - return cipherFactory.createCipher(context, EncryptionAlgorithm.ESTREAM_SALSA20, MACAlgorithm.hmac_sha1); - - case CipherSuite.TLS_RSA_WITH_NULL_MD5: - return cipherFactory.createCipher(context, EncryptionAlgorithm.NULL, MACAlgorithm.hmac_md5); - - case CipherSuite.TLS_ECDH_ECDSA_WITH_NULL_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_NULL_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_NULL_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_NULL_SHA: - case CipherSuite.TLS_RSA_WITH_NULL_SHA: - return cipherFactory.createCipher(context, EncryptionAlgorithm.NULL, MACAlgorithm.hmac_sha1); - - case CipherSuite.TLS_RSA_WITH_NULL_SHA256: - return cipherFactory.createCipher(context, EncryptionAlgorithm.NULL, MACAlgorithm.hmac_sha256); - - case CipherSuite.TLS_RSA_WITH_RC4_128_MD5: - return cipherFactory.createCipher(context, EncryptionAlgorithm.RC4_128, MACAlgorithm.hmac_md5); - - case CipherSuite.TLS_ECDH_ECDSA_WITH_RC4_128_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_RC4_128_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_RC4_128_SHA: - case CipherSuite.TLS_RSA_WITH_RC4_128_SHA: - return cipherFactory.createCipher(context, EncryptionAlgorithm.RC4_128, MACAlgorithm.hmac_sha1); - - case CipherSuite.TLS_DHE_RSA_WITH_SALSA20_SHA1: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1: - case CipherSuite.TLS_ECDHE_RSA_WITH_SALSA20_SHA1: - case CipherSuite.TLS_RSA_WITH_SALSA20_SHA1: - return cipherFactory.createCipher(context, EncryptionAlgorithm.SALSA20, MACAlgorithm.hmac_sha1); - - case CipherSuite.TLS_DH_DSS_WITH_SEED_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_SEED_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_SEED_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_SEED_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_SEED_CBC_SHA: - return cipherFactory.createCipher(context, EncryptionAlgorithm.SEED_CBC, MACAlgorithm.hmac_sha1); - - default: - /* - * Note: internal error here; selected a cipher suite we don't implement! - */ - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - protected TlsKeyExchange createDHKeyExchange(int keyExchange) - { - return new TlsDHKeyExchange(keyExchange, supportedSignatureAlgorithms, getDHParameters()); - } - - protected TlsKeyExchange createDHEKeyExchange(int keyExchange) - { - return new TlsDHEKeyExchange(keyExchange, supportedSignatureAlgorithms, getDHParameters()); - } - - protected TlsKeyExchange createECDHKeyExchange(int keyExchange) - { - return new TlsECDHKeyExchange(keyExchange, supportedSignatureAlgorithms, namedCurves, clientECPointFormats, - serverECPointFormats); - } - - protected TlsKeyExchange createECDHEKeyExchange(int keyExchange) - { - return new TlsECDHEKeyExchange(keyExchange, supportedSignatureAlgorithms, namedCurves, clientECPointFormats, - serverECPointFormats); - } - - protected TlsKeyExchange createRSAKeyExchange() - { - return new TlsRSAKeyExchange(supportedSignatureAlgorithms); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DefaultTlsSignerCredentials.java b/core/src/main/java/org/bouncycastle/crypto/tls/DefaultTlsSignerCredentials.java deleted file mode 100755 index 15bf4a40..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/DefaultTlsSignerCredentials.java +++ /dev/null @@ -1,104 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -import org.bouncycastle.crypto.CryptoException; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.params.DSAPrivateKeyParameters; -import org.bouncycastle.crypto.params.ECPrivateKeyParameters; -import org.bouncycastle.crypto.params.RSAKeyParameters; - -public class DefaultTlsSignerCredentials - extends AbstractTlsSignerCredentials -{ - protected TlsContext context; - protected Certificate certificate; - protected AsymmetricKeyParameter privateKey; - protected SignatureAndHashAlgorithm signatureAndHashAlgorithm; - - protected TlsSigner signer; - - public DefaultTlsSignerCredentials(TlsContext context, Certificate certificate, AsymmetricKeyParameter privateKey) - { - this(context, certificate, privateKey, null); - } - - public DefaultTlsSignerCredentials(TlsContext context, Certificate certificate, AsymmetricKeyParameter privateKey, - SignatureAndHashAlgorithm signatureAndHashAlgorithm) - { - if (certificate == null) - { - throw new IllegalArgumentException("'certificate' cannot be null"); - } - if (certificate.isEmpty()) - { - throw new IllegalArgumentException("'certificate' cannot be empty"); - } - if (privateKey == null) - { - throw new IllegalArgumentException("'privateKey' cannot be null"); - } - if (!privateKey.isPrivate()) - { - throw new IllegalArgumentException("'privateKey' must be private"); - } - if (TlsUtils.isTLSv12(context) && signatureAndHashAlgorithm == null) - { - throw new IllegalArgumentException("'signatureAndHashAlgorithm' cannot be null for (D)TLS 1.2+"); - } - - if (privateKey instanceof RSAKeyParameters) - { - this.signer = new TlsRSASigner(); - } - else if (privateKey instanceof DSAPrivateKeyParameters) - { - this.signer = new TlsDSSSigner(); - } - else if (privateKey instanceof ECPrivateKeyParameters) - { - this.signer = new TlsECDSASigner(); - } - else - { - throw new IllegalArgumentException("'privateKey' type not supported: " + privateKey.getClass().getName()); - } - - this.signer.init(context); - - this.context = context; - this.certificate = certificate; - this.privateKey = privateKey; - this.signatureAndHashAlgorithm = signatureAndHashAlgorithm; - } - - public Certificate getCertificate() - { - return certificate; - } - - public byte[] generateCertificateSignature(byte[] hash) - throws IOException - { - try - { - if (TlsUtils.isTLSv12(context)) - { - return signer.generateRawSignature(signatureAndHashAlgorithm, privateKey, hash); - } - else - { - return signer.generateRawSignature(privateKey, hash); - } - } - catch (CryptoException e) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - public SignatureAndHashAlgorithm getSignatureAndHashAlgorithm() - { - return signatureAndHashAlgorithm; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DeferredHash.java b/core/src/main/java/org/bouncycastle/crypto/tls/DeferredHash.java deleted file mode 100644 index 274e69a3..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/DeferredHash.java +++ /dev/null @@ -1,207 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.util.Enumeration; -import java.util.Hashtable; - -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.util.Shorts; - -/** - * Buffers input until the hash algorithm is determined. - */ -class DeferredHash - implements TlsHandshakeHash -{ - protected static final int BUFFERING_HASH_LIMIT = 4; - - protected TlsContext context; - - private DigestInputBuffer buf; - private Hashtable hashes; - private Short prfHashAlgorithm; - - DeferredHash() - { - this.buf = new DigestInputBuffer(); - this.hashes = new Hashtable(); - this.prfHashAlgorithm = null; - } - - private DeferredHash(Short prfHashAlgorithm, Digest prfHash) - { - this.buf = null; - this.hashes = new Hashtable(); - this.prfHashAlgorithm = prfHashAlgorithm; - hashes.put(prfHashAlgorithm, prfHash); - } - - public void init(TlsContext context) - { - this.context = context; - } - - public TlsHandshakeHash notifyPRFDetermined() - { - int prfAlgorithm = context.getSecurityParameters().getPrfAlgorithm(); - if (prfAlgorithm == PRFAlgorithm.tls_prf_legacy) - { - CombinedHash legacyHash = new CombinedHash(); - legacyHash.init(context); - buf.updateDigest(legacyHash); - return legacyHash.notifyPRFDetermined(); - } - - this.prfHashAlgorithm = Shorts.valueOf(TlsUtils.getHashAlgorithmForPRFAlgorithm(prfAlgorithm)); - - checkTrackingHash(prfHashAlgorithm); - - return this; - } - - public void trackHashAlgorithm(short hashAlgorithm) - { - if (buf == null) - { - throw new IllegalStateException("Too late to track more hash algorithms"); - } - - checkTrackingHash(Shorts.valueOf(hashAlgorithm)); - } - - public void sealHashAlgorithms() - { - checkStopBuffering(); - } - - public TlsHandshakeHash stopTracking() - { - Digest prfHash = TlsUtils.cloneHash(prfHashAlgorithm.shortValue(), (Digest)hashes.get(prfHashAlgorithm)); - if (buf != null) - { - buf.updateDigest(prfHash); - } - DeferredHash result = new DeferredHash(prfHashAlgorithm, prfHash); - result.init(context); - return result; - } - - public Digest forkPRFHash() - { - checkStopBuffering(); - - if (buf != null) - { - Digest prfHash = TlsUtils.createHash(prfHashAlgorithm.shortValue()); - buf.updateDigest(prfHash); - return prfHash; - } - - return TlsUtils.cloneHash(prfHashAlgorithm.shortValue(), (Digest)hashes.get(prfHashAlgorithm)); - } - - public byte[] getFinalHash(short hashAlgorithm) - { - Digest d = (Digest)hashes.get(Shorts.valueOf(hashAlgorithm)); - if (d == null) - { - throw new IllegalStateException("HashAlgorithm " + hashAlgorithm + " is not being tracked"); - } - - d = TlsUtils.cloneHash(hashAlgorithm, d); - if (buf != null) - { - buf.updateDigest(d); - } - - byte[] bs = new byte[d.getDigestSize()]; - d.doFinal(bs, 0); - return bs; - } - - public String getAlgorithmName() - { - throw new IllegalStateException("Use fork() to get a definite Digest"); - } - - public int getDigestSize() - { - throw new IllegalStateException("Use fork() to get a definite Digest"); - } - - public void update(byte input) - { - if (buf != null) - { - buf.write(input); - return; - } - - Enumeration e = hashes.elements(); - while (e.hasMoreElements()) - { - Digest hash = (Digest)e.nextElement(); - hash.update(input); - } - } - - public void update(byte[] input, int inOff, int len) - { - if (buf != null) - { - buf.write(input, inOff, len); - return; - } - - Enumeration e = hashes.elements(); - while (e.hasMoreElements()) - { - Digest hash = (Digest)e.nextElement(); - hash.update(input, inOff, len); - } - } - - public int doFinal(byte[] output, int outOff) - { - throw new IllegalStateException("Use fork() to get a definite Digest"); - } - - public void reset() - { - if (buf != null) - { - buf.reset(); - return; - } - - Enumeration e = hashes.elements(); - while (e.hasMoreElements()) - { - Digest hash = (Digest)e.nextElement(); - hash.reset(); - } - } - - protected void checkStopBuffering() - { - if (buf != null && hashes.size() <= BUFFERING_HASH_LIMIT) - { - Enumeration e = hashes.elements(); - while (e.hasMoreElements()) - { - Digest hash = (Digest)e.nextElement(); - buf.updateDigest(hash); - } - - this.buf = null; - } - } - - protected void checkTrackingHash(Short hashAlgorithm) - { - if (!hashes.containsKey(hashAlgorithm)) - { - Digest hash = TlsUtils.createHash(hashAlgorithm.shortValue()); - hashes.put(hashAlgorithm, hash); - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DigestAlgorithm.java b/core/src/main/java/org/bouncycastle/crypto/tls/DigestAlgorithm.java deleted file mode 100644 index 8bb89a66..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/DigestAlgorithm.java +++ /dev/null @@ -1,23 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/** - * RFC 2246 - * <p> - * Note that the values here are implementation-specific and arbitrary. It is recommended not to - * depend on the particular values (e.g. serialization). - * - * @deprecated use MACAlgorithm constants instead - */ -public class DigestAlgorithm -{ - public static final int NULL = 0; - public static final int MD5 = 1; - public static final int SHA = 2; - - /* - * RFC 5246 - */ - public static final int SHA256 = 3; - public static final int SHA384 = 4; - public static final int SHA512 = 5; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DigestInputBuffer.java b/core/src/main/java/org/bouncycastle/crypto/tls/DigestInputBuffer.java deleted file mode 100644 index 7cfa8909..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/DigestInputBuffer.java +++ /dev/null @@ -1,13 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.ByteArrayOutputStream; - -import org.bouncycastle.crypto.Digest; - -class DigestInputBuffer extends ByteArrayOutputStream -{ - void updateDigest(Digest d) - { - d.update(this.buf, 0, count); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DigitallySigned.java b/core/src/main/java/org/bouncycastle/crypto/tls/DigitallySigned.java deleted file mode 100644 index c366ca9d..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/DigitallySigned.java +++ /dev/null @@ -1,72 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; - -public class DigitallySigned -{ - protected SignatureAndHashAlgorithm algorithm; - protected byte[] signature; - - public DigitallySigned(SignatureAndHashAlgorithm algorithm, byte[] signature) - { - if (signature == null) - { - throw new IllegalArgumentException("'signature' cannot be null"); - } - - this.algorithm = algorithm; - this.signature = signature; - } - - /** - * @return a {@link SignatureAndHashAlgorithm} (or null before TLS 1.2). - */ - public SignatureAndHashAlgorithm getAlgorithm() - { - return algorithm; - } - - public byte[] getSignature() - { - return signature; - } - - /** - * Encode this {@link DigitallySigned} to an {@link OutputStream}. - * - * @param output - * the {@link OutputStream} to encode to. - * @throws IOException - */ - public void encode(OutputStream output) throws IOException - { - if (algorithm != null) - { - algorithm.encode(output); - } - TlsUtils.writeOpaque16(signature, output); - } - - /** - * Parse a {@link DigitallySigned} from an {@link InputStream}. - * - * @param context - * the {@link TlsContext} of the current connection. - * @param input - * the {@link InputStream} to parse from. - * @return a {@link DigitallySigned} object. - * @throws IOException - */ - public static DigitallySigned parse(TlsContext context, InputStream input) throws IOException - { - SignatureAndHashAlgorithm algorithm = null; - if (TlsUtils.isTLSv12(context)) - { - algorithm = SignatureAndHashAlgorithm.parse(input); - } - byte[] signature = TlsUtils.readOpaque16(input); - return new DigitallySigned(algorithm, signature); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/ECBasisType.java b/core/src/main/java/org/bouncycastle/crypto/tls/ECBasisType.java deleted file mode 100644 index 630dfcd6..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/ECBasisType.java +++ /dev/null @@ -1,15 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/** - * RFC 4492 5.4. (Errata ID: 2389) - */ -public class ECBasisType -{ - public static final short ec_basis_trinomial = 1; - public static final short ec_basis_pentanomial = 2; - - public static boolean isValid(short ecBasisType) - { - return ecBasisType >= ec_basis_trinomial && ecBasisType <= ec_basis_pentanomial; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/ECCurveType.java b/core/src/main/java/org/bouncycastle/crypto/tls/ECCurveType.java deleted file mode 100644 index 0b6542fc..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/ECCurveType.java +++ /dev/null @@ -1,28 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/** - * RFC 4492 5.4 - */ -public class ECCurveType -{ - /** - * Indicates the elliptic curve domain parameters are conveyed verbosely, and the - * underlying finite field is a prime field. - */ - public static final short explicit_prime = 1; - - /** - * Indicates the elliptic curve domain parameters are conveyed verbosely, and the - * underlying finite field is a characteristic-2 field. - */ - public static final short explicit_char2 = 2; - - /** - * Indicates that a named curve is used. This option SHOULD be used when applicable. - */ - public static final short named_curve = 3; - - /* - * Values 248 through 255 are reserved for private use. - */ -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/ECPointFormat.java b/core/src/main/java/org/bouncycastle/crypto/tls/ECPointFormat.java deleted file mode 100644 index 969d42ee..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/ECPointFormat.java +++ /dev/null @@ -1,15 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/** - * RFC 4492 5.1.2 - */ -public class ECPointFormat -{ - public static final short uncompressed = 0; - public static final short ansiX962_compressed_prime = 1; - public static final short ansiX962_compressed_char2 = 2; - - /* - * reserved (248..255) - */ -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/EncryptionAlgorithm.java b/core/src/main/java/org/bouncycastle/crypto/tls/EncryptionAlgorithm.java deleted file mode 100644 index 2da2f76a..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/EncryptionAlgorithm.java +++ /dev/null @@ -1,67 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/** - * RFC 2246 - * <p> - * Note that the values here are implementation-specific and arbitrary. It is recommended not to - * depend on the particular values (e.g. serialization). - */ -public class EncryptionAlgorithm -{ - public static final int NULL = 0; - public static final int RC4_40 = 1; - public static final int RC4_128 = 2; - public static final int RC2_CBC_40 = 3; - public static final int IDEA_CBC = 4; - public static final int DES40_CBC = 5; - public static final int DES_CBC = 6; - public static final int _3DES_EDE_CBC = 7; - - /* - * RFC 3268 - */ - public static final int AES_128_CBC = 8; - public static final int AES_256_CBC = 9; - - /* - * RFC 5289 - */ - public static final int AES_128_GCM = 10; - public static final int AES_256_GCM = 11; - - /* - * RFC 5932 - */ - public static final int CAMELLIA_128_CBC = 12; - public static final int CAMELLIA_256_CBC = 13; - - /* - * RFC 4162 - */ - public static final int SEED_CBC = 14; - - /* - * RFC 6655 - */ - public static final int AES_128_CCM = 15; - public static final int AES_128_CCM_8 = 16; - public static final int AES_256_CCM = 17; - public static final int AES_256_CCM_8 = 18; - - /* - * RFC 6367 - */ - public static final int CAMELLIA_128_GCM = 19; - public static final int CAMELLIA_256_GCM = 20; - - /* - * draft-josefsson-salsa20-tls-04 - */ - public static final int ESTREAM_SALSA20 = 100; - public static final int SALSA20 = 101; - - /* - * draft-agl-tls-chacha20poly1305-04 - */ - public static final int AEAD_CHACHA20_POLY1305 = 102; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/ExporterLabel.java b/core/src/main/java/org/bouncycastle/crypto/tls/ExporterLabel.java deleted file mode 100644 index 902720ac..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/ExporterLabel.java +++ /dev/null @@ -1,31 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/** - * RFC 5705 - */ -public class ExporterLabel -{ - /* - * RFC 5246 - */ - public static final String client_finished = "client finished"; - public static final String server_finished = "server finished"; - public static final String master_secret = "master secret"; - public static final String key_expansion = "key expansion"; - - /* - * RFC 5216 - */ - public static final String client_EAP_encryption = "client EAP encryption"; - - /* - * RFC 5281 - */ - public static final String ttls_keying_material = "ttls keying material"; - public static final String ttls_challenge = "ttls challenge"; - - /* - * RFC 5764 - */ - public static final String dtls_srtp = "EXTRACTOR-dtls_srtp"; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/ExtensionType.java b/core/src/main/java/org/bouncycastle/crypto/tls/ExtensionType.java deleted file mode 100644 index c0a7a90a..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/ExtensionType.java +++ /dev/null @@ -1,60 +0,0 @@ -package org.bouncycastle.crypto.tls; - -public class ExtensionType -{ - /* - * RFC 2546 2.3. - */ - public static final int server_name = 0; - public static final int max_fragment_length = 1; - public static final int client_certificate_url = 2; - public static final int trusted_ca_keys = 3; - public static final int truncated_hmac = 4; - public static final int status_request = 5; - - /* - * RFC 4681 - */ - public static final int user_mapping = 6; - - /* - * RFC 4492 5.1. - */ - public static final int elliptic_curves = 10; - public static final int ec_point_formats = 11; - - /* - * RFC 5054 2.8.1. - */ - public static final int srp = 12; - - /* - * RFC 5246 7.4.1.4. - */ - public static final int signature_algorithms = 13; - - /* - * RFC 5764 9. - */ - public static final int use_srtp = 14; - - /* - * RFC 6520 6. - */ - public static final int heartbeat = 15; - - /* - * RFC 5077 7. - */ - public static final int session_ticket = 35; - - /* - * draft-ietf-tls-encrypt-then-mac-03 - */ - public static final int encrypt_then_mac = 22; - - /* - * RFC 5746 3.2. - */ - public static final int renegotiation_info = 0xff01; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/HandshakeType.java b/core/src/main/java/org/bouncycastle/crypto/tls/HandshakeType.java deleted file mode 100644 index c81660a5..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/HandshakeType.java +++ /dev/null @@ -1,39 +0,0 @@ -package org.bouncycastle.crypto.tls; - -public class HandshakeType -{ - /* - * RFC 2246 7.4 - */ - public static final short hello_request = 0; - public static final short client_hello = 1; - public static final short server_hello = 2; - public static final short certificate = 11; - public static final short server_key_exchange = 12; - public static final short certificate_request = 13; - public static final short server_hello_done = 14; - public static final short certificate_verify = 15; - public static final short client_key_exchange = 16; - public static final short finished = 20; - - /* - * RFC 3546 2.4 - */ - public static final short certificate_url = 21; - public static final short certificate_status = 22; - - /* - * (DTLS) RFC 4347 4.3.2 - */ - public static final short hello_verify_request = 3; - - /* - * RFC 4680 - */ - public static final short supplemental_data = 23; - - /* - * RFC 5077 - */ - public static final short session_ticket = 4; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/HashAlgorithm.java b/core/src/main/java/org/bouncycastle/crypto/tls/HashAlgorithm.java deleted file mode 100644 index dc7482b8..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/HashAlgorithm.java +++ /dev/null @@ -1,15 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/** - * RFC 5246 7.4.1.4.1 - */ -public class HashAlgorithm -{ - public static final short none = 0; - public static final short md5 = 1; - public static final short sha1 = 2; - public static final short sha224 = 3; - public static final short sha256 = 4; - public static final short sha384 = 5; - public static final short sha512 = 6; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/HeartbeatExtension.java b/core/src/main/java/org/bouncycastle/crypto/tls/HeartbeatExtension.java deleted file mode 100644 index f9f3670e..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/HeartbeatExtension.java +++ /dev/null @@ -1,56 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; - -public class HeartbeatExtension -{ - protected short mode; - - public HeartbeatExtension(short mode) - { - if (!HeartbeatMode.isValid(mode)) - { - throw new IllegalArgumentException("'mode' is not a valid HeartbeatMode value"); - } - - this.mode = mode; - } - - public short getMode() - { - return mode; - } - - /** - * Encode this {@link HeartbeatExtension} to an {@link OutputStream}. - * - * @param output - * the {@link OutputStream} to encode to. - * @throws IOException - */ - public void encode(OutputStream output) throws IOException - { - TlsUtils.writeUint8(mode, output); - } - - /** - * Parse a {@link HeartbeatExtension} from an {@link InputStream}. - * - * @param input - * the {@link InputStream} to parse from. - * @return a {@link HeartbeatExtension} object. - * @throws IOException - */ - public static HeartbeatExtension parse(InputStream input) throws IOException - { - short mode = TlsUtils.readUint8(input); - if (!HeartbeatMode.isValid(mode)) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - return new HeartbeatExtension(mode); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/HeartbeatMessage.java b/core/src/main/java/org/bouncycastle/crypto/tls/HeartbeatMessage.java deleted file mode 100644 index c6a447fc..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/HeartbeatMessage.java +++ /dev/null @@ -1,111 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; - -import org.bouncycastle.util.Arrays; -import org.bouncycastle.util.io.Streams; - -public class HeartbeatMessage -{ - protected short type; - protected byte[] payload; - protected int paddingLength; - - public HeartbeatMessage(short type, byte[] payload, int paddingLength) - { - if (!HeartbeatMessageType.isValid(type)) - { - throw new IllegalArgumentException("'type' is not a valid HeartbeatMessageType value"); - } - if (payload == null || payload.length >= (1 << 16)) - { - throw new IllegalArgumentException("'payload' must have length < 2^16"); - } - if (paddingLength < 16) - { - throw new IllegalArgumentException("'paddingLength' must be at least 16"); - } - - this.type = type; - this.payload = payload; - this.paddingLength = paddingLength; - } - - /** - * Encode this {@link HeartbeatMessage} to an {@link OutputStream}. - * - * @param output - * the {@link OutputStream} to encode to. - * @throws IOException - */ - public void encode(TlsContext context, OutputStream output) throws IOException - { - TlsUtils.writeUint8(type, output); - - TlsUtils.checkUint16(payload.length); - TlsUtils.writeUint16(payload.length, output); - output.write(payload); - - byte[] padding = new byte[paddingLength]; - context.getNonceRandomGenerator().nextBytes(padding); - output.write(padding); - } - - /** - * Parse a {@link HeartbeatMessage} from an {@link InputStream}. - * - * @param input - * the {@link InputStream} to parse from. - * @return a {@link HeartbeatMessage} object. - * @throws IOException - */ - public static HeartbeatMessage parse(InputStream input) throws IOException - { - short type = TlsUtils.readUint8(input); - if (!HeartbeatMessageType.isValid(type)) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - int payload_length = TlsUtils.readUint16(input); - - PayloadBuffer buf = new PayloadBuffer(); - Streams.pipeAll(input, buf); - - byte[] payload = buf.toTruncatedByteArray(payload_length); - if (payload == null) - { - /* - * RFC 6520 4. If the payload_length of a received HeartbeatMessage is too large, the - * received HeartbeatMessage MUST be discarded silently. - */ - return null; - } - - int padding_length = buf.size() - payload.length; - - /* - * RFC 6520 4. The padding of a received HeartbeatMessage message MUST be ignored - */ - return new HeartbeatMessage(type, payload, padding_length); - } - - static class PayloadBuffer extends ByteArrayOutputStream - { - byte[] toTruncatedByteArray(int payloadLength) - { - /* - * RFC 6520 4. The padding_length MUST be at least 16. - */ - int minimumCount = payloadLength + 16; - if (count < minimumCount) - { - return null; - } - return Arrays.copyOf(buf, payloadLength); - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/HeartbeatMessageType.java b/core/src/main/java/org/bouncycastle/crypto/tls/HeartbeatMessageType.java deleted file mode 100644 index f1a3b43a..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/HeartbeatMessageType.java +++ /dev/null @@ -1,15 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/* - * RFC 6520 3. - */ -public class HeartbeatMessageType -{ - public static final short heartbeat_request = 1; - public static final short heartbeat_response = 2; - - public static boolean isValid(short heartbeatMessageType) - { - return heartbeatMessageType >= heartbeat_request && heartbeatMessageType <= heartbeat_response; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/HeartbeatMode.java b/core/src/main/java/org/bouncycastle/crypto/tls/HeartbeatMode.java deleted file mode 100644 index 4024faaf..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/HeartbeatMode.java +++ /dev/null @@ -1,15 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/* - * RFC 6520 - */ -public class HeartbeatMode -{ - public static final short peer_allowed_to_send = 1; - public static final short peer_not_allowed_to_send = 2; - - public static boolean isValid(short heartbeatMode) - { - return heartbeatMode >= peer_allowed_to_send && heartbeatMode <= peer_not_allowed_to_send; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/KeyExchangeAlgorithm.java b/core/src/main/java/org/bouncycastle/crypto/tls/KeyExchangeAlgorithm.java deleted file mode 100644 index d862d769..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/KeyExchangeAlgorithm.java +++ /dev/null @@ -1,52 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/** - * RFC 2246 - * <p> - * Note that the values here are implementation-specific and arbitrary. It is recommended not to - * depend on the particular values (e.g. serialization). - */ -public class KeyExchangeAlgorithm -{ - public static final int NULL = 0; - public static final int RSA = 1; - public static final int RSA_EXPORT = 2; - public static final int DHE_DSS = 3; - public static final int DHE_DSS_EXPORT = 4; - public static final int DHE_RSA = 5; - public static final int DHE_RSA_EXPORT = 6; - public static final int DH_DSS = 7; - public static final int DH_DSS_EXPORT = 8; - public static final int DH_RSA = 9; - public static final int DH_RSA_EXPORT = 10; - public static final int DH_anon = 11; - public static final int DH_anon_EXPORT = 12; - - /* - * RFC 4279 - */ - public static final int PSK = 13; - public static final int DHE_PSK = 14; - public static final int RSA_PSK = 15; - - /* - * RFC 4429 - */ - public static final int ECDH_ECDSA = 16; - public static final int ECDHE_ECDSA = 17; - public static final int ECDH_RSA = 18; - public static final int ECDHE_RSA = 19; - public static final int ECDH_anon = 20; - - /* - * RFC 5054 - */ - public static final int SRP = 21; - public static final int SRP_DSS = 22; - public static final int SRP_RSA = 23; - - /* - * RFC 5489 - */ - public static final int ECDHE_PSK = 24; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/LegacyTlsAuthentication.java b/core/src/main/java/org/bouncycastle/crypto/tls/LegacyTlsAuthentication.java deleted file mode 100644 index f638714e..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/LegacyTlsAuthentication.java +++ /dev/null @@ -1,28 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -/** - * A temporary class to wrap old CertificateVerifyer stuff for new TlsAuthentication - * - * @deprecated - */ -public class LegacyTlsAuthentication - extends ServerOnlyTlsAuthentication -{ - protected CertificateVerifyer verifyer; - - public LegacyTlsAuthentication(CertificateVerifyer verifyer) - { - this.verifyer = verifyer; - } - - public void notifyServerCertificate(Certificate serverCertificate) - throws IOException - { - if (!this.verifyer.isValid(serverCertificate.getCertificateList())) - { - throw new TlsFatalAlert(AlertDescription.user_canceled); - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/LegacyTlsClient.java b/core/src/main/java/org/bouncycastle/crypto/tls/LegacyTlsClient.java deleted file mode 100644 index 33217ac4..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/LegacyTlsClient.java +++ /dev/null @@ -1,33 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -/** - * A temporary class to use LegacyTlsAuthentication - * - * @deprecated - */ -public class LegacyTlsClient - extends DefaultTlsClient -{ - /** - * @deprecated - */ - protected CertificateVerifyer verifyer; - - /** - * @deprecated - */ - public LegacyTlsClient(CertificateVerifyer verifyer) - { - super(); - - this.verifyer = verifyer; - } - - public TlsAuthentication getAuthentication() - throws IOException - { - return new LegacyTlsAuthentication(verifyer); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/MACAlgorithm.java b/core/src/main/java/org/bouncycastle/crypto/tls/MACAlgorithm.java deleted file mode 100644 index bd13ab89..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/MACAlgorithm.java +++ /dev/null @@ -1,23 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/** - * RFC 2246 - * <p> - * Note that the values here are implementation-specific and arbitrary. It is recommended not to - * depend on the particular values (e.g. serialization). - */ -public class MACAlgorithm -{ - public static final int _null = 0; - public static final int md5 = 1; - public static final int sha = 2; - - /* - * RFC 5246 - */ - public static final int hmac_md5 = md5; - public static final int hmac_sha1 = sha; - public static final int hmac_sha256 = 3; - public static final int hmac_sha384 = 4; - public static final int hmac_sha512 = 5; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/MaxFragmentLength.java b/core/src/main/java/org/bouncycastle/crypto/tls/MaxFragmentLength.java deleted file mode 100644 index 6bc61b0c..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/MaxFragmentLength.java +++ /dev/null @@ -1,17 +0,0 @@ -package org.bouncycastle.crypto.tls; - -public class MaxFragmentLength -{ - /* - * RFC 3546 3.2. - */ - public static final short pow2_9 = 1; - public static final short pow2_10 = 2; - public static final short pow2_11 = 3; - public static final short pow2_12 = 4; - - public static boolean isValid(short maxFragmentLength) - { - return maxFragmentLength >= pow2_9 && maxFragmentLength <= pow2_12; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/NameType.java b/core/src/main/java/org/bouncycastle/crypto/tls/NameType.java deleted file mode 100644 index 9b0cd1b9..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/NameType.java +++ /dev/null @@ -1,9 +0,0 @@ -package org.bouncycastle.crypto.tls; - -public class NameType -{ - /* - * RFC 3546 3.1. - */ - public static final short host_name = 0; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/NamedCurve.java b/core/src/main/java/org/bouncycastle/crypto/tls/NamedCurve.java deleted file mode 100644 index 49fc923a..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/NamedCurve.java +++ /dev/null @@ -1,71 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/** - * RFC 4492 5.1.1 - * <p> - * The named curves defined here are those specified in SEC 2 [13]. Note that many of these curves - * are also recommended in ANSI X9.62 [7] and FIPS 186-2 [11]. Values 0xFE00 through 0xFEFF are - * reserved for private use. Values 0xFF01 and 0xFF02 indicate that the client supports arbitrary - * prime and characteristic-2 curves, respectively (the curve parameters must be encoded explicitly - * in ECParameters). - */ -public class NamedCurve -{ - public static final int sect163k1 = 1; - public static final int sect163r1 = 2; - public static final int sect163r2 = 3; - public static final int sect193r1 = 4; - public static final int sect193r2 = 5; - public static final int sect233k1 = 6; - public static final int sect233r1 = 7; - public static final int sect239k1 = 8; - public static final int sect283k1 = 9; - public static final int sect283r1 = 10; - public static final int sect409k1 = 11; - public static final int sect409r1 = 12; - public static final int sect571k1 = 13; - public static final int sect571r1 = 14; - public static final int secp160k1 = 15; - public static final int secp160r1 = 16; - public static final int secp160r2 = 17; - public static final int secp192k1 = 18; - public static final int secp192r1 = 19; - public static final int secp224k1 = 20; - public static final int secp224r1 = 21; - public static final int secp256k1 = 22; - public static final int secp256r1 = 23; - public static final int secp384r1 = 24; - public static final int secp521r1 = 25; - - /* - * RFC 7027 - */ - public static final int brainpoolP256r1 = 26; - public static final int brainpoolP384r1 = 27; - public static final int brainpoolP512r1 = 28; - - /* - * reserved (0xFE00..0xFEFF) - */ - - public static final int arbitrary_explicit_prime_curves = 0xFF01; - public static final int arbitrary_explicit_char2_curves = 0xFF02; - - public static boolean isValid(int namedCurve) - { - return (namedCurve >= sect163k1 && namedCurve <= brainpoolP512r1) - || (namedCurve >= arbitrary_explicit_prime_curves && namedCurve <= arbitrary_explicit_char2_curves); - } - - public static boolean refersToASpecificNamedCurve(int namedCurve) - { - switch (namedCurve) - { - case arbitrary_explicit_prime_curves: - case arbitrary_explicit_char2_curves: - return false; - default: - return true; - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/NewSessionTicket.java b/core/src/main/java/org/bouncycastle/crypto/tls/NewSessionTicket.java deleted file mode 100644 index 8f87a65e..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/NewSessionTicket.java +++ /dev/null @@ -1,55 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; - -public class NewSessionTicket -{ - protected long ticketLifetimeHint; - protected byte[] ticket; - - public NewSessionTicket(long ticketLifetimeHint, byte[] ticket) - { - this.ticketLifetimeHint = ticketLifetimeHint; - this.ticket = ticket; - } - - public long getTicketLifetimeHint() - { - return ticketLifetimeHint; - } - - public byte[] getTicket() - { - return ticket; - } - - /** - * Encode this {@link NewSessionTicket} to an {@link OutputStream}. - * - * @param output the {@link OutputStream} to encode to. - * @throws IOException - */ - public void encode(OutputStream output) - throws IOException - { - TlsUtils.writeUint32(ticketLifetimeHint, output); - TlsUtils.writeOpaque16(ticket, output); - } - - /** - * Parse a {@link NewSessionTicket} from an {@link InputStream}. - * - * @param input the {@link InputStream} to parse from. - * @return a {@link NewSessionTicket} object. - * @throws IOException - */ - public static NewSessionTicket parse(InputStream input) - throws IOException - { - long ticketLifetimeHint = TlsUtils.readUint32(input); - byte[] ticket = TlsUtils.readOpaque16(input); - return new NewSessionTicket(ticketLifetimeHint, ticket); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/OCSPStatusRequest.java b/core/src/main/java/org/bouncycastle/crypto/tls/OCSPStatusRequest.java deleted file mode 100644 index 473db23f..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/OCSPStatusRequest.java +++ /dev/null @@ -1,131 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.ByteArrayInputStream; -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; -import java.util.Vector; - -import org.bouncycastle.asn1.ASN1Encoding; -import org.bouncycastle.asn1.ocsp.ResponderID; -import org.bouncycastle.asn1.x509.Extensions; - -/** - * RFC 3546 3.6 - */ -public class OCSPStatusRequest -{ - protected Vector responderIDList; - protected Extensions requestExtensions; - - /** - * @param responderIDList - * a {@link Vector} of {@link ResponderID}, specifying the list of trusted OCSP - * responders. An empty list has the special meaning that the responders are - * implicitly known to the server - e.g., by prior arrangement. - * @param requestExtensions - * OCSP request extensions. A null value means that there are no extensions. - */ - public OCSPStatusRequest(Vector responderIDList, Extensions requestExtensions) - { - this.responderIDList = responderIDList; - this.requestExtensions = requestExtensions; - } - - /** - * @return a {@link Vector} of {@link ResponderID} - */ - public Vector getResponderIDList() - { - return responderIDList; - } - - /** - * @return OCSP request extensions - */ - public Extensions getRequestExtensions() - { - return requestExtensions; - } - - /** - * Encode this {@link OCSPStatusRequest} to an {@link OutputStream}. - * - * @param output - * the {@link OutputStream} to encode to. - * @throws IOException - */ - public void encode(OutputStream output) throws IOException - { - if (responderIDList == null || responderIDList.isEmpty()) - { - TlsUtils.writeUint16(0, output); - } - else - { - ByteArrayOutputStream buf = new ByteArrayOutputStream(); - for (int i = 0; i < responderIDList.size(); ++i) - { - ResponderID responderID = (ResponderID) responderIDList.elementAt(i); - byte[] derEncoding = responderID.getEncoded(ASN1Encoding.DER); - TlsUtils.writeOpaque16(derEncoding, buf); - } - TlsUtils.checkUint16(buf.size()); - TlsUtils.writeUint16(buf.size(), output); - buf.writeTo(output); - } - - if (requestExtensions == null) - { - TlsUtils.writeUint16(0, output); - } - else - { - byte[] derEncoding = requestExtensions.getEncoded(ASN1Encoding.DER); - TlsUtils.checkUint16(derEncoding.length); - TlsUtils.writeUint16(derEncoding.length, output); - output.write(derEncoding); - } - } - - /** - * Parse an {@link OCSPStatusRequest} from an {@link InputStream}. - * - * @param input - * the {@link InputStream} to parse from. - * @return an {@link OCSPStatusRequest} object. - * @throws IOException - */ - public static OCSPStatusRequest parse(InputStream input) throws IOException - { - Vector responderIDList = new Vector(); - { - int length = TlsUtils.readUint16(input); - if (length > 0) - { - byte[] data = TlsUtils.readFully(length, input); - ByteArrayInputStream buf = new ByteArrayInputStream(data); - do - { - byte[] derEncoding = TlsUtils.readOpaque16(buf); - ResponderID responderID = ResponderID.getInstance(TlsUtils.readDERObject(derEncoding)); - responderIDList.addElement(responderID); - } - while (buf.available() > 0); - } - } - - Extensions requestExtensions = null; - { - int length = TlsUtils.readUint16(input); - if (length > 0) - { - byte[] derEncoding = TlsUtils.readFully(length, input); - requestExtensions = Extensions.getInstance(TlsUtils.readDERObject(derEncoding)); - } - } - - return new OCSPStatusRequest(responderIDList, requestExtensions); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/PRFAlgorithm.java b/core/src/main/java/org/bouncycastle/crypto/tls/PRFAlgorithm.java deleted file mode 100644 index 33c27c4a..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/PRFAlgorithm.java +++ /dev/null @@ -1,22 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/** - * RFC 5246 - * <p> - * Note that the values here are implementation-specific and arbitrary. It is recommended not to - * depend on the particular values (e.g. serialization). - */ -public class PRFAlgorithm -{ - /* - * Placeholder to refer to the legacy TLS algorithm - */ - public static final int tls_prf_legacy = 0; - - public static final int tls_prf_sha256 = 1; - - /* - * Implied by RFC 5288 - */ - public static final int tls_prf_sha384 = 2; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/PSKTlsClient.java b/core/src/main/java/org/bouncycastle/crypto/tls/PSKTlsClient.java deleted file mode 100644 index e442ce2f..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/PSKTlsClient.java +++ /dev/null @@ -1,256 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -public abstract class PSKTlsClient - extends AbstractTlsClient -{ - protected TlsPSKIdentity pskIdentity; - - public PSKTlsClient(TlsPSKIdentity pskIdentity) - { - super(); - this.pskIdentity = pskIdentity; - } - - public PSKTlsClient(TlsCipherFactory cipherFactory, TlsPSKIdentity pskIdentity) - { - super(cipherFactory); - this.pskIdentity = pskIdentity; - } - - public int[] getCipherSuites() - { - return new int[] { CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, - CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, CipherSuite.TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, - CipherSuite.TLS_RSA_PSK_WITH_AES_128_CBC_SHA }; - } - - public TlsKeyExchange getKeyExchange() throws IOException - { - switch (selectedCipherSuite) - { - case CipherSuite.TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_DHE_PSK_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_DHE_PSK_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DHE_PSK_WITH_AES_128_CCM: - case CipherSuite.TLS_DHE_PSK_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DHE_PSK_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_DHE_PSK_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_DHE_PSK_WITH_AES_256_CCM: - case CipherSuite.TLS_DHE_PSK_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_DHE_PSK_WITH_NULL_SHA: - case CipherSuite.TLS_DHE_PSK_WITH_NULL_SHA256: - case CipherSuite.TLS_DHE_PSK_WITH_NULL_SHA384: - case CipherSuite.TLS_DHE_PSK_WITH_RC4_128_SHA: - case CipherSuite.TLS_DHE_PSK_WITH_SALSA20_SHA1: - case CipherSuite.TLS_PSK_DHE_WITH_AES_128_CCM_8: - case CipherSuite.TLS_PSK_DHE_WITH_AES_256_CCM_8: - return createPSKKeyExchange(KeyExchangeAlgorithm.DHE_PSK); - - case CipherSuite.TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_ECDHE_PSK_WITH_NULL_SHA: - case CipherSuite.TLS_ECDHE_PSK_WITH_NULL_SHA256: - case CipherSuite.TLS_ECDHE_PSK_WITH_NULL_SHA384: - case CipherSuite.TLS_ECDHE_PSK_WITH_RC4_128_SHA: - case CipherSuite.TLS_ECDHE_PSK_WITH_SALSA20_SHA1: - return createPSKKeyExchange(KeyExchangeAlgorithm.ECDHE_PSK); - - case CipherSuite.TLS_PSK_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_PSK_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_PSK_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_PSK_WITH_AES_128_CCM: - case CipherSuite.TLS_PSK_WITH_AES_128_CCM_8: - case CipherSuite.TLS_PSK_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_PSK_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_PSK_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_PSK_WITH_AES_256_CCM: - case CipherSuite.TLS_PSK_WITH_AES_256_CCM_8: - case CipherSuite.TLS_PSK_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_PSK_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_PSK_WITH_NULL_SHA: - case CipherSuite.TLS_PSK_WITH_NULL_SHA256: - case CipherSuite.TLS_PSK_WITH_NULL_SHA384: - case CipherSuite.TLS_PSK_WITH_RC4_128_SHA: - case CipherSuite.TLS_PSK_WITH_SALSA20_SHA1: - return createPSKKeyExchange(KeyExchangeAlgorithm.PSK); - - case CipherSuite.TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_RSA_PSK_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_RSA_PSK_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_RSA_PSK_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_RSA_PSK_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_RSA_PSK_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_RSA_PSK_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_RSA_PSK_WITH_NULL_SHA: - case CipherSuite.TLS_RSA_PSK_WITH_NULL_SHA256: - case CipherSuite.TLS_RSA_PSK_WITH_NULL_SHA384: - case CipherSuite.TLS_RSA_PSK_WITH_RC4_128_SHA: - case CipherSuite.TLS_RSA_PSK_WITH_SALSA20_SHA1: - return createPSKKeyExchange(KeyExchangeAlgorithm.RSA_PSK); - - default: - /* - * Note: internal error here; the TlsProtocol implementation verifies that the - * server-selected cipher suite was in the list of client-offered cipher suites, so if - * we now can't produce an implementation, we shouldn't have offered it! - */ - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - public TlsCipher getCipher() throws IOException - { - switch (selectedCipherSuite) - { - case CipherSuite.TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_PSK_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA: - return cipherFactory.createCipher(context, EncryptionAlgorithm._3DES_EDE_CBC, MACAlgorithm.hmac_sha1); - - case CipherSuite.TLS_DHE_PSK_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_PSK_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_RSA_PSK_WITH_AES_128_CBC_SHA: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_128_CBC, MACAlgorithm.hmac_sha1); - - case CipherSuite.TLS_DHE_PSK_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_PSK_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_RSA_PSK_WITH_AES_128_CBC_SHA256: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_128_CBC, MACAlgorithm.hmac_sha256); - - case CipherSuite.TLS_DHE_PSK_WITH_AES_128_CCM: - case CipherSuite.TLS_PSK_WITH_AES_128_CCM: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_128_CCM, MACAlgorithm._null); - - case CipherSuite.TLS_PSK_DHE_WITH_AES_128_CCM_8: - case CipherSuite.TLS_PSK_WITH_AES_128_CCM_8: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_128_CCM_8, MACAlgorithm._null); - - case CipherSuite.TLS_DHE_PSK_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_PSK_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_RSA_PSK_WITH_AES_128_GCM_SHA256: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_128_GCM, MACAlgorithm._null); - - case CipherSuite.TLS_DHE_PSK_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_PSK_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_RSA_PSK_WITH_AES_256_CBC_SHA: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_256_CBC, MACAlgorithm.hmac_sha1); - - case CipherSuite.TLS_DHE_PSK_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_PSK_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_RSA_PSK_WITH_AES_256_CBC_SHA384: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_256_CBC, MACAlgorithm.hmac_sha384); - - case CipherSuite.TLS_DHE_PSK_WITH_AES_256_CCM: - case CipherSuite.TLS_PSK_WITH_AES_256_CCM: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_256_CCM, MACAlgorithm._null); - - case CipherSuite.TLS_PSK_DHE_WITH_AES_256_CCM_8: - case CipherSuite.TLS_PSK_WITH_AES_256_CCM_8: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_256_CCM_8, MACAlgorithm._null); - - case CipherSuite.TLS_DHE_PSK_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_PSK_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_RSA_PSK_WITH_AES_256_GCM_SHA384: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_256_GCM, MACAlgorithm._null); - - case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256: - return cipherFactory.createCipher(context, EncryptionAlgorithm.CAMELLIA_128_CBC, MACAlgorithm.hmac_sha256); - - case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256: - return cipherFactory.createCipher(context, EncryptionAlgorithm.CAMELLIA_128_GCM, MACAlgorithm._null); - - case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384: - return cipherFactory.createCipher(context, EncryptionAlgorithm.CAMELLIA_256_CBC, MACAlgorithm.hmac_sha384); - - case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384: - return cipherFactory.createCipher(context, EncryptionAlgorithm.CAMELLIA_256_GCM, MACAlgorithm._null); - - case CipherSuite.TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_PSK_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1: - return cipherFactory.createCipher(context, EncryptionAlgorithm.ESTREAM_SALSA20, MACAlgorithm.hmac_sha1); - - case CipherSuite.TLS_DHE_PSK_WITH_NULL_SHA: - case CipherSuite.TLS_ECDHE_PSK_WITH_NULL_SHA: - case CipherSuite.TLS_PSK_WITH_NULL_SHA: - case CipherSuite.TLS_RSA_PSK_WITH_NULL_SHA: - return cipherFactory.createCipher(context, EncryptionAlgorithm.NULL, MACAlgorithm.hmac_sha1); - - case CipherSuite.TLS_DHE_PSK_WITH_NULL_SHA256: - case CipherSuite.TLS_ECDHE_PSK_WITH_NULL_SHA256: - case CipherSuite.TLS_PSK_WITH_NULL_SHA256: - case CipherSuite.TLS_RSA_PSK_WITH_NULL_SHA256: - return cipherFactory.createCipher(context, EncryptionAlgorithm.NULL, MACAlgorithm.hmac_sha256); - - case CipherSuite.TLS_DHE_PSK_WITH_NULL_SHA384: - case CipherSuite.TLS_ECDHE_PSK_WITH_NULL_SHA384: - case CipherSuite.TLS_PSK_WITH_NULL_SHA384: - case CipherSuite.TLS_RSA_PSK_WITH_NULL_SHA384: - return cipherFactory.createCipher(context, EncryptionAlgorithm.NULL, MACAlgorithm.hmac_sha384); - - case CipherSuite.TLS_DHE_PSK_WITH_RC4_128_SHA: - case CipherSuite.TLS_ECDHE_PSK_WITH_RC4_128_SHA: - case CipherSuite.TLS_PSK_WITH_RC4_128_SHA: - case CipherSuite.TLS_RSA_PSK_WITH_RC4_128_SHA: - return cipherFactory.createCipher(context, EncryptionAlgorithm.RC4_128, MACAlgorithm.hmac_sha1); - - case CipherSuite.TLS_DHE_PSK_WITH_SALSA20_SHA1: - case CipherSuite.TLS_ECDHE_PSK_WITH_SALSA20_SHA1: - case CipherSuite.TLS_PSK_WITH_SALSA20_SHA1: - case CipherSuite.TLS_RSA_PSK_WITH_SALSA20_SHA1: - return cipherFactory.createCipher(context, EncryptionAlgorithm.SALSA20, MACAlgorithm.hmac_sha1); - - default: - /* - * Note: internal error here; the TlsProtocol implementation verifies that the - * server-selected cipher suite was in the list of client-offered cipher suites, so if - * we now can't produce an implementation, we shouldn't have offered it! - */ - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - protected TlsKeyExchange createPSKKeyExchange(int keyExchange) - { - return new TlsPSKKeyExchange(keyExchange, supportedSignatureAlgorithms, pskIdentity, null, namedCurves, - clientECPointFormats, serverECPointFormats); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/ProtocolVersion.java b/core/src/main/java/org/bouncycastle/crypto/tls/ProtocolVersion.java deleted file mode 100644 index 8be2bec0..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/ProtocolVersion.java +++ /dev/null @@ -1,158 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -import org.bouncycastle.util.Strings; - -public final class ProtocolVersion -{ - public static final ProtocolVersion SSLv3 = new ProtocolVersion(0x0300, "SSL 3.0"); - public static final ProtocolVersion TLSv10 = new ProtocolVersion(0x0301, "TLS 1.0"); - public static final ProtocolVersion TLSv11 = new ProtocolVersion(0x0302, "TLS 1.1"); - public static final ProtocolVersion TLSv12 = new ProtocolVersion(0x0303, "TLS 1.2"); - public static final ProtocolVersion DTLSv10 = new ProtocolVersion(0xFEFF, "DTLS 1.0"); - public static final ProtocolVersion DTLSv12 = new ProtocolVersion(0xFEFD, "DTLS 1.2"); - - private int version; - private String name; - - private ProtocolVersion(int v, String name) - { - this.version = v & 0xffff; - this.name = name; - } - - public int getFullVersion() - { - return version; - } - - public int getMajorVersion() - { - return version >> 8; - } - - public int getMinorVersion() - { - return version & 0xff; - } - - public boolean isDTLS() - { - return getMajorVersion() == 0xFE; - } - - public boolean isSSL() - { - return this == SSLv3; - } - - public boolean isTLS() - { - return getMajorVersion() == 0x03; - } - - public ProtocolVersion getEquivalentTLSVersion() - { - if (!isDTLS()) - { - return this; - } - if (this == DTLSv10) - { - return TLSv11; - } - return TLSv12; - } - - public boolean isEqualOrEarlierVersionOf(ProtocolVersion version) - { - if (getMajorVersion() != version.getMajorVersion()) - { - return false; - } - int diffMinorVersion = version.getMinorVersion() - getMinorVersion(); - return isDTLS() ? diffMinorVersion <= 0 : diffMinorVersion >= 0; - } - - public boolean isLaterVersionOf(ProtocolVersion version) - { - if (getMajorVersion() != version.getMajorVersion()) - { - return false; - } - int diffMinorVersion = version.getMinorVersion() - getMinorVersion(); - return isDTLS() ? diffMinorVersion > 0 : diffMinorVersion < 0; - } - - public boolean equals(Object other) - { - return this == other || (other instanceof ProtocolVersion && equals((ProtocolVersion)other)); - } - - public boolean equals(ProtocolVersion other) - { - return other != null && this.version == other.version; - } - - public int hashCode() - { - return version; - } - - public static ProtocolVersion get(int major, int minor) - throws IOException - { - switch (major) - { - case 0x03: - { - switch (minor) - { - case 0x00: - return SSLv3; - case 0x01: - return TLSv10; - case 0x02: - return TLSv11; - case 0x03: - return TLSv12; - } - return getUnknownVersion(major, minor, "TLS"); - } - case 0xFE: - { - switch (minor) - { - case 0xFF: - return DTLSv10; - case 0xFE: - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - case 0xFD: - return DTLSv12; - } - return getUnknownVersion(major, minor, "DTLS"); - } - default: - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - } - } - - public String toString() - { - return name; - } - - private static ProtocolVersion getUnknownVersion(int major, int minor, String prefix) - throws IOException - { - TlsUtils.checkUint8(major); - TlsUtils.checkUint8(minor); - - int v = (major << 8) | minor; - String hex = Strings.toUpperCase(Integer.toHexString(0x10000 | v).substring(1)); - return new ProtocolVersion(v, prefix + " 0x" + hex); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/RecordStream.java b/core/src/main/java/org/bouncycastle/crypto/tls/RecordStream.java deleted file mode 100644 index 922b951d..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/RecordStream.java +++ /dev/null @@ -1,365 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; - -/** - * An implementation of the TLS 1.0/1.1/1.2 record layer, allowing downgrade to SSLv3. - */ -class RecordStream -{ - private static int DEFAULT_PLAINTEXT_LIMIT = (1 << 14); - - private TlsProtocol handler; - private InputStream input; - private OutputStream output; - private TlsCompression pendingCompression = null, readCompression = null, writeCompression = null; - private TlsCipher pendingCipher = null, readCipher = null, writeCipher = null; - private long readSeqNo = 0, writeSeqNo = 0; - private ByteArrayOutputStream buffer = new ByteArrayOutputStream(); - - private TlsContext context = null; - private TlsHandshakeHash handshakeHash = null; - - private ProtocolVersion readVersion = null, writeVersion = null; - private boolean restrictReadVersion = true; - - private int plaintextLimit, compressedLimit, ciphertextLimit; - - RecordStream(TlsProtocol handler, InputStream input, OutputStream output) - { - this.handler = handler; - this.input = input; - this.output = output; - this.readCompression = new TlsNullCompression(); - this.writeCompression = this.readCompression; - this.readCipher = new TlsNullCipher(context); - this.writeCipher = this.readCipher; - - setPlaintextLimit(DEFAULT_PLAINTEXT_LIMIT); - } - - void init(TlsContext context) - { - this.context = context; - this.handshakeHash = new DeferredHash(); - this.handshakeHash.init(context); - } - - int getPlaintextLimit() - { - return plaintextLimit; - } - - void setPlaintextLimit(int plaintextLimit) - { - this.plaintextLimit = plaintextLimit; - this.compressedLimit = this.plaintextLimit + 1024; - this.ciphertextLimit = this.compressedLimit + 1024; - } - - ProtocolVersion getReadVersion() - { - return readVersion; - } - - void setReadVersion(ProtocolVersion readVersion) - { - this.readVersion = readVersion; - } - - void setWriteVersion(ProtocolVersion writeVersion) - { - this.writeVersion = writeVersion; - } - - /** - * RFC 5246 E.1. "Earlier versions of the TLS specification were not fully clear on what the - * record layer version number (TLSPlaintext.version) should contain when sending ClientHello - * (i.e., before it is known which version of the protocol will be employed). Thus, TLS servers - * compliant with this specification MUST accept any value {03,XX} as the record layer version - * number for ClientHello." - */ - void setRestrictReadVersion(boolean enabled) - { - this.restrictReadVersion = enabled; - } - - void setPendingConnectionState(TlsCompression tlsCompression, TlsCipher tlsCipher) - { - this.pendingCompression = tlsCompression; - this.pendingCipher = tlsCipher; - } - - void sentWriteCipherSpec() - throws IOException - { - if (pendingCompression == null || pendingCipher == null) - { - throw new TlsFatalAlert(AlertDescription.handshake_failure); - } - this.writeCompression = this.pendingCompression; - this.writeCipher = this.pendingCipher; - this.writeSeqNo = 0; - } - - void receivedReadCipherSpec() - throws IOException - { - if (pendingCompression == null || pendingCipher == null) - { - throw new TlsFatalAlert(AlertDescription.handshake_failure); - } - this.readCompression = this.pendingCompression; - this.readCipher = this.pendingCipher; - this.readSeqNo = 0; - } - - void finaliseHandshake() - throws IOException - { - if (readCompression != pendingCompression || writeCompression != pendingCompression - || readCipher != pendingCipher || writeCipher != pendingCipher) - { - throw new TlsFatalAlert(AlertDescription.handshake_failure); - } - pendingCompression = null; - pendingCipher = null; - } - - public boolean readRecord() - throws IOException - { - byte[] recordHeader = TlsUtils.readAllOrNothing(5, input); - if (recordHeader == null) - { - return false; - } - - short type = TlsUtils.readUint8(recordHeader, 0); - - /* - * RFC 5246 6. If a TLS implementation receives an unexpected record type, it MUST send an - * unexpected_message alert. - */ - checkType(type, AlertDescription.unexpected_message); - - if (!restrictReadVersion) - { - int version = TlsUtils.readVersionRaw(recordHeader, 1); - if ((version & 0xffffff00) != 0x0300) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - } - else - { - ProtocolVersion version = TlsUtils.readVersion(recordHeader, 1); - if (readVersion == null) - { - readVersion = version; - } - else if (!version.equals(readVersion)) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - } - - int length = TlsUtils.readUint16(recordHeader, 3); - byte[] plaintext = decodeAndVerify(type, input, length); - handler.processRecord(type, plaintext, 0, plaintext.length); - return true; - } - - protected byte[] decodeAndVerify(short type, InputStream input, int len) - throws IOException - { - checkLength(len, ciphertextLimit, AlertDescription.record_overflow); - - byte[] buf = TlsUtils.readFully(len, input); - byte[] decoded = readCipher.decodeCiphertext(readSeqNo++, type, buf, 0, buf.length); - - checkLength(decoded.length, compressedLimit, AlertDescription.record_overflow); - - /* - * TODO RFC5264 6.2.2. Implementation note: Decompression functions are responsible for - * ensuring that messages cannot cause internal buffer overflows. - */ - OutputStream cOut = readCompression.decompress(buffer); - if (cOut != buffer) - { - cOut.write(decoded, 0, decoded.length); - cOut.flush(); - decoded = getBufferContents(); - } - - /* - * RFC 5264 6.2.2. If the decompression function encounters a TLSCompressed.fragment that - * would decompress to a length in excess of 2^14 bytes, it should report a fatal - * decompression failure error. - */ - checkLength(decoded.length, plaintextLimit, AlertDescription.decompression_failure); - - /* - * RFC 5264 6.2.1 Implementations MUST NOT send zero-length fragments of Handshake, Alert, - * or ChangeCipherSpec content types. - */ - if (decoded.length < 1 && type != ContentType.application_data) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - return decoded; - } - - protected void writeRecord(short type, byte[] plaintext, int plaintextOffset, int plaintextLength) - throws IOException - { - // Never send anything until a valid ClientHello has been received - if (writeVersion == null) - { - return; - } - - /* - * RFC 5264 6. Implementations MUST NOT send record types not defined in this document - * unless negotiated by some extension. - */ - checkType(type, AlertDescription.internal_error); - - /* - * RFC 5264 6.2.1 The length should not exceed 2^14. - */ - checkLength(plaintextLength, plaintextLimit, AlertDescription.internal_error); - - /* - * RFC 5264 6.2.1 Implementations MUST NOT send zero-length fragments of Handshake, Alert, - * or ChangeCipherSpec content types. - */ - if (plaintextLength < 1 && type != ContentType.application_data) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - if (type == ContentType.handshake) - { - updateHandshakeData(plaintext, plaintextOffset, plaintextLength); - } - - OutputStream cOut = writeCompression.compress(buffer); - - byte[] ciphertext; - if (cOut == buffer) - { - ciphertext = writeCipher.encodePlaintext(writeSeqNo++, type, plaintext, plaintextOffset, plaintextLength); - } - else - { - cOut.write(plaintext, plaintextOffset, plaintextLength); - cOut.flush(); - byte[] compressed = getBufferContents(); - - /* - * RFC5264 6.2.2. Compression must be lossless and may not increase the content length - * by more than 1024 bytes. - */ - checkLength(compressed.length, plaintextLength + 1024, AlertDescription.internal_error); - - ciphertext = writeCipher.encodePlaintext(writeSeqNo++, type, compressed, 0, compressed.length); - } - - /* - * RFC 5264 6.2.3. The length may not exceed 2^14 + 2048. - */ - checkLength(ciphertext.length, ciphertextLimit, AlertDescription.internal_error); - - byte[] record = new byte[ciphertext.length + 5]; - TlsUtils.writeUint8(type, record, 0); - TlsUtils.writeVersion(writeVersion, record, 1); - TlsUtils.writeUint16(ciphertext.length, record, 3); - System.arraycopy(ciphertext, 0, record, 5, ciphertext.length); - output.write(record); - output.flush(); - } - - void notifyHelloComplete() - { - this.handshakeHash = handshakeHash.notifyPRFDetermined(); - } - - TlsHandshakeHash getHandshakeHash() - { - return handshakeHash; - } - - TlsHandshakeHash prepareToFinish() - { - TlsHandshakeHash result = handshakeHash; - this.handshakeHash = handshakeHash.stopTracking(); - return result; - } - - void updateHandshakeData(byte[] message, int offset, int len) - { - handshakeHash.update(message, offset, len); - } - - protected void safeClose() - { - try - { - input.close(); - } - catch (IOException e) - { - } - - try - { - output.close(); - } - catch (IOException e) - { - } - } - - protected void flush() - throws IOException - { - output.flush(); - } - - private byte[] getBufferContents() - { - byte[] contents = buffer.toByteArray(); - buffer.reset(); - return contents; - } - - private static void checkType(short type, short alertDescription) - throws IOException - { - switch (type) - { - case ContentType.application_data: - case ContentType.alert: - case ContentType.change_cipher_spec: - case ContentType.handshake: - case ContentType.heartbeat: - break; - default: - throw new TlsFatalAlert(alertDescription); - } - } - - private static void checkLength(int length, int limit, short alertDescription) - throws IOException - { - if (length > limit) - { - throw new TlsFatalAlert(alertDescription); - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/SRPTlsClient.java b/core/src/main/java/org/bouncycastle/crypto/tls/SRPTlsClient.java deleted file mode 100644 index 15295ea8..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/SRPTlsClient.java +++ /dev/null @@ -1,121 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.util.Hashtable; - -import org.bouncycastle.util.Arrays; - -public abstract class SRPTlsClient - extends AbstractTlsClient -{ - /** - * @deprecated use TlsSRPUtils.EXT_SRP instead - */ - public static final Integer EXT_SRP = TlsSRPUtils.EXT_SRP; - - protected byte[] identity; - protected byte[] password; - - public SRPTlsClient(byte[] identity, byte[] password) - { - super(); - this.identity = Arrays.clone(identity); - this.password = Arrays.clone(password); - } - - public SRPTlsClient(TlsCipherFactory cipherFactory, byte[] identity, byte[] password) - { - super(cipherFactory); - this.identity = Arrays.clone(identity); - this.password = Arrays.clone(password); - } - - public int[] getCipherSuites() - { - return new int[] { CipherSuite.TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA }; - } - - public Hashtable getClientExtensions() - throws IOException - { - Hashtable clientExtensions = TlsExtensionsUtils.ensureExtensionsInitialised(super.getClientExtensions()); - TlsSRPUtils.addSRPExtension(clientExtensions, this.identity); - return clientExtensions; - } - - public void processServerExtensions(Hashtable serverExtensions) - throws IOException - { - if (!TlsUtils.hasExpectedEmptyExtensionData(serverExtensions, TlsSRPUtils.EXT_SRP, AlertDescription.illegal_parameter)) - { - // No explicit guidance in RFC 5054 here; we allow an optional empty extension from server - } - } - - public TlsKeyExchange getKeyExchange() - throws IOException - { - - switch (selectedCipherSuite) - { - case CipherSuite.TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_SRP_SHA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_SRP_SHA_WITH_AES_256_CBC_SHA: - return createSRPKeyExchange(KeyExchangeAlgorithm.SRP); - - case CipherSuite.TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA: - return createSRPKeyExchange(KeyExchangeAlgorithm.SRP_RSA); - - case CipherSuite.TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA: - return createSRPKeyExchange(KeyExchangeAlgorithm.SRP_DSS); - - default: - /* - * Note: internal error here; the TlsProtocol implementation verifies that the - * server-selected cipher suite was in the list of client-offered cipher suites, so if - * we now can't produce an implementation, we shouldn't have offered it! - */ - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - public TlsCipher getCipher() - throws IOException - { - - switch (selectedCipherSuite) - { - case CipherSuite.TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA: - return cipherFactory.createCipher(context, EncryptionAlgorithm._3DES_EDE_CBC, MACAlgorithm.hmac_sha1); - - case CipherSuite.TLS_SRP_SHA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_128_CBC, MACAlgorithm.hmac_sha1); - - case CipherSuite.TLS_SRP_SHA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA: - return cipherFactory.createCipher(context, EncryptionAlgorithm.AES_256_CBC, MACAlgorithm.hmac_sha1); - - default: - /* - * Note: internal error here; the TlsProtocol implementation verifies that the - * server-selected cipher suite was in the list of client-offered cipher suites, so if - * we now can't produce an implementation, we shouldn't have offered it! - */ - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - protected TlsKeyExchange createSRPKeyExchange(int keyExchange) - { - return new TlsSRPKeyExchange(keyExchange, supportedSignatureAlgorithms, identity, password); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/SRTPProtectionProfile.java b/core/src/main/java/org/bouncycastle/crypto/tls/SRTPProtectionProfile.java deleted file mode 100644 index 1faac960..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/SRTPProtectionProfile.java +++ /dev/null @@ -1,12 +0,0 @@ -package org.bouncycastle.crypto.tls; - -public class SRTPProtectionProfile -{ - /* - * RFC 5764 4.1.2. - */ - public static final int SRTP_AES128_CM_HMAC_SHA1_80 = 0x0001; - public static final int SRTP_AES128_CM_HMAC_SHA1_32 = 0x0002; - public static final int SRTP_NULL_HMAC_SHA1_80 = 0x0005; - public static final int SRTP_NULL_HMAC_SHA1_32 = 0x0006; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/SSL3Mac.java b/core/src/main/java/org/bouncycastle/crypto/tls/SSL3Mac.java deleted file mode 100644 index 7d838590..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/SSL3Mac.java +++ /dev/null @@ -1,114 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.Mac; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.util.Arrays; - -/** - * HMAC implementation based on original internet draft for HMAC (RFC 2104) - * <p> - * The difference is that padding is concatenated versus XORed with the key - * <p> - * H(K + opad, H(K + ipad, text)) - */ -public class SSL3Mac - implements Mac -{ - private final static byte IPAD_BYTE = (byte)0x36; - private final static byte OPAD_BYTE = (byte)0x5C; - - static final byte[] IPAD = genPad(IPAD_BYTE, 48); - static final byte[] OPAD = genPad(OPAD_BYTE, 48); - - private Digest digest; - - private byte[] secret; - private int padLength; - - /** - * Base constructor for one of the standard digest algorithms that the byteLength of - * the algorithm is know for. Behaviour is undefined for digests other than MD5 or SHA1. - * - * @param digest the digest. - */ - public SSL3Mac(Digest digest) - { - this.digest = digest; - - if (digest.getDigestSize() == 20) - { - this.padLength = 40; - } - else - { - this.padLength = 48; - } - } - - public String getAlgorithmName() - { - return digest.getAlgorithmName() + "/SSL3MAC"; - } - - public Digest getUnderlyingDigest() - { - return digest; - } - - public void init(CipherParameters params) - { - secret = Arrays.clone(((KeyParameter)params).getKey()); - - reset(); - } - - public int getMacSize() - { - return digest.getDigestSize(); - } - - public void update(byte in) - { - digest.update(in); - } - - public void update(byte[] in, int inOff, int len) - { - digest.update(in, inOff, len); - } - - public int doFinal(byte[] out, int outOff) - { - byte[] tmp = new byte[digest.getDigestSize()]; - digest.doFinal(tmp, 0); - - digest.update(secret, 0, secret.length); - digest.update(OPAD, 0, padLength); - digest.update(tmp, 0, tmp.length); - - int len = digest.doFinal(out, outOff); - - reset(); - - return len; - } - - /** - * Reset the mac generator. - */ - public void reset() - { - digest.reset(); - digest.update(secret, 0, secret.length); - digest.update(IPAD, 0, padLength); - } - - private static byte[] genPad(byte b, int count) - { - byte[] padding = new byte[count]; - Arrays.fill(padding, b); - return padding; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/SecurityParameters.java b/core/src/main/java/org/bouncycastle/crypto/tls/SecurityParameters.java deleted file mode 100644 index 6b0eb6db..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/SecurityParameters.java +++ /dev/null @@ -1,91 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import org.bouncycastle.util.Arrays; - -public class SecurityParameters -{ - int entity = -1; - int cipherSuite = -1; - short compressionAlgorithm = -1; - int prfAlgorithm = -1; - int verifyDataLength = -1; - byte[] masterSecret = null; - byte[] clientRandom = null; - byte[] serverRandom = null; - - // TODO Keep these internal, since it's maybe not the ideal place for them - short maxFragmentLength = -1; - boolean truncatedHMac = false; - boolean encryptThenMAC = false; - - void copySessionParametersFrom(SecurityParameters other) - { - this.entity = other.entity; - this.cipherSuite = other.cipherSuite; - this.compressionAlgorithm = other.compressionAlgorithm; - this.prfAlgorithm = other.prfAlgorithm; - this.verifyDataLength = other.verifyDataLength; - this.masterSecret = Arrays.clone(other.masterSecret); - } - - void clear() - { - if (this.masterSecret != null) - { - Arrays.fill(this.masterSecret, (byte)0); - this.masterSecret = null; - } - } - - /** - * @return {@link ConnectionEnd} - */ - public int getEntity() - { - return entity; - } - - /** - * @return {@link CipherSuite} - */ - public int getCipherSuite() - { - return cipherSuite; - } - - /** - * @return {@link CompressionMethod} - */ - public short getCompressionAlgorithm() - { - return compressionAlgorithm; - } - - /** - * @return {@link PRFAlgorithm} - */ - public int getPrfAlgorithm() - { - return prfAlgorithm; - } - - public int getVerifyDataLength() - { - return verifyDataLength; - } - - public byte[] getMasterSecret() - { - return masterSecret; - } - - public byte[] getClientRandom() - { - return clientRandom; - } - - public byte[] getServerRandom() - { - return serverRandom; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/ServerDHParams.java b/core/src/main/java/org/bouncycastle/crypto/tls/ServerDHParams.java deleted file mode 100644 index c3050f1b..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/ServerDHParams.java +++ /dev/null @@ -1,63 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; -import java.math.BigInteger; - -import org.bouncycastle.crypto.params.DHParameters; -import org.bouncycastle.crypto.params.DHPublicKeyParameters; - -public class ServerDHParams -{ - protected DHPublicKeyParameters publicKey; - - public ServerDHParams(DHPublicKeyParameters publicKey) - { - if (publicKey == null) - { - throw new IllegalArgumentException("'publicKey' cannot be null"); - } - - this.publicKey = publicKey; - } - - public DHPublicKeyParameters getPublicKey() - { - return publicKey; - } - - /** - * Encode this {@link ServerDHParams} to an {@link OutputStream}. - * - * @param output - * the {@link OutputStream} to encode to. - * @throws IOException - */ - public void encode(OutputStream output) throws IOException - { - DHParameters dhParameters = publicKey.getParameters(); - BigInteger Ys = publicKey.getY(); - - TlsDHUtils.writeDHParameter(dhParameters.getP(), output); - TlsDHUtils.writeDHParameter(dhParameters.getG(), output); - TlsDHUtils.writeDHParameter(Ys, output); - } - - /** - * Parse a {@link ServerDHParams} from an {@link InputStream}. - * - * @param input - * the {@link InputStream} to parse from. - * @return a {@link ServerDHParams} object. - * @throws IOException - */ - public static ServerDHParams parse(InputStream input) throws IOException - { - BigInteger p = TlsDHUtils.readDHParameter(input); - BigInteger g = TlsDHUtils.readDHParameter(input); - BigInteger Ys = TlsDHUtils.readDHParameter(input); - - return new ServerDHParams(new DHPublicKeyParameters(Ys, new DHParameters(p, g))); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/ServerName.java b/core/src/main/java/org/bouncycastle/crypto/tls/ServerName.java deleted file mode 100644 index df9a4395..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/ServerName.java +++ /dev/null @@ -1,112 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; - -import org.bouncycastle.util.Strings; - -public class ServerName -{ - protected short nameType; - protected Object name; - - public ServerName(short nameType, Object name) - { - if (!isCorrectType(nameType, name)) - { - throw new IllegalArgumentException("'name' is not an instance of the correct type"); - } - - this.nameType = nameType; - this.name = name; - } - - public short getNameType() - { - return nameType; - } - - public Object getName() - { - return name; - } - - public String getHostName() - { - if (!isCorrectType(NameType.host_name, name)) - { - throw new IllegalStateException("'name' is not a HostName string"); - } - return (String)name; - } - - /** - * Encode this {@link ServerName} to an {@link OutputStream}. - * - * @param output - * the {@link OutputStream} to encode to. - * @throws IOException - */ - public void encode(OutputStream output) throws IOException - { - TlsUtils.writeUint8(nameType, output); - - switch (nameType) - { - case NameType.host_name: - byte[] utf8Encoding = Strings.toUTF8ByteArray((String)name); - if (utf8Encoding.length < 1) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - TlsUtils.writeOpaque16(utf8Encoding, output); - break; - default: - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - /** - * Parse a {@link ServerName} from an {@link InputStream}. - * - * @param input - * the {@link InputStream} to parse from. - * @return a {@link ServerName} object. - * @throws IOException - */ - public static ServerName parse(InputStream input) throws IOException - { - short name_type = TlsUtils.readUint8(input); - Object name; - - switch (name_type) - { - case NameType.host_name: - { - byte[] utf8Encoding = TlsUtils.readOpaque16(input); - if (utf8Encoding.length < 1) - { - throw new TlsFatalAlert(AlertDescription.decode_error); - } - name = Strings.fromUTF8ByteArray(utf8Encoding); - break; - } - default: - throw new TlsFatalAlert(AlertDescription.decode_error); - } - - return new ServerName(name_type, name); - } - - protected static boolean isCorrectType(short nameType, Object name) - { - switch (nameType) - { - case NameType.host_name: - return name instanceof String; - default: - throw new IllegalArgumentException("'name' is an unsupported value"); - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/ServerNameList.java b/core/src/main/java/org/bouncycastle/crypto/tls/ServerNameList.java deleted file mode 100644 index 1dc81f01..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/ServerNameList.java +++ /dev/null @@ -1,86 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.ByteArrayInputStream; -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; -import java.util.Vector; - -public class ServerNameList -{ - protected Vector serverNameList; - - /** - * @param serverNameList a {@link Vector} of {@link ServerName}. - */ - public ServerNameList(Vector serverNameList) - { - if (serverNameList == null || serverNameList.isEmpty()) - { - throw new IllegalArgumentException("'serverNameList' must not be null or empty"); - } - - this.serverNameList = serverNameList; - } - - /** - * @return a {@link Vector} of {@link ServerName}. - */ - public Vector getServerNameList() - { - return serverNameList; - } - - /** - * Encode this {@link ServerNameList} to an {@link OutputStream}. - * - * @param output - * the {@link OutputStream} to encode to. - * @throws IOException - */ - public void encode(OutputStream output) throws IOException - { - ByteArrayOutputStream buf = new ByteArrayOutputStream(); - - for (int i = 0; i < serverNameList.size(); ++i) - { - ServerName entry = (ServerName)serverNameList.elementAt(i); - entry.encode(buf); - } - - TlsUtils.checkUint16(buf.size()); - TlsUtils.writeUint16(buf.size(), output); - buf.writeTo(output); - } - - /** - * Parse a {@link ServerNameList} from an {@link InputStream}. - * - * @param input - * the {@link InputStream} to parse from. - * @return a {@link ServerNameList} object. - * @throws IOException - */ - public static ServerNameList parse(InputStream input) throws IOException - { - int length = TlsUtils.readUint16(input); - if (length < 1) - { - throw new TlsFatalAlert(AlertDescription.decode_error); - } - - byte[] data = TlsUtils.readFully(length, input); - - ByteArrayInputStream buf = new ByteArrayInputStream(data); - - Vector server_name_list = new Vector(); - while (buf.available() > 0) - { - ServerName entry = ServerName.parse(buf); - server_name_list.addElement(entry); - } - - return new ServerNameList(server_name_list); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/ServerOnlyTlsAuthentication.java b/core/src/main/java/org/bouncycastle/crypto/tls/ServerOnlyTlsAuthentication.java deleted file mode 100644 index eccbb3f6..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/ServerOnlyTlsAuthentication.java +++ /dev/null @@ -1,10 +0,0 @@ -package org.bouncycastle.crypto.tls; - -public abstract class ServerOnlyTlsAuthentication - implements TlsAuthentication -{ - public final TlsCredentials getClientCredentials(CertificateRequest certificateRequest) - { - return null; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/SessionParameters.java b/core/src/main/java/org/bouncycastle/crypto/tls/SessionParameters.java deleted file mode 100644 index 68412f84..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/SessionParameters.java +++ /dev/null @@ -1,142 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.ByteArrayInputStream; -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.util.Hashtable; - -import org.bouncycastle.util.Arrays; - -public final class SessionParameters -{ - public static final class Builder - { - private int cipherSuite = -1; - private short compressionAlgorithm = -1; - private byte[] masterSecret = null; - private Certificate peerCertificate = null; - private byte[] encodedServerExtensions = null; - - public Builder() - { - } - - public SessionParameters build() - { - validate(this.cipherSuite >= 0, "cipherSuite"); - validate(this.compressionAlgorithm >= 0, "compressionAlgorithm"); - validate(this.masterSecret != null, "masterSecret"); - return new SessionParameters(cipherSuite, compressionAlgorithm, masterSecret, peerCertificate, - encodedServerExtensions); - } - - public Builder setCipherSuite(int cipherSuite) - { - this.cipherSuite = cipherSuite; - return this; - } - - public Builder setCompressionAlgorithm(short compressionAlgorithm) - { - this.compressionAlgorithm = compressionAlgorithm; - return this; - } - - public Builder setMasterSecret(byte[] masterSecret) - { - this.masterSecret = masterSecret; - return this; - } - - public Builder setPeerCertificate(Certificate peerCertificate) - { - this.peerCertificate = peerCertificate; - return this; - } - - public Builder setServerExtensions(Hashtable serverExtensions) - throws IOException - { - if (serverExtensions == null) - { - encodedServerExtensions = null; - } - else - { - ByteArrayOutputStream buf = new ByteArrayOutputStream(); - TlsProtocol.writeExtensions(buf, serverExtensions); - encodedServerExtensions = buf.toByteArray(); - } - return this; - } - - private void validate(boolean condition, String parameter) - { - if (!condition) - { - throw new IllegalStateException("Required session parameter '" + parameter + "' not configured"); - } - } - } - - private int cipherSuite; - private short compressionAlgorithm; - private byte[] masterSecret; - private Certificate peerCertificate; - private byte[] encodedServerExtensions; - - private SessionParameters(int cipherSuite, short compressionAlgorithm, byte[] masterSecret, - Certificate peerCertificate, byte[] encodedServerExtensions) - { - this.cipherSuite = cipherSuite; - this.compressionAlgorithm = compressionAlgorithm; - this.masterSecret = Arrays.clone(masterSecret); - this.peerCertificate = peerCertificate; - this.encodedServerExtensions = encodedServerExtensions; - } - - public void clear() - { - if (this.masterSecret != null) - { - Arrays.fill(this.masterSecret, (byte)0); - } - } - - public SessionParameters copy() - { - return new SessionParameters(cipherSuite, compressionAlgorithm, masterSecret, peerCertificate, - encodedServerExtensions); - } - - public int getCipherSuite() - { - return cipherSuite; - } - - public short getCompressionAlgorithm() - { - return compressionAlgorithm; - } - - public byte[] getMasterSecret() - { - return masterSecret; - } - - public Certificate getPeerCertificate() - { - return peerCertificate; - } - - public Hashtable readServerExtensions() throws IOException - { - if (encodedServerExtensions == null) - { - return null; - } - - ByteArrayInputStream buf = new ByteArrayInputStream(encodedServerExtensions); - return TlsProtocol.readExtensions(buf); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/SignatureAlgorithm.java b/core/src/main/java/org/bouncycastle/crypto/tls/SignatureAlgorithm.java deleted file mode 100644 index 820c80cd..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/SignatureAlgorithm.java +++ /dev/null @@ -1,12 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/** - * RFC 5246 7.4.1.4.1 (in RFC 2246, there were no specific values assigned) - */ -public class SignatureAlgorithm -{ - public static final short anonymous = 0; - public static final short rsa = 1; - public static final short dsa = 2; - public static final short ecdsa = 3; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/SignatureAndHashAlgorithm.java b/core/src/main/java/org/bouncycastle/crypto/tls/SignatureAndHashAlgorithm.java deleted file mode 100644 index 9404a72f..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/SignatureAndHashAlgorithm.java +++ /dev/null @@ -1,96 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; - -/** - * RFC 5246 7.4.1.4.1 - */ -public class SignatureAndHashAlgorithm -{ - protected short hash; - protected short signature; - - /** - * @param hash {@link HashAlgorithm} - * @param signature {@link SignatureAlgorithm} - */ - public SignatureAndHashAlgorithm(short hash, short signature) - { - if (!TlsUtils.isValidUint8(hash)) - { - throw new IllegalArgumentException("'hash' should be a uint8"); - } - if (!TlsUtils.isValidUint8(signature)) - { - throw new IllegalArgumentException("'signature' should be a uint8"); - } - if (signature == SignatureAlgorithm.anonymous) - { - throw new IllegalArgumentException("'signature' MUST NOT be \"anonymous\""); - } - - this.hash = hash; - this.signature = signature; - } - - /** - * @return {@link HashAlgorithm} - */ - public short getHash() - { - return hash; - } - - /** - * @return {@link SignatureAlgorithm} - */ - public short getSignature() - { - return signature; - } - - public boolean equals(Object obj) - { - if (!(obj instanceof SignatureAndHashAlgorithm)) - { - return false; - } - SignatureAndHashAlgorithm other = (SignatureAndHashAlgorithm)obj; - return other.getHash() == getHash() && other.getSignature() == getSignature(); - } - - public int hashCode() - { - return (getHash() << 16) | getSignature(); - } - - /** - * Encode this {@link SignatureAndHashAlgorithm} to an {@link OutputStream}. - * - * @param output the {@link OutputStream} to encode to. - * @throws IOException - */ - public void encode(OutputStream output) - throws IOException - { - TlsUtils.writeUint8(getHash(), output); - TlsUtils.writeUint8(getSignature(), output); - } - - /** - * Parse a {@link SignatureAndHashAlgorithm} from an {@link InputStream}. - * - * @param input the {@link InputStream} to parse from. - * @return a {@link SignatureAndHashAlgorithm} object. - * @throws IOException - */ - public static SignatureAndHashAlgorithm parse(InputStream input) - throws IOException - { - short hash = TlsUtils.readUint8(input); - short signature = TlsUtils.readUint8(input); - return new SignatureAndHashAlgorithm(hash, signature); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/SignerInputBuffer.java b/core/src/main/java/org/bouncycastle/crypto/tls/SignerInputBuffer.java deleted file mode 100644 index 8293135f..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/SignerInputBuffer.java +++ /dev/null @@ -1,13 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.ByteArrayOutputStream; - -import org.bouncycastle.crypto.Signer; - -class SignerInputBuffer extends ByteArrayOutputStream -{ - void updateSigner(Signer s) - { - s.update(this.buf, 0, count); - } -}
\ No newline at end of file diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/SupplementalDataEntry.java b/core/src/main/java/org/bouncycastle/crypto/tls/SupplementalDataEntry.java deleted file mode 100644 index 4080aaa9..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/SupplementalDataEntry.java +++ /dev/null @@ -1,23 +0,0 @@ -package org.bouncycastle.crypto.tls; - -public class SupplementalDataEntry -{ - protected int dataType; - protected byte[] data; - - public SupplementalDataEntry(int dataType, byte[] data) - { - this.dataType = dataType; - this.data = data; - } - - public int getDataType() - { - return dataType; - } - - public byte[] getData() - { - return data; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/SupplementalDataType.java b/core/src/main/java/org/bouncycastle/crypto/tls/SupplementalDataType.java deleted file mode 100644 index 218f36b1..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/SupplementalDataType.java +++ /dev/null @@ -1,12 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/** - * RFC 4680 - */ -public class SupplementalDataType -{ - /* - * RFC 4681 - */ - public static final int user_mapping_data = 0; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsAEADCipher.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsAEADCipher.java deleted file mode 100644 index bb9306a1..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsAEADCipher.java +++ /dev/null @@ -1,193 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -import org.bouncycastle.crypto.modes.AEADBlockCipher; -import org.bouncycastle.crypto.params.AEADParameters; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.util.Arrays; - -public class TlsAEADCipher - implements TlsCipher -{ - protected TlsContext context; - protected int macSize; - protected int nonce_explicit_length; - - protected AEADBlockCipher encryptCipher; - protected AEADBlockCipher decryptCipher; - - protected byte[] encryptImplicitNonce, decryptImplicitNonce; - - public TlsAEADCipher(TlsContext context, AEADBlockCipher clientWriteCipher, AEADBlockCipher serverWriteCipher, - int cipherKeySize, int macSize) throws IOException - { - if (!TlsUtils.isTLSv12(context)) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - this.context = context; - this.macSize = macSize; - - // NOTE: Valid for RFC 5288/6655 ciphers but may need review for other AEAD ciphers - this.nonce_explicit_length = 8; - - // TODO SecurityParameters.fixed_iv_length - int fixed_iv_length = 4; - - int key_block_size = (2 * cipherKeySize) + (2 * fixed_iv_length); - - byte[] key_block = TlsUtils.calculateKeyBlock(context, key_block_size); - - int offset = 0; - - KeyParameter client_write_key = new KeyParameter(key_block, offset, cipherKeySize); - offset += cipherKeySize; - KeyParameter server_write_key = new KeyParameter(key_block, offset, cipherKeySize); - offset += cipherKeySize; - byte[] client_write_IV = Arrays.copyOfRange(key_block, offset, offset + fixed_iv_length); - offset += fixed_iv_length; - byte[] server_write_IV = Arrays.copyOfRange(key_block, offset, offset + fixed_iv_length); - offset += fixed_iv_length; - - if (offset != key_block_size) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - KeyParameter encryptKey, decryptKey; - if (context.isServer()) - { - this.encryptCipher = serverWriteCipher; - this.decryptCipher = clientWriteCipher; - this.encryptImplicitNonce = server_write_IV; - this.decryptImplicitNonce = client_write_IV; - encryptKey = server_write_key; - decryptKey = client_write_key; - } - else - { - this.encryptCipher = clientWriteCipher; - this.decryptCipher = serverWriteCipher; - this.encryptImplicitNonce = client_write_IV; - this.decryptImplicitNonce = server_write_IV; - encryptKey = client_write_key; - decryptKey = server_write_key; - } - - byte[] dummyNonce = new byte[fixed_iv_length + nonce_explicit_length]; - - this.encryptCipher.init(true, new AEADParameters(encryptKey, 8 * macSize, dummyNonce)); - this.decryptCipher.init(false, new AEADParameters(decryptKey, 8 * macSize, dummyNonce)); - } - - public int getPlaintextLimit(int ciphertextLimit) - { - // TODO We ought to be able to ask the decryptCipher (independently of it's current state!) - return ciphertextLimit - macSize - nonce_explicit_length; - } - - public byte[] encodePlaintext(long seqNo, short type, byte[] plaintext, int offset, int len) - throws IOException - { - byte[] nonce = new byte[this.encryptImplicitNonce.length + nonce_explicit_length]; - System.arraycopy(encryptImplicitNonce, 0, nonce, 0, encryptImplicitNonce.length); - - /* - * RFC 5288/6655 The nonce_explicit MAY be the 64-bit sequence number. - * - * (May need review for other AEAD ciphers). - */ - TlsUtils.writeUint64(seqNo, nonce, encryptImplicitNonce.length); - - int plaintextOffset = offset; - int plaintextLength = len; - int ciphertextLength = encryptCipher.getOutputSize(plaintextLength); - - byte[] output = new byte[nonce_explicit_length + ciphertextLength]; - System.arraycopy(nonce, encryptImplicitNonce.length, output, 0, nonce_explicit_length); - int outputPos = nonce_explicit_length; - - byte[] additionalData = getAdditionalData(seqNo, type, plaintextLength); - AEADParameters parameters = new AEADParameters(null, 8 * macSize, nonce, additionalData); - - try - { - encryptCipher.init(true, parameters); - outputPos += encryptCipher.processBytes(plaintext, plaintextOffset, plaintextLength, output, outputPos); - outputPos += encryptCipher.doFinal(output, outputPos); - } - catch (Exception e) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - if (outputPos != output.length) - { - // NOTE: Existing AEAD cipher implementations all give exact output lengths - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - return output; - } - - public byte[] decodeCiphertext(long seqNo, short type, byte[] ciphertext, int offset, int len) - throws IOException - { - if (getPlaintextLimit(len) < 0) - { - throw new TlsFatalAlert(AlertDescription.decode_error); - } - - byte[] nonce = new byte[this.decryptImplicitNonce.length + nonce_explicit_length]; - System.arraycopy(decryptImplicitNonce, 0, nonce, 0, decryptImplicitNonce.length); - System.arraycopy(ciphertext, offset, nonce, decryptImplicitNonce.length, nonce_explicit_length); - - int ciphertextOffset = offset + nonce_explicit_length; - int ciphertextLength = len - nonce_explicit_length; - int plaintextLength = decryptCipher.getOutputSize(ciphertextLength); - - byte[] output = new byte[plaintextLength]; - int outputPos = 0; - - byte[] additionalData = getAdditionalData(seqNo, type, plaintextLength); - AEADParameters parameters = new AEADParameters(null, 8 * macSize, nonce, additionalData); - - try - { - decryptCipher.init(false, parameters); - outputPos += decryptCipher.processBytes(ciphertext, ciphertextOffset, ciphertextLength, output, outputPos); - outputPos += decryptCipher.doFinal(output, outputPos); - } - catch (Exception e) - { - throw new TlsFatalAlert(AlertDescription.bad_record_mac); - } - - if (outputPos != output.length) - { - // NOTE: Existing AEAD cipher implementations all give exact output lengths - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - return output; - } - - protected byte[] getAdditionalData(long seqNo, short type, int len) - throws IOException - { - /* - * additional_data = seq_num + TLSCompressed.type + TLSCompressed.version + - * TLSCompressed.length - */ - - byte[] additional_data = new byte[13]; - TlsUtils.writeUint64(seqNo, additional_data, 0); - TlsUtils.writeUint8(type, additional_data, 8); - TlsUtils.writeVersion(context.getServerVersion(), additional_data, 9); - TlsUtils.writeUint16(len, additional_data, 11); - - return additional_data; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsAgreementCredentials.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsAgreementCredentials.java deleted file mode 100644 index 525cdb38..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsAgreementCredentials.java +++ /dev/null @@ -1,12 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; - -public interface TlsAgreementCredentials - extends TlsCredentials -{ - byte[] generateAgreement(AsymmetricKeyParameter peerPublicKey) - throws IOException; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsAuthentication.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsAuthentication.java deleted file mode 100755 index 62c2616e..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsAuthentication.java +++ /dev/null @@ -1,26 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -public interface TlsAuthentication -{ - /** - * Called by the protocol handler to report the server certificate - * Note: this method is responsible for certificate verification and validation - * - * @param serverCertificate the server certificate received - * @throws IOException - */ - void notifyServerCertificate(Certificate serverCertificate) - throws IOException; - - /** - * Return client credentials in response to server's certificate request - * - * @param certificateRequest details of the certificate request - * @return a TlsCredentials object or null for no client authentication - * @throws IOException - */ - TlsCredentials getClientCredentials(CertificateRequest certificateRequest) - throws IOException; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsBlockCipher.java deleted file mode 100644 index 9a79226c..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsBlockCipher.java +++ /dev/null @@ -1,386 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.BlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.ParametersWithIV; -import org.bouncycastle.util.Arrays; - -/** - * A generic TLS 1.0-1.2 / SSLv3 block cipher. This can be used for AES or 3DES for example. - */ -public class TlsBlockCipher - implements TlsCipher -{ - protected TlsContext context; - protected byte[] randomData; - protected boolean useExplicitIV; - private boolean encryptThenMAC; - - protected BlockCipher encryptCipher; - protected BlockCipher decryptCipher; - - protected TlsMac writeMac; - protected TlsMac readMac; - - public TlsMac getWriteMac() - { - return writeMac; - } - - public TlsMac getReadMac() - { - return readMac; - } - - public TlsBlockCipher(TlsContext context, BlockCipher clientWriteCipher, BlockCipher serverWriteCipher, - Digest clientWriteDigest, Digest serverWriteDigest, int cipherKeySize) throws IOException - { - this.context = context; - - this.randomData = new byte[256]; - context.getNonceRandomGenerator().nextBytes(randomData); - - this.useExplicitIV = TlsUtils.isTLSv11(context); - this.encryptThenMAC = context.getSecurityParameters().encryptThenMAC; - - int key_block_size = (2 * cipherKeySize) + clientWriteDigest.getDigestSize() - + serverWriteDigest.getDigestSize(); - - // From TLS 1.1 onwards, block ciphers don't need client_write_IV - if (!useExplicitIV) - { - key_block_size += clientWriteCipher.getBlockSize() + serverWriteCipher.getBlockSize(); - } - - byte[] key_block = TlsUtils.calculateKeyBlock(context, key_block_size); - - int offset = 0; - - TlsMac clientWriteMac = new TlsMac(context, clientWriteDigest, key_block, offset, - clientWriteDigest.getDigestSize()); - offset += clientWriteDigest.getDigestSize(); - TlsMac serverWriteMac = new TlsMac(context, serverWriteDigest, key_block, offset, - serverWriteDigest.getDigestSize()); - offset += serverWriteDigest.getDigestSize(); - - KeyParameter client_write_key = new KeyParameter(key_block, offset, cipherKeySize); - offset += cipherKeySize; - KeyParameter server_write_key = new KeyParameter(key_block, offset, cipherKeySize); - offset += cipherKeySize; - - byte[] client_write_IV, server_write_IV; - if (useExplicitIV) - { - client_write_IV = new byte[clientWriteCipher.getBlockSize()]; - server_write_IV = new byte[serverWriteCipher.getBlockSize()]; - } - else - { - client_write_IV = Arrays.copyOfRange(key_block, offset, offset + clientWriteCipher.getBlockSize()); - offset += clientWriteCipher.getBlockSize(); - server_write_IV = Arrays.copyOfRange(key_block, offset, offset + serverWriteCipher.getBlockSize()); - offset += serverWriteCipher.getBlockSize(); - } - - if (offset != key_block_size) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - CipherParameters encryptParams, decryptParams; - if (context.isServer()) - { - this.writeMac = serverWriteMac; - this.readMac = clientWriteMac; - this.encryptCipher = serverWriteCipher; - this.decryptCipher = clientWriteCipher; - encryptParams = new ParametersWithIV(server_write_key, server_write_IV); - decryptParams = new ParametersWithIV(client_write_key, client_write_IV); - } - else - { - this.writeMac = clientWriteMac; - this.readMac = serverWriteMac; - this.encryptCipher = clientWriteCipher; - this.decryptCipher = serverWriteCipher; - encryptParams = new ParametersWithIV(client_write_key, client_write_IV); - decryptParams = new ParametersWithIV(server_write_key, server_write_IV); - } - - this.encryptCipher.init(true, encryptParams); - this.decryptCipher.init(false, decryptParams); - } - - public int getPlaintextLimit(int ciphertextLimit) - { - int blockSize = encryptCipher.getBlockSize(); - int macSize = writeMac.getSize(); - - int plaintextLimit = ciphertextLimit; - - // An explicit IV consumes 1 block - if (useExplicitIV) - { - plaintextLimit -= blockSize; - } - - // Leave room for the MAC, and require block-alignment - if (encryptThenMAC) - { - plaintextLimit -= macSize; - plaintextLimit -= plaintextLimit % blockSize; - } - else - { - plaintextLimit -= plaintextLimit % blockSize; - plaintextLimit -= macSize; - } - - // Minimum 1 byte of padding - --plaintextLimit; - - return plaintextLimit; - } - - public byte[] encodePlaintext(long seqNo, short type, byte[] plaintext, int offset, int len) - { - int blockSize = encryptCipher.getBlockSize(); - int macSize = writeMac.getSize(); - - ProtocolVersion version = context.getServerVersion(); - - int enc_input_length = len; - if (!encryptThenMAC) - { - enc_input_length += macSize; - } - - int padding_length = blockSize - 1 - (enc_input_length % blockSize); - - // TODO[DTLS] Consider supporting in DTLS (without exceeding send limit though) - if (!version.isDTLS() && !version.isSSL()) - { - // Add a random number of extra blocks worth of padding - int maxExtraPadBlocks = (255 - padding_length) / blockSize; - int actualExtraPadBlocks = chooseExtraPadBlocks(context.getSecureRandom(), maxExtraPadBlocks); - padding_length += actualExtraPadBlocks * blockSize; - } - - int totalSize = len + macSize + padding_length + 1; - if (useExplicitIV) - { - totalSize += blockSize; - } - - byte[] outBuf = new byte[totalSize]; - int outOff = 0; - - if (useExplicitIV) - { - byte[] explicitIV = new byte[blockSize]; - context.getNonceRandomGenerator().nextBytes(explicitIV); - - encryptCipher.init(true, new ParametersWithIV(null, explicitIV)); - - System.arraycopy(explicitIV, 0, outBuf, outOff, blockSize); - outOff += blockSize; - } - - int blocks_start = outOff; - - System.arraycopy(plaintext, offset, outBuf, outOff, len); - outOff += len; - - if (!encryptThenMAC) - { - byte[] mac = writeMac.calculateMac(seqNo, type, plaintext, offset, len); - System.arraycopy(mac, 0, outBuf, outOff, mac.length); - outOff += mac.length; - } - - for (int i = 0; i <= padding_length; i++) - { - outBuf[outOff++] = (byte)padding_length; - } - - for (int i = blocks_start; i < outOff; i += blockSize) - { - encryptCipher.processBlock(outBuf, i, outBuf, i); - } - - if (encryptThenMAC) - { - byte[] mac = writeMac.calculateMac(seqNo, type, outBuf, 0, outOff); - System.arraycopy(mac, 0, outBuf, outOff, mac.length); - outOff += mac.length; - } - -// assert outBuf.length == outOff; - - return outBuf; - } - - public byte[] decodeCiphertext(long seqNo, short type, byte[] ciphertext, int offset, int len) - throws IOException - { - int blockSize = decryptCipher.getBlockSize(); - int macSize = readMac.getSize(); - - int minLen = blockSize; - if (encryptThenMAC) - { - minLen += macSize; - } - else - { - minLen = Math.max(minLen, macSize + 1); - } - - if (useExplicitIV) - { - minLen += blockSize; - } - - if (len < minLen) - { - throw new TlsFatalAlert(AlertDescription.decode_error); - } - - int blocks_length = len; - if (encryptThenMAC) - { - blocks_length -= macSize; - } - - if (blocks_length % blockSize != 0) - { - throw new TlsFatalAlert(AlertDescription.decryption_failed); - } - - if (encryptThenMAC) - { - int end = offset + len; - byte[] receivedMac = Arrays.copyOfRange(ciphertext, end - macSize, end); - byte[] calculatedMac = readMac.calculateMac(seqNo, type, ciphertext, offset, len - macSize); - - boolean badMac = !Arrays.constantTimeAreEqual(calculatedMac, receivedMac); - - if (badMac) - { - throw new TlsFatalAlert(AlertDescription.bad_record_mac); - } - } - - if (useExplicitIV) - { - decryptCipher.init(false, new ParametersWithIV(null, ciphertext, offset, blockSize)); - - offset += blockSize; - blocks_length -= blockSize; - } - - for (int i = 0; i < blocks_length; i += blockSize) - { - decryptCipher.processBlock(ciphertext, offset + i, ciphertext, offset + i); - } - - // If there's anything wrong with the padding, this will return zero - int totalPad = checkPaddingConstantTime(ciphertext, offset, blocks_length, blockSize, encryptThenMAC ? 0 : macSize); - - int dec_output_length = blocks_length - totalPad; - - if (!encryptThenMAC) - { - dec_output_length -= macSize; - int macInputLen = dec_output_length; - int macOff = offset + macInputLen; - byte[] receivedMac = Arrays.copyOfRange(ciphertext, macOff, macOff + macSize); - byte[] calculatedMac = readMac.calculateMacConstantTime(seqNo, type, ciphertext, offset, macInputLen, - blocks_length - macSize, randomData); - - boolean badMac = !Arrays.constantTimeAreEqual(calculatedMac, receivedMac); - - if (badMac || totalPad == 0) - { - throw new TlsFatalAlert(AlertDescription.bad_record_mac); - } - } - - return Arrays.copyOfRange(ciphertext, offset, offset + dec_output_length); - } - - protected int checkPaddingConstantTime(byte[] buf, int off, int len, int blockSize, int macSize) - { - int end = off + len; - byte lastByte = buf[end - 1]; - int padlen = lastByte & 0xff; - int totalPad = padlen + 1; - - int dummyIndex = 0; - byte padDiff = 0; - - if ((TlsUtils.isSSL(context) && totalPad > blockSize) || (macSize + totalPad > len)) - { - totalPad = 0; - } - else - { - int padPos = end - totalPad; - do - { - padDiff |= (buf[padPos++] ^ lastByte); - } - while (padPos < end); - - dummyIndex = totalPad; - - if (padDiff != 0) - { - totalPad = 0; - } - } - - // Run some extra dummy checks so the number of checks is always constant - { - byte[] dummyPad = randomData; - while (dummyIndex < 256) - { - padDiff |= (dummyPad[dummyIndex++] ^ lastByte); - } - // Ensure the above loop is not eliminated - dummyPad[0] ^= padDiff; - } - - return totalPad; - } - - protected int chooseExtraPadBlocks(SecureRandom r, int max) - { - // return r.nextInt(max + 1); - - int x = r.nextInt(); - int n = lowestBitSet(x); - return Math.min(n, max); - } - - protected int lowestBitSet(int x) - { - if (x == 0) - { - return 32; - } - - int n = 0; - while ((x & 1) == 0) - { - ++n; - x >>= 1; - } - return n; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsCipher.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsCipher.java deleted file mode 100644 index 2f0af080..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsCipher.java +++ /dev/null @@ -1,14 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -public interface TlsCipher -{ - int getPlaintextLimit(int ciphertextLimit); - - byte[] encodePlaintext(long seqNo, short type, byte[] plaintext, int offset, int len) - throws IOException; - - byte[] decodeCiphertext(long seqNo, short type, byte[] ciphertext, int offset, int len) - throws IOException; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsCipherFactory.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsCipherFactory.java deleted file mode 100644 index 74074747..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsCipherFactory.java +++ /dev/null @@ -1,12 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -public interface TlsCipherFactory -{ - /** - * See enumeration classes EncryptionAlgorithm, MACAlgorithm for appropriate argument values - */ - TlsCipher createCipher(TlsContext context, int encryptionAlgorithm, int macAlgorithm) - throws IOException; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsClient.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsClient.java deleted file mode 100644 index 8b29c1f7..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsClient.java +++ /dev/null @@ -1,79 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.util.Hashtable; -import java.util.Vector; - -public interface TlsClient - extends TlsPeer -{ - void init(TlsClientContext context); - - /** - * Return the session this client wants to resume, if any. Note that the peer's certificate - * chain for the session (if any) may need to be periodically revalidated. - * - * @return A {@link TlsSession} representing the resumable session to be used for this - * connection, or null to use a new session. - * @see SessionParameters#getPeerCertificate() - */ - TlsSession getSessionToResume(); - - ProtocolVersion getClientHelloRecordLayerVersion(); - - ProtocolVersion getClientVersion(); - - int[] getCipherSuites(); - - short[] getCompressionMethods(); - - // Hashtable is (Integer -> byte[]) - Hashtable getClientExtensions() - throws IOException; - - void notifyServerVersion(ProtocolVersion selectedVersion) - throws IOException; - - /** - * Notifies the client of the session_id sent in the ServerHello. - * - * @param sessionID - * @see TlsContext#getResumableSession() - */ - void notifySessionID(byte[] sessionID); - - void notifySelectedCipherSuite(int selectedCipherSuite); - - void notifySelectedCompressionMethod(short selectedCompressionMethod); - - // Hashtable is (Integer -> byte[]) - void processServerExtensions(Hashtable serverExtensions) - throws IOException; - - // Vector is (SupplementalDataEntry) - void processServerSupplementalData(Vector serverSupplementalData) - throws IOException; - - TlsKeyExchange getKeyExchange() - throws IOException; - - TlsAuthentication getAuthentication() - throws IOException; - - // Vector is (SupplementalDataEntry) - Vector getClientSupplementalData() - throws IOException; - - /** - * RFC 5077 3.3. NewSessionTicket Handshake Message - * <p> - * This method will be called (only) when a NewSessionTicket handshake message is received. The - * ticket is opaque to the client and clients MUST NOT examine the ticket under the assumption - * that it complies with e.g. <i>RFC 5077 4. Recommended Ticket Construction</i>. - * - * @param newSessionTicket The ticket. - * @throws IOException - */ - void notifyNewSessionTicket(NewSessionTicket newSessionTicket) - throws IOException; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientContext.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientContext.java deleted file mode 100644 index db9f15b7..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientContext.java +++ /dev/null @@ -1,6 +0,0 @@ -package org.bouncycastle.crypto.tls; - -public interface TlsClientContext - extends TlsContext -{ -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientContextImpl.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientContextImpl.java deleted file mode 100644 index b3201443..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientContextImpl.java +++ /dev/null @@ -1,18 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.security.SecureRandom; - -class TlsClientContextImpl - extends AbstractTlsContext - implements TlsClientContext -{ - TlsClientContextImpl(SecureRandom secureRandom, SecurityParameters securityParameters) - { - super(secureRandom, securityParameters); - } - - public boolean isServer() - { - return false; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java deleted file mode 100644 index d4d19ef7..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java +++ /dev/null @@ -1,917 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.ByteArrayInputStream; -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; -import java.security.SecureRandom; -import java.util.Enumeration; -import java.util.Hashtable; -import java.util.Vector; - -import org.bouncycastle.crypto.prng.ThreadedSeedGenerator; -import org.bouncycastle.util.Arrays; - -public class TlsClientProtocol - extends TlsProtocol -{ - protected TlsClient tlsClient = null; - protected TlsClientContextImpl tlsClientContext = null; - - protected byte[] selectedSessionID = null; - - protected TlsKeyExchange keyExchange = null; - protected TlsAuthentication authentication = null; - - protected CertificateStatus certificateStatus = null; - protected CertificateRequest certificateRequest = null; - - private static SecureRandom createSecureRandom() - { - /* - * We use our threaded seed generator to generate a good random seed. If the user has a - * better random seed, he should use the constructor with a SecureRandom. - */ - ThreadedSeedGenerator tsg = new ThreadedSeedGenerator(); - SecureRandom random = new SecureRandom(); - - /* - * Hopefully, 20 bytes in fast mode are good enough. - */ - random.setSeed(tsg.generateSeed(20, true)); - - return random; - } - - /** - * @deprecated use alternate constructor taking an explicit {@link SecureRandom} - */ - public TlsClientProtocol(InputStream input, OutputStream output) - { - this(input, output, createSecureRandom()); - } - - public TlsClientProtocol(InputStream input, OutputStream output, SecureRandom secureRandom) - { - super(input, output, secureRandom); - } - - /** - * Initiates a TLS handshake in the role of client - * - * @param tlsClient The {@link TlsClient} to use for the handshake. - * @throws IOException If handshake was not successful. - */ - public void connect(TlsClient tlsClient) throws IOException - { - if (tlsClient == null) - { - throw new IllegalArgumentException("'tlsClient' cannot be null"); - } - if (this.tlsClient != null) - { - throw new IllegalStateException("'connect' can only be called once"); - } - - this.tlsClient = tlsClient; - - this.securityParameters = new SecurityParameters(); - this.securityParameters.entity = ConnectionEnd.client; - - this.tlsClientContext = new TlsClientContextImpl(secureRandom, securityParameters); - - this.securityParameters.clientRandom = createRandomBlock(tlsClient.shouldUseGMTUnixTime(), - tlsClientContext.getNonceRandomGenerator()); - - this.tlsClient.init(tlsClientContext); - this.recordStream.init(tlsClientContext); - - TlsSession sessionToResume = tlsClient.getSessionToResume(); - if (sessionToResume != null) - { - SessionParameters sessionParameters = sessionToResume.exportSessionParameters(); - if (sessionParameters != null) - { - this.tlsSession = sessionToResume; - this.sessionParameters = sessionParameters; - } - } - - sendClientHelloMessage(); - this.connection_state = CS_CLIENT_HELLO; - - completeHandshake(); - } - - protected void cleanupHandshake() - { - super.cleanupHandshake(); - - this.selectedSessionID = null; - this.keyExchange = null; - this.authentication = null; - this.certificateStatus = null; - this.certificateRequest = null; - } - - protected AbstractTlsContext getContext() - { - return tlsClientContext; - } - - protected TlsPeer getPeer() - { - return tlsClient; - } - - protected void handleHandshakeMessage(short type, byte[] data) - throws IOException - { - ByteArrayInputStream buf = new ByteArrayInputStream(data); - - if (this.resumedSession) - { - if (type != HandshakeType.finished || this.connection_state != CS_SERVER_HELLO) - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - - processFinishedMessage(buf); - this.connection_state = CS_SERVER_FINISHED; - - sendFinishedMessage(); - this.connection_state = CS_CLIENT_FINISHED; - this.connection_state = CS_END; - - return; - } - - switch (type) - { - case HandshakeType.certificate: - { - switch (this.connection_state) - { - case CS_SERVER_HELLO: - { - handleSupplementalData(null); - // NB: Fall through to next case label - } - case CS_SERVER_SUPPLEMENTAL_DATA: - { - // Parse the Certificate message and send to cipher suite - - this.peerCertificate = Certificate.parse(buf); - - assertEmpty(buf); - - // TODO[RFC 3546] Check whether empty certificates is possible, allowed, or excludes CertificateStatus - if (this.peerCertificate == null || this.peerCertificate.isEmpty()) - { - this.allowCertificateStatus = false; - } - - this.keyExchange.processServerCertificate(this.peerCertificate); - - this.authentication = tlsClient.getAuthentication(); - this.authentication.notifyServerCertificate(this.peerCertificate); - - break; - } - default: - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - - this.connection_state = CS_SERVER_CERTIFICATE; - break; - } - case HandshakeType.certificate_status: - { - switch (this.connection_state) - { - case CS_SERVER_CERTIFICATE: - { - if (!this.allowCertificateStatus) - { - /* - * RFC 3546 3.6. If a server returns a "CertificateStatus" message, then the - * server MUST have included an extension of type "status_request" with empty - * "extension_data" in the extended server hello.. - */ - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - - this.certificateStatus = CertificateStatus.parse(buf); - - assertEmpty(buf); - - // TODO[RFC 3546] Figure out how to provide this to the client/authentication. - - this.connection_state = CS_CERTIFICATE_STATUS; - break; - } - default: - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - break; - } - case HandshakeType.finished: - { - switch (this.connection_state) - { - case CS_CLIENT_FINISHED: - { - if (this.expectSessionTicket) - { - /* - * RFC 5077 3.3. This message MUST be sent if the server included a - * SessionTicket extension in the ServerHello. - */ - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - - // NB: Fall through to next case label - } - case CS_SERVER_SESSION_TICKET: - { - processFinishedMessage(buf); - this.connection_state = CS_SERVER_FINISHED; - this.connection_state = CS_END; - break; - } - default: - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - break; - } - case HandshakeType.server_hello: - { - switch (this.connection_state) - { - case CS_CLIENT_HELLO: - { - receiveServerHelloMessage(buf); - this.connection_state = CS_SERVER_HELLO; - - if (this.securityParameters.maxFragmentLength >= 0) - { - int plainTextLimit = 1 << (8 + this.securityParameters.maxFragmentLength); - recordStream.setPlaintextLimit(plainTextLimit); - } - - this.securityParameters.prfAlgorithm = getPRFAlgorithm(getContext(), - this.securityParameters.getCipherSuite()); - - /* - * RFC 5264 7.4.9. Any cipher suite which does not explicitly specify - * verify_data_length has a verify_data_length equal to 12. This includes all - * existing cipher suites. - */ - this.securityParameters.verifyDataLength = 12; - - this.recordStream.notifyHelloComplete(); - - if (this.resumedSession) - { - this.securityParameters.masterSecret = Arrays.clone(this.sessionParameters.getMasterSecret()); - this.recordStream.setPendingConnectionState(getPeer().getCompression(), getPeer().getCipher()); - - sendChangeCipherSpecMessage(); - } - else - { - invalidateSession(); - - if (this.selectedSessionID.length > 0) - { - this.tlsSession = new TlsSessionImpl(this.selectedSessionID, null); - } - } - - break; - } - default: - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - break; - } - case HandshakeType.supplemental_data: - { - switch (this.connection_state) - { - case CS_SERVER_HELLO: - { - handleSupplementalData(readSupplementalDataMessage(buf)); - break; - } - default: - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - break; - } - case HandshakeType.server_hello_done: - { - switch (this.connection_state) - { - case CS_SERVER_HELLO: - { - handleSupplementalData(null); - // NB: Fall through to next case label - } - case CS_SERVER_SUPPLEMENTAL_DATA: - { - // There was no server certificate message; check it's OK - this.keyExchange.skipServerCredentials(); - this.authentication = null; - - // NB: Fall through to next case label - } - case CS_SERVER_CERTIFICATE: - case CS_CERTIFICATE_STATUS: - { - // There was no server key exchange message; check it's OK - this.keyExchange.skipServerKeyExchange(); - - // NB: Fall through to next case label - } - case CS_SERVER_KEY_EXCHANGE: - case CS_CERTIFICATE_REQUEST: - { - assertEmpty(buf); - - this.connection_state = CS_SERVER_HELLO_DONE; - - this.recordStream.getHandshakeHash().sealHashAlgorithms(); - - Vector clientSupplementalData = tlsClient.getClientSupplementalData(); - if (clientSupplementalData != null) - { - sendSupplementalDataMessage(clientSupplementalData); - } - this.connection_state = CS_CLIENT_SUPPLEMENTAL_DATA; - - TlsCredentials clientCreds = null; - if (certificateRequest == null) - { - this.keyExchange.skipClientCredentials(); - } - else - { - clientCreds = this.authentication.getClientCredentials(certificateRequest); - - if (clientCreds == null) - { - this.keyExchange.skipClientCredentials(); - - /* - * RFC 5246 If no suitable certificate is available, the client MUST send a - * certificate message containing no certificates. - * - * NOTE: In previous RFCs, this was SHOULD instead of MUST. - */ - sendCertificateMessage(Certificate.EMPTY_CHAIN); - } - else - { - this.keyExchange.processClientCredentials(clientCreds); - - sendCertificateMessage(clientCreds.getCertificate()); - } - } - - this.connection_state = CS_CLIENT_CERTIFICATE; - - /* - * Send the client key exchange message, depending on the key exchange we are using - * in our CipherSuite. - */ - sendClientKeyExchangeMessage(); - this.connection_state = CS_CLIENT_KEY_EXCHANGE; - - establishMasterSecret(getContext(), keyExchange); - recordStream.setPendingConnectionState(getPeer().getCompression(), getPeer().getCipher()); - - TlsHandshakeHash prepareFinishHash = recordStream.prepareToFinish(); - - if (clientCreds != null && clientCreds instanceof TlsSignerCredentials) - { - TlsSignerCredentials signerCredentials = (TlsSignerCredentials)clientCreds; - - /* - * RFC 5246 4.7. digitally-signed element needs SignatureAndHashAlgorithm from TLS 1.2 - */ - SignatureAndHashAlgorithm signatureAndHashAlgorithm; - byte[] hash; - - if (TlsUtils.isTLSv12(getContext())) - { - signatureAndHashAlgorithm = signerCredentials.getSignatureAndHashAlgorithm(); - if (signatureAndHashAlgorithm == null) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - hash = prepareFinishHash.getFinalHash(signatureAndHashAlgorithm.getHash()); - } - else - { - signatureAndHashAlgorithm = null; - hash = getCurrentPRFHash(getContext(), prepareFinishHash, null); - } - - byte[] signature = signerCredentials.generateCertificateSignature(hash); - DigitallySigned certificateVerify = new DigitallySigned(signatureAndHashAlgorithm, signature); - sendCertificateVerifyMessage(certificateVerify); - - this.connection_state = CS_CERTIFICATE_VERIFY; - } - - sendChangeCipherSpecMessage(); - sendFinishedMessage(); - this.connection_state = CS_CLIENT_FINISHED; - break; - } - default: - throw new TlsFatalAlert(AlertDescription.handshake_failure); - } - break; - } - case HandshakeType.server_key_exchange: - { - switch (this.connection_state) - { - case CS_SERVER_HELLO: - { - handleSupplementalData(null); - // NB: Fall through to next case label - } - case CS_SERVER_SUPPLEMENTAL_DATA: - { - // There was no server certificate message; check it's OK - this.keyExchange.skipServerCredentials(); - this.authentication = null; - - // NB: Fall through to next case label - } - case CS_SERVER_CERTIFICATE: - case CS_CERTIFICATE_STATUS: - { - this.keyExchange.processServerKeyExchange(buf); - - assertEmpty(buf); - break; - } - default: - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - - this.connection_state = CS_SERVER_KEY_EXCHANGE; - break; - } - case HandshakeType.certificate_request: - { - switch (this.connection_state) - { - case CS_SERVER_CERTIFICATE: - case CS_CERTIFICATE_STATUS: - { - // There was no server key exchange message; check it's OK - this.keyExchange.skipServerKeyExchange(); - - // NB: Fall through to next case label - } - case CS_SERVER_KEY_EXCHANGE: - { - if (this.authentication == null) - { - /* - * RFC 2246 7.4.4. It is a fatal handshake_failure alert for an anonymous server - * to request client identification. - */ - throw new TlsFatalAlert(AlertDescription.handshake_failure); - } - - this.certificateRequest = CertificateRequest.parse(getContext(), buf); - - assertEmpty(buf); - - this.keyExchange.validateCertificateRequest(this.certificateRequest); - - /* - * TODO Give the client a chance to immediately select the CertificateVerify hash - * algorithm here to avoid tracking the other hash algorithms unnecessarily? - */ - TlsUtils.trackHashAlgorithms(this.recordStream.getHandshakeHash(), - this.certificateRequest.getSupportedSignatureAlgorithms()); - - break; - } - default: - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - - this.connection_state = CS_CERTIFICATE_REQUEST; - break; - } - case HandshakeType.session_ticket: - { - switch (this.connection_state) - { - case CS_CLIENT_FINISHED: - { - if (!this.expectSessionTicket) - { - /* - * RFC 5077 3.3. This message MUST NOT be sent if the server did not include a - * SessionTicket extension in the ServerHello. - */ - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - - /* - * RFC 5077 3.4. If the client receives a session ticket from the server, then it - * discards any Session ID that was sent in the ServerHello. - */ - invalidateSession(); - - receiveNewSessionTicketMessage(buf); - this.connection_state = CS_SERVER_SESSION_TICKET; - break; - } - default: - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - } - case HandshakeType.hello_request: - { - assertEmpty(buf); - - /* - * RFC 2246 7.4.1.1 Hello request This message will be ignored by the client if the - * client is currently negotiating a session. This message may be ignored by the client - * if it does not wish to renegotiate a session, or the client may, if it wishes, - * respond with a no_renegotiation alert. - */ - if (this.connection_state == CS_END) - { - /* - * RFC 5746 4.5 SSLv3 clients that refuse renegotiation SHOULD use a fatal - * handshake_failure alert. - */ - if (TlsUtils.isSSL(getContext())) - { - throw new TlsFatalAlert(AlertDescription.handshake_failure); - } - - String message = "Renegotiation not supported"; - raiseWarning(AlertDescription.no_renegotiation, message); - } - break; - } - case HandshakeType.client_hello: - case HandshakeType.client_key_exchange: - case HandshakeType.certificate_verify: - case HandshakeType.hello_verify_request: - default: - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - } - - protected void handleSupplementalData(Vector serverSupplementalData) - throws IOException - { - this.tlsClient.processServerSupplementalData(serverSupplementalData); - this.connection_state = CS_SERVER_SUPPLEMENTAL_DATA; - - this.keyExchange = tlsClient.getKeyExchange(); - this.keyExchange.init(getContext()); - } - - protected void receiveNewSessionTicketMessage(ByteArrayInputStream buf) - throws IOException - { - NewSessionTicket newSessionTicket = NewSessionTicket.parse(buf); - - TlsProtocol.assertEmpty(buf); - - tlsClient.notifyNewSessionTicket(newSessionTicket); - } - - protected void receiveServerHelloMessage(ByteArrayInputStream buf) - throws IOException - { - ProtocolVersion server_version = TlsUtils.readVersion(buf); - if (server_version.isDTLS()) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - // Check that this matches what the server is sending in the record layer - if (!server_version.equals(this.recordStream.getReadVersion())) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - ProtocolVersion client_version = getContext().getClientVersion(); - if (!server_version.isEqualOrEarlierVersionOf(client_version)) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - this.recordStream.setWriteVersion(server_version); - getContext().setServerVersion(server_version); - this.tlsClient.notifyServerVersion(server_version); - - /* - * Read the server random - */ - this.securityParameters.serverRandom = TlsUtils.readFully(32, buf); - - this.selectedSessionID = TlsUtils.readOpaque8(buf); - if (this.selectedSessionID.length > 32) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - this.tlsClient.notifySessionID(this.selectedSessionID); - - this.resumedSession = this.selectedSessionID.length > 0 && this.tlsSession != null - && Arrays.areEqual(this.selectedSessionID, this.tlsSession.getSessionID()); - - /* - * Find out which CipherSuite the server has chosen and check that it was one of the offered - * ones, and is a valid selection for the negotiated version. - */ - int selectedCipherSuite = TlsUtils.readUint16(buf); - if (!Arrays.contains(this.offeredCipherSuites, selectedCipherSuite) - || selectedCipherSuite == CipherSuite.TLS_NULL_WITH_NULL_NULL - || selectedCipherSuite == CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV - || !TlsUtils.isValidCipherSuiteForVersion(selectedCipherSuite, server_version)) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - this.tlsClient.notifySelectedCipherSuite(selectedCipherSuite); - - /* - * Find out which CompressionMethod the server has chosen and check that it was one of the - * offered ones. - */ - short selectedCompressionMethod = TlsUtils.readUint8(buf); - if (!Arrays.contains(this.offeredCompressionMethods, selectedCompressionMethod)) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - this.tlsClient.notifySelectedCompressionMethod(selectedCompressionMethod); - - /* - * RFC3546 2.2 The extended server hello message format MAY be sent in place of the server - * hello message when the client has requested extended functionality via the extended - * client hello message specified in Section 2.1. ... Note that the extended server hello - * message is only sent in response to an extended client hello message. This prevents the - * possibility that the extended server hello message could "break" existing TLS 1.0 - * clients. - */ - this.serverExtensions = readExtensions(buf); - - /* - * RFC 3546 2.2 Note that the extended server hello message is only sent in response to an - * extended client hello message. - * - * However, see RFC 5746 exception below. We always include the SCSV, so an Extended Server - * Hello is always allowed. - */ - if (this.serverExtensions != null) - { - Enumeration e = this.serverExtensions.keys(); - while (e.hasMoreElements()) - { - Integer extType = (Integer)e.nextElement(); - - /* - * RFC 5746 3.6. Note that sending a "renegotiation_info" extension in response to a - * ClientHello containing only the SCSV is an explicit exception to the prohibition - * in RFC 5246, Section 7.4.1.4, on the server sending unsolicited extensions and is - * only allowed because the client is signaling its willingness to receive the - * extension via the TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. - */ - if (extType.equals(EXT_RenegotiationInfo)) - { - continue; - } - - /* - * RFC 3546 2.3. If [...] the older session is resumed, then the server MUST ignore - * extensions appearing in the client hello, and send a server hello containing no - * extensions[.] - */ - if (this.resumedSession) - { - // TODO[compat-gnutls] GnuTLS test server sends server extensions e.g. ec_point_formats - // TODO[compat-openssl] OpenSSL test server sends server extensions e.g. ec_point_formats - // TODO[compat-polarssl] PolarSSL test server sends server extensions e.g. ec_point_formats -// throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - /* - * RFC 5246 7.4.1.4 An extension type MUST NOT appear in the ServerHello unless the - * same extension type appeared in the corresponding ClientHello. If a client - * receives an extension type in ServerHello that it did not request in the - * associated ClientHello, it MUST abort the handshake with an unsupported_extension - * fatal alert. - */ - if (null == TlsUtils.getExtensionData(this.clientExtensions, extType)) - { - throw new TlsFatalAlert(AlertDescription.unsupported_extension); - } - } - } - - /* - * RFC 5746 3.4. Client Behavior: Initial Handshake - */ - { - /* - * When a ServerHello is received, the client MUST check if it includes the - * "renegotiation_info" extension: - */ - byte[] renegExtData = TlsUtils.getExtensionData(this.serverExtensions, EXT_RenegotiationInfo); - if (renegExtData != null) - { - /* - * If the extension is present, set the secure_renegotiation flag to TRUE. The - * client MUST then verify that the length of the "renegotiated_connection" - * field is zero, and if it is not, MUST abort the handshake (by sending a fatal - * handshake_failure alert). - */ - this.secure_renegotiation = true; - - if (!Arrays.constantTimeAreEqual(renegExtData, createRenegotiationInfo(TlsUtils.EMPTY_BYTES))) - { - throw new TlsFatalAlert(AlertDescription.handshake_failure); - } - } - } - - // TODO[compat-gnutls] GnuTLS test server fails to send renegotiation_info extension when resuming - this.tlsClient.notifySecureRenegotiation(this.secure_renegotiation); - - Hashtable sessionClientExtensions = clientExtensions, sessionServerExtensions = serverExtensions; - if (this.resumedSession) - { - if (selectedCipherSuite != this.sessionParameters.getCipherSuite() - || selectedCompressionMethod != this.sessionParameters.getCompressionAlgorithm()) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - sessionClientExtensions = null; - sessionServerExtensions = this.sessionParameters.readServerExtensions(); - } - - this.securityParameters.cipherSuite = selectedCipherSuite; - this.securityParameters.compressionAlgorithm = selectedCompressionMethod; - - if (sessionServerExtensions != null) - { - /* - * draft-ietf-tls-encrypt-then-mac-03 3. If a server receives an encrypt-then-MAC - * request extension from a client and then selects a stream or AEAD cipher suite, it - * MUST NOT send an encrypt-then-MAC response extension back to the client. - */ - boolean serverSentEncryptThenMAC = TlsExtensionsUtils.hasEncryptThenMACExtension(sessionServerExtensions); - if (serverSentEncryptThenMAC && !TlsUtils.isBlockCipherSuite(selectedCipherSuite)) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - this.securityParameters.encryptThenMAC = serverSentEncryptThenMAC; - - this.securityParameters.maxFragmentLength = processMaxFragmentLengthExtension(sessionClientExtensions, - sessionServerExtensions, AlertDescription.illegal_parameter); - - this.securityParameters.truncatedHMac = TlsExtensionsUtils.hasTruncatedHMacExtension(sessionServerExtensions); - - /* - * TODO It's surprising that there's no provision to allow a 'fresh' CertificateStatus to be sent in - * a session resumption handshake. - */ - this.allowCertificateStatus = !this.resumedSession - && TlsUtils.hasExpectedEmptyExtensionData(sessionServerExtensions, - TlsExtensionsUtils.EXT_status_request, AlertDescription.illegal_parameter); - - this.expectSessionTicket = !this.resumedSession - && TlsUtils.hasExpectedEmptyExtensionData(sessionServerExtensions, TlsProtocol.EXT_SessionTicket, - AlertDescription.illegal_parameter); - } - - if (sessionClientExtensions != null) - { - this.tlsClient.processServerExtensions(sessionServerExtensions); - } - } - - protected void sendCertificateVerifyMessage(DigitallySigned certificateVerify) - throws IOException - { - HandshakeMessage message = new HandshakeMessage(HandshakeType.certificate_verify); - - certificateVerify.encode(message); - - message.writeToRecordStream(); - } - - protected void sendClientHelloMessage() - throws IOException - { - this.recordStream.setWriteVersion(this.tlsClient.getClientHelloRecordLayerVersion()); - - ProtocolVersion client_version = this.tlsClient.getClientVersion(); - if (client_version.isDTLS()) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - getContext().setClientVersion(client_version); - - /* - * TODO RFC 5077 3.4. When presenting a ticket, the client MAY generate and include a - * Session ID in the TLS ClientHello. - */ - byte[] session_id = TlsUtils.EMPTY_BYTES; - if (this.tlsSession != null) - { - session_id = this.tlsSession.getSessionID(); - if (session_id == null || session_id.length > 32) - { - session_id = TlsUtils.EMPTY_BYTES; - } - } - - this.offeredCipherSuites = this.tlsClient.getCipherSuites(); - - this.offeredCompressionMethods = this.tlsClient.getCompressionMethods(); - - if (session_id.length > 0 && this.sessionParameters != null) - { - if (!Arrays.contains(this.offeredCipherSuites, sessionParameters.getCipherSuite()) - || !Arrays.contains(this.offeredCompressionMethods, sessionParameters.getCompressionAlgorithm())) - { - session_id = TlsUtils.EMPTY_BYTES; - } - } - - this.clientExtensions = this.tlsClient.getClientExtensions(); - - HandshakeMessage message = new HandshakeMessage(HandshakeType.client_hello); - - TlsUtils.writeVersion(client_version, message); - - message.write(this.securityParameters.getClientRandom()); - - TlsUtils.writeOpaque8(session_id, message); - - // Cipher Suites (and SCSV) - { - /* - * RFC 5746 3.4. The client MUST include either an empty "renegotiation_info" extension, - * or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite value in the - * ClientHello. Including both is NOT RECOMMENDED. - */ - byte[] renegExtData = TlsUtils.getExtensionData(clientExtensions, EXT_RenegotiationInfo); - boolean noRenegExt = (null == renegExtData); - - boolean noSCSV = !Arrays.contains(offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV); - - if (noRenegExt && noSCSV) - { - // TODO Consider whether to default to a client extension instead -// this.clientExtensions = TlsExtensionsUtils.ensureExtensionsInitialised(this.clientExtensions); -// this.clientExtensions.put(EXT_RenegotiationInfo, createRenegotiationInfo(TlsUtils.EMPTY_BYTES)); - this.offeredCipherSuites = Arrays.append(offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV); - } - - TlsUtils.writeUint16ArrayWithUint16Length(offeredCipherSuites, message); - } - - TlsUtils.writeUint8ArrayWithUint8Length(offeredCompressionMethods, message); - - if (clientExtensions != null) - { - writeExtensions(message, clientExtensions); - } - - message.writeToRecordStream(); - } - - protected void sendClientKeyExchangeMessage() - throws IOException - { - HandshakeMessage message = new HandshakeMessage(HandshakeType.client_key_exchange); - - this.keyExchange.generateClientKeyExchange(message); - - message.writeToRecordStream(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsCompression.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsCompression.java deleted file mode 100644 index cdeb7e33..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsCompression.java +++ /dev/null @@ -1,10 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.OutputStream; - -public interface TlsCompression -{ - OutputStream compress(OutputStream output); - - OutputStream decompress(OutputStream output); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsContext.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsContext.java deleted file mode 100644 index b3d7d985..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsContext.java +++ /dev/null @@ -1,45 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.security.SecureRandom; - -import org.bouncycastle.crypto.prng.RandomGenerator; - -public interface TlsContext -{ - RandomGenerator getNonceRandomGenerator(); - - SecureRandom getSecureRandom(); - - SecurityParameters getSecurityParameters(); - - boolean isServer(); - - ProtocolVersion getClientVersion(); - - ProtocolVersion getServerVersion(); - - /** - * Used to get the resumable session, if any, used by this connection. Only available after the - * handshake has successfully completed. - * - * @return A {@link TlsSession} representing the resumable session used by this connection, or - * null if no resumable session available. - * @see TlsPeer#notifyHandshakeComplete() - */ - TlsSession getResumableSession(); - - Object getUserObject(); - - void setUserObject(Object userObject); - - /** - * Export keying material according to RFC 5705: "Keying Material Exporters for TLS". - * - * @param asciiLabel indicates which application will use the exported keys. - * @param context_value allows the application using the exporter to mix its own data with the TLS PRF for - * the exporter output. - * @param length the number of bytes to generate - * @return a pseudorandom bit string of 'length' bytes generated from the master_secret. - */ - byte[] exportKeyingMaterial(String asciiLabel, byte[] context_value, int length); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsCredentials.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsCredentials.java deleted file mode 100644 index b8a8747e..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsCredentials.java +++ /dev/null @@ -1,6 +0,0 @@ -package org.bouncycastle.crypto.tls; - -public interface TlsCredentials -{ - Certificate getCertificate(); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsDHEKeyExchange.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsDHEKeyExchange.java deleted file mode 100644 index 0abaee69..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsDHEKeyExchange.java +++ /dev/null @@ -1,115 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.io.InputStream; -import java.util.Vector; - -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.Signer; -import org.bouncycastle.crypto.params.DHParameters; -import org.bouncycastle.util.io.TeeInputStream; - -public class TlsDHEKeyExchange - extends TlsDHKeyExchange -{ - protected TlsSignerCredentials serverCredentials = null; - - public TlsDHEKeyExchange(int keyExchange, Vector supportedSignatureAlgorithms, DHParameters dhParameters) - { - super(keyExchange, supportedSignatureAlgorithms, dhParameters); - } - - public void processServerCredentials(TlsCredentials serverCredentials) - throws IOException - { - if (!(serverCredentials instanceof TlsSignerCredentials)) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - processServerCertificate(serverCredentials.getCertificate()); - - this.serverCredentials = (TlsSignerCredentials)serverCredentials; - } - - public byte[] generateServerKeyExchange() - throws IOException - { - if (this.dhParameters == null) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - DigestInputBuffer buf = new DigestInputBuffer(); - - this.dhAgreeServerPrivateKey = TlsDHUtils.generateEphemeralServerKeyExchange(context.getSecureRandom(), - this.dhParameters, buf); - - /* - * RFC 5246 4.7. digitally-signed element needs SignatureAndHashAlgorithm from TLS 1.2 - */ - SignatureAndHashAlgorithm signatureAndHashAlgorithm; - Digest d; - - if (TlsUtils.isTLSv12(context)) - { - signatureAndHashAlgorithm = serverCredentials.getSignatureAndHashAlgorithm(); - if (signatureAndHashAlgorithm == null) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - d = TlsUtils.createHash(signatureAndHashAlgorithm.getHash()); - } - else - { - signatureAndHashAlgorithm = null; - d = new CombinedHash(); - } - - SecurityParameters securityParameters = context.getSecurityParameters(); - d.update(securityParameters.clientRandom, 0, securityParameters.clientRandom.length); - d.update(securityParameters.serverRandom, 0, securityParameters.serverRandom.length); - buf.updateDigest(d); - - byte[] hash = new byte[d.getDigestSize()]; - d.doFinal(hash, 0); - - byte[] signature = serverCredentials.generateCertificateSignature(hash); - - DigitallySigned signed_params = new DigitallySigned(signatureAndHashAlgorithm, signature); - signed_params.encode(buf); - - return buf.toByteArray(); - } - - public void processServerKeyExchange(InputStream input) - throws IOException - { - SecurityParameters securityParameters = context.getSecurityParameters(); - - SignerInputBuffer buf = new SignerInputBuffer(); - InputStream teeIn = new TeeInputStream(input, buf); - - ServerDHParams params = ServerDHParams.parse(teeIn); - - DigitallySigned signed_params = DigitallySigned.parse(context, input); - - Signer signer = initVerifyer(tlsSigner, signed_params.getAlgorithm(), securityParameters); - buf.updateSigner(signer); - if (!signer.verifySignature(signed_params.getSignature())) - { - throw new TlsFatalAlert(AlertDescription.decrypt_error); - } - - this.dhAgreeServerPublicKey = TlsDHUtils.validateDHPublicKey(params.getPublicKey()); - } - - protected Signer initVerifyer(TlsSigner tlsSigner, SignatureAndHashAlgorithm algorithm, SecurityParameters securityParameters) - { - Signer signer = tlsSigner.createVerifyer(algorithm, this.serverPublicKey); - signer.update(securityParameters.clientRandom, 0, securityParameters.clientRandom.length); - signer.update(securityParameters.serverRandom, 0, securityParameters.serverRandom.length); - return signer; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsDHKeyExchange.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsDHKeyExchange.java deleted file mode 100644 index 7d79f6a4..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsDHKeyExchange.java +++ /dev/null @@ -1,208 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.io.OutputStream; -import java.math.BigInteger; -import java.util.Vector; - -import org.bouncycastle.asn1.x509.KeyUsage; -import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.params.DHParameters; -import org.bouncycastle.crypto.params.DHPrivateKeyParameters; -import org.bouncycastle.crypto.params.DHPublicKeyParameters; -import org.bouncycastle.crypto.util.PublicKeyFactory; - -/** - * TLS 1.0/1.1 DH key exchange. - */ -public class TlsDHKeyExchange - extends AbstractTlsKeyExchange -{ - protected static final BigInteger ONE = BigInteger.valueOf(1); - protected static final BigInteger TWO = BigInteger.valueOf(2); - - protected TlsSigner tlsSigner; - protected DHParameters dhParameters; - - protected AsymmetricKeyParameter serverPublicKey; - protected DHPublicKeyParameters dhAgreeServerPublicKey; - protected TlsAgreementCredentials agreementCredentials; - protected DHPrivateKeyParameters dhAgreeClientPrivateKey; - - protected DHPrivateKeyParameters dhAgreeServerPrivateKey; - protected DHPublicKeyParameters dhAgreeClientPublicKey; - - public TlsDHKeyExchange(int keyExchange, Vector supportedSignatureAlgorithms, DHParameters dhParameters) - { - super(keyExchange, supportedSignatureAlgorithms); - - switch (keyExchange) - { - case KeyExchangeAlgorithm.DH_RSA: - case KeyExchangeAlgorithm.DH_DSS: - this.tlsSigner = null; - break; - case KeyExchangeAlgorithm.DHE_RSA: - this.tlsSigner = new TlsRSASigner(); - break; - case KeyExchangeAlgorithm.DHE_DSS: - this.tlsSigner = new TlsDSSSigner(); - break; - default: - throw new IllegalArgumentException("unsupported key exchange algorithm"); - } - - this.dhParameters = dhParameters; - } - - public void init(TlsContext context) - { - super.init(context); - - if (this.tlsSigner != null) - { - this.tlsSigner.init(context); - } - } - - public void skipServerCredentials() - throws IOException - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - - public void processServerCertificate(Certificate serverCertificate) - throws IOException - { - if (serverCertificate.isEmpty()) - { - throw new TlsFatalAlert(AlertDescription.bad_certificate); - } - - org.bouncycastle.asn1.x509.Certificate x509Cert = serverCertificate.getCertificateAt(0); - - SubjectPublicKeyInfo keyInfo = x509Cert.getSubjectPublicKeyInfo(); - try - { - this.serverPublicKey = PublicKeyFactory.createKey(keyInfo); - } - catch (RuntimeException e) - { - throw new TlsFatalAlert(AlertDescription.unsupported_certificate); - } - - if (tlsSigner == null) - { - try - { - this.dhAgreeServerPublicKey = TlsDHUtils.validateDHPublicKey((DHPublicKeyParameters)this.serverPublicKey); - } - catch (ClassCastException e) - { - throw new TlsFatalAlert(AlertDescription.certificate_unknown); - } - - TlsUtils.validateKeyUsage(x509Cert, KeyUsage.keyAgreement); - } - else - { - if (!tlsSigner.isValidPublicKey(this.serverPublicKey)) - { - throw new TlsFatalAlert(AlertDescription.certificate_unknown); - } - - TlsUtils.validateKeyUsage(x509Cert, KeyUsage.digitalSignature); - } - - super.processServerCertificate(serverCertificate); - } - - public boolean requiresServerKeyExchange() - { - switch (keyExchange) - { - case KeyExchangeAlgorithm.DHE_DSS: - case KeyExchangeAlgorithm.DHE_RSA: - case KeyExchangeAlgorithm.DH_anon: - return true; - default: - return false; - } - } - - public void validateCertificateRequest(CertificateRequest certificateRequest) - throws IOException - { - short[] types = certificateRequest.getCertificateTypes(); - for (int i = 0; i < types.length; ++i) - { - switch (types[i]) - { - case ClientCertificateType.rsa_sign: - case ClientCertificateType.dss_sign: - case ClientCertificateType.rsa_fixed_dh: - case ClientCertificateType.dss_fixed_dh: - case ClientCertificateType.ecdsa_sign: - break; - default: - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - } - } - - public void processClientCredentials(TlsCredentials clientCredentials) - throws IOException - { - if (clientCredentials instanceof TlsAgreementCredentials) - { - // TODO Validate client cert has matching parameters (see 'areCompatibleParameters')? - - this.agreementCredentials = (TlsAgreementCredentials)clientCredentials; - } - else if (clientCredentials instanceof TlsSignerCredentials) - { - // OK - } - else - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - public void generateClientKeyExchange(OutputStream output) - throws IOException - { - /* - * RFC 2246 7.4.7.2 If the client certificate already contains a suitable Diffie-Hellman - * key, then Yc is implicit and does not need to be sent again. In this case, the Client Key - * Exchange message will be sent, but will be empty. - */ - if (agreementCredentials == null) - { - this.dhAgreeClientPrivateKey = TlsDHUtils.generateEphemeralClientKeyExchange(context.getSecureRandom(), - dhAgreeServerPublicKey.getParameters(), output); - } - } - - public byte[] generatePremasterSecret() - throws IOException - { - if (agreementCredentials != null) - { - return agreementCredentials.generateAgreement(dhAgreeServerPublicKey); - } - - if (dhAgreeServerPrivateKey != null) - { - return TlsDHUtils.calculateDHBasicAgreement(dhAgreeClientPublicKey, dhAgreeServerPrivateKey); - } - - if (dhAgreeClientPrivateKey != null) - { - return TlsDHUtils.calculateDHBasicAgreement(dhAgreeServerPublicKey, dhAgreeClientPrivateKey); - } - - throw new TlsFatalAlert(AlertDescription.internal_error); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsDHUtils.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsDHUtils.java deleted file mode 100644 index 748c8797..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsDHUtils.java +++ /dev/null @@ -1,105 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; -import java.math.BigInteger; -import java.security.SecureRandom; - -import org.bouncycastle.crypto.AsymmetricCipherKeyPair; -import org.bouncycastle.crypto.agreement.DHBasicAgreement; -import org.bouncycastle.crypto.generators.DHBasicKeyPairGenerator; -import org.bouncycastle.crypto.params.DHKeyGenerationParameters; -import org.bouncycastle.crypto.params.DHParameters; -import org.bouncycastle.crypto.params.DHPrivateKeyParameters; -import org.bouncycastle.crypto.params.DHPublicKeyParameters; -import org.bouncycastle.util.BigIntegers; - -public class TlsDHUtils -{ - static final BigInteger ONE = BigInteger.valueOf(1); - static final BigInteger TWO = BigInteger.valueOf(2); - - public static boolean areCompatibleParameters(DHParameters a, DHParameters b) - { - return a.getP().equals(b.getP()) && a.getG().equals(b.getG()); - } - - public static byte[] calculateDHBasicAgreement(DHPublicKeyParameters publicKey, DHPrivateKeyParameters privateKey) - { - DHBasicAgreement basicAgreement = new DHBasicAgreement(); - basicAgreement.init(privateKey); - BigInteger agreementValue = basicAgreement.calculateAgreement(publicKey); - - /* - * RFC 5246 8.1.2. Leading bytes of Z that contain all zero bits are stripped before it is - * used as the pre_master_secret. - */ - return BigIntegers.asUnsignedByteArray(agreementValue); - } - - public static AsymmetricCipherKeyPair generateDHKeyPair(SecureRandom random, DHParameters dhParams) - { - DHBasicKeyPairGenerator dhGen = new DHBasicKeyPairGenerator(); - dhGen.init(new DHKeyGenerationParameters(random, dhParams)); - return dhGen.generateKeyPair(); - } - - public static DHPrivateKeyParameters generateEphemeralClientKeyExchange(SecureRandom random, DHParameters dhParams, - OutputStream output) throws IOException - { - AsymmetricCipherKeyPair kp = generateDHKeyPair(random, dhParams); - - DHPublicKeyParameters dh_public = (DHPublicKeyParameters) kp.getPublic(); - writeDHParameter(dh_public.getY(), output); - - return (DHPrivateKeyParameters) kp.getPrivate(); - } - - public static DHPrivateKeyParameters generateEphemeralServerKeyExchange(SecureRandom random, DHParameters dhParams, - OutputStream output) throws IOException - { - AsymmetricCipherKeyPair kp = TlsDHUtils.generateDHKeyPair(random, dhParams); - - DHPublicKeyParameters dhPublicKey = (DHPublicKeyParameters)kp.getPublic(); - ServerDHParams params = new ServerDHParams(dhPublicKey); - params.encode(output); - - return (DHPrivateKeyParameters)kp.getPrivate(); - } - - public static DHPublicKeyParameters validateDHPublicKey(DHPublicKeyParameters key) throws IOException - { - BigInteger Y = key.getY(); - DHParameters params = key.getParameters(); - BigInteger p = params.getP(); - BigInteger g = params.getG(); - - if (!p.isProbablePrime(2)) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - if (g.compareTo(TWO) < 0 || g.compareTo(p.subtract(TWO)) > 0) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - if (Y.compareTo(TWO) < 0 || Y.compareTo(p.subtract(ONE)) > 0) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - // TODO See RFC 2631 for more discussion of Diffie-Hellman validation - - return key; - } - - public static BigInteger readDHParameter(InputStream input) throws IOException - { - return new BigInteger(1, TlsUtils.readOpaque16(input)); - } - - public static void writeDHParameter(BigInteger x, OutputStream output) throws IOException - { - TlsUtils.writeOpaque16(BigIntegers.asUnsignedByteArray(x), output); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsDSASigner.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsDSASigner.java deleted file mode 100644 index caaad59a..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsDSASigner.java +++ /dev/null @@ -1,92 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.CryptoException; -import org.bouncycastle.crypto.DSA; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.Signer; -import org.bouncycastle.crypto.digests.NullDigest; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.params.ParametersWithRandom; -import org.bouncycastle.crypto.signers.DSADigestSigner; - -public abstract class TlsDSASigner - extends AbstractTlsSigner -{ - public byte[] generateRawSignature(SignatureAndHashAlgorithm algorithm, - AsymmetricKeyParameter privateKey, byte[] hash) - throws CryptoException - { - Signer signer = makeSigner(algorithm, true, true, - new ParametersWithRandom(privateKey, this.context.getSecureRandom())); - if (algorithm == null) - { - // Note: Only use the SHA1 part of the (MD5/SHA1) hash - signer.update(hash, 16, 20); - } - else - { - signer.update(hash, 0, hash.length); - } - return signer.generateSignature(); - } - - public boolean verifyRawSignature(SignatureAndHashAlgorithm algorithm, byte[] sigBytes, - AsymmetricKeyParameter publicKey, byte[] hash) - throws CryptoException - { - Signer signer = makeSigner(algorithm, true, false, publicKey); - if (algorithm == null) - { - // Note: Only use the SHA1 part of the (MD5/SHA1) hash - signer.update(hash, 16, 20); - } - else - { - signer.update(hash, 0, hash.length); - } - return signer.verifySignature(sigBytes); - } - - public Signer createSigner(SignatureAndHashAlgorithm algorithm, AsymmetricKeyParameter privateKey) - { - return makeSigner(algorithm, false, true, privateKey); - } - - public Signer createVerifyer(SignatureAndHashAlgorithm algorithm, AsymmetricKeyParameter publicKey) - { - return makeSigner(algorithm, false, false, publicKey); - } - - protected CipherParameters makeInitParameters(boolean forSigning, CipherParameters cp) - { - return cp; - } - - protected Signer makeSigner(SignatureAndHashAlgorithm algorithm, boolean raw, boolean forSigning, - CipherParameters cp) - { - if ((algorithm != null) != TlsUtils.isTLSv12(context)) - { - throw new IllegalStateException(); - } - - // TODO For TLS 1.2+, lift the SHA-1 restriction here - if (algorithm != null - && (algorithm.getHash() != HashAlgorithm.sha1 || algorithm.getSignature() != getSignatureAlgorithm())) - { - throw new IllegalStateException(); - } - - short hashAlgorithm = algorithm == null ? HashAlgorithm.sha1 : algorithm.getHash(); - Digest d = raw ? new NullDigest() : TlsUtils.createHash(hashAlgorithm); - - Signer s = new DSADigestSigner(createDSAImpl(hashAlgorithm), d); - s.init(forSigning, makeInitParameters(forSigning, cp)); - return s; - } - - protected abstract short getSignatureAlgorithm(); - - protected abstract DSA createDSAImpl(short hashAlgorithm); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsDSSSigner.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsDSSSigner.java deleted file mode 100644 index 2914b7e4..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsDSSSigner.java +++ /dev/null @@ -1,26 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import org.bouncycastle.crypto.DSA; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.params.DSAPublicKeyParameters; -import org.bouncycastle.crypto.signers.DSASigner; -import org.bouncycastle.crypto.signers.HMacDSAKCalculator; - -public class TlsDSSSigner - extends TlsDSASigner -{ - public boolean isValidPublicKey(AsymmetricKeyParameter publicKey) - { - return publicKey instanceof DSAPublicKeyParameters; - } - - protected DSA createDSAImpl(short hashAlgorithm) - { - return new DSASigner(new HMacDSAKCalculator(TlsUtils.createHash(hashAlgorithm))); - } - - protected short getSignatureAlgorithm() - { - return SignatureAlgorithm.dsa; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsECCUtils.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsECCUtils.java deleted file mode 100644 index e9f96f06..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsECCUtils.java +++ /dev/null @@ -1,690 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.ByteArrayInputStream; -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; -import java.math.BigInteger; -import java.security.SecureRandom; -import java.util.Hashtable; - -import org.bouncycastle.asn1.x9.ECNamedCurveTable; -import org.bouncycastle.asn1.x9.X9ECParameters; -import org.bouncycastle.crypto.AsymmetricCipherKeyPair; -import org.bouncycastle.crypto.agreement.ECDHBasicAgreement; -import org.bouncycastle.crypto.ec.CustomNamedCurves; -import org.bouncycastle.crypto.generators.ECKeyPairGenerator; -import org.bouncycastle.crypto.params.ECDomainParameters; -import org.bouncycastle.crypto.params.ECKeyGenerationParameters; -import org.bouncycastle.crypto.params.ECPrivateKeyParameters; -import org.bouncycastle.crypto.params.ECPublicKeyParameters; -import org.bouncycastle.math.ec.ECAlgorithms; -import org.bouncycastle.math.ec.ECCurve; -import org.bouncycastle.math.ec.ECFieldElement; -import org.bouncycastle.math.ec.ECPoint; -import org.bouncycastle.math.field.PolynomialExtensionField; -import org.bouncycastle.util.Arrays; -import org.bouncycastle.util.BigIntegers; -import org.bouncycastle.util.Integers; - -public class TlsECCUtils -{ - public static final Integer EXT_elliptic_curves = Integers.valueOf(ExtensionType.elliptic_curves); - public static final Integer EXT_ec_point_formats = Integers.valueOf(ExtensionType.ec_point_formats); - - private static final String[] curveNames = new String[] { "sect163k1", "sect163r1", "sect163r2", "sect193r1", - "sect193r2", "sect233k1", "sect233r1", "sect239k1", "sect283k1", "sect283r1", "sect409k1", "sect409r1", - "sect571k1", "sect571r1", "secp160k1", "secp160r1", "secp160r2", "secp192k1", "secp192r1", "secp224k1", - "secp224r1", "secp256k1", "secp256r1", "secp384r1", "secp521r1", - "brainpoolP256r1", "brainpoolP384r1", "brainpoolP512r1"}; - - public static void addSupportedEllipticCurvesExtension(Hashtable extensions, int[] namedCurves) throws IOException - { - extensions.put(EXT_elliptic_curves, createSupportedEllipticCurvesExtension(namedCurves)); - } - - public static void addSupportedPointFormatsExtension(Hashtable extensions, short[] ecPointFormats) - throws IOException - { - extensions.put(EXT_ec_point_formats, createSupportedPointFormatsExtension(ecPointFormats)); - } - - public static int[] getSupportedEllipticCurvesExtension(Hashtable extensions) throws IOException - { - byte[] extensionData = TlsUtils.getExtensionData(extensions, EXT_elliptic_curves); - return extensionData == null ? null : readSupportedEllipticCurvesExtension(extensionData); - } - - public static short[] getSupportedPointFormatsExtension(Hashtable extensions) throws IOException - { - byte[] extensionData = TlsUtils.getExtensionData(extensions, EXT_ec_point_formats); - return extensionData == null ? null : readSupportedPointFormatsExtension(extensionData); - } - - public static byte[] createSupportedEllipticCurvesExtension(int[] namedCurves) throws IOException - { - if (namedCurves == null || namedCurves.length < 1) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - return TlsUtils.encodeUint16ArrayWithUint16Length(namedCurves); - } - - public static byte[] createSupportedPointFormatsExtension(short[] ecPointFormats) throws IOException - { - if (ecPointFormats == null || !Arrays.contains(ecPointFormats, ECPointFormat.uncompressed)) - { - /* - * RFC 4492 5.1. If the Supported Point Formats Extension is indeed sent, it MUST - * contain the value 0 (uncompressed) as one of the items in the list of point formats. - */ - - // NOTE: We add it at the end (lowest preference) - ecPointFormats = Arrays.append(ecPointFormats, ECPointFormat.uncompressed); - } - - return TlsUtils.encodeUint8ArrayWithUint8Length(ecPointFormats); - } - - public static int[] readSupportedEllipticCurvesExtension(byte[] extensionData) throws IOException - { - if (extensionData == null) - { - throw new IllegalArgumentException("'extensionData' cannot be null"); - } - - ByteArrayInputStream buf = new ByteArrayInputStream(extensionData); - - int length = TlsUtils.readUint16(buf); - if (length < 2 || (length & 1) != 0) - { - throw new TlsFatalAlert(AlertDescription.decode_error); - } - - int[] namedCurves = TlsUtils.readUint16Array(length / 2, buf); - - TlsProtocol.assertEmpty(buf); - - return namedCurves; - } - - public static short[] readSupportedPointFormatsExtension(byte[] extensionData) throws IOException - { - if (extensionData == null) - { - throw new IllegalArgumentException("'extensionData' cannot be null"); - } - - ByteArrayInputStream buf = new ByteArrayInputStream(extensionData); - - short length = TlsUtils.readUint8(buf); - if (length < 1) - { - throw new TlsFatalAlert(AlertDescription.decode_error); - } - - short[] ecPointFormats = TlsUtils.readUint8Array(length, buf); - - TlsProtocol.assertEmpty(buf); - - if (!Arrays.contains(ecPointFormats, ECPointFormat.uncompressed)) - { - /* - * RFC 4492 5.1. If the Supported Point Formats Extension is indeed sent, it MUST - * contain the value 0 (uncompressed) as one of the items in the list of point formats. - */ - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - return ecPointFormats; - } - - public static String getNameOfNamedCurve(int namedCurve) - { - return isSupportedNamedCurve(namedCurve) ? curveNames[namedCurve - 1] : null; - } - - public static ECDomainParameters getParametersForNamedCurve(int namedCurve) - { - String curveName = getNameOfNamedCurve(namedCurve); - if (curveName == null) - { - return null; - } - - // Parameters are lazily created the first time a particular curve is accessed - - X9ECParameters ecP = CustomNamedCurves.getByName(curveName); - if (ecP == null) - { - ecP = ECNamedCurveTable.getByName(curveName); - if (ecP == null) - { - return null; - } - } - - // It's a bit inefficient to do this conversion every time - return new ECDomainParameters(ecP.getCurve(), ecP.getG(), ecP.getN(), ecP.getH(), ecP.getSeed()); - } - - public static boolean hasAnySupportedNamedCurves() - { - return curveNames.length > 0; - } - - public static boolean containsECCCipherSuites(int[] cipherSuites) - { - for (int i = 0; i < cipherSuites.length; ++i) - { - if (isECCCipherSuite(cipherSuites[i])) - { - return true; - } - } - return false; - } - - public static boolean isECCCipherSuite(int cipherSuite) - { - switch (cipherSuite) - { - /* - * RFC 4492 - */ - case CipherSuite.TLS_ECDH_ECDSA_WITH_NULL_SHA: - case CipherSuite.TLS_ECDH_ECDSA_WITH_RC4_128_SHA: - case CipherSuite.TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_NULL_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_NULL_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_RC4_128_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_NULL_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_RC4_128_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDH_anon_WITH_NULL_SHA: - case CipherSuite.TLS_ECDH_anon_WITH_RC4_128_SHA: - case CipherSuite.TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDH_anon_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDH_anon_WITH_AES_256_CBC_SHA: - - /* - * RFC 5289 - */ - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: - - /* - * RFC 5489 - */ - case CipherSuite.TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_PSK_WITH_NULL_SHA: - case CipherSuite.TLS_ECDHE_PSK_WITH_NULL_SHA256: - case CipherSuite.TLS_ECDHE_PSK_WITH_NULL_SHA384: - case CipherSuite.TLS_ECDHE_PSK_WITH_RC4_128_SHA: - - /* - * RFC 6367 - */ - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384: - - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384: - - case CipherSuite.TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: - - /* - * draft-agl-tls-chacha20poly1305-04 - */ - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: - - /* - * draft-josefsson-salsa20-tls-04 - */ - case CipherSuite.TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1: - case CipherSuite.TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_ECDHE_PSK_WITH_SALSA20_SHA1: - case CipherSuite.TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_ECDHE_RSA_WITH_SALSA20_SHA1: - - return true; - - default: - return false; - } - } - - public static boolean areOnSameCurve(ECDomainParameters a, ECDomainParameters b) - { - // TODO Move to ECDomainParameters.equals() or other utility method? - return a.getCurve().equals(b.getCurve()) && a.getG().equals(b.getG()) && a.getN().equals(b.getN()) - && a.getH().equals(b.getH()); - } - - public static boolean isSupportedNamedCurve(int namedCurve) - { - return (namedCurve > 0 && namedCurve <= curveNames.length); - } - - public static boolean isCompressionPreferred(short[] ecPointFormats, short compressionFormat) - { - if (ecPointFormats == null) - { - return false; - } - for (int i = 0; i < ecPointFormats.length; ++i) - { - short ecPointFormat = ecPointFormats[i]; - if (ecPointFormat == ECPointFormat.uncompressed) - { - return false; - } - if (ecPointFormat == compressionFormat) - { - return true; - } - } - return false; - } - - public static byte[] serializeECFieldElement(int fieldSize, BigInteger x) throws IOException - { - return BigIntegers.asUnsignedByteArray((fieldSize + 7) / 8, x); - } - - public static byte[] serializeECPoint(short[] ecPointFormats, ECPoint point) throws IOException - { - ECCurve curve = point.getCurve(); - - /* - * RFC 4492 5.7. ...an elliptic curve point in uncompressed or compressed format. Here, the - * format MUST conform to what the server has requested through a Supported Point Formats - * Extension if this extension was used, and MUST be uncompressed if this extension was not - * used. - */ - boolean compressed = false; - if (ECAlgorithms.isFpCurve(curve)) - { - compressed = isCompressionPreferred(ecPointFormats, ECPointFormat.ansiX962_compressed_prime); - } - else if (ECAlgorithms.isF2mCurve(curve)) - { - compressed = isCompressionPreferred(ecPointFormats, ECPointFormat.ansiX962_compressed_char2); - } - return point.getEncoded(compressed); - } - - public static byte[] serializeECPublicKey(short[] ecPointFormats, ECPublicKeyParameters keyParameters) - throws IOException - { - return serializeECPoint(ecPointFormats, keyParameters.getQ()); - } - - public static BigInteger deserializeECFieldElement(int fieldSize, byte[] encoding) throws IOException - { - int requiredLength = (fieldSize + 7) / 8; - if (encoding.length != requiredLength) - { - throw new TlsFatalAlert(AlertDescription.decode_error); - } - return new BigInteger(1, encoding); - } - - public static ECPoint deserializeECPoint(short[] ecPointFormats, ECCurve curve, byte[] encoding) throws IOException - { - if (encoding == null || encoding.length < 1) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - short actualFormat; - switch (encoding[0]) - { - case 0x02: // compressed - case 0x03: // compressed - { - if (ECAlgorithms.isF2mCurve(curve)) - { - actualFormat = ECPointFormat.ansiX962_compressed_char2; - } - else if (ECAlgorithms.isFpCurve(curve)) - { - actualFormat = ECPointFormat.ansiX962_compressed_prime; - } - else - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - break; - } - case 0x04: // uncompressed - { - actualFormat = ECPointFormat.uncompressed; - break; - } - case 0x00: // infinity - case 0x06: // hybrid - case 0x07: // hybrid - default: - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - if (!Arrays.contains(ecPointFormats, actualFormat)) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - return curve.decodePoint(encoding); - } - - public static ECPublicKeyParameters deserializeECPublicKey(short[] ecPointFormats, ECDomainParameters curve_params, - byte[] encoding) throws IOException - { - try - { - ECPoint Y = deserializeECPoint(ecPointFormats, curve_params.getCurve(), encoding); - return new ECPublicKeyParameters(Y, curve_params); - } - catch (RuntimeException e) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - } - - public static byte[] calculateECDHBasicAgreement(ECPublicKeyParameters publicKey, ECPrivateKeyParameters privateKey) - { - ECDHBasicAgreement basicAgreement = new ECDHBasicAgreement(); - basicAgreement.init(privateKey); - BigInteger agreementValue = basicAgreement.calculateAgreement(publicKey); - - /* - * RFC 4492 5.10. Note that this octet string (Z in IEEE 1363 terminology) as output by - * FE2OSP, the Field Element to Octet String Conversion Primitive, has constant length for - * any given field; leading zeros found in this octet string MUST NOT be truncated. - */ - return BigIntegers.asUnsignedByteArray(basicAgreement.getFieldSize(), agreementValue); - } - - public static AsymmetricCipherKeyPair generateECKeyPair(SecureRandom random, ECDomainParameters ecParams) - { - ECKeyPairGenerator keyPairGenerator = new ECKeyPairGenerator(); - keyPairGenerator.init(new ECKeyGenerationParameters(ecParams, random)); - return keyPairGenerator.generateKeyPair(); - } - - public static ECPrivateKeyParameters generateEphemeralClientKeyExchange(SecureRandom random, short[] ecPointFormats, - ECDomainParameters ecParams, OutputStream output) throws IOException - { - AsymmetricCipherKeyPair kp = generateECKeyPair(random, ecParams); - - ECPublicKeyParameters ecPublicKey = (ECPublicKeyParameters) kp.getPublic(); - writeECPoint(ecPointFormats, ecPublicKey.getQ(), output); - - return (ECPrivateKeyParameters) kp.getPrivate(); - } - - public static ECPublicKeyParameters validateECPublicKey(ECPublicKeyParameters key) throws IOException - { - // TODO Check RFC 4492 for validation - return key; - } - - public static int readECExponent(int fieldSize, InputStream input) throws IOException - { - BigInteger K = readECParameter(input); - if (K.bitLength() < 32) - { - int k = K.intValue(); - if (k > 0 && k < fieldSize) - { - return k; - } - } - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - public static BigInteger readECFieldElement(int fieldSize, InputStream input) throws IOException - { - return deserializeECFieldElement(fieldSize, TlsUtils.readOpaque8(input)); - } - - public static BigInteger readECParameter(InputStream input) throws IOException - { - // TODO Are leading zeroes okay here? - return new BigInteger(1, TlsUtils.readOpaque8(input)); - } - - public static ECDomainParameters readECParameters(int[] namedCurves, short[] ecPointFormats, InputStream input) - throws IOException - { - try - { - short curveType = TlsUtils.readUint8(input); - - switch (curveType) - { - case ECCurveType.explicit_prime: - { - checkNamedCurve(namedCurves, NamedCurve.arbitrary_explicit_prime_curves); - - BigInteger prime_p = readECParameter(input); - BigInteger a = readECFieldElement(prime_p.bitLength(), input); - BigInteger b = readECFieldElement(prime_p.bitLength(), input); - byte[] baseEncoding = TlsUtils.readOpaque8(input); - BigInteger order = readECParameter(input); - BigInteger cofactor = readECParameter(input); - ECCurve curve = new ECCurve.Fp(prime_p, a, b, order, cofactor); - ECPoint base = deserializeECPoint(ecPointFormats, curve, baseEncoding); - return new ECDomainParameters(curve, base, order, cofactor); - } - case ECCurveType.explicit_char2: - { - checkNamedCurve(namedCurves, NamedCurve.arbitrary_explicit_char2_curves); - - int m = TlsUtils.readUint16(input); - short basis = TlsUtils.readUint8(input); - if (!ECBasisType.isValid(basis)) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - int k1 = readECExponent(m, input), k2 = -1, k3 = -1; - if (basis == ECBasisType.ec_basis_pentanomial) - { - k2 = readECExponent(m, input); - k3 = readECExponent(m, input); - } - - BigInteger a = readECFieldElement(m, input); - BigInteger b = readECFieldElement(m, input); - byte[] baseEncoding = TlsUtils.readOpaque8(input); - BigInteger order = readECParameter(input); - BigInteger cofactor = readECParameter(input); - - ECCurve curve = (basis == ECBasisType.ec_basis_pentanomial) - ? new ECCurve.F2m(m, k1, k2, k3, a, b, order, cofactor) - : new ECCurve.F2m(m, k1, a, b, order, cofactor); - - ECPoint base = deserializeECPoint(ecPointFormats, curve, baseEncoding); - - return new ECDomainParameters(curve, base, order, cofactor); - } - case ECCurveType.named_curve: - { - int namedCurve = TlsUtils.readUint16(input); - if (!NamedCurve.refersToASpecificNamedCurve(namedCurve)) - { - /* - * RFC 4492 5.4. All those values of NamedCurve are allowed that refer to a - * specific curve. Values of NamedCurve that indicate support for a class of - * explicitly defined curves are not allowed here [...]. - */ - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - checkNamedCurve(namedCurves, namedCurve); - - return getParametersForNamedCurve(namedCurve); - } - default: - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - } - catch (RuntimeException e) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - } - - private static void checkNamedCurve(int[] namedCurves, int namedCurve) throws IOException - { - if (namedCurves != null && !Arrays.contains(namedCurves, namedCurve)) - { - /* - * RFC 4492 4. [...] servers MUST NOT negotiate the use of an ECC cipher suite - * unless they can complete the handshake while respecting the choice of curves - * and compression techniques specified by the client. - */ - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - } - - public static void writeECExponent(int k, OutputStream output) throws IOException - { - BigInteger K = BigInteger.valueOf(k); - writeECParameter(K, output); - } - - public static void writeECFieldElement(ECFieldElement x, OutputStream output) throws IOException - { - TlsUtils.writeOpaque8(x.getEncoded(), output); - } - - public static void writeECFieldElement(int fieldSize, BigInteger x, OutputStream output) throws IOException - { - TlsUtils.writeOpaque8(serializeECFieldElement(fieldSize, x), output); - } - - public static void writeECParameter(BigInteger x, OutputStream output) throws IOException - { - TlsUtils.writeOpaque8(BigIntegers.asUnsignedByteArray(x), output); - } - - public static void writeExplicitECParameters(short[] ecPointFormats, ECDomainParameters ecParameters, - OutputStream output) throws IOException - { - ECCurve curve = ecParameters.getCurve(); - - if (ECAlgorithms.isFpCurve(curve)) - { - TlsUtils.writeUint8(ECCurveType.explicit_prime, output); - - writeECParameter(curve.getField().getCharacteristic(), output); - } - else if (ECAlgorithms.isF2mCurve(curve)) - { - PolynomialExtensionField field = (PolynomialExtensionField)curve.getField(); - int[] exponents = field.getMinimalPolynomial().getExponentsPresent(); - - TlsUtils.writeUint8(ECCurveType.explicit_char2, output); - - int m = exponents[exponents.length - 1]; - TlsUtils.checkUint16(m); - TlsUtils.writeUint16(m, output); - - if (exponents.length == 3) - { - TlsUtils.writeUint8(ECBasisType.ec_basis_trinomial, output); - writeECExponent(exponents[1], output); - } - else if (exponents.length == 5) - { - TlsUtils.writeUint8(ECBasisType.ec_basis_pentanomial, output); - writeECExponent(exponents[1], output); - writeECExponent(exponents[2], output); - writeECExponent(exponents[3], output); - } - else - { - throw new IllegalArgumentException("Only trinomial and pentomial curves are supported"); - } - } - else - { - throw new IllegalArgumentException("'ecParameters' not a known curve type"); - } - - writeECFieldElement(curve.getA(), output); - writeECFieldElement(curve.getB(), output); - TlsUtils.writeOpaque8(serializeECPoint(ecPointFormats, ecParameters.getG()), output); - writeECParameter(ecParameters.getN(), output); - writeECParameter(ecParameters.getH(), output); - } - - public static void writeECPoint(short[] ecPointFormats, ECPoint point, OutputStream output) throws IOException - { - TlsUtils.writeOpaque8(serializeECPoint(ecPointFormats, point), output); - } - - public static void writeNamedECParameters(int namedCurve, OutputStream output) throws IOException - { - if (!NamedCurve.refersToASpecificNamedCurve(namedCurve)) - { - /* - * RFC 4492 5.4. All those values of NamedCurve are allowed that refer to a specific - * curve. Values of NamedCurve that indicate support for a class of explicitly defined - * curves are not allowed here [...]. - */ - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - TlsUtils.writeUint8(ECCurveType.named_curve, output); - TlsUtils.checkUint16(namedCurve); - TlsUtils.writeUint16(namedCurve, output); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsECDHEKeyExchange.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsECDHEKeyExchange.java deleted file mode 100644 index b112af57..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsECDHEKeyExchange.java +++ /dev/null @@ -1,221 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.io.InputStream; -import java.util.Vector; - -import org.bouncycastle.crypto.AsymmetricCipherKeyPair; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.Signer; -import org.bouncycastle.crypto.params.ECDomainParameters; -import org.bouncycastle.crypto.params.ECPrivateKeyParameters; -import org.bouncycastle.crypto.params.ECPublicKeyParameters; -import org.bouncycastle.util.Arrays; -import org.bouncycastle.util.io.TeeInputStream; - -/** - * ECDHE key exchange (see RFC 4492) - */ -public class TlsECDHEKeyExchange - extends TlsECDHKeyExchange -{ - protected TlsSignerCredentials serverCredentials = null; - - public TlsECDHEKeyExchange(int keyExchange, Vector supportedSignatureAlgorithms, int[] namedCurves, - short[] clientECPointFormats, short[] serverECPointFormats) - { - super(keyExchange, supportedSignatureAlgorithms, namedCurves, clientECPointFormats, serverECPointFormats); - } - - public void processServerCredentials(TlsCredentials serverCredentials) - throws IOException - { - if (!(serverCredentials instanceof TlsSignerCredentials)) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - processServerCertificate(serverCredentials.getCertificate()); - - this.serverCredentials = (TlsSignerCredentials)serverCredentials; - } - - public byte[] generateServerKeyExchange() - throws IOException - { - /* - * First we try to find a supported named curve from the client's list. - */ - int namedCurve = -1; - if (namedCurves == null) - { - // TODO Let the peer choose the default named curve - namedCurve = NamedCurve.secp256r1; - } - else - { - for (int i = 0; i < namedCurves.length; ++i) - { - int entry = namedCurves[i]; - if (NamedCurve.isValid(entry) && TlsECCUtils.isSupportedNamedCurve(entry)) - { - namedCurve = entry; - break; - } - } - } - - ECDomainParameters curve_params = null; - if (namedCurve >= 0) - { - curve_params = TlsECCUtils.getParametersForNamedCurve(namedCurve); - } - else - { - /* - * If no named curves are suitable, check if the client supports explicit curves. - */ - if (Arrays.contains(namedCurves, NamedCurve.arbitrary_explicit_prime_curves)) - { - curve_params = TlsECCUtils.getParametersForNamedCurve(NamedCurve.secp256r1); - } - else if (Arrays.contains(namedCurves, NamedCurve.arbitrary_explicit_char2_curves)) - { - curve_params = TlsECCUtils.getParametersForNamedCurve(NamedCurve.sect283r1); - } - } - - if (curve_params == null) - { - /* - * NOTE: We shouldn't have negotiated ECDHE key exchange since we apparently can't find - * a suitable curve. - */ - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - AsymmetricCipherKeyPair kp = TlsECCUtils.generateECKeyPair(context.getSecureRandom(), curve_params); - this.ecAgreePrivateKey = (ECPrivateKeyParameters)kp.getPrivate(); - - DigestInputBuffer buf = new DigestInputBuffer(); - - if (namedCurve < 0) - { - TlsECCUtils.writeExplicitECParameters(clientECPointFormats, curve_params, buf); - } - else - { - TlsECCUtils.writeNamedECParameters(namedCurve, buf); - } - - ECPublicKeyParameters ecPublicKey = (ECPublicKeyParameters) kp.getPublic(); - TlsECCUtils.writeECPoint(clientECPointFormats, ecPublicKey.getQ(), buf); - - /* - * RFC 5246 4.7. digitally-signed element needs SignatureAndHashAlgorithm from TLS 1.2 - */ - SignatureAndHashAlgorithm signatureAndHashAlgorithm; - Digest d; - - if (TlsUtils.isTLSv12(context)) - { - signatureAndHashAlgorithm = serverCredentials.getSignatureAndHashAlgorithm(); - if (signatureAndHashAlgorithm == null) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - d = TlsUtils.createHash(signatureAndHashAlgorithm.getHash()); - } - else - { - signatureAndHashAlgorithm = null; - d = new CombinedHash(); - } - - SecurityParameters securityParameters = context.getSecurityParameters(); - d.update(securityParameters.clientRandom, 0, securityParameters.clientRandom.length); - d.update(securityParameters.serverRandom, 0, securityParameters.serverRandom.length); - buf.updateDigest(d); - - byte[] hash = new byte[d.getDigestSize()]; - d.doFinal(hash, 0); - - byte[] signature = serverCredentials.generateCertificateSignature(hash); - - DigitallySigned signed_params = new DigitallySigned(signatureAndHashAlgorithm, signature); - signed_params.encode(buf); - - return buf.toByteArray(); - } - - public void processServerKeyExchange(InputStream input) - throws IOException - { - SecurityParameters securityParameters = context.getSecurityParameters(); - - SignerInputBuffer buf = new SignerInputBuffer(); - InputStream teeIn = new TeeInputStream(input, buf); - - ECDomainParameters curve_params = TlsECCUtils.readECParameters(namedCurves, clientECPointFormats, teeIn); - - byte[] point = TlsUtils.readOpaque8(teeIn); - - DigitallySigned signed_params = DigitallySigned.parse(context, input); - - Signer signer = initVerifyer(tlsSigner, signed_params.getAlgorithm(), securityParameters); - buf.updateSigner(signer); - if (!signer.verifySignature(signed_params.getSignature())) - { - throw new TlsFatalAlert(AlertDescription.decrypt_error); - } - - this.ecAgreePublicKey = TlsECCUtils.validateECPublicKey(TlsECCUtils.deserializeECPublicKey( - clientECPointFormats, curve_params, point)); - } - - public void validateCertificateRequest(CertificateRequest certificateRequest) - throws IOException - { - /* - * RFC 4492 3. [...] The ECDSA_fixed_ECDH and RSA_fixed_ECDH mechanisms are usable with - * ECDH_ECDSA and ECDH_RSA. Their use with ECDHE_ECDSA and ECDHE_RSA is prohibited because - * the use of a long-term ECDH client key would jeopardize the forward secrecy property of - * these algorithms. - */ - short[] types = certificateRequest.getCertificateTypes(); - for (int i = 0; i < types.length; ++i) - { - switch (types[i]) - { - case ClientCertificateType.rsa_sign: - case ClientCertificateType.dss_sign: - case ClientCertificateType.ecdsa_sign: - break; - default: - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - } - } - - public void processClientCredentials(TlsCredentials clientCredentials) - throws IOException - { - if (clientCredentials instanceof TlsSignerCredentials) - { - // OK - } - else - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - protected Signer initVerifyer(TlsSigner tlsSigner, SignatureAndHashAlgorithm algorithm, SecurityParameters securityParameters) - { - Signer signer = tlsSigner.createVerifyer(algorithm, this.serverPublicKey); - signer.update(securityParameters.clientRandom, 0, securityParameters.clientRandom.length); - signer.update(securityParameters.serverRandom, 0, securityParameters.serverRandom.length); - return signer; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsECDHKeyExchange.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsECDHKeyExchange.java deleted file mode 100644 index 94563520..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsECDHKeyExchange.java +++ /dev/null @@ -1,219 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; -import java.util.Vector; - -import org.bouncycastle.asn1.x509.KeyUsage; -import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.params.ECDomainParameters; -import org.bouncycastle.crypto.params.ECPrivateKeyParameters; -import org.bouncycastle.crypto.params.ECPublicKeyParameters; -import org.bouncycastle.crypto.util.PublicKeyFactory; - -/** - * ECDH key exchange (see RFC 4492) - */ -public class TlsECDHKeyExchange extends AbstractTlsKeyExchange -{ - protected TlsSigner tlsSigner; - protected int[] namedCurves; - protected short[] clientECPointFormats, serverECPointFormats; - - protected AsymmetricKeyParameter serverPublicKey; - protected TlsAgreementCredentials agreementCredentials; - - protected ECPrivateKeyParameters ecAgreePrivateKey; - protected ECPublicKeyParameters ecAgreePublicKey; - - public TlsECDHKeyExchange(int keyExchange, Vector supportedSignatureAlgorithms, int[] namedCurves, - short[] clientECPointFormats, short[] serverECPointFormats) - { - super(keyExchange, supportedSignatureAlgorithms); - - switch (keyExchange) - { - case KeyExchangeAlgorithm.ECDHE_RSA: - this.tlsSigner = new TlsRSASigner(); - break; - case KeyExchangeAlgorithm.ECDHE_ECDSA: - this.tlsSigner = new TlsECDSASigner(); - break; - case KeyExchangeAlgorithm.ECDH_RSA: - case KeyExchangeAlgorithm.ECDH_ECDSA: - this.tlsSigner = null; - break; - default: - throw new IllegalArgumentException("unsupported key exchange algorithm"); - } - - this.keyExchange = keyExchange; - this.namedCurves = namedCurves; - this.clientECPointFormats = clientECPointFormats; - this.serverECPointFormats = serverECPointFormats; - } - - public void init(TlsContext context) - { - super.init(context); - - if (this.tlsSigner != null) - { - this.tlsSigner.init(context); - } - } - - public void skipServerCredentials() throws IOException - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - - public void processServerCertificate(Certificate serverCertificate) throws IOException - { - if (serverCertificate.isEmpty()) - { - throw new TlsFatalAlert(AlertDescription.bad_certificate); - } - - org.bouncycastle.asn1.x509.Certificate x509Cert = serverCertificate.getCertificateAt(0); - - SubjectPublicKeyInfo keyInfo = x509Cert.getSubjectPublicKeyInfo(); - try - { - this.serverPublicKey = PublicKeyFactory.createKey(keyInfo); - } - catch (RuntimeException e) - { - throw new TlsFatalAlert(AlertDescription.unsupported_certificate); - } - - if (tlsSigner == null) - { - try - { - this.ecAgreePublicKey = TlsECCUtils.validateECPublicKey((ECPublicKeyParameters) this.serverPublicKey); - } - catch (ClassCastException e) - { - throw new TlsFatalAlert(AlertDescription.certificate_unknown); - } - - TlsUtils.validateKeyUsage(x509Cert, KeyUsage.keyAgreement); - } - else - { - if (!tlsSigner.isValidPublicKey(this.serverPublicKey)) - { - throw new TlsFatalAlert(AlertDescription.certificate_unknown); - } - - TlsUtils.validateKeyUsage(x509Cert, KeyUsage.digitalSignature); - } - - super.processServerCertificate(serverCertificate); - } - - public boolean requiresServerKeyExchange() - { - switch (keyExchange) - { - case KeyExchangeAlgorithm.ECDHE_ECDSA: - case KeyExchangeAlgorithm.ECDHE_RSA: - case KeyExchangeAlgorithm.ECDH_anon: - return true; - default: - return false; - } - } - - public void validateCertificateRequest(CertificateRequest certificateRequest) throws IOException - { - /* - * RFC 4492 3. [...] The ECDSA_fixed_ECDH and RSA_fixed_ECDH mechanisms are usable with - * ECDH_ECDSA and ECDH_RSA. Their use with ECDHE_ECDSA and ECDHE_RSA is prohibited because - * the use of a long-term ECDH client key would jeopardize the forward secrecy property of - * these algorithms. - */ - short[] types = certificateRequest.getCertificateTypes(); - for (int i = 0; i < types.length; ++i) - { - switch (types[i]) - { - case ClientCertificateType.rsa_sign: - case ClientCertificateType.dss_sign: - case ClientCertificateType.ecdsa_sign: - case ClientCertificateType.rsa_fixed_ecdh: - case ClientCertificateType.ecdsa_fixed_ecdh: - break; - default: - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - } - } - - public void processClientCredentials(TlsCredentials clientCredentials) throws IOException - { - if (clientCredentials instanceof TlsAgreementCredentials) - { - // TODO Validate client cert has matching parameters (see 'TlsECCUtils.areOnSameCurve')? - - this.agreementCredentials = (TlsAgreementCredentials) clientCredentials; - } - else if (clientCredentials instanceof TlsSignerCredentials) - { - // OK - } - else - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - public void generateClientKeyExchange(OutputStream output) throws IOException - { - if (agreementCredentials == null) - { - this.ecAgreePrivateKey = TlsECCUtils.generateEphemeralClientKeyExchange(context.getSecureRandom(), - serverECPointFormats, ecAgreePublicKey.getParameters(), output); - } - } - - public void processClientCertificate(Certificate clientCertificate) throws IOException - { - // TODO Extract the public key - // TODO If the certificate is 'fixed', take the public key as ecAgreeClientPublicKey - } - - public void processClientKeyExchange(InputStream input) throws IOException - { - if (ecAgreePublicKey != null) - { - // For ecdsa_fixed_ecdh and rsa_fixed_ecdh, the key arrived in the client certificate - return; - } - - byte[] point = TlsUtils.readOpaque8(input); - - ECDomainParameters curve_params = this.ecAgreePrivateKey.getParameters(); - - this.ecAgreePublicKey = TlsECCUtils.validateECPublicKey(TlsECCUtils.deserializeECPublicKey( - serverECPointFormats, curve_params, point)); - } - - public byte[] generatePremasterSecret() throws IOException - { - if (agreementCredentials != null) - { - return agreementCredentials.generateAgreement(ecAgreePublicKey); - } - - if (ecAgreePrivateKey != null) - { - return TlsECCUtils.calculateECDHBasicAgreement(ecAgreePublicKey, ecAgreePrivateKey); - } - - throw new TlsFatalAlert(AlertDescription.internal_error); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsECDSASigner.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsECDSASigner.java deleted file mode 100644 index aa4c546e..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsECDSASigner.java +++ /dev/null @@ -1,26 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import org.bouncycastle.crypto.DSA; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.params.ECPublicKeyParameters; -import org.bouncycastle.crypto.signers.ECDSASigner; -import org.bouncycastle.crypto.signers.HMacDSAKCalculator; - -public class TlsECDSASigner - extends TlsDSASigner -{ - public boolean isValidPublicKey(AsymmetricKeyParameter publicKey) - { - return publicKey instanceof ECPublicKeyParameters; - } - - protected DSA createDSAImpl(short hashAlgorithm) - { - return new ECDSASigner(new HMacDSAKCalculator(TlsUtils.createHash(hashAlgorithm))); - } - - protected short getSignatureAlgorithm() - { - return SignatureAlgorithm.ecdsa; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsEncryptionCredentials.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsEncryptionCredentials.java deleted file mode 100644 index f2928963..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsEncryptionCredentials.java +++ /dev/null @@ -1,9 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -public interface TlsEncryptionCredentials extends TlsCredentials -{ - byte[] decryptPreMasterSecret(byte[] encryptedPreMasterSecret) - throws IOException; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsExtensionsUtils.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsExtensionsUtils.java deleted file mode 100644 index a59a1d5a..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsExtensionsUtils.java +++ /dev/null @@ -1,267 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.ByteArrayInputStream; -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.util.Hashtable; - -import org.bouncycastle.util.Integers; - -public class TlsExtensionsUtils -{ - public static final Integer EXT_encrypt_then_mac = Integers.valueOf(ExtensionType.encrypt_then_mac); - public static final Integer EXT_heartbeat = Integers.valueOf(ExtensionType.heartbeat); - public static final Integer EXT_max_fragment_length = Integers.valueOf(ExtensionType.max_fragment_length); - public static final Integer EXT_server_name = Integers.valueOf(ExtensionType.server_name); - public static final Integer EXT_status_request = Integers.valueOf(ExtensionType.status_request); - public static final Integer EXT_truncated_hmac = Integers.valueOf(ExtensionType.truncated_hmac); - - public static Hashtable ensureExtensionsInitialised(Hashtable extensions) - { - return extensions == null ? new Hashtable() : extensions; - } - - public static void addEncryptThenMACExtension(Hashtable extensions) - { - extensions.put(EXT_encrypt_then_mac, createEncryptThenMACExtension()); - } - - public static void addHeartbeatExtension(Hashtable extensions, HeartbeatExtension heartbeatExtension) - throws IOException - { - extensions.put(EXT_heartbeat, createHeartbeatExtension(heartbeatExtension)); - } - - public static void addMaxFragmentLengthExtension(Hashtable extensions, short maxFragmentLength) - throws IOException - { - extensions.put(EXT_max_fragment_length, createMaxFragmentLengthExtension(maxFragmentLength)); - } - - public static void addServerNameExtension(Hashtable extensions, ServerNameList serverNameList) - throws IOException - { - extensions.put(EXT_server_name, createServerNameExtension(serverNameList)); - } - - public static void addStatusRequestExtension(Hashtable extensions, CertificateStatusRequest statusRequest) - throws IOException - { - extensions.put(EXT_status_request, createStatusRequestExtension(statusRequest)); - } - - public static void addTruncatedHMacExtension(Hashtable extensions) - { - extensions.put(EXT_truncated_hmac, createTruncatedHMacExtension()); - } - - public static HeartbeatExtension getHeartbeatExtension(Hashtable extensions) - throws IOException - { - byte[] extensionData = TlsUtils.getExtensionData(extensions, EXT_heartbeat); - return extensionData == null ? null : readHeartbeatExtension(extensionData); - } - - public static short getMaxFragmentLengthExtension(Hashtable extensions) - throws IOException - { - byte[] extensionData = TlsUtils.getExtensionData(extensions, EXT_max_fragment_length); - return extensionData == null ? -1 : readMaxFragmentLengthExtension(extensionData); - } - - public static ServerNameList getServerNameExtension(Hashtable extensions) - throws IOException - { - byte[] extensionData = TlsUtils.getExtensionData(extensions, EXT_server_name); - return extensionData == null ? null : readServerNameExtension(extensionData); - } - - public static CertificateStatusRequest getStatusRequestExtension(Hashtable extensions) - throws IOException - { - byte[] extensionData = TlsUtils.getExtensionData(extensions, EXT_status_request); - return extensionData == null ? null : readStatusRequestExtension(extensionData); - } - - public static boolean hasEncryptThenMACExtension(Hashtable extensions) throws IOException - { - byte[] extensionData = TlsUtils.getExtensionData(extensions, EXT_encrypt_then_mac); - return extensionData == null ? false : readEncryptThenMACExtension(extensionData); - } - - public static boolean hasTruncatedHMacExtension(Hashtable extensions) throws IOException - { - byte[] extensionData = TlsUtils.getExtensionData(extensions, EXT_truncated_hmac); - return extensionData == null ? false : readTruncatedHMacExtension(extensionData); - } - - public static byte[] createEmptyExtensionData() - { - return TlsUtils.EMPTY_BYTES; - } - - public static byte[] createEncryptThenMACExtension() - { - return createEmptyExtensionData(); - } - - public static byte[] createHeartbeatExtension(HeartbeatExtension heartbeatExtension) - throws IOException - { - if (heartbeatExtension == null) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - ByteArrayOutputStream buf = new ByteArrayOutputStream(); - - heartbeatExtension.encode(buf); - - return buf.toByteArray(); - } - - public static byte[] createMaxFragmentLengthExtension(short maxFragmentLength) - throws IOException - { - if (!MaxFragmentLength.isValid(maxFragmentLength)) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - return new byte[]{ (byte)maxFragmentLength }; - } - - public static byte[] createServerNameExtension(ServerNameList serverNameList) - throws IOException - { - if (serverNameList == null) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - ByteArrayOutputStream buf = new ByteArrayOutputStream(); - - serverNameList.encode(buf); - - return buf.toByteArray(); - } - - public static byte[] createStatusRequestExtension(CertificateStatusRequest statusRequest) - throws IOException - { - if (statusRequest == null) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - ByteArrayOutputStream buf = new ByteArrayOutputStream(); - - statusRequest.encode(buf); - - return buf.toByteArray(); - } - - public static byte[] createTruncatedHMacExtension() - { - return createEmptyExtensionData(); - } - - private static boolean readEmptyExtensionData(byte[] extensionData) throws IOException - { - if (extensionData == null) - { - throw new IllegalArgumentException("'extensionData' cannot be null"); - } - - if (extensionData.length != 0) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - return true; - } - - public static boolean readEncryptThenMACExtension(byte[] extensionData) throws IOException - { - return readEmptyExtensionData(extensionData); - } - - public static HeartbeatExtension readHeartbeatExtension(byte[] extensionData) - throws IOException - { - if (extensionData == null) - { - throw new IllegalArgumentException("'extensionData' cannot be null"); - } - - ByteArrayInputStream buf = new ByteArrayInputStream(extensionData); - - HeartbeatExtension heartbeatExtension = HeartbeatExtension.parse(buf); - - TlsProtocol.assertEmpty(buf); - - return heartbeatExtension; - } - - public static short readMaxFragmentLengthExtension(byte[] extensionData) - throws IOException - { - if (extensionData == null) - { - throw new IllegalArgumentException("'extensionData' cannot be null"); - } - - if (extensionData.length != 1) - { - throw new TlsFatalAlert(AlertDescription.decode_error); - } - - short maxFragmentLength = (short)extensionData[0]; - - if (!MaxFragmentLength.isValid(maxFragmentLength)) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - return maxFragmentLength; - } - - public static ServerNameList readServerNameExtension(byte[] extensionData) - throws IOException - { - if (extensionData == null) - { - throw new IllegalArgumentException("'extensionData' cannot be null"); - } - - ByteArrayInputStream buf = new ByteArrayInputStream(extensionData); - - ServerNameList serverNameList = ServerNameList.parse(buf); - - TlsProtocol.assertEmpty(buf); - - return serverNameList; - } - - public static CertificateStatusRequest readStatusRequestExtension(byte[] extensionData) - throws IOException - { - if (extensionData == null) - { - throw new IllegalArgumentException("'extensionData' cannot be null"); - } - - ByteArrayInputStream buf = new ByteArrayInputStream(extensionData); - - CertificateStatusRequest statusRequest = CertificateStatusRequest.parse(buf); - - TlsProtocol.assertEmpty(buf); - - return statusRequest; - } - - public static boolean readTruncatedHMacExtension(byte[] extensionData) throws IOException - { - return readEmptyExtensionData(extensionData); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsFatalAlert.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsFatalAlert.java deleted file mode 100644 index 61cec318..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsFatalAlert.java +++ /dev/null @@ -1,21 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -public class TlsFatalAlert - extends IOException -{ - private static final long serialVersionUID = 3584313123679111168L; - - private short alertDescription; - - public TlsFatalAlert(short alertDescription) - { - this.alertDescription = alertDescription; - } - - public short getAlertDescription() - { - return alertDescription; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsHandshakeHash.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsHandshakeHash.java deleted file mode 100644 index 4ccfe72b..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsHandshakeHash.java +++ /dev/null @@ -1,21 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import org.bouncycastle.crypto.Digest; - -public interface TlsHandshakeHash - extends Digest -{ - void init(TlsContext context); - - TlsHandshakeHash notifyPRFDetermined(); - - void trackHashAlgorithm(short hashAlgorithm); - - void sealHashAlgorithms(); - - TlsHandshakeHash stopTracking(); - - Digest forkPRFHash(); - - byte[] getFinalHash(short hashAlgorithm); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsInputStream.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsInputStream.java deleted file mode 100644 index a2cf74e8..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsInputStream.java +++ /dev/null @@ -1,47 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.io.InputStream; - -/** - * An InputStream for an TLS 1.0 connection. - */ -class TlsInputStream - extends InputStream -{ - private byte[] buf = new byte[1]; - private TlsProtocol handler = null; - - TlsInputStream(TlsProtocol handler) - { - this.handler = handler; - } - - public int available() - throws IOException - { - return this.handler.applicationDataAvailable(); - } - - public int read(byte[] buf, int offset, int len) - throws IOException - { - return this.handler.readApplicationData(buf, offset, len); - } - - public int read() - throws IOException - { - if (this.read(buf) < 0) - { - return -1; - } - return buf[0] & 0xff; - } - - public void close() - throws IOException - { - handler.close(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsKeyExchange.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsKeyExchange.java deleted file mode 100644 index 50455907..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsKeyExchange.java +++ /dev/null @@ -1,54 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; - -/** - * A generic interface for key exchange implementations in TLS 1.0/1.1. - */ -public interface TlsKeyExchange -{ - void init(TlsContext context); - - void skipServerCredentials() - throws IOException; - - void processServerCredentials(TlsCredentials serverCredentials) - throws IOException; - - void processServerCertificate(Certificate serverCertificate) - throws IOException; - - boolean requiresServerKeyExchange(); - - byte[] generateServerKeyExchange() - throws IOException; - - void skipServerKeyExchange() - throws IOException; - - void processServerKeyExchange(InputStream input) - throws IOException; - - void validateCertificateRequest(CertificateRequest certificateRequest) - throws IOException; - - void skipClientCredentials() - throws IOException; - - void processClientCredentials(TlsCredentials clientCredentials) - throws IOException; - - void processClientCertificate(Certificate clientCertificate) - throws IOException; - - void generateClientKeyExchange(OutputStream output) - throws IOException; - - void processClientKeyExchange(InputStream input) - throws IOException; - - byte[] generatePremasterSecret() - throws IOException; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsMac.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsMac.java deleted file mode 100644 index 00e0c79f..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsMac.java +++ /dev/null @@ -1,172 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.Mac; -import org.bouncycastle.crypto.digests.LongDigest; -import org.bouncycastle.crypto.macs.HMac; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.util.Arrays; - -/** - * A generic TLS MAC implementation, acting as an HMAC based on some underlying Digest. - */ -public class TlsMac -{ - protected TlsContext context; - protected byte[] secret; - protected Mac mac; - protected int digestBlockSize; - protected int digestOverhead; - protected int macLength; - - /** - * Generate a new instance of an TlsMac. - * - * @param context the TLS client context - * @param digest The digest to use. - * @param key A byte-array where the key for this MAC is located. - * @param keyOff The number of bytes to skip, before the key starts in the buffer. - * @param keyLen The length of the key. - */ - public TlsMac(TlsContext context, Digest digest, byte[] key, int keyOff, int keyLen) - { - this.context = context; - - KeyParameter keyParameter = new KeyParameter(key, keyOff, keyLen); - - this.secret = Arrays.clone(keyParameter.getKey()); - - // TODO This should check the actual algorithm, not rely on the engine type - if (digest instanceof LongDigest) - { - this.digestBlockSize = 128; - this.digestOverhead = 16; - } - else - { - this.digestBlockSize = 64; - this.digestOverhead = 8; - } - - if (TlsUtils.isSSL(context)) - { - this.mac = new SSL3Mac(digest); - - // TODO This should check the actual algorithm, not assume based on the digest size - if (digest.getDigestSize() == 20) - { - /* - * NOTE: When SHA-1 is used with the SSL 3.0 MAC, the secret + input pad is not - * digest block-aligned. - */ - this.digestOverhead = 4; - } - } - else - { - this.mac = new HMac(digest); - - // NOTE: The input pad for HMAC is always a full digest block - } - - this.mac.init(keyParameter); - - this.macLength = mac.getMacSize(); - if (context.getSecurityParameters().truncatedHMac) - { - this.macLength = Math.min(this.macLength, 10); - } - } - - /** - * @return the MAC write secret - */ - public byte[] getMACSecret() - { - return this.secret; - } - - /** - * @return The output length of this MAC. - */ - public int getSize() - { - return macLength; - } - - /** - * Calculate the MAC for some given data. - * - * @param type The message type of the message. - * @param message A byte-buffer containing the message. - * @param offset The number of bytes to skip, before the message starts. - * @param length The length of the message. - * @return A new byte-buffer containing the MAC value. - */ - public byte[] calculateMac(long seqNo, short type, byte[] message, int offset, int length) - { - ProtocolVersion serverVersion = context.getServerVersion(); - boolean isSSL = serverVersion.isSSL(); - - byte[] macHeader = new byte[isSSL ? 11 : 13]; - TlsUtils.writeUint64(seqNo, macHeader, 0); - TlsUtils.writeUint8(type, macHeader, 8); - if (!isSSL) - { - TlsUtils.writeVersion(serverVersion, macHeader, 9); - } - TlsUtils.writeUint16(length, macHeader, macHeader.length - 2); - - mac.update(macHeader, 0, macHeader.length); - mac.update(message, offset, length); - - byte[] result = new byte[mac.getMacSize()]; - mac.doFinal(result, 0); - return truncate(result); - } - - public byte[] calculateMacConstantTime(long seqNo, short type, byte[] message, int offset, int length, - int fullLength, byte[] dummyData) - { - /* - * Actual MAC only calculated on 'length' bytes... - */ - byte[] result = calculateMac(seqNo, type, message, offset, length); - - /* - * ...but ensure a constant number of complete digest blocks are processed (as many as would - * be needed for 'fullLength' bytes of input). - */ - int headerLength = TlsUtils.isSSL(context) ? 11 : 13; - - // How many extra full blocks do we need to calculate? - int extra = getDigestBlockCount(headerLength + fullLength) - getDigestBlockCount(headerLength + length); - - while (--extra >= 0) - { - mac.update(dummyData, 0, digestBlockSize); - } - - // One more byte in case the implementation is "lazy" about processing blocks - mac.update(dummyData[0]); - mac.reset(); - - return result; - } - - protected int getDigestBlockCount(int inputLength) - { - // NOTE: This calculation assumes a minimum of 1 pad byte - return (inputLength + digestOverhead) / digestBlockSize; - } - - protected byte[] truncate(byte[] bs) - { - if (bs.length <= macLength) - { - return bs; - } - - return Arrays.copyOf(bs, macLength); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsNullCipher.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsNullCipher.java deleted file mode 100644 index d1f6986b..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsNullCipher.java +++ /dev/null @@ -1,123 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.util.Arrays; - -/** - * A NULL CipherSuite with optional MAC - */ -public class TlsNullCipher - implements TlsCipher -{ - protected TlsContext context; - - protected TlsMac writeMac; - protected TlsMac readMac; - - public TlsNullCipher(TlsContext context) - { - this.context = context; - this.writeMac = null; - this.readMac = null; - } - - public TlsNullCipher(TlsContext context, Digest clientWriteDigest, Digest serverWriteDigest) - throws IOException - { - if ((clientWriteDigest == null) != (serverWriteDigest == null)) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - this.context = context; - - TlsMac clientWriteMac = null, serverWriteMac = null; - - if (clientWriteDigest != null) - { - int key_block_size = clientWriteDigest.getDigestSize() - + serverWriteDigest.getDigestSize(); - byte[] key_block = TlsUtils.calculateKeyBlock(context, key_block_size); - - int offset = 0; - - clientWriteMac = new TlsMac(context, clientWriteDigest, key_block, offset, - clientWriteDigest.getDigestSize()); - offset += clientWriteDigest.getDigestSize(); - - serverWriteMac = new TlsMac(context, serverWriteDigest, key_block, offset, - serverWriteDigest.getDigestSize()); - offset += serverWriteDigest.getDigestSize(); - - if (offset != key_block_size) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - if (context.isServer()) - { - writeMac = serverWriteMac; - readMac = clientWriteMac; - } - else - { - writeMac = clientWriteMac; - readMac = serverWriteMac; - } - } - - public int getPlaintextLimit(int ciphertextLimit) - { - int result = ciphertextLimit; - if (writeMac != null) - { - result -= writeMac.getSize(); - } - return result; - } - - public byte[] encodePlaintext(long seqNo, short type, byte[] plaintext, int offset, int len) - throws IOException - { - if (writeMac == null) - { - return Arrays.copyOfRange(plaintext, offset, offset + len); - } - - byte[] mac = writeMac.calculateMac(seqNo, type, plaintext, offset, len); - byte[] ciphertext = new byte[len + mac.length]; - System.arraycopy(plaintext, offset, ciphertext, 0, len); - System.arraycopy(mac, 0, ciphertext, len, mac.length); - return ciphertext; - } - - public byte[] decodeCiphertext(long seqNo, short type, byte[] ciphertext, int offset, int len) - throws IOException - { - if (readMac == null) - { - return Arrays.copyOfRange(ciphertext, offset, offset + len); - } - - int macSize = readMac.getSize(); - if (len < macSize) - { - throw new TlsFatalAlert(AlertDescription.decode_error); - } - - int macInputLen = len - macSize; - - byte[] receivedMac = Arrays.copyOfRange(ciphertext, offset + macInputLen, offset + len); - byte[] computedMac = readMac.calculateMac(seqNo, type, ciphertext, offset, macInputLen); - - if (!Arrays.constantTimeAreEqual(receivedMac, computedMac)) - { - throw new TlsFatalAlert(AlertDescription.bad_record_mac); - } - - return Arrays.copyOfRange(ciphertext, offset, offset + macInputLen); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsNullCompression.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsNullCompression.java deleted file mode 100644 index 13a85abf..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsNullCompression.java +++ /dev/null @@ -1,17 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.OutputStream; - -public class TlsNullCompression - implements TlsCompression -{ - public OutputStream compress(OutputStream output) - { - return output; - } - - public OutputStream decompress(OutputStream output) - { - return output; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsOutputStream.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsOutputStream.java deleted file mode 100644 index d9532414..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsOutputStream.java +++ /dev/null @@ -1,44 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.io.OutputStream; - -/** - * An OutputStream for an TLS connection. - */ -class TlsOutputStream - extends OutputStream -{ - private byte[] buf = new byte[1]; - private TlsProtocol handler; - - TlsOutputStream(TlsProtocol handler) - { - this.handler = handler; - } - - public void write(byte buf[], int offset, int len) - throws IOException - { - this.handler.writeData(buf, offset, len); - } - - public void write(int arg0) - throws IOException - { - buf[0] = (byte)arg0; - this.write(buf, 0, 1); - } - - public void close() - throws IOException - { - handler.close(); - } - - public void flush() - throws IOException - { - handler.flush(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsPSKIdentity.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsPSKIdentity.java deleted file mode 100644 index 2f6eea26..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsPSKIdentity.java +++ /dev/null @@ -1,12 +0,0 @@ -package org.bouncycastle.crypto.tls; - -public interface TlsPSKIdentity -{ - void skipIdentityHint(); - - void notifyIdentityHint(byte[] psk_identity_hint); - - byte[] getPSKIdentity(); - - byte[] getPSK(); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsPSKKeyExchange.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsPSKKeyExchange.java deleted file mode 100644 index 7217bac6..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsPSKKeyExchange.java +++ /dev/null @@ -1,285 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; -import java.util.Vector; - -import org.bouncycastle.asn1.x509.KeyUsage; -import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.params.DHParameters; -import org.bouncycastle.crypto.params.DHPrivateKeyParameters; -import org.bouncycastle.crypto.params.DHPublicKeyParameters; -import org.bouncycastle.crypto.params.RSAKeyParameters; -import org.bouncycastle.crypto.util.PublicKeyFactory; - -/** - * TLS 1.0 PSK key exchange (RFC 4279). - */ -public class TlsPSKKeyExchange - extends AbstractTlsKeyExchange -{ - protected TlsPSKIdentity pskIdentity; - protected DHParameters dhParameters; - protected int[] namedCurves; - protected short[] clientECPointFormats, serverECPointFormats; - - protected byte[] psk_identity_hint = null; - - protected DHPrivateKeyParameters dhAgreePrivateKey = null; - protected DHPublicKeyParameters dhAgreePublicKey = null; - - protected AsymmetricKeyParameter serverPublicKey = null; - protected RSAKeyParameters rsaServerPublicKey = null; - protected TlsEncryptionCredentials serverCredentials = null; - protected byte[] premasterSecret; - - public TlsPSKKeyExchange(int keyExchange, Vector supportedSignatureAlgorithms, TlsPSKIdentity pskIdentity, - DHParameters dhParameters, int[] namedCurves, short[] clientECPointFormats, short[] serverECPointFormats) - { - super(keyExchange, supportedSignatureAlgorithms); - - switch (keyExchange) - { - case KeyExchangeAlgorithm.DHE_PSK: - case KeyExchangeAlgorithm.ECDHE_PSK: - case KeyExchangeAlgorithm.PSK: - case KeyExchangeAlgorithm.RSA_PSK: - break; - default: - throw new IllegalArgumentException("unsupported key exchange algorithm"); - } - - this.pskIdentity = pskIdentity; - this.dhParameters = dhParameters; - this.namedCurves = namedCurves; - this.clientECPointFormats = clientECPointFormats; - this.serverECPointFormats = serverECPointFormats; - } - - public void skipServerCredentials() - throws IOException - { - if (keyExchange == KeyExchangeAlgorithm.RSA_PSK) - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - } - - public void processServerCredentials(TlsCredentials serverCredentials) - throws IOException - { - if (!(serverCredentials instanceof TlsEncryptionCredentials)) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - processServerCertificate(serverCredentials.getCertificate()); - - this.serverCredentials = (TlsEncryptionCredentials)serverCredentials; - } - - public byte[] generateServerKeyExchange() throws IOException - { - // TODO[RFC 4279] Need a server-side PSK API to determine hint and resolve identities to keys - this.psk_identity_hint = null; - - if (this.psk_identity_hint == null && !requiresServerKeyExchange()) - { - return null; - } - - ByteArrayOutputStream buf = new ByteArrayOutputStream(); - - if (this.psk_identity_hint == null) - { - TlsUtils.writeOpaque16(TlsUtils.EMPTY_BYTES, buf); - } - else - { - TlsUtils.writeOpaque16(this.psk_identity_hint, buf); - } - - if (this.keyExchange == KeyExchangeAlgorithm.DHE_PSK) - { - if (this.dhParameters == null) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - this.dhAgreePrivateKey = TlsDHUtils.generateEphemeralServerKeyExchange(context.getSecureRandom(), - this.dhParameters, buf); - } - else if (this.keyExchange == KeyExchangeAlgorithm.ECDHE_PSK) - { - // TODO[RFC 5489] - } - - return buf.toByteArray(); - } - - public void processServerCertificate(Certificate serverCertificate) - throws IOException - { - if (keyExchange != KeyExchangeAlgorithm.RSA_PSK) - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - if (serverCertificate.isEmpty()) - { - throw new TlsFatalAlert(AlertDescription.bad_certificate); - } - - org.bouncycastle.asn1.x509.Certificate x509Cert = serverCertificate.getCertificateAt(0); - - SubjectPublicKeyInfo keyInfo = x509Cert.getSubjectPublicKeyInfo(); - try - { - this.serverPublicKey = PublicKeyFactory.createKey(keyInfo); - } - catch (RuntimeException e) - { - throw new TlsFatalAlert(AlertDescription.unsupported_certificate); - } - - // Sanity check the PublicKeyFactory - if (this.serverPublicKey.isPrivate()) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - this.rsaServerPublicKey = validateRSAPublicKey((RSAKeyParameters)this.serverPublicKey); - - TlsUtils.validateKeyUsage(x509Cert, KeyUsage.keyEncipherment); - - super.processServerCertificate(serverCertificate); - } - - public boolean requiresServerKeyExchange() - { - switch (keyExchange) - { - case KeyExchangeAlgorithm.DHE_PSK: - case KeyExchangeAlgorithm.ECDHE_PSK: - return true; - default: - return false; - } - } - - public void processServerKeyExchange(InputStream input) - throws IOException - { - this.psk_identity_hint = TlsUtils.readOpaque16(input); - - if (this.keyExchange == KeyExchangeAlgorithm.DHE_PSK) - { - ServerDHParams serverDHParams = ServerDHParams.parse(input); - - this.dhAgreePublicKey = TlsDHUtils.validateDHPublicKey(serverDHParams.getPublicKey()); - } - else if (this.keyExchange == KeyExchangeAlgorithm.ECDHE_PSK) - { - // TODO[RFC 5489] - } - } - - public void validateCertificateRequest(CertificateRequest certificateRequest) - throws IOException - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - - public void processClientCredentials(TlsCredentials clientCredentials) - throws IOException - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - public void generateClientKeyExchange(OutputStream output) - throws IOException - { - if (psk_identity_hint == null) - { - pskIdentity.skipIdentityHint(); - } - else - { - pskIdentity.notifyIdentityHint(psk_identity_hint); - } - - byte[] psk_identity = pskIdentity.getPSKIdentity(); - - TlsUtils.writeOpaque16(psk_identity, output); - - if (this.keyExchange == KeyExchangeAlgorithm.DHE_PSK) - { - this.dhAgreePrivateKey = TlsDHUtils.generateEphemeralClientKeyExchange(context.getSecureRandom(), - dhAgreePublicKey.getParameters(), output); - } - else if (this.keyExchange == KeyExchangeAlgorithm.ECDHE_PSK) - { - // TODO[RFC 5489] - throw new TlsFatalAlert(AlertDescription.internal_error); - } - else if (this.keyExchange == KeyExchangeAlgorithm.RSA_PSK) - { - this.premasterSecret = TlsRSAUtils.generateEncryptedPreMasterSecret(context, this.rsaServerPublicKey, - output); - } - } - - public byte[] generatePremasterSecret() - throws IOException - { - byte[] psk = pskIdentity.getPSK(); - byte[] other_secret = generateOtherSecret(psk.length); - - ByteArrayOutputStream buf = new ByteArrayOutputStream(4 + other_secret.length + psk.length); - TlsUtils.writeOpaque16(other_secret, buf); - TlsUtils.writeOpaque16(psk, buf); - return buf.toByteArray(); - } - - protected byte[] generateOtherSecret(int pskLength) throws IOException - { - if (this.keyExchange == KeyExchangeAlgorithm.DHE_PSK) - { - if (dhAgreePrivateKey != null) - { - return TlsDHUtils.calculateDHBasicAgreement(dhAgreePublicKey, dhAgreePrivateKey); - } - - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - if (this.keyExchange == KeyExchangeAlgorithm.ECDHE_PSK) - { - // TODO[RFC 5489] - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - if (this.keyExchange == KeyExchangeAlgorithm.RSA_PSK) - { - return this.premasterSecret; - } - - return new byte[pskLength]; - } - - protected RSAKeyParameters validateRSAPublicKey(RSAKeyParameters key) - throws IOException - { - // TODO What is the minimum bit length required? - // key.getModulus().bitLength(); - - if (!key.getExponent().isProbablePrime(2)) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - return key; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsPeer.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsPeer.java deleted file mode 100644 index 1ee2e5fa..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsPeer.java +++ /dev/null @@ -1,46 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -public interface TlsPeer -{ - /** - * draft-mathewson-no-gmtunixtime-00 2. "If existing users of a TLS implementation may rely on - * gmt_unix_time containing the current time, we recommend that implementors MAY provide the - * ability to set gmt_unix_time as an option only, off by default." - * - * @return <code>true</code> if the current time should be used in the gmt_unix_time field of - * Random, or <code>false</code> if gmt_unix_time should contain a cryptographically - * random value. - */ - boolean shouldUseGMTUnixTime(); - - void notifySecureRenegotiation(boolean secureNegotiation) throws IOException; - - TlsCompression getCompression() throws IOException; - - TlsCipher getCipher() throws IOException; - - /** - * This method will be called when an alert is raised by the protocol. - * - * @param alertLevel {@link AlertLevel} - * @param alertDescription {@link AlertDescription} - * @param message A human-readable message explaining what caused this alert. May be null. - * @param cause The exception that caused this alert to be raised. May be null. - */ - void notifyAlertRaised(short alertLevel, short alertDescription, String message, Exception cause); - - /** - * This method will be called when an alert is received from the remote peer. - * - * @param alertLevel {@link AlertLevel} - * @param alertDescription {@link AlertDescription} - */ - void notifyAlertReceived(short alertLevel, short alertDescription); - - /** - * Notifies the peer that the handshake has been successfully completed. - */ - void notifyHandshakeComplete() throws IOException; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsProtocol.java deleted file mode 100644 index 02629056..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsProtocol.java +++ /dev/null @@ -1,1184 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.ByteArrayInputStream; -import java.io.ByteArrayOutputStream; -import java.io.EOFException; -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; -import java.security.SecureRandom; -import java.util.Enumeration; -import java.util.Hashtable; -import java.util.Vector; - -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.prng.RandomGenerator; -import org.bouncycastle.util.Arrays; -import org.bouncycastle.util.Integers; - -/** - * An implementation of all high level protocols in TLS 1.0/1.1. - */ -public abstract class TlsProtocol -{ - protected static final Integer EXT_RenegotiationInfo = Integers.valueOf(ExtensionType.renegotiation_info); - protected static final Integer EXT_SessionTicket = Integers.valueOf(ExtensionType.session_ticket); - - private static final String TLS_ERROR_MESSAGE = "Internal TLS error, this could be an attack"; - - /* - * Our Connection states - */ - protected static final short CS_START = 0; - protected static final short CS_CLIENT_HELLO = 1; - protected static final short CS_SERVER_HELLO = 2; - protected static final short CS_SERVER_SUPPLEMENTAL_DATA = 3; - protected static final short CS_SERVER_CERTIFICATE = 4; - protected static final short CS_CERTIFICATE_STATUS = 5; - protected static final short CS_SERVER_KEY_EXCHANGE = 6; - protected static final short CS_CERTIFICATE_REQUEST = 7; - protected static final short CS_SERVER_HELLO_DONE = 8; - protected static final short CS_CLIENT_SUPPLEMENTAL_DATA = 9; - protected static final short CS_CLIENT_CERTIFICATE = 10; - protected static final short CS_CLIENT_KEY_EXCHANGE = 11; - protected static final short CS_CERTIFICATE_VERIFY = 12; - protected static final short CS_CLIENT_FINISHED = 13; - protected static final short CS_SERVER_SESSION_TICKET = 14; - protected static final short CS_SERVER_FINISHED = 15; - protected static final short CS_END = 16; - - /* - * Queues for data from some protocols. - */ - private ByteQueue applicationDataQueue = new ByteQueue(); - private ByteQueue alertQueue = new ByteQueue(2); - private ByteQueue handshakeQueue = new ByteQueue(); -// private ByteQueue heartbeatQueue = new ByteQueue(); - - /* - * The Record Stream we use - */ - protected RecordStream recordStream; - protected SecureRandom secureRandom; - - private TlsInputStream tlsInputStream = null; - private TlsOutputStream tlsOutputStream = null; - - private volatile boolean closed = false; - private volatile boolean failedWithError = false; - private volatile boolean appDataReady = false; - private volatile boolean splitApplicationDataRecords = true; - private byte[] expected_verify_data = null; - - protected TlsSession tlsSession = null; - protected SessionParameters sessionParameters = null; - protected SecurityParameters securityParameters = null; - protected Certificate peerCertificate = null; - - protected int[] offeredCipherSuites = null; - protected short[] offeredCompressionMethods = null; - protected Hashtable clientExtensions = null; - protected Hashtable serverExtensions = null; - - protected short connection_state = CS_START; - protected boolean resumedSession = false; - protected boolean receivedChangeCipherSpec = false; - protected boolean secure_renegotiation = false; - protected boolean allowCertificateStatus = false; - protected boolean expectSessionTicket = false; - - public TlsProtocol(InputStream input, OutputStream output, SecureRandom secureRandom) - { - this.recordStream = new RecordStream(this, input, output); - this.secureRandom = secureRandom; - } - - protected abstract AbstractTlsContext getContext(); - - protected abstract TlsPeer getPeer(); - - protected void handleChangeCipherSpecMessage() throws IOException - { - } - - protected abstract void handleHandshakeMessage(short type, byte[] buf) - throws IOException; - - protected void handleWarningMessage(short description) - throws IOException - { - } - - protected void cleanupHandshake() - { - if (this.expected_verify_data != null) - { - Arrays.fill(this.expected_verify_data, (byte)0); - this.expected_verify_data = null; - } - - this.securityParameters.clear(); - this.peerCertificate = null; - - this.offeredCipherSuites = null; - this.offeredCompressionMethods = null; - this.clientExtensions = null; - this.serverExtensions = null; - - this.resumedSession = false; - this.receivedChangeCipherSpec = false; - this.secure_renegotiation = false; - this.allowCertificateStatus = false; - this.expectSessionTicket = false; - } - - protected void completeHandshake() - throws IOException - { - try - { - /* - * We will now read data, until we have completed the handshake. - */ - while (this.connection_state != CS_END) - { - if (this.closed) - { - // TODO What kind of exception/alert? - } - - safeReadRecord(); - } - - this.recordStream.finaliseHandshake(); - - this.splitApplicationDataRecords = !TlsUtils.isTLSv11(getContext()); - - /* - * If this was an initial handshake, we are now ready to send and receive application data. - */ - if (!appDataReady) - { - this.appDataReady = true; - - this.tlsInputStream = new TlsInputStream(this); - this.tlsOutputStream = new TlsOutputStream(this); - } - - if (this.tlsSession != null) - { - if (this.sessionParameters == null) - { - this.sessionParameters = new SessionParameters.Builder() - .setCipherSuite(this.securityParameters.cipherSuite) - .setCompressionAlgorithm(this.securityParameters.compressionAlgorithm) - .setMasterSecret(this.securityParameters.masterSecret) - .setPeerCertificate(this.peerCertificate) - // TODO Consider filtering extensions that aren't relevant to resumed sessions - .setServerExtensions(this.serverExtensions) - .build(); - - this.tlsSession = new TlsSessionImpl(this.tlsSession.getSessionID(), this.sessionParameters); - } - - getContext().setResumableSession(this.tlsSession); - } - - getPeer().notifyHandshakeComplete(); - } - finally - { - cleanupHandshake(); - } - } - - protected void processRecord(short protocol, byte[] buf, int offset, int len) - throws IOException - { - /* - * Have a look at the protocol type, and add it to the correct queue. - */ - switch (protocol) - { - case ContentType.alert: - { - alertQueue.addData(buf, offset, len); - processAlert(); - break; - } - case ContentType.application_data: - { - if (!appDataReady) - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - applicationDataQueue.addData(buf, offset, len); - processApplicationData(); - break; - } - case ContentType.change_cipher_spec: - { - processChangeCipherSpec(buf, offset, len); - break; - } - case ContentType.handshake: - { - handshakeQueue.addData(buf, offset, len); - processHandshake(); - break; - } - case ContentType.heartbeat: - { - if (!appDataReady) - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - // TODO[RFC 6520] -// heartbeatQueue.addData(buf, offset, len); -// processHeartbeat(); - } - default: - /* - * Uh, we don't know this protocol. - * - * RFC2246 defines on page 13, that we should ignore this. - */ - } - } - - private void processHandshake() - throws IOException - { - boolean read; - do - { - read = false; - /* - * We need the first 4 bytes, they contain type and length of the message. - */ - if (handshakeQueue.size() >= 4) - { - byte[] beginning = new byte[4]; - handshakeQueue.read(beginning, 0, 4, 0); - ByteArrayInputStream bis = new ByteArrayInputStream(beginning); - short type = TlsUtils.readUint8(bis); - int len = TlsUtils.readUint24(bis); - - /* - * Check if we have enough bytes in the buffer to read the full message. - */ - if (handshakeQueue.size() >= (len + 4)) - { - /* - * Read the message. - */ - byte[] buf = handshakeQueue.removeData(len, 4); - - /* - * RFC 2246 7.4.9. The value handshake_messages includes all handshake messages - * starting at client hello up to, but not including, this finished message. - * [..] Note: [Also,] Hello Request messages are omitted from handshake hashes. - */ - switch (type) - { - case HandshakeType.hello_request: - break; - case HandshakeType.finished: - { - if (this.expected_verify_data == null) - { - this.expected_verify_data = createVerifyData(!getContext().isServer()); - } - - // NB: Fall through to next case label - } - default: - recordStream.updateHandshakeData(beginning, 0, 4); - recordStream.updateHandshakeData(buf, 0, len); - break; - } - - /* - * Now, parse the message. - */ - handleHandshakeMessage(type, buf); - read = true; - } - } - } - while (read); - } - - private void processApplicationData() - { - /* - * There is nothing we need to do here. - * - * This function could be used for callbacks when application data arrives in the future. - */ - } - - private void processAlert() - throws IOException - { - while (alertQueue.size() >= 2) - { - /* - * An alert is always 2 bytes. Read the alert. - */ - byte[] tmp = alertQueue.removeData(2, 0); - short level = tmp[0]; - short description = tmp[1]; - - getPeer().notifyAlertReceived(level, description); - - if (level == AlertLevel.fatal) - { - /* - * RFC 2246 7.2.1. The session becomes unresumable if any connection is terminated - * without proper close_notify messages with level equal to warning. - */ - invalidateSession(); - - this.failedWithError = true; - this.closed = true; - - recordStream.safeClose(); - - throw new IOException(TLS_ERROR_MESSAGE); - } - else - { - - /* - * RFC 5246 7.2.1. The other party MUST respond with a close_notify alert of its own - * and close down the connection immediately, discarding any pending writes. - */ - // TODO Can close_notify be a fatal alert? - if (description == AlertDescription.close_notify) - { - handleClose(false); - } - - /* - * If it is just a warning, we continue. - */ - handleWarningMessage(description); - } - } - } - - /** - * This method is called, when a change cipher spec message is received. - * - * @throws IOException If the message has an invalid content or the handshake is not in the correct - * state. - */ - private void processChangeCipherSpec(byte[] buf, int off, int len) - throws IOException - { - for (int i = 0; i < len; ++i) - { - short message = TlsUtils.readUint8(buf, off + i); - - if (message != ChangeCipherSpec.change_cipher_spec) - { - throw new TlsFatalAlert(AlertDescription.decode_error); - } - - if (this.receivedChangeCipherSpec - || alertQueue.size() > 0 - || handshakeQueue.size() > 0) - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - - recordStream.receivedReadCipherSpec(); - - this.receivedChangeCipherSpec = true; - - handleChangeCipherSpecMessage(); - } - } - - protected int applicationDataAvailable() - throws IOException - { - return applicationDataQueue.size(); - } - - /** - * Read data from the network. The method will return immediately, if there is still some data - * left in the buffer, or block until some application data has been read from the network. - * - * @param buf The buffer where the data will be copied to. - * @param offset The position where the data will be placed in the buffer. - * @param len The maximum number of bytes to read. - * @return The number of bytes read. - * @throws IOException If something goes wrong during reading data. - */ - protected int readApplicationData(byte[] buf, int offset, int len) - throws IOException - { - if (len < 1) - { - return 0; - } - - while (applicationDataQueue.size() == 0) - { - /* - * We need to read some data. - */ - if (this.closed) - { - if (this.failedWithError) - { - /* - * Something went terribly wrong, we should throw an IOException - */ - throw new IOException(TLS_ERROR_MESSAGE); - } - - /* - * Connection has been closed, there is no more data to read. - */ - return -1; - } - - safeReadRecord(); - } - - len = Math.min(len, applicationDataQueue.size()); - applicationDataQueue.removeData(buf, offset, len, 0); - return len; - } - - protected void safeReadRecord() - throws IOException - { - try - { - if (!recordStream.readRecord()) - { - // TODO It would be nicer to allow graceful connection close if between records -// this.failWithError(AlertLevel.warning, AlertDescription.close_notify); - throw new EOFException(); - } - } - catch (TlsFatalAlert e) - { - if (!this.closed) - { - this.failWithError(AlertLevel.fatal, e.getAlertDescription(), "Failed to read record", e); - } - throw e; - } - catch (IOException e) - { - if (!this.closed) - { - this.failWithError(AlertLevel.fatal, AlertDescription.internal_error, "Failed to read record", e); - } - throw e; - } - catch (RuntimeException e) - { - if (!this.closed) - { - this.failWithError(AlertLevel.fatal, AlertDescription.internal_error, "Failed to read record", e); - } - throw e; - } - } - - protected void safeWriteRecord(short type, byte[] buf, int offset, int len) - throws IOException - { - try - { - recordStream.writeRecord(type, buf, offset, len); - } - catch (TlsFatalAlert e) - { - if (!this.closed) - { - this.failWithError(AlertLevel.fatal, e.getAlertDescription(), "Failed to write record", e); - } - throw e; - } - catch (IOException e) - { - if (!closed) - { - this.failWithError(AlertLevel.fatal, AlertDescription.internal_error, "Failed to write record", e); - } - throw e; - } - catch (RuntimeException e) - { - if (!closed) - { - this.failWithError(AlertLevel.fatal, AlertDescription.internal_error, "Failed to write record", e); - } - throw e; - } - } - - /** - * Send some application data to the remote system. - * <p/> - * The method will handle fragmentation internally. - * - * @param buf The buffer with the data. - * @param offset The position in the buffer where the data is placed. - * @param len The length of the data. - * @throws IOException If something goes wrong during sending. - */ - protected void writeData(byte[] buf, int offset, int len) - throws IOException - { - if (this.closed) - { - if (this.failedWithError) - { - throw new IOException(TLS_ERROR_MESSAGE); - } - - throw new IOException("Sorry, connection has been closed, you cannot write more data"); - } - - while (len > 0) - { - /* - * RFC 5246 6.2.1. Zero-length fragments of Application data MAY be sent as they are - * potentially useful as a traffic analysis countermeasure. - * - * NOTE: Actually, implementations appear to have settled on 1/n-1 record splitting. - */ - - if (this.splitApplicationDataRecords) - { - /* - * Protect against known IV attack! - * - * DO NOT REMOVE THIS CODE, EXCEPT YOU KNOW EXACTLY WHAT YOU ARE DOING HERE. - */ - safeWriteRecord(ContentType.application_data, buf, offset, 1); - ++offset; - --len; - } - - if (len > 0) - { - // Fragment data according to the current fragment limit. - int toWrite = Math.min(len, recordStream.getPlaintextLimit()); - safeWriteRecord(ContentType.application_data, buf, offset, toWrite); - offset += toWrite; - len -= toWrite; - } - } - } - - protected void writeHandshakeMessage(byte[] buf, int off, int len) throws IOException - { - while (len > 0) - { - // Fragment data according to the current fragment limit. - int toWrite = Math.min(len, recordStream.getPlaintextLimit()); - safeWriteRecord(ContentType.handshake, buf, off, toWrite); - off += toWrite; - len -= toWrite; - } - } - - /** - * @return An OutputStream which can be used to send data. - */ - public OutputStream getOutputStream() - { - return this.tlsOutputStream; - } - - /** - * @return An InputStream which can be used to read data. - */ - public InputStream getInputStream() - { - return this.tlsInputStream; - } - - /** - * Terminate this connection with an alert. Can be used for normal closure too. - * - * @param alertLevel - * See {@link AlertLevel} for values. - * @param alertDescription - * See {@link AlertDescription} for values. - * @throws IOException - * If alert was fatal. - */ - protected void failWithError(short alertLevel, short alertDescription, String message, Exception cause) - throws IOException - { - /* - * Check if the connection is still open. - */ - if (!closed) - { - /* - * Prepare the message - */ - this.closed = true; - - if (alertLevel == AlertLevel.fatal) - { - /* - * RFC 2246 7.2.1. The session becomes unresumable if any connection is terminated - * without proper close_notify messages with level equal to warning. - */ - // TODO This isn't quite in the right place. Also, as of TLS 1.1 the above is obsolete. - invalidateSession(); - - this.failedWithError = true; - } - raiseAlert(alertLevel, alertDescription, message, cause); - recordStream.safeClose(); - if (alertLevel != AlertLevel.fatal) - { - return; - } - } - - throw new IOException(TLS_ERROR_MESSAGE); - } - - protected void invalidateSession() - { - if (this.sessionParameters != null) - { - this.sessionParameters.clear(); - this.sessionParameters = null; - } - - if (this.tlsSession != null) - { - this.tlsSession.invalidate(); - this.tlsSession = null; - } - } - - protected void processFinishedMessage(ByteArrayInputStream buf) - throws IOException - { - byte[] verify_data = TlsUtils.readFully(expected_verify_data.length, buf); - - assertEmpty(buf); - - /* - * Compare both checksums. - */ - if (!Arrays.constantTimeAreEqual(expected_verify_data, verify_data)) - { - /* - * Wrong checksum in the finished message. - */ - throw new TlsFatalAlert(AlertDescription.decrypt_error); - } - } - - protected void raiseAlert(short alertLevel, short alertDescription, String message, Exception cause) - throws IOException - { - getPeer().notifyAlertRaised(alertLevel, alertDescription, message, cause); - - byte[] error = new byte[2]; - error[0] = (byte)alertLevel; - error[1] = (byte)alertDescription; - - safeWriteRecord(ContentType.alert, error, 0, 2); - } - - protected void raiseWarning(short alertDescription, String message) - throws IOException - { - raiseAlert(AlertLevel.warning, alertDescription, message, null); - } - - protected void sendCertificateMessage(Certificate certificate) - throws IOException - { - if (certificate == null) - { - certificate = Certificate.EMPTY_CHAIN; - } - - if (certificate.getLength() == 0) - { - TlsContext context = getContext(); - if (!context.isServer()) - { - ProtocolVersion serverVersion = getContext().getServerVersion(); - if (serverVersion.isSSL()) - { - String message = serverVersion.toString() + " client didn't provide credentials"; - raiseWarning(AlertDescription.no_certificate, message); - return; - } - } - } - - HandshakeMessage message = new HandshakeMessage(HandshakeType.certificate); - - certificate.encode(message); - - message.writeToRecordStream(); - } - - protected void sendChangeCipherSpecMessage() - throws IOException - { - byte[] message = new byte[]{ 1 }; - safeWriteRecord(ContentType.change_cipher_spec, message, 0, message.length); - recordStream.sentWriteCipherSpec(); - } - - protected void sendFinishedMessage() - throws IOException - { - byte[] verify_data = createVerifyData(getContext().isServer()); - - HandshakeMessage message = new HandshakeMessage(HandshakeType.finished, verify_data.length); - - message.write(verify_data); - - message.writeToRecordStream(); - } - - protected void sendSupplementalDataMessage(Vector supplementalData) - throws IOException - { - HandshakeMessage message = new HandshakeMessage(HandshakeType.supplemental_data); - - writeSupplementalData(message, supplementalData); - - message.writeToRecordStream(); - } - - protected byte[] createVerifyData(boolean isServer) - { - TlsContext context = getContext(); - - if (isServer) - { - return TlsUtils.calculateVerifyData(context, ExporterLabel.server_finished, - getCurrentPRFHash(getContext(), recordStream.getHandshakeHash(), TlsUtils.SSL_SERVER)); - } - - return TlsUtils.calculateVerifyData(context, ExporterLabel.client_finished, - getCurrentPRFHash(getContext(), recordStream.getHandshakeHash(), TlsUtils.SSL_CLIENT)); - } - - /** - * Closes this connection. - * - * @throws IOException If something goes wrong during closing. - */ - public void close() - throws IOException - { - handleClose(true); - } - - protected void handleClose(boolean user_canceled) - throws IOException - { - if (!closed) - { - if (user_canceled && !appDataReady) - { - raiseWarning(AlertDescription.user_canceled, "User canceled handshake"); - } - this.failWithError(AlertLevel.warning, AlertDescription.close_notify, "Connection closed", null); - } - } - - protected void flush() - throws IOException - { - recordStream.flush(); - } - - protected short processMaxFragmentLengthExtension(Hashtable clientExtensions, Hashtable serverExtensions, short alertDescription) - throws IOException - { - short maxFragmentLength = TlsExtensionsUtils.getMaxFragmentLengthExtension(serverExtensions); - if (maxFragmentLength >= 0 && !this.resumedSession) - { - if (maxFragmentLength != TlsExtensionsUtils.getMaxFragmentLengthExtension(clientExtensions)) - { - throw new TlsFatalAlert(alertDescription); - } - } - return maxFragmentLength; - } - - /** - * Make sure the InputStream 'buf' now empty. Fail otherwise. - * - * @param buf The InputStream to check. - * @throws IOException If 'buf' is not empty. - */ - protected static void assertEmpty(ByteArrayInputStream buf) - throws IOException - { - if (buf.available() > 0) - { - throw new TlsFatalAlert(AlertDescription.decode_error); - } - } - - protected static byte[] createRandomBlock(boolean useGMTUnixTime, RandomGenerator randomGenerator) - { - byte[] result = new byte[32]; - randomGenerator.nextBytes(result); - - if (useGMTUnixTime) - { - TlsUtils.writeGMTUnixTime(result, 0); - } - - return result; - } - - protected static byte[] createRenegotiationInfo(byte[] renegotiated_connection) - throws IOException - { - return TlsUtils.encodeOpaque8(renegotiated_connection); - } - - protected static void establishMasterSecret(TlsContext context, TlsKeyExchange keyExchange) - throws IOException - { - byte[] pre_master_secret = keyExchange.generatePremasterSecret(); - - try - { - context.getSecurityParameters().masterSecret = TlsUtils.calculateMasterSecret(context, pre_master_secret); - } - finally - { - // TODO Is there a way to ensure the data is really overwritten? - /* - * RFC 2246 8.1. The pre_master_secret should be deleted from memory once the - * master_secret has been computed. - */ - if (pre_master_secret != null) - { - Arrays.fill(pre_master_secret, (byte)0); - } - } - } - - /** - * 'sender' only relevant to SSLv3 - */ - protected static byte[] getCurrentPRFHash(TlsContext context, TlsHandshakeHash handshakeHash, byte[] sslSender) - { - Digest d = handshakeHash.forkPRFHash(); - - if (sslSender != null && TlsUtils.isSSL(context)) - { - d.update(sslSender, 0, sslSender.length); - } - - byte[] bs = new byte[d.getDigestSize()]; - d.doFinal(bs, 0); - return bs; - } - - protected static Hashtable readExtensions(ByteArrayInputStream input) - throws IOException - { - if (input.available() < 1) - { - return null; - } - - byte[] extBytes = TlsUtils.readOpaque16(input); - - assertEmpty(input); - - ByteArrayInputStream buf = new ByteArrayInputStream(extBytes); - - // Integer -> byte[] - Hashtable extensions = new Hashtable(); - - while (buf.available() > 0) - { - Integer extension_type = Integers.valueOf(TlsUtils.readUint16(buf)); - byte[] extension_data = TlsUtils.readOpaque16(buf); - - /* - * RFC 3546 2.3 There MUST NOT be more than one extension of the same type. - */ - if (null != extensions.put(extension_type, extension_data)) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - } - - return extensions; - } - - protected static Vector readSupplementalDataMessage(ByteArrayInputStream input) - throws IOException - { - byte[] supp_data = TlsUtils.readOpaque24(input); - - assertEmpty(input); - - ByteArrayInputStream buf = new ByteArrayInputStream(supp_data); - - Vector supplementalData = new Vector(); - - while (buf.available() > 0) - { - int supp_data_type = TlsUtils.readUint16(buf); - byte[] data = TlsUtils.readOpaque16(buf); - - supplementalData.addElement(new SupplementalDataEntry(supp_data_type, data)); - } - - return supplementalData; - } - - protected static void writeExtensions(OutputStream output, Hashtable extensions) - throws IOException - { - ByteArrayOutputStream buf = new ByteArrayOutputStream(); - - Enumeration keys = extensions.keys(); - while (keys.hasMoreElements()) - { - Integer key = (Integer)keys.nextElement(); - int extension_type = key.intValue(); - byte[] extension_data = (byte[])extensions.get(key); - - TlsUtils.checkUint16(extension_type); - TlsUtils.writeUint16(extension_type, buf); - TlsUtils.writeOpaque16(extension_data, buf); - } - - byte[] extBytes = buf.toByteArray(); - - TlsUtils.writeOpaque16(extBytes, output); - } - - protected static void writeSupplementalData(OutputStream output, Vector supplementalData) - throws IOException - { - ByteArrayOutputStream buf = new ByteArrayOutputStream(); - - for (int i = 0; i < supplementalData.size(); ++i) - { - SupplementalDataEntry entry = (SupplementalDataEntry)supplementalData.elementAt(i); - - int supp_data_type = entry.getDataType(); - TlsUtils.checkUint16(supp_data_type); - TlsUtils.writeUint16(supp_data_type, buf); - TlsUtils.writeOpaque16(entry.getData(), buf); - } - - byte[] supp_data = buf.toByteArray(); - - TlsUtils.writeOpaque24(supp_data, output); - } - - protected static int getPRFAlgorithm(TlsContext context, int ciphersuite) throws IOException - { - boolean isTLSv12 = TlsUtils.isTLSv12(context); - - switch (ciphersuite) - { - case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DH_DSS_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DH_DSS_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DH_DSS_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DHE_PSK_WITH_AES_128_CCM: - case CipherSuite.TLS_DHE_PSK_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DHE_PSK_WITH_AES_256_CCM: - case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM_8: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM_8: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: - case CipherSuite.TLS_PSK_DHE_WITH_AES_128_CCM_8: - case CipherSuite.TLS_PSK_DHE_WITH_AES_256_CCM_8: - case CipherSuite.TLS_PSK_WITH_AES_128_CCM: - case CipherSuite.TLS_PSK_WITH_AES_128_CCM_8: - case CipherSuite.TLS_PSK_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_PSK_WITH_AES_256_CCM: - case CipherSuite.TLS_PSK_WITH_AES_256_CCM_8: - case CipherSuite.TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_RSA_PSK_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_AES_128_CCM: - case CipherSuite.TLS_RSA_WITH_AES_128_CCM_8: - case CipherSuite.TLS_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_AES_256_CCM: - case CipherSuite.TLS_RSA_WITH_AES_256_CCM_8: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_NULL_SHA256: - { - if (isTLSv12) - { - return PRFAlgorithm.tls_prf_sha256; - } - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DH_DSS_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DH_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DHE_PSK_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_PSK_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_RSA_PSK_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384: - { - if (isTLSv12) - { - return PRFAlgorithm.tls_prf_sha384; - } - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - case CipherSuite.TLS_DHE_PSK_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_DHE_PSK_WITH_NULL_SHA384: - case CipherSuite.TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_PSK_WITH_NULL_SHA384: - case CipherSuite.TLS_PSK_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_PSK_WITH_NULL_SHA384: - case CipherSuite.TLS_RSA_PSK_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_RSA_PSK_WITH_NULL_SHA384: - { - if (isTLSv12) - { - return PRFAlgorithm.tls_prf_sha384; - } - return PRFAlgorithm.tls_prf_legacy; - } - - default: - { - if (isTLSv12) - { - return PRFAlgorithm.tls_prf_sha256; - } - return PRFAlgorithm.tls_prf_legacy; - } - } - } - - class HandshakeMessage extends ByteArrayOutputStream - { - HandshakeMessage(short handshakeType) throws IOException - { - this(handshakeType, 60); - } - - HandshakeMessage(short handshakeType, int length) throws IOException - { - super(length + 4); - TlsUtils.writeUint8(handshakeType, this); - // Reserve space for length - count += 3; - } - - void writeToRecordStream() throws IOException - { - // Patch actual length back in - int length = count - 4; - TlsUtils.checkUint24(length); - TlsUtils.writeUint24(length, buf, 1); - writeHandshakeMessage(buf, 0, count); - buf = null; - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsProtocolHandler.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsProtocolHandler.java deleted file mode 100644 index 6b9e8eb0..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsProtocolHandler.java +++ /dev/null @@ -1,22 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.InputStream; -import java.io.OutputStream; -import java.security.SecureRandom; - -/** - * @deprecated use TlsClientProtocol instead - */ -public class TlsProtocolHandler - extends TlsClientProtocol -{ - public TlsProtocolHandler(InputStream is, OutputStream os) - { - super(is, os); - } - - public TlsProtocolHandler(InputStream is, OutputStream os, SecureRandom sr) - { - super(is, os, sr); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsRSAKeyExchange.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsRSAKeyExchange.java deleted file mode 100644 index cd3eb0c3..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsRSAKeyExchange.java +++ /dev/null @@ -1,191 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; -import java.util.Vector; - -import org.bouncycastle.asn1.x509.KeyUsage; -import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.params.RSAKeyParameters; -import org.bouncycastle.crypto.util.PublicKeyFactory; -import org.bouncycastle.util.io.Streams; - -/** - * TLS 1.0/1.1 and SSLv3 RSA key exchange. - */ -public class TlsRSAKeyExchange - extends AbstractTlsKeyExchange -{ - protected AsymmetricKeyParameter serverPublicKey = null; - - protected RSAKeyParameters rsaServerPublicKey = null; - - protected TlsEncryptionCredentials serverCredentials = null; - - protected byte[] premasterSecret; - - public TlsRSAKeyExchange(Vector supportedSignatureAlgorithms) - { - super(KeyExchangeAlgorithm.RSA, supportedSignatureAlgorithms); - } - - public void skipServerCredentials() - throws IOException - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - - public void processServerCredentials(TlsCredentials serverCredentials) - throws IOException - { - if (!(serverCredentials instanceof TlsEncryptionCredentials)) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - processServerCertificate(serverCredentials.getCertificate()); - - this.serverCredentials = (TlsEncryptionCredentials)serverCredentials; - } - - public void processServerCertificate(Certificate serverCertificate) - throws IOException - { - if (serverCertificate.isEmpty()) - { - throw new TlsFatalAlert(AlertDescription.bad_certificate); - } - - org.bouncycastle.asn1.x509.Certificate x509Cert = serverCertificate.getCertificateAt(0); - - SubjectPublicKeyInfo keyInfo = x509Cert.getSubjectPublicKeyInfo(); - try - { - this.serverPublicKey = PublicKeyFactory.createKey(keyInfo); - } - catch (RuntimeException e) - { - throw new TlsFatalAlert(AlertDescription.unsupported_certificate); - } - - // Sanity check the PublicKeyFactory - if (this.serverPublicKey.isPrivate()) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - this.rsaServerPublicKey = validateRSAPublicKey((RSAKeyParameters)this.serverPublicKey); - - TlsUtils.validateKeyUsage(x509Cert, KeyUsage.keyEncipherment); - - super.processServerCertificate(serverCertificate); - } - - public void validateCertificateRequest(CertificateRequest certificateRequest) - throws IOException - { - short[] types = certificateRequest.getCertificateTypes(); - for (int i = 0; i < types.length; ++i) - { - switch (types[i]) - { - case ClientCertificateType.rsa_sign: - case ClientCertificateType.dss_sign: - case ClientCertificateType.ecdsa_sign: - break; - default: - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - } - } - - public void processClientCredentials(TlsCredentials clientCredentials) - throws IOException - { - if (!(clientCredentials instanceof TlsSignerCredentials)) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - public void generateClientKeyExchange(OutputStream output) - throws IOException - { - this.premasterSecret = TlsRSAUtils.generateEncryptedPreMasterSecret(context, rsaServerPublicKey, output); - } - - public void processClientKeyExchange(InputStream input) - throws IOException - { - byte[] encryptedPreMasterSecret; - if (TlsUtils.isSSL(context)) - { - // TODO Do any SSLv3 clients actually include the length? - encryptedPreMasterSecret = Streams.readAll(input); - } - else - { - encryptedPreMasterSecret = TlsUtils.readOpaque16(input); - } - - this.premasterSecret = serverCredentials.decryptPreMasterSecret(encryptedPreMasterSecret); - } - - public byte[] generatePremasterSecret() - throws IOException - { - if (this.premasterSecret == null) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - byte[] tmp = this.premasterSecret; - this.premasterSecret = null; - return tmp; - } - - // Would be needed to process RSA_EXPORT server key exchange - // protected void processRSAServerKeyExchange(InputStream is, Signer signer) throws IOException - // { - // InputStream sigIn = is; - // if (signer != null) - // { - // sigIn = new SignerInputStream(is, signer); - // } - // - // byte[] modulusBytes = TlsUtils.readOpaque16(sigIn); - // byte[] exponentBytes = TlsUtils.readOpaque16(sigIn); - // - // if (signer != null) - // { - // byte[] sigByte = TlsUtils.readOpaque16(is); - // - // if (!signer.verifySignature(sigByte)) - // { - // handler.failWithError(AlertLevel.fatal, AlertDescription.bad_certificate); - // } - // } - // - // BigInteger modulus = new BigInteger(1, modulusBytes); - // BigInteger exponent = new BigInteger(1, exponentBytes); - // - // this.rsaServerPublicKey = validateRSAPublicKey(new RSAKeyParameters(false, modulus, - // exponent)); - // } - - protected RSAKeyParameters validateRSAPublicKey(RSAKeyParameters key) - throws IOException - { - // TODO What is the minimum bit length required? - // key.getModulus().bitLength(); - - if (!key.getExponent().isProbablePrime(2)) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - return key; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsRSASigner.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsRSASigner.java deleted file mode 100644 index 35538a70..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsRSASigner.java +++ /dev/null @@ -1,112 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import org.bouncycastle.crypto.AsymmetricBlockCipher; -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.CryptoException; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.Signer; -import org.bouncycastle.crypto.digests.NullDigest; -import org.bouncycastle.crypto.encodings.PKCS1Encoding; -import org.bouncycastle.crypto.engines.RSABlindedEngine; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.params.ParametersWithRandom; -import org.bouncycastle.crypto.params.RSAKeyParameters; -import org.bouncycastle.crypto.signers.GenericSigner; -import org.bouncycastle.crypto.signers.RSADigestSigner; - -public class TlsRSASigner - extends AbstractTlsSigner -{ - public byte[] generateRawSignature(SignatureAndHashAlgorithm algorithm, - AsymmetricKeyParameter privateKey, byte[] hash) - throws CryptoException - { - Signer signer = makeSigner(algorithm, true, true, - new ParametersWithRandom(privateKey, this.context.getSecureRandom())); - signer.update(hash, 0, hash.length); - return signer.generateSignature(); - } - - public boolean verifyRawSignature(SignatureAndHashAlgorithm algorithm, byte[] sigBytes, - AsymmetricKeyParameter publicKey, byte[] hash) - throws CryptoException - { - Signer signer = makeSigner(algorithm, true, false, publicKey); - signer.update(hash, 0, hash.length); - return signer.verifySignature(sigBytes); - } - - public Signer createSigner(SignatureAndHashAlgorithm algorithm, AsymmetricKeyParameter privateKey) - { - return makeSigner(algorithm, false, true, new ParametersWithRandom(privateKey, this.context.getSecureRandom())); - } - - public Signer createVerifyer(SignatureAndHashAlgorithm algorithm, AsymmetricKeyParameter publicKey) - { - return makeSigner(algorithm, false, false, publicKey); - } - - public boolean isValidPublicKey(AsymmetricKeyParameter publicKey) - { - return publicKey instanceof RSAKeyParameters && !publicKey.isPrivate(); - } - - protected Signer makeSigner(SignatureAndHashAlgorithm algorithm, boolean raw, boolean forSigning, - CipherParameters cp) - { - if ((algorithm != null) != TlsUtils.isTLSv12(context)) - { - throw new IllegalStateException(); - } - - if (algorithm != null && algorithm.getSignature() != SignatureAlgorithm.rsa) - { - throw new IllegalStateException(); - } - - Digest d; - if (raw) - { - d = new NullDigest(); - } - else if (algorithm == null) - { - d = new CombinedHash(); - } - else - { - d = TlsUtils.createHash(algorithm.getHash()); - } - - Signer s; - if (algorithm != null) - { - /* - * RFC 5246 4.7. In RSA signing, the opaque vector contains the signature generated - * using the RSASSA-PKCS1-v1_5 signature scheme defined in [PKCS1]. - */ - s = new RSADigestSigner(d, TlsUtils.getOIDForHashAlgorithm(algorithm.getHash())); - } - else - { - /* - * RFC 5246 4.7. Note that earlier versions of TLS used a different RSA signature scheme - * that did not include a DigestInfo encoding. - */ - s = new GenericSigner(createRSAImpl(), d); - } - s.init(forSigning, cp); - return s; - } - - protected AsymmetricBlockCipher createRSAImpl() - { - /* - * RFC 5264 7.4.7.1. Implementation note: It is now known that remote timing-based attacks - * on TLS are possible, at least when the client and server are on the same LAN. - * Accordingly, implementations that use static RSA keys MUST use RSA blinding or some other - * anti-timing technique, as described in [TIMING]. - */ - return new PKCS1Encoding(new RSABlindedEngine()); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsRSAUtils.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsRSAUtils.java deleted file mode 100644 index 1fe4fa52..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsRSAUtils.java +++ /dev/null @@ -1,140 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.io.OutputStream; - -import org.bouncycastle.crypto.InvalidCipherTextException; -import org.bouncycastle.crypto.encodings.PKCS1Encoding; -import org.bouncycastle.crypto.engines.RSABlindedEngine; -import org.bouncycastle.crypto.params.ParametersWithRandom; -import org.bouncycastle.crypto.params.RSAKeyParameters; -import org.bouncycastle.util.Arrays; - -public class TlsRSAUtils -{ - public static byte[] generateEncryptedPreMasterSecret(TlsContext context, RSAKeyParameters rsaServerPublicKey, - OutputStream output) throws IOException - { - /* - * Choose a PremasterSecret and send it encrypted to the server - */ - byte[] premasterSecret = new byte[48]; - context.getSecureRandom().nextBytes(premasterSecret); - TlsUtils.writeVersion(context.getClientVersion(), premasterSecret, 0); - - PKCS1Encoding encoding = new PKCS1Encoding(new RSABlindedEngine()); - encoding.init(true, new ParametersWithRandom(rsaServerPublicKey, context.getSecureRandom())); - - try - { - byte[] encryptedPreMasterSecret = encoding.processBlock(premasterSecret, 0, premasterSecret.length); - - if (TlsUtils.isSSL(context)) - { - // TODO Do any SSLv3 servers actually expect the length? - output.write(encryptedPreMasterSecret); - } - else - { - TlsUtils.writeOpaque16(encryptedPreMasterSecret, output); - } - } - catch (InvalidCipherTextException e) - { - /* - * This should never happen, only during decryption. - */ - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - return premasterSecret; - } - - /** - * @deprecated {@link TlsEncryptionCredentials#decryptPreMasterSecret(byte[])} is expected to decrypt safely - */ - public static byte[] safeDecryptPreMasterSecret(TlsContext context, TlsEncryptionCredentials encryptionCredentials, - byte[] encryptedPreMasterSecret) throws IOException - { - return encryptionCredentials.decryptPreMasterSecret(encryptedPreMasterSecret); - } - - public static byte[] safeDecryptPreMasterSecret(TlsContext context, RSAKeyParameters rsaServerPrivateKey, - byte[] encryptedPreMasterSecret) - { - /* - * RFC 5246 7.4.7.1. - */ - ProtocolVersion clientVersion = context.getClientVersion(); - - // TODO Provide as configuration option? - boolean versionNumberCheckDisabled = false; - - /* - * Generate 48 random bytes we can use as a Pre-Master-Secret, if the - * PKCS1 padding check should fail. - */ - byte[] fallback = new byte[48]; - context.getSecureRandom().nextBytes(fallback); - - byte[] M = Arrays.clone(fallback); - try - { - PKCS1Encoding encoding = new PKCS1Encoding(new RSABlindedEngine(), fallback); - encoding.init(false, - new ParametersWithRandom(rsaServerPrivateKey, context.getSecureRandom())); - - M = encoding.processBlock(encryptedPreMasterSecret, 0, encryptedPreMasterSecret.length); - } - catch (Exception e) - { - /* - * This should never happen since the decryption should never throw an exception - * and return a random value instead. - * - * In any case, a TLS server MUST NOT generate an alert if processing an - * RSA-encrypted premaster secret message fails, or the version number is not as - * expected. Instead, it MUST continue the handshake with a randomly generated - * premaster secret. - */ - } - - /* - * If ClientHello.client_version is TLS 1.1 or higher, server implementations MUST - * check the version number [..]. - */ - if (versionNumberCheckDisabled && clientVersion.isEqualOrEarlierVersionOf(ProtocolVersion.TLSv10)) - { - /* - * If the version number is TLS 1.0 or earlier, server - * implementations SHOULD check the version number, but MAY have a - * configuration option to disable the check. - * - * So there is nothing to do here. - */ - } - else - { - /* - * OK, we need to compare the version number in the decrypted Pre-Master-Secret with the - * clientVersion received during the handshake. If they don't match, we replace the - * decrypted Pre-Master-Secret with a random one. - */ - int correct = (clientVersion.getMajorVersion() ^ (M[0] & 0xff)) - | (clientVersion.getMinorVersion() ^ (M[1] & 0xff)); - correct |= correct >> 1; - correct |= correct >> 2; - correct |= correct >> 4; - int mask = ~((correct & 1) - 1); - - /* - * mask will be all bits set to 0xff if the version number differed. - */ - for (int i = 0; i < 48; i++) - { - M[i] = (byte)((M[i] & (~mask)) | (fallback[i] & mask)); - } - } - return M; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsSRPKeyExchange.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsSRPKeyExchange.java deleted file mode 100644 index 9e81fe67..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsSRPKeyExchange.java +++ /dev/null @@ -1,205 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; -import java.math.BigInteger; -import java.util.Vector; - -import org.bouncycastle.asn1.x509.KeyUsage; -import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; -import org.bouncycastle.crypto.CryptoException; -import org.bouncycastle.crypto.Signer; -import org.bouncycastle.crypto.agreement.srp.SRP6Client; -import org.bouncycastle.crypto.agreement.srp.SRP6Util; -import org.bouncycastle.crypto.digests.SHA1Digest; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.util.PublicKeyFactory; -import org.bouncycastle.util.BigIntegers; -import org.bouncycastle.util.io.TeeInputStream; - -/** - * TLS 1.1 SRP key exchange (RFC 5054). - */ -public class TlsSRPKeyExchange extends AbstractTlsKeyExchange -{ - protected TlsSigner tlsSigner; - protected byte[] identity; - protected byte[] password; - - protected AsymmetricKeyParameter serverPublicKey = null; - - protected byte[] s = null; - protected BigInteger B = null; - protected SRP6Client srpClient = new SRP6Client(); - - public TlsSRPKeyExchange(int keyExchange, Vector supportedSignatureAlgorithms, byte[] identity, byte[] password) - { - super(keyExchange, supportedSignatureAlgorithms); - - switch (keyExchange) - { - case KeyExchangeAlgorithm.SRP: - this.tlsSigner = null; - break; - case KeyExchangeAlgorithm.SRP_RSA: - this.tlsSigner = new TlsRSASigner(); - break; - case KeyExchangeAlgorithm.SRP_DSS: - this.tlsSigner = new TlsDSSSigner(); - break; - default: - throw new IllegalArgumentException("unsupported key exchange algorithm"); - } - - this.keyExchange = keyExchange; - this.identity = identity; - this.password = password; - } - - public void init(TlsContext context) - { - super.init(context); - - if (this.tlsSigner != null) { - this.tlsSigner.init(context); - } - } - - public void skipServerCredentials() throws IOException - { - if (tlsSigner != null) - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - } - - public void processServerCertificate(Certificate serverCertificate) throws IOException - { - if (tlsSigner == null) - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - if (serverCertificate.isEmpty()) - { - throw new TlsFatalAlert(AlertDescription.bad_certificate); - } - - org.bouncycastle.asn1.x509.Certificate x509Cert = serverCertificate.getCertificateAt(0); - - SubjectPublicKeyInfo keyInfo = x509Cert.getSubjectPublicKeyInfo(); - try - { - this.serverPublicKey = PublicKeyFactory.createKey(keyInfo); - } - catch (RuntimeException e) - { - throw new TlsFatalAlert(AlertDescription.unsupported_certificate); - } - - if (!tlsSigner.isValidPublicKey(this.serverPublicKey)) - { - throw new TlsFatalAlert(AlertDescription.certificate_unknown); - } - - TlsUtils.validateKeyUsage(x509Cert, KeyUsage.digitalSignature); - - super.processServerCertificate(serverCertificate); - } - - public boolean requiresServerKeyExchange() - { - return true; - } - - public void processServerKeyExchange(InputStream input) throws IOException - { - SecurityParameters securityParameters = context.getSecurityParameters(); - - SignerInputBuffer buf = null; - InputStream teeIn = input; - - if (tlsSigner != null) - { - buf = new SignerInputBuffer(); - teeIn = new TeeInputStream(input, buf); - } - - byte[] NBytes = TlsUtils.readOpaque16(teeIn); - byte[] gBytes = TlsUtils.readOpaque16(teeIn); - byte[] sBytes = TlsUtils.readOpaque8(teeIn); - byte[] BBytes = TlsUtils.readOpaque16(teeIn); - - if (buf != null) - { - DigitallySigned signed_params = DigitallySigned.parse(context, input); - - Signer signer = initVerifyer(tlsSigner, signed_params.getAlgorithm(), securityParameters); - buf.updateSigner(signer); - if (!signer.verifySignature(signed_params.getSignature())) - { - throw new TlsFatalAlert(AlertDescription.decrypt_error); - } - } - - BigInteger N = new BigInteger(1, NBytes); - BigInteger g = new BigInteger(1, gBytes); - - // TODO Validate group parameters (see RFC 5054) -// throw new TlsFatalAlert(AlertDescription.insufficient_security); - - this.s = sBytes; - - /* - * RFC 5054 2.5.3: The client MUST abort the handshake with an "illegal_parameter" alert if - * B % N = 0. - */ - try - { - this.B = SRP6Util.validatePublicValue(N, new BigInteger(1, BBytes)); - } - catch (CryptoException e) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - this.srpClient.init(N, g, TlsUtils.createHash(HashAlgorithm.sha1), context.getSecureRandom()); - } - - public void validateCertificateRequest(CertificateRequest certificateRequest) throws IOException - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - - public void processClientCredentials(TlsCredentials clientCredentials) throws IOException - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - public void generateClientKeyExchange(OutputStream output) throws IOException - { - BigInteger A = srpClient.generateClientCredentials(s, this.identity, this.password); - TlsUtils.writeOpaque16(BigIntegers.asUnsignedByteArray(A), output); - } - - public byte[] generatePremasterSecret() throws IOException - { - try - { - // TODO Check if this needs to be a fixed size - return BigIntegers.asUnsignedByteArray(srpClient.calculateSecret(B)); - } - catch (CryptoException e) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - } - - protected Signer initVerifyer(TlsSigner tlsSigner, SignatureAndHashAlgorithm algorithm, SecurityParameters securityParameters) - { - Signer signer = tlsSigner.createVerifyer(algorithm, this.serverPublicKey); - signer.update(securityParameters.clientRandom, 0, securityParameters.clientRandom.length); - signer.update(securityParameters.serverRandom, 0, securityParameters.serverRandom.length); - return signer; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsSRPUtils.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsSRPUtils.java deleted file mode 100644 index c1b3365e..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsSRPUtils.java +++ /dev/null @@ -1,48 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.ByteArrayInputStream; -import java.io.IOException; -import java.util.Hashtable; - -import org.bouncycastle.util.Integers; - -public class TlsSRPUtils -{ - public static final Integer EXT_SRP = Integers.valueOf(ExtensionType.srp); - - public static void addSRPExtension(Hashtable extensions, byte[] identity) throws IOException - { - extensions.put(EXT_SRP, createSRPExtension(identity)); - } - - public static byte[] getSRPExtension(Hashtable extensions) throws IOException - { - byte[] extensionData = TlsUtils.getExtensionData(extensions, EXT_SRP); - return extensionData == null ? null : readSRPExtension(extensionData); - } - - public static byte[] createSRPExtension(byte[] identity) throws IOException - { - if (identity == null) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - return TlsUtils.encodeOpaque8(identity); - } - - public static byte[] readSRPExtension(byte[] extensionData) throws IOException - { - if (extensionData == null) - { - throw new IllegalArgumentException("'extensionData' cannot be null"); - } - - ByteArrayInputStream buf = new ByteArrayInputStream(extensionData); - byte[] identity = TlsUtils.readOpaque8(buf); - - TlsProtocol.assertEmpty(buf); - - return identity; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsSRTPUtils.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsSRTPUtils.java deleted file mode 100644 index da98b7a1..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsSRTPUtils.java +++ /dev/null @@ -1,74 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.ByteArrayInputStream; -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.util.Hashtable; - -import org.bouncycastle.util.Integers; - -/** - * RFC 5764 DTLS Extension to Establish Keys for SRTP. - */ -public class TlsSRTPUtils -{ - public static final Integer EXT_use_srtp = Integers.valueOf(ExtensionType.use_srtp); - - public static void addUseSRTPExtension(Hashtable extensions, UseSRTPData useSRTPData) - throws IOException - { - extensions.put(EXT_use_srtp, createUseSRTPExtension(useSRTPData)); - } - - public static UseSRTPData getUseSRTPExtension(Hashtable extensions) - throws IOException - { - byte[] extensionData = TlsUtils.getExtensionData(extensions, EXT_use_srtp); - return extensionData == null ? null : readUseSRTPExtension(extensionData); - } - - public static byte[] createUseSRTPExtension(UseSRTPData useSRTPData) - throws IOException - { - if (useSRTPData == null) - { - throw new IllegalArgumentException("'useSRTPData' cannot be null"); - } - - ByteArrayOutputStream buf = new ByteArrayOutputStream(); - - // SRTPProtectionProfiles - TlsUtils.writeUint16ArrayWithUint16Length(useSRTPData.getProtectionProfiles(), buf); - - // srtp_mki - TlsUtils.writeOpaque8(useSRTPData.getMki(), buf); - - return buf.toByteArray(); - } - - public static UseSRTPData readUseSRTPExtension(byte[] extensionData) - throws IOException - { - if (extensionData == null) - { - throw new IllegalArgumentException("'extensionData' cannot be null"); - } - - ByteArrayInputStream buf = new ByteArrayInputStream(extensionData); - - // SRTPProtectionProfiles - int length = TlsUtils.readUint16(buf); - if (length < 2 || (length & 1) != 0) - { - throw new TlsFatalAlert(AlertDescription.decode_error); - } - int[] protectionProfiles = TlsUtils.readUint16Array(length / 2, buf); - - // srtp_mki - byte[] mki = TlsUtils.readOpaque8(buf); - - TlsProtocol.assertEmpty(buf); - - return new UseSRTPData(protectionProfiles, mki); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsServer.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsServer.java deleted file mode 100644 index d97c16d5..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsServer.java +++ /dev/null @@ -1,90 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.util.Hashtable; -import java.util.Vector; - -public interface TlsServer - extends TlsPeer -{ - void init(TlsServerContext context); - - void notifyClientVersion(ProtocolVersion clientVersion) throws IOException; - - void notifyOfferedCipherSuites(int[] offeredCipherSuites) - throws IOException; - - void notifyOfferedCompressionMethods(short[] offeredCompressionMethods) - throws IOException; - - // Hashtable is (Integer -> byte[]) - void processClientExtensions(Hashtable clientExtensions) - throws IOException; - - ProtocolVersion getServerVersion() - throws IOException; - - int getSelectedCipherSuite() - throws IOException; - - short getSelectedCompressionMethod() - throws IOException; - - // Hashtable is (Integer -> byte[]) - Hashtable getServerExtensions() - throws IOException; - - // Vector is (SupplementalDataEntry) - Vector getServerSupplementalData() - throws IOException; - - TlsCredentials getCredentials() - throws IOException; - - /** - * This method will be called (only) if the server included an extension of type - * "status_request" with empty "extension_data" in the extended server hello. See <i>RFC 3546 - * 3.6. Certificate Status Request</i>. If a non-null {@link CertificateStatus} is returned, it - * is sent to the client as a handshake message of type "certificate_status". - * - * @return A {@link CertificateStatus} to be sent to the client (or null for none). - * @throws IOException - */ - CertificateStatus getCertificateStatus() - throws IOException; - - TlsKeyExchange getKeyExchange() - throws IOException; - - CertificateRequest getCertificateRequest() - throws IOException; - - // Vector is (SupplementalDataEntry) - void processClientSupplementalData(Vector clientSupplementalData) - throws IOException; - - /** - * Called by the protocol handler to report the client certificate, only if - * {@link #getCertificateRequest()} returned non-null. - * - * Note: this method is responsible for certificate verification and validation. - * - * @param clientCertificate - * the effective client certificate (may be an empty chain). - * @throws IOException - */ - void notifyClientCertificate(Certificate clientCertificate) - throws IOException; - - /** - * RFC 5077 3.3. NewSessionTicket Handshake Message. - * <p> - * This method will be called (only) if a NewSessionTicket extension was sent by the server. See - * <i>RFC 5077 4. Recommended Ticket Construction</i> for recommended format and protection. - * - * @return The ticket. - * @throws IOException - */ - NewSessionTicket getNewSessionTicket() - throws IOException; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerContext.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerContext.java deleted file mode 100644 index 37a0c952..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerContext.java +++ /dev/null @@ -1,6 +0,0 @@ -package org.bouncycastle.crypto.tls; - -public interface TlsServerContext - extends TlsContext -{ -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerContextImpl.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerContextImpl.java deleted file mode 100644 index 48f028a0..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerContextImpl.java +++ /dev/null @@ -1,18 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.security.SecureRandom; - -class TlsServerContextImpl - extends AbstractTlsContext - implements TlsServerContext -{ - TlsServerContextImpl(SecureRandom secureRandom, SecurityParameters securityParameters) - { - super(secureRandom, securityParameters); - } - - public boolean isServer() - { - return true; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java deleted file mode 100644 index 8499b83e..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java +++ /dev/null @@ -1,778 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.ByteArrayInputStream; -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; -import java.security.SecureRandom; -import java.util.Vector; - -import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.util.PublicKeyFactory; -import org.bouncycastle.util.Arrays; - -public class TlsServerProtocol - extends TlsProtocol -{ - protected TlsServer tlsServer = null; - protected TlsServerContextImpl tlsServerContext = null; - - protected TlsKeyExchange keyExchange = null; - protected TlsCredentials serverCredentials = null; - protected CertificateRequest certificateRequest = null; - - protected short clientCertificateType = -1; - protected TlsHandshakeHash prepareFinishHash = null; - - public TlsServerProtocol(InputStream input, OutputStream output, SecureRandom secureRandom) - { - super(input, output, secureRandom); - } - - /** - * Receives a TLS handshake in the role of server - * - * @param tlsServer - * @throws IOException If handshake was not successful. - */ - public void accept(TlsServer tlsServer) - throws IOException - { - if (tlsServer == null) - { - throw new IllegalArgumentException("'tlsServer' cannot be null"); - } - if (this.tlsServer != null) - { - throw new IllegalStateException("'accept' can only be called once"); - } - - this.tlsServer = tlsServer; - - this.securityParameters = new SecurityParameters(); - this.securityParameters.entity = ConnectionEnd.server; - - this.tlsServerContext = new TlsServerContextImpl(secureRandom, securityParameters); - - this.securityParameters.serverRandom = createRandomBlock(tlsServer.shouldUseGMTUnixTime(), - tlsServerContext.getNonceRandomGenerator()); - - this.tlsServer.init(tlsServerContext); - this.recordStream.init(tlsServerContext); - - this.recordStream.setRestrictReadVersion(false); - - completeHandshake(); - } - - protected void cleanupHandshake() - { - super.cleanupHandshake(); - - this.keyExchange = null; - this.serverCredentials = null; - this.certificateRequest = null; - this.prepareFinishHash = null; - } - - protected AbstractTlsContext getContext() - { - return tlsServerContext; - } - - protected TlsPeer getPeer() - { - return tlsServer; - } - - protected void handleHandshakeMessage(short type, byte[] data) - throws IOException - { - ByteArrayInputStream buf = new ByteArrayInputStream(data); - - switch (type) - { - case HandshakeType.client_hello: - { - switch (this.connection_state) - { - case CS_START: - { - receiveClientHelloMessage(buf); - this.connection_state = CS_CLIENT_HELLO; - - sendServerHelloMessage(); - this.connection_state = CS_SERVER_HELLO; - - Vector serverSupplementalData = tlsServer.getServerSupplementalData(); - if (serverSupplementalData != null) - { - sendSupplementalDataMessage(serverSupplementalData); - } - this.connection_state = CS_SERVER_SUPPLEMENTAL_DATA; - - this.keyExchange = tlsServer.getKeyExchange(); - this.keyExchange.init(getContext()); - - this.serverCredentials = tlsServer.getCredentials(); - - Certificate serverCertificate = null; - - if (this.serverCredentials == null) - { - this.keyExchange.skipServerCredentials(); - } - else - { - this.keyExchange.processServerCredentials(this.serverCredentials); - - serverCertificate = this.serverCredentials.getCertificate(); - sendCertificateMessage(serverCertificate); - } - this.connection_state = CS_SERVER_CERTIFICATE; - - // TODO[RFC 3546] Check whether empty certificates is possible, allowed, or excludes CertificateStatus - if (serverCertificate == null || serverCertificate.isEmpty()) - { - this.allowCertificateStatus = false; - } - - if (this.allowCertificateStatus) - { - CertificateStatus certificateStatus = tlsServer.getCertificateStatus(); - if (certificateStatus != null) - { - sendCertificateStatusMessage(certificateStatus); - } - } - - this.connection_state = CS_CERTIFICATE_STATUS; - - byte[] serverKeyExchange = this.keyExchange.generateServerKeyExchange(); - if (serverKeyExchange != null) - { - sendServerKeyExchangeMessage(serverKeyExchange); - } - this.connection_state = CS_SERVER_KEY_EXCHANGE; - - if (this.serverCredentials != null) - { - this.certificateRequest = tlsServer.getCertificateRequest(); - if (this.certificateRequest != null) - { - this.keyExchange.validateCertificateRequest(certificateRequest); - - sendCertificateRequestMessage(certificateRequest); - - TlsUtils.trackHashAlgorithms(this.recordStream.getHandshakeHash(), - this.certificateRequest.getSupportedSignatureAlgorithms()); - } - } - this.connection_state = CS_CERTIFICATE_REQUEST; - - sendServerHelloDoneMessage(); - this.connection_state = CS_SERVER_HELLO_DONE; - - this.recordStream.getHandshakeHash().sealHashAlgorithms(); - - break; - } - default: - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - break; - } - case HandshakeType.supplemental_data: - { - switch (this.connection_state) - { - case CS_SERVER_HELLO_DONE: - { - tlsServer.processClientSupplementalData(readSupplementalDataMessage(buf)); - this.connection_state = CS_CLIENT_SUPPLEMENTAL_DATA; - break; - } - default: - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - break; - } - case HandshakeType.certificate: - { - switch (this.connection_state) - { - case CS_SERVER_HELLO_DONE: - { - tlsServer.processClientSupplementalData(null); - // NB: Fall through to next case label - } - case CS_CLIENT_SUPPLEMENTAL_DATA: - { - if (this.certificateRequest == null) - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - receiveCertificateMessage(buf); - this.connection_state = CS_CLIENT_CERTIFICATE; - break; - } - default: - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - break; - } - case HandshakeType.client_key_exchange: - { - switch (this.connection_state) - { - case CS_SERVER_HELLO_DONE: - { - tlsServer.processClientSupplementalData(null); - // NB: Fall through to next case label - } - case CS_CLIENT_SUPPLEMENTAL_DATA: - { - if (this.certificateRequest == null) - { - this.keyExchange.skipClientCredentials(); - } - else - { - if (TlsUtils.isTLSv12(getContext())) - { - /* - * RFC 5246 If no suitable certificate is available, the client MUST send a - * certificate message containing no certificates. - * - * NOTE: In previous RFCs, this was SHOULD instead of MUST. - */ - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - else if (TlsUtils.isSSL(getContext())) - { - if (this.peerCertificate == null) - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - } - else - { - notifyClientCertificate(Certificate.EMPTY_CHAIN); - } - } - // NB: Fall through to next case label - } - case CS_CLIENT_CERTIFICATE: - { - receiveClientKeyExchangeMessage(buf); - this.connection_state = CS_CLIENT_KEY_EXCHANGE; - break; - } - default: - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - break; - } - case HandshakeType.certificate_verify: - { - switch (this.connection_state) - { - case CS_CLIENT_KEY_EXCHANGE: - { - /* - * RFC 5246 7.4.8 This message is only sent following a client certificate that has - * signing capability (i.e., all certificates except those containing fixed - * Diffie-Hellman parameters). - */ - if (!expectCertificateVerifyMessage()) - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - - receiveCertificateVerifyMessage(buf); - this.connection_state = CS_CERTIFICATE_VERIFY; - - break; - } - default: - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - break; - } - case HandshakeType.finished: - { - switch (this.connection_state) - { - case CS_CLIENT_KEY_EXCHANGE: - { - if (expectCertificateVerifyMessage()) - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - // NB: Fall through to next case label - } - case CS_CERTIFICATE_VERIFY: - { - processFinishedMessage(buf); - this.connection_state = CS_CLIENT_FINISHED; - - if (this.expectSessionTicket) - { - sendNewSessionTicketMessage(tlsServer.getNewSessionTicket()); - sendChangeCipherSpecMessage(); - } - this.connection_state = CS_SERVER_SESSION_TICKET; - - sendFinishedMessage(); - this.connection_state = CS_SERVER_FINISHED; - this.connection_state = CS_END; - break; - } - default: - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - break; - } - case HandshakeType.hello_request: - case HandshakeType.hello_verify_request: - case HandshakeType.server_hello: - case HandshakeType.server_key_exchange: - case HandshakeType.certificate_request: - case HandshakeType.server_hello_done: - case HandshakeType.session_ticket: - default: - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - } - - protected void handleWarningMessage(short description) - throws IOException - { - switch (description) - { - case AlertDescription.no_certificate: - { - /* - * SSL 3.0 If the server has sent a certificate request Message, the client must send - * either the certificate message or a no_certificate alert. - */ - if (TlsUtils.isSSL(getContext()) && certificateRequest != null) - { - notifyClientCertificate(Certificate.EMPTY_CHAIN); - } - break; - } - default: - { - super.handleWarningMessage(description); - } - } - } - - protected void notifyClientCertificate(Certificate clientCertificate) - throws IOException - { - if (certificateRequest == null) - { - throw new IllegalStateException(); - } - - if (this.peerCertificate != null) - { - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - - this.peerCertificate = clientCertificate; - - if (clientCertificate.isEmpty()) - { - this.keyExchange.skipClientCredentials(); - } - else - { - - /* - * TODO RFC 5246 7.4.6. If the certificate_authorities list in the certificate request - * message was non-empty, one of the certificates in the certificate chain SHOULD be - * issued by one of the listed CAs. - */ - - this.clientCertificateType = TlsUtils.getClientCertificateType(clientCertificate, - this.serverCredentials.getCertificate()); - - this.keyExchange.processClientCertificate(clientCertificate); - } - - /* - * RFC 5246 7.4.6. If the client does not send any certificates, the server MAY at its - * discretion either continue the handshake without client authentication, or respond with a - * fatal handshake_failure alert. Also, if some aspect of the certificate chain was - * unacceptable (e.g., it was not signed by a known, trusted CA), the server MAY at its - * discretion either continue the handshake (considering the client unauthenticated) or send - * a fatal alert. - */ - this.tlsServer.notifyClientCertificate(clientCertificate); - } - - protected void receiveCertificateMessage(ByteArrayInputStream buf) - throws IOException - { - Certificate clientCertificate = Certificate.parse(buf); - - assertEmpty(buf); - - notifyClientCertificate(clientCertificate); - } - - protected void receiveCertificateVerifyMessage(ByteArrayInputStream buf) - throws IOException - { - DigitallySigned clientCertificateVerify = DigitallySigned.parse(getContext(), buf); - - assertEmpty(buf); - - // Verify the CertificateVerify message contains a correct signature. - boolean verified = false; - try - { - byte[] certificateVerifyHash; - if (TlsUtils.isTLSv12(getContext())) - { - certificateVerifyHash = prepareFinishHash.getFinalHash(clientCertificateVerify.getAlgorithm().getHash()); - } - else - { - certificateVerifyHash = TlsProtocol.getCurrentPRFHash(getContext(), prepareFinishHash, null); - } - - org.bouncycastle.asn1.x509.Certificate x509Cert = this.peerCertificate.getCertificateAt(0); - SubjectPublicKeyInfo keyInfo = x509Cert.getSubjectPublicKeyInfo(); - AsymmetricKeyParameter publicKey = PublicKeyFactory.createKey(keyInfo); - - TlsSigner tlsSigner = TlsUtils.createTlsSigner(this.clientCertificateType); - tlsSigner.init(getContext()); - verified = tlsSigner.verifyRawSignature(clientCertificateVerify.getAlgorithm(), - clientCertificateVerify.getSignature(), publicKey, certificateVerifyHash); - } - catch (Exception e) - { - } - - if (!verified) - { - throw new TlsFatalAlert(AlertDescription.decrypt_error); - } - } - - protected void receiveClientHelloMessage(ByteArrayInputStream buf) - throws IOException - { - ProtocolVersion client_version = TlsUtils.readVersion(buf); - if (client_version.isDTLS()) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - byte[] client_random = TlsUtils.readFully(32, buf); - - /* - * TODO RFC 5077 3.4. If a ticket is presented by the client, the server MUST NOT attempt to - * use the Session ID in the ClientHello for stateful session resumption. - */ - byte[] sessionID = TlsUtils.readOpaque8(buf); - if (sessionID.length > 32) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - /* - * TODO RFC 5246 7.4.1.2. If the session_id field is not empty (implying a session - * resumption request), this vector MUST include at least the cipher_suite from that - * session. - */ - int cipher_suites_length = TlsUtils.readUint16(buf); - if (cipher_suites_length < 2 || (cipher_suites_length & 1) != 0) - { - throw new TlsFatalAlert(AlertDescription.decode_error); - } - this.offeredCipherSuites = TlsUtils.readUint16Array(cipher_suites_length / 2, buf); - - /* - * TODO RFC 5246 7.4.1.2. If the session_id field is not empty (implying a session - * resumption request), it MUST include the compression_method from that session. - */ - int compression_methods_length = TlsUtils.readUint8(buf); - if (compression_methods_length < 1) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - this.offeredCompressionMethods = TlsUtils.readUint8Array(compression_methods_length, buf); - - /* - * TODO RFC 3546 2.3 If [...] the older session is resumed, then the server MUST ignore - * extensions appearing in the client hello, and send a server hello containing no - * extensions. - */ - this.clientExtensions = readExtensions(buf); - - getContext().setClientVersion(client_version); - - tlsServer.notifyClientVersion(client_version); - - securityParameters.clientRandom = client_random; - - tlsServer.notifyOfferedCipherSuites(offeredCipherSuites); - tlsServer.notifyOfferedCompressionMethods(offeredCompressionMethods); - - /* - * RFC 5746 3.6. Server Behavior: Initial Handshake - */ - { - /* - * RFC 5746 3.4. The client MUST include either an empty "renegotiation_info" extension, - * or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite value in the - * ClientHello. Including both is NOT RECOMMENDED. - */ - - /* - * When a ClientHello is received, the server MUST check if it includes the - * TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. If it does, set the secure_renegotiation flag - * to TRUE. - */ - if (Arrays.contains(offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) - { - this.secure_renegotiation = true; - } - - /* - * The server MUST check if the "renegotiation_info" extension is included in the - * ClientHello. - */ - byte[] renegExtData = TlsUtils.getExtensionData(clientExtensions, EXT_RenegotiationInfo); - if (renegExtData != null) - { - /* - * If the extension is present, set secure_renegotiation flag to TRUE. The - * server MUST then verify that the length of the "renegotiated_connection" - * field is zero, and if it is not, MUST abort the handshake. - */ - this.secure_renegotiation = true; - - if (!Arrays.constantTimeAreEqual(renegExtData, createRenegotiationInfo(TlsUtils.EMPTY_BYTES))) - { - throw new TlsFatalAlert(AlertDescription.handshake_failure); - } - } - } - - tlsServer.notifySecureRenegotiation(this.secure_renegotiation); - - if (clientExtensions != null) - { - tlsServer.processClientExtensions(clientExtensions); - } - } - - protected void receiveClientKeyExchangeMessage(ByteArrayInputStream buf) - throws IOException - { - this.keyExchange.processClientKeyExchange(buf); - - assertEmpty(buf); - - establishMasterSecret(getContext(), keyExchange); - recordStream.setPendingConnectionState(getPeer().getCompression(), getPeer().getCipher()); - - this.prepareFinishHash = recordStream.prepareToFinish(); - - if (!expectSessionTicket) - { - sendChangeCipherSpecMessage(); - } - } - - protected void sendCertificateRequestMessage(CertificateRequest certificateRequest) - throws IOException - { - HandshakeMessage message = new HandshakeMessage(HandshakeType.certificate_request); - - certificateRequest.encode(message); - - message.writeToRecordStream(); - } - - protected void sendCertificateStatusMessage(CertificateStatus certificateStatus) - throws IOException - { - HandshakeMessage message = new HandshakeMessage(HandshakeType.certificate_status); - - certificateStatus.encode(message); - - message.writeToRecordStream(); - } - - protected void sendNewSessionTicketMessage(NewSessionTicket newSessionTicket) - throws IOException - { - if (newSessionTicket == null) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - HandshakeMessage message = new HandshakeMessage(HandshakeType.session_ticket); - - newSessionTicket.encode(message); - - message.writeToRecordStream(); - } - - protected void sendServerHelloMessage() - throws IOException - { - HandshakeMessage message = new HandshakeMessage(HandshakeType.server_hello); - - ProtocolVersion server_version = tlsServer.getServerVersion(); - if (!server_version.isEqualOrEarlierVersionOf(getContext().getClientVersion())) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - recordStream.setReadVersion(server_version); - recordStream.setWriteVersion(server_version); - recordStream.setRestrictReadVersion(true); - getContext().setServerVersion(server_version); - - TlsUtils.writeVersion(server_version, message); - - message.write(this.securityParameters.serverRandom); - - /* - * The server may return an empty session_id to indicate that the session will not be cached - * and therefore cannot be resumed. - */ - TlsUtils.writeOpaque8(TlsUtils.EMPTY_BYTES, message); - - int selectedCipherSuite = tlsServer.getSelectedCipherSuite(); - if (!Arrays.contains(this.offeredCipherSuites, selectedCipherSuite) - || selectedCipherSuite == CipherSuite.TLS_NULL_WITH_NULL_NULL - || selectedCipherSuite == CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV - || !TlsUtils.isValidCipherSuiteForVersion(selectedCipherSuite, server_version)) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - securityParameters.cipherSuite = selectedCipherSuite; - - short selectedCompressionMethod = tlsServer.getSelectedCompressionMethod(); - if (!Arrays.contains(this.offeredCompressionMethods, selectedCompressionMethod)) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - securityParameters.compressionAlgorithm = selectedCompressionMethod; - - TlsUtils.writeUint16(selectedCipherSuite, message); - TlsUtils.writeUint8(selectedCompressionMethod, message); - - this.serverExtensions = tlsServer.getServerExtensions(); - - /* - * RFC 5746 3.6. Server Behavior: Initial Handshake - */ - if (this.secure_renegotiation) - { - byte[] renegExtData = TlsUtils.getExtensionData(this.serverExtensions, EXT_RenegotiationInfo); - boolean noRenegExt = (null == renegExtData); - - if (noRenegExt) - { - /* - * Note that sending a "renegotiation_info" extension in response to a ClientHello - * containing only the SCSV is an explicit exception to the prohibition in RFC 5246, - * Section 7.4.1.4, on the server sending unsolicited extensions and is only allowed - * because the client is signaling its willingness to receive the extension via the - * TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. - */ - - /* - * If the secure_renegotiation flag is set to TRUE, the server MUST include an empty - * "renegotiation_info" extension in the ServerHello message. - */ - this.serverExtensions = TlsExtensionsUtils.ensureExtensionsInitialised(this.serverExtensions); - this.serverExtensions.put(EXT_RenegotiationInfo, createRenegotiationInfo(TlsUtils.EMPTY_BYTES)); - } - } - - /* - * TODO RFC 3546 2.3 If [...] the older session is resumed, then the server MUST ignore - * extensions appearing in the client hello, and send a server hello containing no - * extensions. - */ - - if (this.serverExtensions != null) - { - this.securityParameters.encryptThenMAC = TlsExtensionsUtils.hasEncryptThenMACExtension(this.serverExtensions); - - this.securityParameters.maxFragmentLength = processMaxFragmentLengthExtension(clientExtensions, - this.serverExtensions, AlertDescription.internal_error); - - this.securityParameters.truncatedHMac = TlsExtensionsUtils.hasTruncatedHMacExtension(this.serverExtensions); - - /* - * TODO It's surprising that there's no provision to allow a 'fresh' CertificateStatus to be sent in - * a session resumption handshake. - */ - this.allowCertificateStatus = !this.resumedSession - && TlsUtils.hasExpectedEmptyExtensionData(this.serverExtensions, TlsExtensionsUtils.EXT_status_request, - AlertDescription.internal_error); - - this.expectSessionTicket = !this.resumedSession - && TlsUtils.hasExpectedEmptyExtensionData(this.serverExtensions, TlsProtocol.EXT_SessionTicket, - AlertDescription.internal_error); - - writeExtensions(message, this.serverExtensions); - } - - if (this.securityParameters.maxFragmentLength >= 0) - { - int plainTextLimit = 1 << (8 + this.securityParameters.maxFragmentLength); - recordStream.setPlaintextLimit(plainTextLimit); - } - - securityParameters.prfAlgorithm = getPRFAlgorithm(getContext(), securityParameters.getCipherSuite()); - - /* - * RFC 5264 7.4.9. Any cipher suite which does not explicitly specify verify_data_length has - * a verify_data_length equal to 12. This includes all existing cipher suites. - */ - securityParameters.verifyDataLength = 12; - - message.writeToRecordStream(); - - this.recordStream.notifyHelloComplete(); - } - - protected void sendServerHelloDoneMessage() - throws IOException - { - byte[] message = new byte[4]; - TlsUtils.writeUint8(HandshakeType.server_hello_done, message, 0); - TlsUtils.writeUint24(0, message, 1); - - writeHandshakeMessage(message, 0, message.length); - } - - protected void sendServerKeyExchangeMessage(byte[] serverKeyExchange) - throws IOException - { - HandshakeMessage message = new HandshakeMessage(HandshakeType.server_key_exchange, serverKeyExchange.length); - - message.write(serverKeyExchange); - - message.writeToRecordStream(); - } - - protected boolean expectCertificateVerifyMessage() - { - return this.clientCertificateType >= 0 && TlsUtils.hasSigningCapability(this.clientCertificateType); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsSession.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsSession.java deleted file mode 100644 index 9b5ad460..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsSession.java +++ /dev/null @@ -1,12 +0,0 @@ -package org.bouncycastle.crypto.tls; - -public interface TlsSession -{ - SessionParameters exportSessionParameters(); - - byte[] getSessionID(); - - void invalidate(); - - boolean isResumable(); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsSessionImpl.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsSessionImpl.java deleted file mode 100644 index 615c4424..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsSessionImpl.java +++ /dev/null @@ -1,48 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import org.bouncycastle.util.Arrays; - -class TlsSessionImpl implements TlsSession -{ - final byte[] sessionID; - SessionParameters sessionParameters; - - TlsSessionImpl(byte[] sessionID, SessionParameters sessionParameters) - { - if (sessionID == null) - { - throw new IllegalArgumentException("'sessionID' cannot be null"); - } - if (sessionID.length < 1 || sessionID.length > 32) - { - throw new IllegalArgumentException("'sessionID' must have length between 1 and 32 bytes, inclusive"); - } - - this.sessionID = Arrays.clone(sessionID); - this.sessionParameters = sessionParameters; - } - - public synchronized SessionParameters exportSessionParameters() - { - return this.sessionParameters == null ? null : this.sessionParameters.copy(); - } - - public synchronized byte[] getSessionID() - { - return sessionID; - } - - public synchronized void invalidate() - { - if (this.sessionParameters != null) - { - this.sessionParameters.clear(); - this.sessionParameters = null; - } - } - - public synchronized boolean isResumable() - { - return this.sessionParameters != null; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsSigner.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsSigner.java deleted file mode 100644 index 68826d2a..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsSigner.java +++ /dev/null @@ -1,34 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import org.bouncycastle.crypto.CryptoException; -import org.bouncycastle.crypto.Signer; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; - -public interface TlsSigner -{ - void init(TlsContext context); - - byte[] generateRawSignature(AsymmetricKeyParameter privateKey, byte[] md5AndSha1) - throws CryptoException; - - byte[] generateRawSignature(SignatureAndHashAlgorithm algorithm, - AsymmetricKeyParameter privateKey, byte[] hash) - throws CryptoException; - - boolean verifyRawSignature(byte[] sigBytes, AsymmetricKeyParameter publicKey, byte[] md5AndSha1) - throws CryptoException; - - boolean verifyRawSignature(SignatureAndHashAlgorithm algorithm, byte[] sigBytes, - AsymmetricKeyParameter publicKey, byte[] hash) - throws CryptoException; - - Signer createSigner(AsymmetricKeyParameter privateKey); - - Signer createSigner(SignatureAndHashAlgorithm algorithm, AsymmetricKeyParameter privateKey); - - Signer createVerifyer(AsymmetricKeyParameter publicKey); - - Signer createVerifyer(SignatureAndHashAlgorithm algorithm, AsymmetricKeyParameter publicKey); - - boolean isValidPublicKey(AsymmetricKeyParameter publicKey); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsSignerCredentials.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsSignerCredentials.java deleted file mode 100644 index 39ee99c0..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsSignerCredentials.java +++ /dev/null @@ -1,12 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -public interface TlsSignerCredentials - extends TlsCredentials -{ - byte[] generateCertificateSignature(byte[] hash) - throws IOException; - - SignatureAndHashAlgorithm getSignatureAndHashAlgorithm(); -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsStreamCipher.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsStreamCipher.java deleted file mode 100644 index f8077aa6..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsStreamCipher.java +++ /dev/null @@ -1,178 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; - -import org.bouncycastle.crypto.CipherParameters; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.StreamCipher; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.ParametersWithIV; -import org.bouncycastle.util.Arrays; - -public class TlsStreamCipher - implements TlsCipher -{ - protected TlsContext context; - - protected StreamCipher encryptCipher; - protected StreamCipher decryptCipher; - - protected TlsMac writeMac; - protected TlsMac readMac; - - protected boolean usesNonce; - - /** - * @deprecated Use version with additional 'usesNonce' argument - */ - public TlsStreamCipher(TlsContext context, StreamCipher clientWriteCipher, - StreamCipher serverWriteCipher, Digest clientWriteDigest, Digest serverWriteDigest, - int cipherKeySize) throws IOException - { - this(context, clientWriteCipher, serverWriteCipher, clientWriteDigest, serverWriteDigest, cipherKeySize, false); - } - - public TlsStreamCipher(TlsContext context, StreamCipher clientWriteCipher, - StreamCipher serverWriteCipher, Digest clientWriteDigest, Digest serverWriteDigest, - int cipherKeySize, boolean usesNonce) throws IOException - { - boolean isServer = context.isServer(); - - this.context = context; - this.usesNonce = usesNonce; - - this.encryptCipher = clientWriteCipher; - this.decryptCipher = serverWriteCipher; - - int key_block_size = (2 * cipherKeySize) + clientWriteDigest.getDigestSize() - + serverWriteDigest.getDigestSize(); - - byte[] key_block = TlsUtils.calculateKeyBlock(context, key_block_size); - - int offset = 0; - - // Init MACs - TlsMac clientWriteMac = new TlsMac(context, clientWriteDigest, key_block, offset, - clientWriteDigest.getDigestSize()); - offset += clientWriteDigest.getDigestSize(); - TlsMac serverWriteMac = new TlsMac(context, serverWriteDigest, key_block, offset, - serverWriteDigest.getDigestSize()); - offset += serverWriteDigest.getDigestSize(); - - // Build keys - KeyParameter clientWriteKey = new KeyParameter(key_block, offset, cipherKeySize); - offset += cipherKeySize; - KeyParameter serverWriteKey = new KeyParameter(key_block, offset, cipherKeySize); - offset += cipherKeySize; - - if (offset != key_block_size) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - CipherParameters encryptParams, decryptParams; - if (isServer) - { - this.writeMac = serverWriteMac; - this.readMac = clientWriteMac; - this.encryptCipher = serverWriteCipher; - this.decryptCipher = clientWriteCipher; - encryptParams = serverWriteKey; - decryptParams = clientWriteKey; - } - else - { - this.writeMac = clientWriteMac; - this.readMac = serverWriteMac; - this.encryptCipher = clientWriteCipher; - this.decryptCipher = serverWriteCipher; - encryptParams = clientWriteKey; - decryptParams = serverWriteKey; - } - - if (usesNonce) - { - byte[] dummyNonce = new byte[8]; - encryptParams = new ParametersWithIV(encryptParams, dummyNonce); - decryptParams = new ParametersWithIV(decryptParams, dummyNonce); - } - - this.encryptCipher.init(true, encryptParams); - this.decryptCipher.init(false, decryptParams); - } - - public int getPlaintextLimit(int ciphertextLimit) - { - return ciphertextLimit - writeMac.getSize(); - } - - public byte[] encodePlaintext(long seqNo, short type, byte[] plaintext, int offset, int len) - { - /* - * draft-josefsson-salsa20-tls-04 2.1 Note that Salsa20 requires a 64-bit nonce. That - * nonce is updated on the encryption of every TLS record, and is set to be the 64-bit TLS - * record sequence number. In case of DTLS the 64-bit nonce is formed as the concatenation - * of the 16-bit epoch with the 48-bit sequence number. - */ - if (usesNonce) - { - updateIV(encryptCipher, true, seqNo); - } - - byte[] outBuf = new byte[len + writeMac.getSize()]; - - encryptCipher.processBytes(plaintext, offset, len, outBuf, 0); - - byte[] mac = writeMac.calculateMac(seqNo, type, plaintext, offset, len); - encryptCipher.processBytes(mac, 0, mac.length, outBuf, len); - - return outBuf; - } - - public byte[] decodeCiphertext(long seqNo, short type, byte[] ciphertext, int offset, int len) - throws IOException - { - /* - * draft-josefsson-salsa20-tls-04 2.1 Note that Salsa20 requires a 64-bit nonce. That - * nonce is updated on the encryption of every TLS record, and is set to be the 64-bit TLS - * record sequence number. In case of DTLS the 64-bit nonce is formed as the concatenation - * of the 16-bit epoch with the 48-bit sequence number. - */ - if (usesNonce) - { - updateIV(decryptCipher, false, seqNo); - } - - int macSize = readMac.getSize(); - if (len < macSize) - { - throw new TlsFatalAlert(AlertDescription.decode_error); - } - - int plaintextLength = len - macSize; - - byte[] deciphered = new byte[len]; - decryptCipher.processBytes(ciphertext, offset, len, deciphered, 0); - checkMAC(seqNo, type, deciphered, plaintextLength, len, deciphered, 0, plaintextLength); - return Arrays.copyOfRange(deciphered, 0, plaintextLength); - } - - private void checkMAC(long seqNo, short type, byte[] recBuf, int recStart, int recEnd, byte[] calcBuf, int calcOff, int calcLen) - throws IOException - { - byte[] receivedMac = Arrays.copyOfRange(recBuf, recStart, recEnd); - byte[] computedMac = readMac.calculateMac(seqNo, type, calcBuf, calcOff, calcLen); - - if (!Arrays.constantTimeAreEqual(receivedMac, computedMac)) - { - throw new TlsFatalAlert(AlertDescription.bad_record_mac); - } - } - - private void updateIV(StreamCipher cipher, boolean forEncryption, long seqNo) - { - byte[] nonce = new byte[8]; - TlsUtils.writeUint64(seqNo, nonce, 0); - cipher.init(forEncryption, new ParametersWithIV(null, nonce)); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsUtils.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsUtils.java deleted file mode 100644 index 7986647f..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsUtils.java +++ /dev/null @@ -1,1780 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.ByteArrayInputStream; -import java.io.ByteArrayOutputStream; -import java.io.EOFException; -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; -import java.util.Hashtable; -import java.util.Vector; - -import org.bouncycastle.asn1.ASN1Encoding; -import org.bouncycastle.asn1.ASN1InputStream; -import org.bouncycastle.asn1.ASN1ObjectIdentifier; -import org.bouncycastle.asn1.ASN1Primitive; -import org.bouncycastle.asn1.nist.NISTObjectIdentifiers; -import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; -import org.bouncycastle.asn1.x509.Extensions; -import org.bouncycastle.asn1.x509.KeyUsage; -import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; -import org.bouncycastle.asn1.x509.X509ObjectIdentifiers; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.digests.MD5Digest; -import org.bouncycastle.crypto.digests.SHA1Digest; -import org.bouncycastle.crypto.digests.SHA224Digest; -import org.bouncycastle.crypto.digests.SHA256Digest; -import org.bouncycastle.crypto.digests.SHA384Digest; -import org.bouncycastle.crypto.digests.SHA512Digest; -import org.bouncycastle.crypto.macs.HMac; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.params.DSAPublicKeyParameters; -import org.bouncycastle.crypto.params.ECPublicKeyParameters; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.crypto.params.RSAKeyParameters; -import org.bouncycastle.crypto.util.PublicKeyFactory; -import org.bouncycastle.util.Arrays; -import org.bouncycastle.util.Integers; -import org.bouncycastle.util.Strings; -import org.bouncycastle.util.io.Streams; - -/** - * Some helper functions for MicroTLS. - */ -public class TlsUtils -{ - public static final byte[] EMPTY_BYTES = new byte[0]; - - public static final Integer EXT_signature_algorithms = Integers.valueOf(ExtensionType.signature_algorithms); - - public static void checkUint8(short i) throws IOException - { - if (!isValidUint8(i)) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - public static void checkUint8(int i) throws IOException - { - if (!isValidUint8(i)) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - public static void checkUint8(long i) throws IOException - { - if (!isValidUint8(i)) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - public static void checkUint16(int i) throws IOException - { - if (!isValidUint16(i)) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - public static void checkUint16(long i) throws IOException - { - if (!isValidUint16(i)) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - public static void checkUint24(int i) throws IOException - { - if (!isValidUint24(i)) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - public static void checkUint24(long i) throws IOException - { - if (!isValidUint24(i)) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - public static void checkUint32(long i) throws IOException - { - if (!isValidUint32(i)) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - public static void checkUint48(long i) throws IOException - { - if (!isValidUint48(i)) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - public static void checkUint64(long i) throws IOException - { - if (!isValidUint64(i)) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - public static boolean isValidUint8(short i) - { - return (i & 0xFF) == i; - } - - public static boolean isValidUint8(int i) - { - return (i & 0xFF) == i; - } - - public static boolean isValidUint8(long i) - { - return (i & 0xFFL) == i; - } - - public static boolean isValidUint16(int i) - { - return (i & 0xFFFF) == i; - } - - public static boolean isValidUint16(long i) - { - return (i & 0xFFFFL) == i; - } - - public static boolean isValidUint24(int i) - { - return (i & 0xFFFFFF) == i; - } - - public static boolean isValidUint24(long i) - { - return (i & 0xFFFFFFL) == i; - } - - public static boolean isValidUint32(long i) - { - return (i & 0xFFFFFFFFL) == i; - } - - public static boolean isValidUint48(long i) - { - return (i & 0xFFFFFFFFFFFFL) == i; - } - - public static boolean isValidUint64(long i) - { - return true; - } - - public static boolean isSSL(TlsContext context) - { - return context.getServerVersion().isSSL(); - } - - public static boolean isTLSv11(TlsContext context) - { - return ProtocolVersion.TLSv11.isEqualOrEarlierVersionOf(context.getServerVersion().getEquivalentTLSVersion()); - } - - public static boolean isTLSv12(TlsContext context) - { - return ProtocolVersion.TLSv12.isEqualOrEarlierVersionOf(context.getServerVersion().getEquivalentTLSVersion()); - } - - public static void writeUint8(short i, OutputStream output) - throws IOException - { - output.write(i); - } - - public static void writeUint8(int i, OutputStream output) - throws IOException - { - output.write(i); - } - - public static void writeUint8(short i, byte[] buf, int offset) - { - buf[offset] = (byte)i; - } - - public static void writeUint8(int i, byte[] buf, int offset) - { - buf[offset] = (byte)i; - } - - public static void writeUint16(int i, OutputStream output) - throws IOException - { - output.write(i >>> 8); - output.write(i); - } - - public static void writeUint16(int i, byte[] buf, int offset) - { - buf[offset] = (byte)(i >>> 8); - buf[offset + 1] = (byte)i; - } - - public static void writeUint24(int i, OutputStream output) - throws IOException - { - output.write((byte)(i >>> 16)); - output.write((byte)(i >>> 8)); - output.write((byte)i); - } - - public static void writeUint24(int i, byte[] buf, int offset) - { - buf[offset] = (byte)(i >>> 16); - buf[offset + 1] = (byte)(i >>> 8); - buf[offset + 2] = (byte)i; - } - - public static void writeUint32(long i, OutputStream output) - throws IOException - { - output.write((byte)(i >>> 24)); - output.write((byte)(i >>> 16)); - output.write((byte)(i >>> 8)); - output.write((byte)i); - } - - public static void writeUint32(long i, byte[] buf, int offset) - { - buf[offset] = (byte)(i >>> 24); - buf[offset + 1] = (byte)(i >>> 16); - buf[offset + 2] = (byte)(i >>> 8); - buf[offset + 3] = (byte)i; - } - - public static void writeUint48(long i, OutputStream output) - throws IOException - { - output.write((byte)(i >>> 40)); - output.write((byte)(i >>> 32)); - output.write((byte)(i >>> 24)); - output.write((byte)(i >>> 16)); - output.write((byte)(i >>> 8)); - output.write((byte)i); - } - - public static void writeUint48(long i, byte[] buf, int offset) - { - buf[offset] = (byte)(i >>> 40); - buf[offset + 1] = (byte)(i >>> 32); - buf[offset + 2] = (byte)(i >>> 24); - buf[offset + 3] = (byte)(i >>> 16); - buf[offset + 4] = (byte)(i >>> 8); - buf[offset + 5] = (byte)i; - } - - public static void writeUint64(long i, OutputStream output) - throws IOException - { - output.write((byte)(i >>> 56)); - output.write((byte)(i >>> 48)); - output.write((byte)(i >>> 40)); - output.write((byte)(i >>> 32)); - output.write((byte)(i >>> 24)); - output.write((byte)(i >>> 16)); - output.write((byte)(i >>> 8)); - output.write((byte)i); - } - - public static void writeUint64(long i, byte[] buf, int offset) - { - buf[offset] = (byte)(i >>> 56); - buf[offset + 1] = (byte)(i >>> 48); - buf[offset + 2] = (byte)(i >>> 40); - buf[offset + 3] = (byte)(i >>> 32); - buf[offset + 4] = (byte)(i >>> 24); - buf[offset + 5] = (byte)(i >>> 16); - buf[offset + 6] = (byte)(i >>> 8); - buf[offset + 7] = (byte)i; - } - - public static void writeOpaque8(byte[] buf, OutputStream output) - throws IOException - { - checkUint8(buf.length); - writeUint8(buf.length, output); - output.write(buf); - } - - public static void writeOpaque16(byte[] buf, OutputStream output) - throws IOException - { - checkUint16(buf.length); - writeUint16(buf.length, output); - output.write(buf); - } - - public static void writeOpaque24(byte[] buf, OutputStream output) - throws IOException - { - checkUint24(buf.length); - writeUint24(buf.length, output); - output.write(buf); - } - - public static void writeUint8Array(short[] uints, OutputStream output) - throws IOException - { - for (int i = 0; i < uints.length; ++i) - { - writeUint8(uints[i], output); - } - } - - public static void writeUint8Array(short[] uints, byte[] buf, int offset) - throws IOException - { - for (int i = 0; i < uints.length; ++i) - { - writeUint8(uints[i], buf, offset); - ++offset; - } - } - - public static void writeUint8ArrayWithUint8Length(short[] uints, OutputStream output) - throws IOException - { - checkUint8(uints.length); - writeUint8(uints.length, output); - writeUint8Array(uints, output); - } - - public static void writeUint8ArrayWithUint8Length(short[] uints, byte[] buf, int offset) - throws IOException - { - checkUint8(uints.length); - writeUint8(uints.length, buf, offset); - writeUint8Array(uints, buf, offset + 1); - } - - public static void writeUint16Array(int[] uints, OutputStream output) - throws IOException - { - for (int i = 0; i < uints.length; ++i) - { - writeUint16(uints[i], output); - } - } - - public static void writeUint16Array(int[] uints, byte[] buf, int offset) - throws IOException - { - for (int i = 0; i < uints.length; ++i) - { - writeUint16(uints[i], buf, offset); - offset += 2; - } - } - - public static void writeUint16ArrayWithUint16Length(int[] uints, OutputStream output) - throws IOException - { - int length = 2 * uints.length; - checkUint16(length); - writeUint16(length, output); - writeUint16Array(uints, output); - } - - public static void writeUint16ArrayWithUint16Length(int[] uints, byte[] buf, int offset) - throws IOException - { - int length = 2 * uints.length; - checkUint16(length); - writeUint16(length, buf, offset); - writeUint16Array(uints, buf, offset + 2); - } - - public static byte[] encodeOpaque8(byte[] buf) - throws IOException - { - checkUint8(buf.length); - return Arrays.prepend(buf, (byte)buf.length); - } - - public static byte[] encodeUint8ArrayWithUint8Length(short[] uints) throws IOException - { - byte[] result = new byte[1 + uints.length]; - writeUint8ArrayWithUint8Length(uints, result, 0); - return result; - } - - public static byte[] encodeUint16ArrayWithUint16Length(int[] uints) throws IOException - { - int length = 2 * uints.length; - byte[] result = new byte[2 + length]; - writeUint16ArrayWithUint16Length(uints, result, 0); - return result; - } - - public static short readUint8(InputStream input) - throws IOException - { - int i = input.read(); - if (i < 0) - { - throw new EOFException(); - } - return (short)i; - } - - public static short readUint8(byte[] buf, int offset) - { - return (short)buf[offset]; - } - - public static int readUint16(InputStream input) - throws IOException - { - int i1 = input.read(); - int i2 = input.read(); - if (i2 < 0) - { - throw new EOFException(); - } - return i1 << 8 | i2; - } - - public static int readUint16(byte[] buf, int offset) - { - int n = (buf[offset] & 0xff) << 8; - n |= (buf[++offset] & 0xff); - return n; - } - - public static int readUint24(InputStream input) - throws IOException - { - int i1 = input.read(); - int i2 = input.read(); - int i3 = input.read(); - if (i3 < 0) - { - throw new EOFException(); - } - return (i1 << 16) | (i2 << 8) | i3; - } - - public static int readUint24(byte[] buf, int offset) - { - int n = (buf[offset] & 0xff) << 16; - n |= (buf[++offset] & 0xff) << 8; - n |= (buf[++offset] & 0xff); - return n; - } - - public static long readUint32(InputStream input) - throws IOException - { - int i1 = input.read(); - int i2 = input.read(); - int i3 = input.read(); - int i4 = input.read(); - if (i4 < 0) - { - throw new EOFException(); - } - return ((i1 << 2) | (i2 << 16) | (i3 << 8) | i4) & 0xFFFFFFFFL; - } - - public static long readUint32(byte[] buf, int offset) - { - int n = (buf[offset] & 0xff) << 24; - n |= (buf[++offset] & 0xff) << 16; - n |= (buf[++offset] & 0xff) << 8; - n |= (buf[++offset] & 0xff); - return n & 0xFFFFFFFFL; - } - - public static long readUint48(InputStream input) - throws IOException - { - int hi = readUint24(input); - int lo = readUint24(input); - return ((long)(hi & 0xffffffffL) << 24) | (long)(lo & 0xffffffffL); - } - - public static long readUint48(byte[] buf, int offset) - { - int hi = readUint24(buf, offset); - int lo = readUint24(buf, offset + 3); - return ((long)(hi & 0xffffffffL) << 24) | (long)(lo & 0xffffffffL); - } - - public static byte[] readAllOrNothing(int length, InputStream input) - throws IOException - { - if (length < 1) - { - return EMPTY_BYTES; - } - byte[] buf = new byte[length]; - int read = Streams.readFully(input, buf); - if (read == 0) - { - return null; - } - if (read != length) - { - throw new EOFException(); - } - return buf; - } - - public static byte[] readFully(int length, InputStream input) - throws IOException - { - if (length < 1) - { - return EMPTY_BYTES; - } - byte[] buf = new byte[length]; - if (length != Streams.readFully(input, buf)) - { - throw new EOFException(); - } - return buf; - } - - public static void readFully(byte[] buf, InputStream input) - throws IOException - { - int length = buf.length; - if (length > 0 && length != Streams.readFully(input, buf)) - { - throw new EOFException(); - } - } - - public static byte[] readOpaque8(InputStream input) - throws IOException - { - short length = readUint8(input); - return readFully(length, input); - } - - public static byte[] readOpaque16(InputStream input) - throws IOException - { - int length = readUint16(input); - return readFully(length, input); - } - - public static byte[] readOpaque24(InputStream input) - throws IOException - { - int length = readUint24(input); - return readFully(length, input); - } - - public static short[] readUint8Array(int count, InputStream input) - throws IOException - { - short[] uints = new short[count]; - for (int i = 0; i < count; ++i) - { - uints[i] = readUint8(input); - } - return uints; - } - - public static int[] readUint16Array(int count, InputStream input) - throws IOException - { - int[] uints = new int[count]; - for (int i = 0; i < count; ++i) - { - uints[i] = readUint16(input); - } - return uints; - } - - public static ProtocolVersion readVersion(byte[] buf, int offset) - throws IOException - { - return ProtocolVersion.get(buf[offset] & 0xFF, buf[offset + 1] & 0xFF); - } - - public static ProtocolVersion readVersion(InputStream input) - throws IOException - { - int i1 = input.read(); - int i2 = input.read(); - if (i2 < 0) - { - throw new EOFException(); - } - return ProtocolVersion.get(i1, i2); - } - - public static int readVersionRaw(byte[] buf, int offset) - throws IOException - { - return (buf[offset] << 8) | buf[offset + 1]; - } - - public static int readVersionRaw(InputStream input) - throws IOException - { - int i1 = input.read(); - int i2 = input.read(); - if (i2 < 0) - { - throw new EOFException(); - } - return (i1 << 8) | i2; - } - - public static ASN1Primitive readASN1Object(byte[] encoding) throws IOException - { - ASN1InputStream asn1 = new ASN1InputStream(encoding); - ASN1Primitive result = asn1.readObject(); - if (null == result) - { - throw new TlsFatalAlert(AlertDescription.decode_error); - } - if (null != asn1.readObject()) - { - throw new TlsFatalAlert(AlertDescription.decode_error); - } - return result; - } - - public static ASN1Primitive readDERObject(byte[] encoding) throws IOException - { - /* - * NOTE: The current ASN.1 parsing code can't enforce DER-only parsing, but since DER is - * canonical, we can check it by re-encoding the result and comparing to the original. - */ - ASN1Primitive result = readASN1Object(encoding); - byte[] check = result.getEncoded(ASN1Encoding.DER); - if (!Arrays.areEqual(check, encoding)) - { - throw new TlsFatalAlert(AlertDescription.decode_error); - } - return result; - } - - public static void writeGMTUnixTime(byte[] buf, int offset) - { - int t = (int)(System.currentTimeMillis() / 1000L); - buf[offset] = (byte)(t >>> 24); - buf[offset + 1] = (byte)(t >>> 16); - buf[offset + 2] = (byte)(t >>> 8); - buf[offset + 3] = (byte)t; - } - - public static void writeVersion(ProtocolVersion version, OutputStream output) - throws IOException - { - output.write(version.getMajorVersion()); - output.write(version.getMinorVersion()); - } - - public static void writeVersion(ProtocolVersion version, byte[] buf, int offset) - { - buf[offset] = (byte)version.getMajorVersion(); - buf[offset + 1] = (byte)version.getMinorVersion(); - } - - public static Vector getDefaultDSSSignatureAlgorithms() - { - return vectorOfOne(new SignatureAndHashAlgorithm(HashAlgorithm.sha1, SignatureAlgorithm.dsa)); - } - - public static Vector getDefaultECDSASignatureAlgorithms() - { - return vectorOfOne(new SignatureAndHashAlgorithm(HashAlgorithm.sha1, SignatureAlgorithm.ecdsa)); - } - - public static Vector getDefaultRSASignatureAlgorithms() - { - return vectorOfOne(new SignatureAndHashAlgorithm(HashAlgorithm.sha1, SignatureAlgorithm.rsa)); - } - - public static byte[] getExtensionData(Hashtable extensions, Integer extensionType) - { - return extensions == null ? null : (byte[])extensions.get(extensionType); - } - - public static boolean hasExpectedEmptyExtensionData(Hashtable extensions, Integer extensionType, - short alertDescription) throws IOException - { - byte[] extension_data = getExtensionData(extensions, extensionType); - if (extension_data == null) - { - return false; - } - if (extension_data.length != 0) - { - throw new TlsFatalAlert(alertDescription); - } - return true; - } - - public static TlsSession importSession(byte[] sessionID, SessionParameters sessionParameters) - { - return new TlsSessionImpl(sessionID, sessionParameters); - } - - public static boolean isSignatureAlgorithmsExtensionAllowed(ProtocolVersion clientVersion) - { - return ProtocolVersion.TLSv12.isEqualOrEarlierVersionOf(clientVersion.getEquivalentTLSVersion()); - } - - /** - * Add a 'signature_algorithms' extension to existing extensions. - * - * @param extensions A {@link Hashtable} to add the extension to. - * @param supportedSignatureAlgorithms {@link Vector} containing at least 1 {@link SignatureAndHashAlgorithm}. - * @throws IOException - */ - public static void addSignatureAlgorithmsExtension(Hashtable extensions, Vector supportedSignatureAlgorithms) - throws IOException - { - extensions.put(EXT_signature_algorithms, createSignatureAlgorithmsExtension(supportedSignatureAlgorithms)); - } - - /** - * Get a 'signature_algorithms' extension from extensions. - * - * @param extensions A {@link Hashtable} to get the extension from, if it is present. - * @return A {@link Vector} containing at least 1 {@link SignatureAndHashAlgorithm}, or null. - * @throws IOException - */ - public static Vector getSignatureAlgorithmsExtension(Hashtable extensions) - throws IOException - { - byte[] extensionData = getExtensionData(extensions, EXT_signature_algorithms); - return extensionData == null ? null : readSignatureAlgorithmsExtension(extensionData); - } - - /** - * Create a 'signature_algorithms' extension value. - * - * @param supportedSignatureAlgorithms A {@link Vector} containing at least 1 {@link SignatureAndHashAlgorithm}. - * @return A byte array suitable for use as an extension value. - * @throws IOException - */ - public static byte[] createSignatureAlgorithmsExtension(Vector supportedSignatureAlgorithms) - throws IOException - { - ByteArrayOutputStream buf = new ByteArrayOutputStream(); - - // supported_signature_algorithms - encodeSupportedSignatureAlgorithms(supportedSignatureAlgorithms, false, buf); - - return buf.toByteArray(); - } - - /** - * Read 'signature_algorithms' extension data. - * - * @param extensionData The extension data. - * @return A {@link Vector} containing at least 1 {@link SignatureAndHashAlgorithm}. - * @throws IOException - */ - public static Vector readSignatureAlgorithmsExtension(byte[] extensionData) - throws IOException - { - if (extensionData == null) - { - throw new IllegalArgumentException("'extensionData' cannot be null"); - } - - ByteArrayInputStream buf = new ByteArrayInputStream(extensionData); - - // supported_signature_algorithms - Vector supported_signature_algorithms = parseSupportedSignatureAlgorithms(false, buf); - - TlsProtocol.assertEmpty(buf); - - return supported_signature_algorithms; - } - - public static void encodeSupportedSignatureAlgorithms(Vector supportedSignatureAlgorithms, boolean allowAnonymous, - OutputStream output) throws IOException - { - if (supportedSignatureAlgorithms == null || supportedSignatureAlgorithms.size() < 1 - || supportedSignatureAlgorithms.size() >= (1 << 15)) - { - throw new IllegalArgumentException( - "'supportedSignatureAlgorithms' must have length from 1 to (2^15 - 1)"); - } - - // supported_signature_algorithms - int length = 2 * supportedSignatureAlgorithms.size(); - TlsUtils.checkUint16(length); - TlsUtils.writeUint16(length, output); - for (int i = 0; i < supportedSignatureAlgorithms.size(); ++i) - { - SignatureAndHashAlgorithm entry = (SignatureAndHashAlgorithm)supportedSignatureAlgorithms.elementAt(i); - if (!allowAnonymous && entry.getSignature() == SignatureAlgorithm.anonymous) - { - /* - * RFC 5246 7.4.1.4.1 The "anonymous" value is meaningless in this context but used - * in Section 7.4.3. It MUST NOT appear in this extension. - */ - throw new IllegalArgumentException( - "SignatureAlgorithm.anonymous MUST NOT appear in the signature_algorithms extension"); - } - entry.encode(output); - } - } - - public static Vector parseSupportedSignatureAlgorithms(boolean allowAnonymous, InputStream input) - throws IOException - { - // supported_signature_algorithms - int length = TlsUtils.readUint16(input); - if (length < 2 || (length & 1) != 0) - { - throw new TlsFatalAlert(AlertDescription.decode_error); - } - int count = length / 2; - Vector supportedSignatureAlgorithms = new Vector(count); - for (int i = 0; i < count; ++i) - { - SignatureAndHashAlgorithm entry = SignatureAndHashAlgorithm.parse(input); - if (!allowAnonymous && entry.getSignature() == SignatureAlgorithm.anonymous) - { - /* - * RFC 5246 7.4.1.4.1 The "anonymous" value is meaningless in this context but used - * in Section 7.4.3. It MUST NOT appear in this extension. - */ - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - supportedSignatureAlgorithms.addElement(entry); - } - return supportedSignatureAlgorithms; - } - - public static byte[] PRF(TlsContext context, byte[] secret, String asciiLabel, byte[] seed, int size) - { - ProtocolVersion version = context.getServerVersion(); - - if (version.isSSL()) - { - throw new IllegalStateException("No PRF available for SSLv3 session"); - } - - byte[] label = Strings.toByteArray(asciiLabel); - byte[] labelSeed = concat(label, seed); - - int prfAlgorithm = context.getSecurityParameters().getPrfAlgorithm(); - - if (prfAlgorithm == PRFAlgorithm.tls_prf_legacy) - { - return PRF_legacy(secret, label, labelSeed, size); - } - - Digest prfDigest = createPRFHash(prfAlgorithm); - byte[] buf = new byte[size]; - hmac_hash(prfDigest, secret, labelSeed, buf); - return buf; - } - - public static byte[] PRF_legacy(byte[] secret, String asciiLabel, byte[] seed, int size) - { - byte[] label = Strings.toByteArray(asciiLabel); - byte[] labelSeed = concat(label, seed); - - return PRF_legacy(secret, label, labelSeed, size); - } - - static byte[] PRF_legacy(byte[] secret, byte[] label, byte[] labelSeed, int size) - { - int s_half = (secret.length + 1) / 2; - byte[] s1 = new byte[s_half]; - byte[] s2 = new byte[s_half]; - System.arraycopy(secret, 0, s1, 0, s_half); - System.arraycopy(secret, secret.length - s_half, s2, 0, s_half); - - byte[] b1 = new byte[size]; - byte[] b2 = new byte[size]; - hmac_hash(createHash(HashAlgorithm.md5), s1, labelSeed, b1); - hmac_hash(createHash(HashAlgorithm.sha1), s2, labelSeed, b2); - for (int i = 0; i < size; i++) - { - b1[i] ^= b2[i]; - } - return b1; - } - - static byte[] concat(byte[] a, byte[] b) - { - byte[] c = new byte[a.length + b.length]; - System.arraycopy(a, 0, c, 0, a.length); - System.arraycopy(b, 0, c, a.length, b.length); - return c; - } - - static void hmac_hash(Digest digest, byte[] secret, byte[] seed, byte[] out) - { - HMac mac = new HMac(digest); - mac.init(new KeyParameter(secret)); - byte[] a = seed; - int size = digest.getDigestSize(); - int iterations = (out.length + size - 1) / size; - byte[] buf = new byte[mac.getMacSize()]; - byte[] buf2 = new byte[mac.getMacSize()]; - for (int i = 0; i < iterations; i++) - { - mac.update(a, 0, a.length); - mac.doFinal(buf, 0); - a = buf; - mac.update(a, 0, a.length); - mac.update(seed, 0, seed.length); - mac.doFinal(buf2, 0); - System.arraycopy(buf2, 0, out, (size * i), Math.min(size, out.length - (size * i))); - } - } - - static void validateKeyUsage(org.bouncycastle.asn1.x509.Certificate c, int keyUsageBits) - throws IOException - { - Extensions exts = c.getTBSCertificate().getExtensions(); - if (exts != null) - { - KeyUsage ku = KeyUsage.fromExtensions(exts); - if (ku != null) - { - int bits = ku.getBytes()[0] & 0xff; - if ((bits & keyUsageBits) != keyUsageBits) - { - throw new TlsFatalAlert(AlertDescription.certificate_unknown); - } - } - } - } - - static byte[] calculateKeyBlock(TlsContext context, int size) - { - SecurityParameters securityParameters = context.getSecurityParameters(); - byte[] master_secret = securityParameters.getMasterSecret(); - byte[] seed = concat(securityParameters.getServerRandom(), - securityParameters.getClientRandom()); - - if (isSSL(context)) - { - return calculateKeyBlock_SSL(master_secret, seed, size); - } - - return PRF(context, master_secret, ExporterLabel.key_expansion, seed, size); - } - - static byte[] calculateKeyBlock_SSL(byte[] master_secret, byte[] random, int size) - { - Digest md5 = createHash(HashAlgorithm.md5); - Digest sha1 = createHash(HashAlgorithm.sha1); - int md5Size = md5.getDigestSize(); - byte[] shatmp = new byte[sha1.getDigestSize()]; - byte[] tmp = new byte[size + md5Size]; - - int i = 0, pos = 0; - while (pos < size) - { - byte[] ssl3Const = SSL3_CONST[i]; - - sha1.update(ssl3Const, 0, ssl3Const.length); - sha1.update(master_secret, 0, master_secret.length); - sha1.update(random, 0, random.length); - sha1.doFinal(shatmp, 0); - - md5.update(master_secret, 0, master_secret.length); - md5.update(shatmp, 0, shatmp.length); - md5.doFinal(tmp, pos); - - pos += md5Size; - ++i; - } - - byte rval[] = new byte[size]; - System.arraycopy(tmp, 0, rval, 0, size); - return rval; - } - - static byte[] calculateMasterSecret(TlsContext context, byte[] pre_master_secret) - { - SecurityParameters securityParameters = context.getSecurityParameters(); - byte[] seed = concat(securityParameters.getClientRandom(), securityParameters.getServerRandom()); - - if (isSSL(context)) - { - return calculateMasterSecret_SSL(pre_master_secret, seed); - } - - return PRF(context, pre_master_secret, ExporterLabel.master_secret, seed, 48); - } - - static byte[] calculateMasterSecret_SSL(byte[] pre_master_secret, byte[] random) - { - Digest md5 = createHash(HashAlgorithm.md5); - Digest sha1 = createHash(HashAlgorithm.sha1); - int md5Size = md5.getDigestSize(); - byte[] shatmp = new byte[sha1.getDigestSize()]; - - byte[] rval = new byte[md5Size * 3]; - int pos = 0; - - for (int i = 0; i < 3; ++i) - { - byte[] ssl3Const = SSL3_CONST[i]; - - sha1.update(ssl3Const, 0, ssl3Const.length); - sha1.update(pre_master_secret, 0, pre_master_secret.length); - sha1.update(random, 0, random.length); - sha1.doFinal(shatmp, 0); - - md5.update(pre_master_secret, 0, pre_master_secret.length); - md5.update(shatmp, 0, shatmp.length); - md5.doFinal(rval, pos); - - pos += md5Size; - } - - return rval; - } - - static byte[] calculateVerifyData(TlsContext context, String asciiLabel, byte[] handshakeHash) - { - if (isSSL(context)) - { - return handshakeHash; - } - - SecurityParameters securityParameters = context.getSecurityParameters(); - byte[] master_secret = securityParameters.getMasterSecret(); - int verify_data_length = securityParameters.getVerifyDataLength(); - - return PRF(context, master_secret, asciiLabel, handshakeHash, verify_data_length); - } - - public static Digest createHash(short hashAlgorithm) - { - switch (hashAlgorithm) - { - case HashAlgorithm.md5: - return new MD5Digest(); - case HashAlgorithm.sha1: - return new SHA1Digest(); - case HashAlgorithm.sha224: - return new SHA224Digest(); - case HashAlgorithm.sha256: - return new SHA256Digest(); - case HashAlgorithm.sha384: - return new SHA384Digest(); - case HashAlgorithm.sha512: - return new SHA512Digest(); - default: - throw new IllegalArgumentException("unknown HashAlgorithm"); - } - } - - public static Digest cloneHash(short hashAlgorithm, Digest hash) - { - switch (hashAlgorithm) - { - case HashAlgorithm.md5: - return new MD5Digest((MD5Digest)hash); - case HashAlgorithm.sha1: - return new SHA1Digest((SHA1Digest)hash); - case HashAlgorithm.sha224: - return new SHA224Digest((SHA224Digest)hash); - case HashAlgorithm.sha256: - return new SHA256Digest((SHA256Digest)hash); - case HashAlgorithm.sha384: - return new SHA384Digest((SHA384Digest)hash); - case HashAlgorithm.sha512: - return new SHA512Digest((SHA512Digest)hash); - default: - throw new IllegalArgumentException("unknown HashAlgorithm"); - } - } - - public static Digest createPRFHash(int prfAlgorithm) - { - switch (prfAlgorithm) - { - case PRFAlgorithm.tls_prf_legacy: - return new CombinedHash(); - default: - return createHash(getHashAlgorithmForPRFAlgorithm(prfAlgorithm)); - } - } - - public static Digest clonePRFHash(int prfAlgorithm, Digest hash) - { - switch (prfAlgorithm) - { - case PRFAlgorithm.tls_prf_legacy: - return new CombinedHash((CombinedHash)hash); - default: - return cloneHash(getHashAlgorithmForPRFAlgorithm(prfAlgorithm), hash); - } - } - - public static short getHashAlgorithmForPRFAlgorithm(int prfAlgorithm) - { - switch (prfAlgorithm) - { - case PRFAlgorithm.tls_prf_legacy: - throw new IllegalArgumentException("legacy PRF not a valid algorithm"); - case PRFAlgorithm.tls_prf_sha256: - return HashAlgorithm.sha256; - case PRFAlgorithm.tls_prf_sha384: - return HashAlgorithm.sha384; - default: - throw new IllegalArgumentException("unknown PRFAlgorithm"); - } - } - - public static ASN1ObjectIdentifier getOIDForHashAlgorithm(short hashAlgorithm) - { - switch (hashAlgorithm) - { - case HashAlgorithm.md5: - return PKCSObjectIdentifiers.md5; - case HashAlgorithm.sha1: - return X509ObjectIdentifiers.id_SHA1; - case HashAlgorithm.sha224: - return NISTObjectIdentifiers.id_sha224; - case HashAlgorithm.sha256: - return NISTObjectIdentifiers.id_sha256; - case HashAlgorithm.sha384: - return NISTObjectIdentifiers.id_sha384; - case HashAlgorithm.sha512: - return NISTObjectIdentifiers.id_sha512; - default: - throw new IllegalArgumentException("unknown HashAlgorithm"); - } - } - - static short getClientCertificateType(Certificate clientCertificate, Certificate serverCertificate) - throws IOException - { - if (clientCertificate.isEmpty()) - { - return -1; - } - - org.bouncycastle.asn1.x509.Certificate x509Cert = clientCertificate.getCertificateAt(0); - SubjectPublicKeyInfo keyInfo = x509Cert.getSubjectPublicKeyInfo(); - try - { - AsymmetricKeyParameter publicKey = PublicKeyFactory.createKey(keyInfo); - if (publicKey.isPrivate()) - { - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - /* - * TODO RFC 5246 7.4.6. The certificates MUST be signed using an acceptable hash/ - * signature algorithm pair, as described in Section 7.4.4. Note that this relaxes the - * constraints on certificate-signing algorithms found in prior versions of TLS. - */ - - /* - * RFC 5246 7.4.6. Client Certificate - */ - - /* - * RSA public key; the certificate MUST allow the key to be used for signing with the - * signature scheme and hash algorithm that will be employed in the certificate verify - * message. - */ - if (publicKey instanceof RSAKeyParameters) - { - validateKeyUsage(x509Cert, KeyUsage.digitalSignature); - return ClientCertificateType.rsa_sign; - } - - /* - * DSA public key; the certificate MUST allow the key to be used for signing with the - * hash algorithm that will be employed in the certificate verify message. - */ - if (publicKey instanceof DSAPublicKeyParameters) - { - validateKeyUsage(x509Cert, KeyUsage.digitalSignature); - return ClientCertificateType.dss_sign; - } - - /* - * ECDSA-capable public key; the certificate MUST allow the key to be used for signing - * with the hash algorithm that will be employed in the certificate verify message; the - * public key MUST use a curve and point format supported by the server. - */ - if (publicKey instanceof ECPublicKeyParameters) - { - validateKeyUsage(x509Cert, KeyUsage.digitalSignature); - // TODO Check the curve and point format - return ClientCertificateType.ecdsa_sign; - } - - // TODO Add support for ClientCertificateType.*_fixed_* - - } - catch (Exception e) - { - } - - throw new TlsFatalAlert(AlertDescription.unsupported_certificate); - } - - static void trackHashAlgorithms(TlsHandshakeHash handshakeHash, Vector supportedSignatureAlgorithms) - { - if (supportedSignatureAlgorithms != null) - { - for (int i = 0; i < supportedSignatureAlgorithms.size(); ++i) - { - SignatureAndHashAlgorithm signatureAndHashAlgorithm = (SignatureAndHashAlgorithm) - supportedSignatureAlgorithms.elementAt(i); - short hashAlgorithm = signatureAndHashAlgorithm.getHash(); - handshakeHash.trackHashAlgorithm(hashAlgorithm); - } - } - } - - public static boolean hasSigningCapability(short clientCertificateType) - { - switch (clientCertificateType) - { - case ClientCertificateType.dss_sign: - case ClientCertificateType.ecdsa_sign: - case ClientCertificateType.rsa_sign: - return true; - default: - return false; - } - } - - public static TlsSigner createTlsSigner(short clientCertificateType) - { - switch (clientCertificateType) - { - case ClientCertificateType.dss_sign: - return new TlsDSSSigner(); - case ClientCertificateType.ecdsa_sign: - return new TlsECDSASigner(); - case ClientCertificateType.rsa_sign: - return new TlsRSASigner(); - default: - throw new IllegalArgumentException("'clientCertificateType' is not a type with signing capability"); - } - } - - static final byte[] SSL_CLIENT = {0x43, 0x4C, 0x4E, 0x54}; - static final byte[] SSL_SERVER = {0x53, 0x52, 0x56, 0x52}; - - // SSL3 magic mix constants ("A", "BB", "CCC", ...) - static final byte[][] SSL3_CONST = genConst(); - - private static byte[][] genConst() - { - int n = 10; - byte[][] arr = new byte[n][]; - for (int i = 0; i < n; i++) - { - byte[] b = new byte[i + 1]; - Arrays.fill(b, (byte)('A' + i)); - arr[i] = b; - } - return arr; - } - - private static Vector vectorOfOne(Object obj) - { - Vector v = new Vector(1); - v.addElement(obj); - return v; - } - - public static int getCipherType(int ciphersuite) throws IOException - { - switch (getEncryptionAlgorithm(ciphersuite)) - { - case EncryptionAlgorithm.AES_128_GCM: - case EncryptionAlgorithm.AES_256_GCM: - case EncryptionAlgorithm.AES_128_CCM: - case EncryptionAlgorithm.AES_128_CCM_8: - case EncryptionAlgorithm.AES_256_CCM: - case EncryptionAlgorithm.AES_256_CCM_8: - case EncryptionAlgorithm.CAMELLIA_128_GCM: - case EncryptionAlgorithm.CAMELLIA_256_GCM: - case EncryptionAlgorithm.AEAD_CHACHA20_POLY1305: - return CipherType.aead; - - case EncryptionAlgorithm.RC2_CBC_40: - case EncryptionAlgorithm.IDEA_CBC: - case EncryptionAlgorithm.DES40_CBC: - case EncryptionAlgorithm.DES_CBC: - case EncryptionAlgorithm._3DES_EDE_CBC: - case EncryptionAlgorithm.AES_128_CBC: - case EncryptionAlgorithm.AES_256_CBC: - case EncryptionAlgorithm.CAMELLIA_128_CBC: - case EncryptionAlgorithm.CAMELLIA_256_CBC: - case EncryptionAlgorithm.SEED_CBC: - return CipherType.block; - - case EncryptionAlgorithm.RC4_40: - case EncryptionAlgorithm.RC4_128: - case EncryptionAlgorithm.ESTREAM_SALSA20: - case EncryptionAlgorithm.SALSA20: - return CipherType.stream; - - default: - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - public static int getEncryptionAlgorithm(int ciphersuite) throws IOException - { - switch (ciphersuite) - { - case CipherSuite.TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_PSK_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA: - case CipherSuite.TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA: - return EncryptionAlgorithm._3DES_EDE_CBC; - - case CipherSuite.TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: - return EncryptionAlgorithm.AEAD_CHACHA20_POLY1305; - - case CipherSuite.TLS_DH_DSS_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_DHE_PSK_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_PSK_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_RSA_PSK_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA: - case CipherSuite.TLS_SRP_SHA_WITH_AES_128_CBC_SHA: - return EncryptionAlgorithm.AES_128_CBC; - - case CipherSuite.TLS_DH_DSS_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DHE_PSK_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_PSK_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_RSA_PSK_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256: - return EncryptionAlgorithm.AES_128_CBC; - - case CipherSuite.TLS_DHE_PSK_WITH_AES_128_CCM: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM: - case CipherSuite.TLS_PSK_WITH_AES_128_CCM: - case CipherSuite.TLS_RSA_WITH_AES_128_CCM: - return EncryptionAlgorithm.AES_128_CCM; - - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM_8: - case CipherSuite.TLS_PSK_DHE_WITH_AES_128_CCM_8: - case CipherSuite.TLS_PSK_WITH_AES_128_CCM_8: - case CipherSuite.TLS_RSA_WITH_AES_128_CCM_8: - return EncryptionAlgorithm.AES_128_CCM_8; - - case CipherSuite.TLS_DH_DSS_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DHE_PSK_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_PSK_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_RSA_PSK_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_RSA_WITH_AES_128_GCM_SHA256: - return EncryptionAlgorithm.AES_128_GCM; - - case CipherSuite.TLS_DH_DSS_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_DHE_PSK_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_PSK_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_RSA_PSK_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA: - case CipherSuite.TLS_SRP_SHA_WITH_AES_256_CBC_SHA: - return EncryptionAlgorithm.AES_256_CBC; - - case CipherSuite.TLS_DH_DSS_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA256: - return EncryptionAlgorithm.AES_256_CBC; - - case CipherSuite.TLS_DHE_PSK_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_PSK_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_RSA_PSK_WITH_AES_256_CBC_SHA384: - return EncryptionAlgorithm.AES_256_CBC; - - case CipherSuite.TLS_DHE_PSK_WITH_AES_256_CCM: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM: - case CipherSuite.TLS_PSK_WITH_AES_256_CCM: - case CipherSuite.TLS_RSA_WITH_AES_256_CCM: - return EncryptionAlgorithm.AES_256_CCM; - - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM_8: - case CipherSuite.TLS_PSK_DHE_WITH_AES_256_CCM_8: - case CipherSuite.TLS_PSK_WITH_AES_256_CCM_8: - case CipherSuite.TLS_RSA_WITH_AES_256_CCM_8: - return EncryptionAlgorithm.AES_256_CCM_8; - - case CipherSuite.TLS_DH_DSS_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DH_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DHE_PSK_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_PSK_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_RSA_PSK_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_RSA_WITH_AES_256_GCM_SHA384: - return EncryptionAlgorithm.AES_256_GCM; - - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: - return EncryptionAlgorithm.CAMELLIA_128_CBC; - - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256: - return EncryptionAlgorithm.CAMELLIA_128_CBC; - - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256: - return EncryptionAlgorithm.CAMELLIA_128_GCM; - - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: - return EncryptionAlgorithm.CAMELLIA_256_CBC; - - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256: - return EncryptionAlgorithm.CAMELLIA_256_CBC; - - case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384: - return EncryptionAlgorithm.CAMELLIA_256_CBC; - - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384: - return EncryptionAlgorithm.CAMELLIA_256_GCM; - - case CipherSuite.TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_PSK_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1: - case CipherSuite.TLS_RSA_WITH_ESTREAM_SALSA20_SHA1: - return EncryptionAlgorithm.ESTREAM_SALSA20; - - case CipherSuite.TLS_RSA_WITH_NULL_MD5: - return EncryptionAlgorithm.NULL; - - case CipherSuite.TLS_DHE_PSK_WITH_NULL_SHA: - case CipherSuite.TLS_ECDH_ECDSA_WITH_NULL_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_NULL_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_NULL_SHA: - case CipherSuite.TLS_ECDHE_PSK_WITH_NULL_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_NULL_SHA: - case CipherSuite.TLS_PSK_WITH_NULL_SHA: - case CipherSuite.TLS_RSA_PSK_WITH_NULL_SHA: - case CipherSuite.TLS_RSA_WITH_NULL_SHA: - return EncryptionAlgorithm.NULL; - - case CipherSuite.TLS_DHE_PSK_WITH_NULL_SHA256: - case CipherSuite.TLS_ECDHE_PSK_WITH_NULL_SHA256: - case CipherSuite.TLS_PSK_WITH_NULL_SHA256: - case CipherSuite.TLS_RSA_PSK_WITH_NULL_SHA256: - case CipherSuite.TLS_RSA_WITH_NULL_SHA256: - return EncryptionAlgorithm.NULL; - - case CipherSuite.TLS_DHE_PSK_WITH_NULL_SHA384: - case CipherSuite.TLS_ECDHE_PSK_WITH_NULL_SHA384: - case CipherSuite.TLS_PSK_WITH_NULL_SHA384: - case CipherSuite.TLS_RSA_PSK_WITH_NULL_SHA384: - return EncryptionAlgorithm.NULL; - - case CipherSuite.TLS_DH_anon_WITH_RC4_128_MD5: - case CipherSuite.TLS_RSA_WITH_RC4_128_MD5: - return EncryptionAlgorithm.RC4_128; - - case CipherSuite.TLS_DHE_PSK_WITH_RC4_128_SHA: - case CipherSuite.TLS_ECDH_anon_WITH_RC4_128_SHA: - case CipherSuite.TLS_ECDH_ECDSA_WITH_RC4_128_SHA: - case CipherSuite.TLS_ECDH_RSA_WITH_RC4_128_SHA: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: - case CipherSuite.TLS_ECDHE_PSK_WITH_RC4_128_SHA: - case CipherSuite.TLS_ECDHE_RSA_WITH_RC4_128_SHA: - case CipherSuite.TLS_PSK_WITH_RC4_128_SHA: - case CipherSuite.TLS_RSA_WITH_RC4_128_SHA: - case CipherSuite.TLS_RSA_PSK_WITH_RC4_128_SHA: - return EncryptionAlgorithm.RC4_128; - - case CipherSuite.TLS_DHE_PSK_WITH_SALSA20_SHA1: - case CipherSuite.TLS_DHE_RSA_WITH_SALSA20_SHA1: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1: - case CipherSuite.TLS_ECDHE_PSK_WITH_SALSA20_SHA1: - case CipherSuite.TLS_ECDHE_RSA_WITH_SALSA20_SHA1: - case CipherSuite.TLS_PSK_WITH_SALSA20_SHA1: - case CipherSuite.TLS_RSA_PSK_WITH_SALSA20_SHA1: - case CipherSuite.TLS_RSA_WITH_SALSA20_SHA1: - return EncryptionAlgorithm.SALSA20; - - case CipherSuite.TLS_DH_DSS_WITH_SEED_CBC_SHA: - case CipherSuite.TLS_DH_RSA_WITH_SEED_CBC_SHA: - case CipherSuite.TLS_DHE_DSS_WITH_SEED_CBC_SHA: - case CipherSuite.TLS_DHE_RSA_WITH_SEED_CBC_SHA: - case CipherSuite.TLS_RSA_WITH_SEED_CBC_SHA: - return EncryptionAlgorithm.SEED_CBC; - - default: - throw new TlsFatalAlert(AlertDescription.internal_error); - } - } - - public static ProtocolVersion getMinimumVersion(int ciphersuite) - { - switch (ciphersuite) - { - case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DH_DSS_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DH_DSS_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DH_DSS_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_DH_DSS_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DH_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DHE_PSK_WITH_AES_128_CCM: - case CipherSuite.TLS_DHE_PSK_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DHE_PSK_WITH_AES_256_CCM: - case CipherSuite.TLS_DHE_PSK_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM_8: - case CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM_8: - case CipherSuite.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: - case CipherSuite.TLS_PSK_DHE_WITH_AES_128_CCM_8: - case CipherSuite.TLS_PSK_DHE_WITH_AES_256_CCM_8: - case CipherSuite.TLS_PSK_WITH_AES_128_CCM: - case CipherSuite.TLS_PSK_WITH_AES_128_CCM_8: - case CipherSuite.TLS_PSK_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_PSK_WITH_AES_256_CCM: - case CipherSuite.TLS_PSK_WITH_AES_256_CCM_8: - case CipherSuite.TLS_PSK_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_RSA_PSK_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_RSA_PSK_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_AES_128_CCM: - case CipherSuite.TLS_RSA_WITH_AES_128_CCM_8: - case CipherSuite.TLS_RSA_WITH_AES_128_GCM_SHA256: - case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_AES_256_CCM: - case CipherSuite.TLS_RSA_WITH_AES_256_CCM_8: - case CipherSuite.TLS_RSA_WITH_AES_256_GCM_SHA384: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256: - case CipherSuite.TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384: - case CipherSuite.TLS_RSA_WITH_NULL_SHA256: - return ProtocolVersion.TLSv12; - - default: - return ProtocolVersion.SSLv3; - } - } - - public static boolean isAEADCipherSuite(int ciphersuite) throws IOException - { - return CipherType.aead == getCipherType(ciphersuite); - } - - public static boolean isBlockCipherSuite(int ciphersuite) throws IOException - { - return CipherType.block == getCipherType(ciphersuite); - } - - public static boolean isStreamCipherSuite(int ciphersuite) throws IOException - { - return CipherType.stream == getCipherType(ciphersuite); - } - - public static boolean isValidCipherSuiteForVersion(int cipherSuite, ProtocolVersion serverVersion) - { - return getMinimumVersion(cipherSuite).isEqualOrEarlierVersionOf(serverVersion.getEquivalentTLSVersion()); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/UDPTransport.java b/core/src/main/java/org/bouncycastle/crypto/tls/UDPTransport.java deleted file mode 100644 index d5f0769e..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/UDPTransport.java +++ /dev/null @@ -1,75 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.net.DatagramPacket; -import java.net.DatagramSocket; - -public class UDPTransport - implements DatagramTransport -{ - protected final static int MIN_IP_OVERHEAD = 20; - protected final static int MAX_IP_OVERHEAD = MIN_IP_OVERHEAD + 64; - protected final static int UDP_OVERHEAD = 8; - - protected final DatagramSocket socket; - protected final int receiveLimit, sendLimit; - - public UDPTransport(DatagramSocket socket, int mtu) - throws IOException - { - if (!socket.isBound() || !socket.isConnected()) - { - throw new IllegalArgumentException("'socket' must be bound and connected"); - } - - this.socket = socket; - - // NOTE: As of JDK 1.6, can use NetworkInterface.getMTU - - this.receiveLimit = mtu - MIN_IP_OVERHEAD - UDP_OVERHEAD; - this.sendLimit = mtu - MAX_IP_OVERHEAD - UDP_OVERHEAD; - } - - public int getReceiveLimit() - { - return receiveLimit; - } - - public int getSendLimit() - { - // TODO[DTLS] Implement Path-MTU discovery? - return sendLimit; - } - - public int receive(byte[] buf, int off, int len, int waitMillis) - throws IOException - { - socket.setSoTimeout(waitMillis); - DatagramPacket packet = new DatagramPacket(buf, off, len); - socket.receive(packet); - return packet.getLength(); - } - - public void send(byte[] buf, int off, int len) - throws IOException - { - if (len > getSendLimit()) - { - /* - * RFC 4347 4.1.1. "If the application attempts to send a record larger than the MTU, - * the DTLS implementation SHOULD generate an error, thus avoiding sending a packet - * which will be fragmented." - */ - throw new TlsFatalAlert(AlertDescription.internal_error); - } - - DatagramPacket packet = new DatagramPacket(buf, off, len); - socket.send(packet); - } - - public void close() - throws IOException - { - socket.close(); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/URLAndHash.java b/core/src/main/java/org/bouncycastle/crypto/tls/URLAndHash.java deleted file mode 100644 index c32a904a..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/URLAndHash.java +++ /dev/null @@ -1,104 +0,0 @@ -package org.bouncycastle.crypto.tls; - -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; - -import org.bouncycastle.util.Strings; - -/** - * RFC 6066 5. - */ -public class URLAndHash -{ - protected String url; - protected byte[] sha1Hash; - - public URLAndHash(String url, byte[] sha1Hash) - { - if (url == null || url.length() < 1 || url.length() >= (1 << 16)) - { - throw new IllegalArgumentException("'url' must have length from 1 to (2^16 - 1)"); - } - if (sha1Hash != null && sha1Hash.length != 20) - { - throw new IllegalArgumentException("'sha1Hash' must have length == 20, if present"); - } - - this.url = url; - this.sha1Hash = sha1Hash; - } - - public String getURL() - { - return url; - } - - public byte[] getSHA1Hash() - { - return sha1Hash; - } - - /** - * Encode this {@link URLAndHash} to an {@link OutputStream}. - * - * @param output the {@link OutputStream} to encode to. - * @throws IOException - */ - public void encode(OutputStream output) - throws IOException - { - byte[] urlEncoding = Strings.toByteArray(this.url); - TlsUtils.writeOpaque16(urlEncoding, output); - - if (this.sha1Hash == null) - { - TlsUtils.writeUint8(0, output); - } - else - { - TlsUtils.writeUint8(1, output); - output.write(this.sha1Hash); - } - } - - /** - * Parse a {@link URLAndHash} from an {@link InputStream}. - * - * @param context - * the {@link TlsContext} of the current connection. - * @param input - * the {@link InputStream} to parse from. - * @return a {@link URLAndHash} object. - * @throws IOException - */ - public static URLAndHash parse(TlsContext context, InputStream input) - throws IOException - { - byte[] urlEncoding = TlsUtils.readOpaque16(input); - if (urlEncoding.length < 1) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - String url = Strings.fromByteArray(urlEncoding); - - byte[] sha1Hash = null; - short padding = TlsUtils.readUint8(input); - switch (padding) - { - case 0: - if (TlsUtils.isTLSv12(context)) - { - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - break; - case 1: - sha1Hash = TlsUtils.readFully(20, input); - break; - default: - throw new TlsFatalAlert(AlertDescription.illegal_parameter); - } - - return new URLAndHash(url, sha1Hash); - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/UseSRTPData.java b/core/src/main/java/org/bouncycastle/crypto/tls/UseSRTPData.java deleted file mode 100644 index bc2cf10c..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/UseSRTPData.java +++ /dev/null @@ -1,52 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/** - * RFC 5764 4.1.1 - */ -public class UseSRTPData -{ - private int[] protectionProfiles; - private byte[] mki; - - /** - * @param protectionProfiles see {@link SRTPProtectionProfile} for valid constants. - * @param mki valid lengths from 0 to 255. - */ - public UseSRTPData(int[] protectionProfiles, byte[] mki) - { - if (protectionProfiles == null || protectionProfiles.length < 1 - || protectionProfiles.length >= (1 << 15)) - { - throw new IllegalArgumentException( - "'protectionProfiles' must have length from 1 to (2^15 - 1)"); - } - - if (mki == null) - { - mki = TlsUtils.EMPTY_BYTES; - } - else if (mki.length > 255) - { - throw new IllegalArgumentException("'mki' cannot be longer than 255 bytes"); - } - - this.protectionProfiles = protectionProfiles; - this.mki = mki; - } - - /** - * @return see {@link SRTPProtectionProfile} for valid constants. - */ - public int[] getProtectionProfiles() - { - return protectionProfiles; - } - - /** - * @return valid lengths from 0 to 255. - */ - public byte[] getMki() - { - return mki; - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/UserMappingType.java b/core/src/main/java/org/bouncycastle/crypto/tls/UserMappingType.java deleted file mode 100644 index 8f6ae7ba..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/tls/UserMappingType.java +++ /dev/null @@ -1,12 +0,0 @@ -package org.bouncycastle.crypto.tls; - -/** - * RFC 4681 - */ -public class UserMappingType -{ - /* - * RFC 4681 - */ - public static final short upn_domain_hint = 64; -} diff --git a/core/src/main/java/org/bouncycastle/crypto/util/Pack.java b/core/src/main/java/org/bouncycastle/crypto/util/Pack.java deleted file mode 100644 index 2ded8efc..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/util/Pack.java +++ /dev/null @@ -1,204 +0,0 @@ -package org.bouncycastle.crypto.util; - -/** - * @deprecated use org.bouncycastle.util.pack - */ -public abstract class Pack -{ - public static int bigEndianToInt(byte[] bs, int off) - { - int n = bs[ off] << 24; - n |= (bs[++off] & 0xff) << 16; - n |= (bs[++off] & 0xff) << 8; - n |= (bs[++off] & 0xff); - return n; - } - - public static void bigEndianToInt(byte[] bs, int off, int[] ns) - { - for (int i = 0; i < ns.length; ++i) - { - ns[i] = bigEndianToInt(bs, off); - off += 4; - } - } - - public static byte[] intToBigEndian(int n) - { - byte[] bs = new byte[4]; - intToBigEndian(n, bs, 0); - return bs; - } - - public static void intToBigEndian(int n, byte[] bs, int off) - { - bs[ off] = (byte)(n >>> 24); - bs[++off] = (byte)(n >>> 16); - bs[++off] = (byte)(n >>> 8); - bs[++off] = (byte)(n ); - } - - public static byte[] intToBigEndian(int[] ns) - { - byte[] bs = new byte[4 * ns.length]; - intToBigEndian(ns, bs, 0); - return bs; - } - - public static void intToBigEndian(int[] ns, byte[] bs, int off) - { - for (int i = 0; i < ns.length; ++i) - { - intToBigEndian(ns[i], bs, off); - off += 4; - } - } - - public static long bigEndianToLong(byte[] bs, int off) - { - int hi = bigEndianToInt(bs, off); - int lo = bigEndianToInt(bs, off + 4); - return ((long)(hi & 0xffffffffL) << 32) | (long)(lo & 0xffffffffL); - } - - public static void bigEndianToLong(byte[] bs, int off, long[] ns) - { - for (int i = 0; i < ns.length; ++i) - { - ns[i] = bigEndianToLong(bs, off); - off += 8; - } - } - - public static byte[] longToBigEndian(long n) - { - byte[] bs = new byte[8]; - longToBigEndian(n, bs, 0); - return bs; - } - - public static void longToBigEndian(long n, byte[] bs, int off) - { - intToBigEndian((int)(n >>> 32), bs, off); - intToBigEndian((int)(n & 0xffffffffL), bs, off + 4); - } - - public static byte[] longToBigEndian(long[] ns) - { - byte[] bs = new byte[8 * ns.length]; - longToBigEndian(ns, bs, 0); - return bs; - } - - public static void longToBigEndian(long[] ns, byte[] bs, int off) - { - for (int i = 0; i < ns.length; ++i) - { - longToBigEndian(ns[i], bs, off); - off += 8; - } - } - - public static int littleEndianToInt(byte[] bs, int off) - { - int n = bs[ off] & 0xff; - n |= (bs[++off] & 0xff) << 8; - n |= (bs[++off] & 0xff) << 16; - n |= bs[++off] << 24; - return n; - } - - public static void littleEndianToInt(byte[] bs, int off, int[] ns) - { - for (int i = 0; i < ns.length; ++i) - { - ns[i] = littleEndianToInt(bs, off); - off += 4; - } - } - - public static void littleEndianToInt(byte[] bs, int bOff, int[] ns, int nOff, int count) - { - for (int i = 0; i < count; ++i) - { - ns[nOff + i] = littleEndianToInt(bs, bOff); - bOff += 4; - } - } - - public static byte[] intToLittleEndian(int n) - { - byte[] bs = new byte[4]; - intToLittleEndian(n, bs, 0); - return bs; - } - - public static void intToLittleEndian(int n, byte[] bs, int off) - { - bs[ off] = (byte)(n ); - bs[++off] = (byte)(n >>> 8); - bs[++off] = (byte)(n >>> 16); - bs[++off] = (byte)(n >>> 24); - } - - public static byte[] intToLittleEndian(int[] ns) - { - byte[] bs = new byte[4 * ns.length]; - intToLittleEndian(ns, bs, 0); - return bs; - } - - public static void intToLittleEndian(int[] ns, byte[] bs, int off) - { - for (int i = 0; i < ns.length; ++i) - { - intToLittleEndian(ns[i], bs, off); - off += 4; - } - } - - public static long littleEndianToLong(byte[] bs, int off) - { - int lo = littleEndianToInt(bs, off); - int hi = littleEndianToInt(bs, off + 4); - return ((long)(hi & 0xffffffffL) << 32) | (long)(lo & 0xffffffffL); - } - - public static void littleEndianToLong(byte[] bs, int off, long[] ns) - { - for (int i = 0; i < ns.length; ++i) - { - ns[i] = littleEndianToLong(bs, off); - off += 8; - } - } - - public static byte[] longToLittleEndian(long n) - { - byte[] bs = new byte[8]; - longToLittleEndian(n, bs, 0); - return bs; - } - - public static void longToLittleEndian(long n, byte[] bs, int off) - { - intToLittleEndian((int)(n & 0xffffffffL), bs, off); - intToLittleEndian((int)(n >>> 32), bs, off + 4); - } - - public static byte[] longToLittleEndian(long[] ns) - { - byte[] bs = new byte[8 * ns.length]; - longToLittleEndian(ns, bs, 0); - return bs; - } - - public static void longToLittleEndian(long[] ns, byte[] bs, int off) - { - for (int i = 0; i < ns.length; ++i) - { - longToLittleEndian(ns[i], bs, off); - off += 8; - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/util/PrivateKeyFactory.java b/core/src/main/java/org/bouncycastle/crypto/util/PrivateKeyFactory.java deleted file mode 100644 index 92684ecc..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/util/PrivateKeyFactory.java +++ /dev/null @@ -1,159 +0,0 @@ -package org.bouncycastle.crypto.util; - -import java.io.IOException; -import java.io.InputStream; -import java.math.BigInteger; - -import org.bouncycastle.asn1.ASN1Encodable; -import org.bouncycastle.asn1.ASN1InputStream; -import org.bouncycastle.asn1.ASN1Integer; -import org.bouncycastle.asn1.ASN1ObjectIdentifier; -import org.bouncycastle.asn1.ASN1Primitive; -import org.bouncycastle.asn1.oiw.ElGamalParameter; -import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers; -import org.bouncycastle.asn1.pkcs.DHParameter; -import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; -import org.bouncycastle.asn1.pkcs.PrivateKeyInfo; -import org.bouncycastle.asn1.pkcs.RSAPrivateKey; -import org.bouncycastle.asn1.sec.ECPrivateKey; -import org.bouncycastle.asn1.x509.AlgorithmIdentifier; -import org.bouncycastle.asn1.x509.DSAParameter; -import org.bouncycastle.asn1.x9.ECNamedCurveTable; -import org.bouncycastle.asn1.x9.X962Parameters; -import org.bouncycastle.asn1.x9.X9ECParameters; -import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; -import org.bouncycastle.crypto.ec.CustomNamedCurves; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.params.DHParameters; -import org.bouncycastle.crypto.params.DHPrivateKeyParameters; -import org.bouncycastle.crypto.params.DSAParameters; -import org.bouncycastle.crypto.params.DSAPrivateKeyParameters; -import org.bouncycastle.crypto.params.ECDomainParameters; -import org.bouncycastle.crypto.params.ECNamedDomainParameters; -import org.bouncycastle.crypto.params.ECPrivateKeyParameters; -import org.bouncycastle.crypto.params.ElGamalParameters; -import org.bouncycastle.crypto.params.ElGamalPrivateKeyParameters; -import org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters; - -/** - * Factory for creating private key objects from PKCS8 PrivateKeyInfo objects. - */ -public class PrivateKeyFactory -{ - /** - * Create a private key parameter from a PKCS8 PrivateKeyInfo encoding. - * - * @param privateKeyInfoData the PrivateKeyInfo encoding - * @return a suitable private key parameter - * @throws IOException on an error decoding the key - */ - public static AsymmetricKeyParameter createKey(byte[] privateKeyInfoData) throws IOException - { - return createKey(PrivateKeyInfo.getInstance(ASN1Primitive.fromByteArray(privateKeyInfoData))); - } - - /** - * Create a private key parameter from a PKCS8 PrivateKeyInfo encoding read from a - * stream. - * - * @param inStr the stream to read the PrivateKeyInfo encoding from - * @return a suitable private key parameter - * @throws IOException on an error decoding the key - */ - public static AsymmetricKeyParameter createKey(InputStream inStr) throws IOException - { - return createKey(PrivateKeyInfo.getInstance(new ASN1InputStream(inStr).readObject())); - } - - /** - * Create a private key parameter from the passed in PKCS8 PrivateKeyInfo object. - * - * @param keyInfo the PrivateKeyInfo object containing the key material - * @return a suitable private key parameter - * @throws IOException on an error decoding the key - */ - public static AsymmetricKeyParameter createKey(PrivateKeyInfo keyInfo) throws IOException - { - AlgorithmIdentifier algId = keyInfo.getPrivateKeyAlgorithm(); - - if (algId.getAlgorithm().equals(PKCSObjectIdentifiers.rsaEncryption)) - { - RSAPrivateKey keyStructure = RSAPrivateKey.getInstance(keyInfo.parsePrivateKey()); - - return new RSAPrivateCrtKeyParameters(keyStructure.getModulus(), - keyStructure.getPublicExponent(), keyStructure.getPrivateExponent(), - keyStructure.getPrime1(), keyStructure.getPrime2(), keyStructure.getExponent1(), - keyStructure.getExponent2(), keyStructure.getCoefficient()); - } - // TODO? -// else if (algId.getObjectId().equals(X9ObjectIdentifiers.dhpublicnumber)) - else if (algId.getAlgorithm().equals(PKCSObjectIdentifiers.dhKeyAgreement)) - { - DHParameter params = DHParameter.getInstance(algId.getParameters()); - ASN1Integer derX = (ASN1Integer)keyInfo.parsePrivateKey(); - - BigInteger lVal = params.getL(); - int l = lVal == null ? 0 : lVal.intValue(); - DHParameters dhParams = new DHParameters(params.getP(), params.getG(), null, l); - - return new DHPrivateKeyParameters(derX.getValue(), dhParams); - } - else if (algId.getAlgorithm().equals(OIWObjectIdentifiers.elGamalAlgorithm)) - { - ElGamalParameter params = ElGamalParameter.getInstance(algId.getParameters()); - ASN1Integer derX = (ASN1Integer)keyInfo.parsePrivateKey(); - - return new ElGamalPrivateKeyParameters(derX.getValue(), new ElGamalParameters( - params.getP(), params.getG())); - } - else if (algId.getAlgorithm().equals(X9ObjectIdentifiers.id_dsa)) - { - ASN1Integer derX = (ASN1Integer)keyInfo.parsePrivateKey(); - ASN1Encodable de = algId.getParameters(); - - DSAParameters parameters = null; - if (de != null) - { - DSAParameter params = DSAParameter.getInstance(de.toASN1Primitive()); - parameters = new DSAParameters(params.getP(), params.getQ(), params.getG()); - } - - return new DSAPrivateKeyParameters(derX.getValue(), parameters); - } - else if (algId.getAlgorithm().equals(X9ObjectIdentifiers.id_ecPublicKey)) - { - X962Parameters params = new X962Parameters((ASN1Primitive)algId.getParameters()); - - X9ECParameters x9; - ECDomainParameters dParams; - - if (params.isNamedCurve()) - { - ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier)params.getParameters(); - - x9 = CustomNamedCurves.getByOID(oid); - if (x9 == null) - { - x9 = ECNamedCurveTable.getByOID(oid); - } - dParams = new ECNamedDomainParameters( - oid, x9.getCurve(), x9.getG(), x9.getN(), x9.getH(), x9.getSeed()); - } - else - { - x9 = X9ECParameters.getInstance(params.getParameters()); - dParams = new ECDomainParameters( - x9.getCurve(), x9.getG(), x9.getN(), x9.getH(), x9.getSeed()); - } - - ECPrivateKey ec = ECPrivateKey.getInstance(keyInfo.parsePrivateKey()); - BigInteger d = ec.getKey(); - - return new ECPrivateKeyParameters(d, dParams); - } - else - { - throw new RuntimeException("algorithm identifier in key not recognised"); - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/util/PrivateKeyInfoFactory.java b/core/src/main/java/org/bouncycastle/crypto/util/PrivateKeyInfoFactory.java deleted file mode 100644 index 9f791f4c..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/util/PrivateKeyInfoFactory.java +++ /dev/null @@ -1,86 +0,0 @@ -package org.bouncycastle.crypto.util; - -import java.io.IOException; - -import org.bouncycastle.asn1.ASN1Encodable; -import org.bouncycastle.asn1.ASN1Integer; -import org.bouncycastle.asn1.DERNull; -import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; -import org.bouncycastle.asn1.pkcs.PrivateKeyInfo; -import org.bouncycastle.asn1.pkcs.RSAPrivateKey; -import org.bouncycastle.asn1.sec.ECPrivateKey; -import org.bouncycastle.asn1.x509.AlgorithmIdentifier; -import org.bouncycastle.asn1.x509.DSAParameter; -import org.bouncycastle.asn1.x9.X962Parameters; -import org.bouncycastle.asn1.x9.X9ECParameters; -import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.params.DSAParameters; -import org.bouncycastle.crypto.params.DSAPrivateKeyParameters; -import org.bouncycastle.crypto.params.ECDomainParameters; -import org.bouncycastle.crypto.params.ECNamedDomainParameters; -import org.bouncycastle.crypto.params.ECPrivateKeyParameters; -import org.bouncycastle.crypto.params.RSAKeyParameters; -import org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters; - -/** - * Factory to create ASN.1 private key info objects from lightweight private keys. - */ -public class PrivateKeyInfoFactory -{ - /** - * Create a PrivateKeyInfo representation of a private key. - * - * @param privateKey the SubjectPublicKeyInfo encoding - * @return the appropriate key parameter - * @throws java.io.IOException on an error encoding the key - */ - public static PrivateKeyInfo createPrivateKeyInfo(AsymmetricKeyParameter privateKey) throws IOException - { - if (privateKey instanceof RSAKeyParameters) - { - RSAPrivateCrtKeyParameters priv = (RSAPrivateCrtKeyParameters)privateKey; - - return new PrivateKeyInfo(new AlgorithmIdentifier(PKCSObjectIdentifiers.rsaEncryption, DERNull.INSTANCE), new RSAPrivateKey(priv.getModulus(), priv.getPublicExponent(), priv.getExponent(), priv.getP(), priv.getQ(), priv.getDP(), priv.getDQ(), priv.getQInv())); - } - else if (privateKey instanceof DSAPrivateKeyParameters) - { - DSAPrivateKeyParameters priv = (DSAPrivateKeyParameters)privateKey; - DSAParameters params = priv.getParameters(); - - return new PrivateKeyInfo(new AlgorithmIdentifier(X9ObjectIdentifiers.id_dsa, new DSAParameter(params.getP(), params.getQ(), params.getG())), new ASN1Integer(priv.getX())); - } - else if (privateKey instanceof ECPrivateKeyParameters) - { - ECPrivateKeyParameters priv = (ECPrivateKeyParameters)privateKey; - ECDomainParameters domainParams = priv.getParameters(); - ASN1Encodable params; - - if (domainParams == null) - { - params = new X962Parameters(DERNull.INSTANCE); // Implicitly CA - } - else if (domainParams instanceof ECNamedDomainParameters) - { - params = new X962Parameters(((ECNamedDomainParameters)domainParams).getName()); - } - else - { - X9ECParameters ecP = new X9ECParameters( - domainParams.getCurve(), - domainParams.getG(), - domainParams.getN(), - domainParams.getH(), - domainParams.getSeed()); - - params = new X962Parameters(ecP); - } - - return new PrivateKeyInfo(new AlgorithmIdentifier(X9ObjectIdentifiers.id_ecPublicKey, params), new ECPrivateKey(priv.getD(), params)); - } - else - { - throw new IOException("key parameters not recognised."); - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/util/PublicKeyFactory.java b/core/src/main/java/org/bouncycastle/crypto/util/PublicKeyFactory.java deleted file mode 100644 index cb130954..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/util/PublicKeyFactory.java +++ /dev/null @@ -1,195 +0,0 @@ -package org.bouncycastle.crypto.util; - -import java.io.IOException; -import java.io.InputStream; -import java.math.BigInteger; - -import org.bouncycastle.asn1.ASN1Encodable; -import org.bouncycastle.asn1.ASN1InputStream; -import org.bouncycastle.asn1.ASN1Integer; -import org.bouncycastle.asn1.ASN1ObjectIdentifier; -import org.bouncycastle.asn1.ASN1OctetString; -import org.bouncycastle.asn1.ASN1Primitive; -import org.bouncycastle.asn1.DEROctetString; -import org.bouncycastle.asn1.oiw.ElGamalParameter; -import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers; -import org.bouncycastle.asn1.pkcs.DHParameter; -import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; -import org.bouncycastle.asn1.pkcs.RSAPublicKey; -import org.bouncycastle.asn1.x509.AlgorithmIdentifier; -import org.bouncycastle.asn1.x509.DSAParameter; -import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; -import org.bouncycastle.asn1.x509.X509ObjectIdentifiers; -import org.bouncycastle.asn1.x9.DHDomainParameters; -import org.bouncycastle.asn1.x9.DHPublicKey; -import org.bouncycastle.asn1.x9.DHValidationParms; -import org.bouncycastle.asn1.x9.ECNamedCurveTable; -import org.bouncycastle.asn1.x9.X962Parameters; -import org.bouncycastle.asn1.x9.X9ECParameters; -import org.bouncycastle.asn1.x9.X9ECPoint; -import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; -import org.bouncycastle.crypto.ec.CustomNamedCurves; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.params.DHParameters; -import org.bouncycastle.crypto.params.DHPublicKeyParameters; -import org.bouncycastle.crypto.params.DHValidationParameters; -import org.bouncycastle.crypto.params.DSAParameters; -import org.bouncycastle.crypto.params.DSAPublicKeyParameters; -import org.bouncycastle.crypto.params.ECDomainParameters; -import org.bouncycastle.crypto.params.ECNamedDomainParameters; -import org.bouncycastle.crypto.params.ECPublicKeyParameters; -import org.bouncycastle.crypto.params.ElGamalParameters; -import org.bouncycastle.crypto.params.ElGamalPublicKeyParameters; -import org.bouncycastle.crypto.params.RSAKeyParameters; - -/** - * Factory to create asymmetric public key parameters for asymmetric ciphers from range of - * ASN.1 encoded SubjectPublicKeyInfo objects. - */ -public class PublicKeyFactory -{ - /** - * Create a public key from a SubjectPublicKeyInfo encoding - * - * @param keyInfoData the SubjectPublicKeyInfo encoding - * @return the appropriate key parameter - * @throws IOException on an error decoding the key - */ - public static AsymmetricKeyParameter createKey(byte[] keyInfoData) throws IOException - { - return createKey(SubjectPublicKeyInfo.getInstance(ASN1Primitive.fromByteArray(keyInfoData))); - } - - /** - * Create a public key from a SubjectPublicKeyInfo encoding read from a stream - * - * @param inStr the stream to read the SubjectPublicKeyInfo encoding from - * @return the appropriate key parameter - * @throws IOException on an error decoding the key - */ - public static AsymmetricKeyParameter createKey(InputStream inStr) throws IOException - { - return createKey(SubjectPublicKeyInfo.getInstance(new ASN1InputStream(inStr).readObject())); - } - - /** - * Create a public key from the passed in SubjectPublicKeyInfo - * - * @param keyInfo the SubjectPublicKeyInfo containing the key data - * @return the appropriate key parameter - * @throws IOException on an error decoding the key - */ - public static AsymmetricKeyParameter createKey(SubjectPublicKeyInfo keyInfo) throws IOException - { - AlgorithmIdentifier algId = keyInfo.getAlgorithm(); - - if (algId.getAlgorithm().equals(PKCSObjectIdentifiers.rsaEncryption) - || algId.getAlgorithm().equals(X509ObjectIdentifiers.id_ea_rsa)) - { - RSAPublicKey pubKey = RSAPublicKey.getInstance(keyInfo.parsePublicKey()); - - return new RSAKeyParameters(false, pubKey.getModulus(), pubKey.getPublicExponent()); - } - else if (algId.getAlgorithm().equals(X9ObjectIdentifiers.dhpublicnumber)) - { - DHPublicKey dhPublicKey = DHPublicKey.getInstance(keyInfo.parsePublicKey()); - - BigInteger y = dhPublicKey.getY().getValue(); - - DHDomainParameters dhParams = DHDomainParameters.getInstance(algId.getParameters()); - - BigInteger p = dhParams.getP().getValue(); - BigInteger g = dhParams.getG().getValue(); - BigInteger q = dhParams.getQ().getValue(); - - BigInteger j = null; - if (dhParams.getJ() != null) - { - j = dhParams.getJ().getValue(); - } - - DHValidationParameters validation = null; - DHValidationParms dhValidationParms = dhParams.getValidationParms(); - if (dhValidationParms != null) - { - byte[] seed = dhValidationParms.getSeed().getBytes(); - BigInteger pgenCounter = dhValidationParms.getPgenCounter().getValue(); - - // TODO Check pgenCounter size? - - validation = new DHValidationParameters(seed, pgenCounter.intValue()); - } - - return new DHPublicKeyParameters(y, new DHParameters(p, g, q, j, validation)); - } - else if (algId.getAlgorithm().equals(PKCSObjectIdentifiers.dhKeyAgreement)) - { - DHParameter params = DHParameter.getInstance(algId.getParameters()); - ASN1Integer derY = (ASN1Integer)keyInfo.parsePublicKey(); - - BigInteger lVal = params.getL(); - int l = lVal == null ? 0 : lVal.intValue(); - DHParameters dhParams = new DHParameters(params.getP(), params.getG(), null, l); - - return new DHPublicKeyParameters(derY.getValue(), dhParams); - } - else if (algId.getAlgorithm().equals(OIWObjectIdentifiers.elGamalAlgorithm)) - { - ElGamalParameter params = ElGamalParameter.getInstance(algId.getParameters()); - ASN1Integer derY = (ASN1Integer)keyInfo.parsePublicKey(); - - return new ElGamalPublicKeyParameters(derY.getValue(), new ElGamalParameters( - params.getP(), params.getG())); - } - else if (algId.getAlgorithm().equals(X9ObjectIdentifiers.id_dsa) - || algId.getAlgorithm().equals(OIWObjectIdentifiers.dsaWithSHA1)) - { - ASN1Integer derY = (ASN1Integer)keyInfo.parsePublicKey(); - ASN1Encodable de = algId.getParameters(); - - DSAParameters parameters = null; - if (de != null) - { - DSAParameter params = DSAParameter.getInstance(de.toASN1Primitive()); - parameters = new DSAParameters(params.getP(), params.getQ(), params.getG()); - } - - return new DSAPublicKeyParameters(derY.getValue(), parameters); - } - else if (algId.getAlgorithm().equals(X9ObjectIdentifiers.id_ecPublicKey)) - { - X962Parameters params = X962Parameters.getInstance(algId.getParameters()); - - X9ECParameters x9; - ECDomainParameters dParams; - - if (params.isNamedCurve()) - { - ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier)params.getParameters(); - - x9 = CustomNamedCurves.getByOID(oid); - if (x9 == null) - { - x9 = ECNamedCurveTable.getByOID(oid); - } - dParams = new ECNamedDomainParameters( - oid, x9.getCurve(), x9.getG(), x9.getN(), x9.getH(), x9.getSeed()); - } - else - { - x9 = X9ECParameters.getInstance(params.getParameters()); - dParams = new ECDomainParameters( - x9.getCurve(), x9.getG(), x9.getN(), x9.getH(), x9.getSeed()); - } - - ASN1OctetString key = new DEROctetString(keyInfo.getPublicKeyData().getBytes()); - X9ECPoint derQ = new X9ECPoint(x9.getCurve(), key); - - return new ECPublicKeyParameters(derQ.getPoint(), dParams); - } - else - { - throw new RuntimeException("algorithm identifier in key not recognised"); - } - } -} diff --git a/core/src/main/java/org/bouncycastle/crypto/util/SubjectPublicKeyInfoFactory.java b/core/src/main/java/org/bouncycastle/crypto/util/SubjectPublicKeyInfoFactory.java deleted file mode 100644 index d2d42037..00000000 --- a/core/src/main/java/org/bouncycastle/crypto/util/SubjectPublicKeyInfoFactory.java +++ /dev/null @@ -1,85 +0,0 @@ -package org.bouncycastle.crypto.util; - -import java.io.IOException; - -import org.bouncycastle.asn1.ASN1Encodable; -import org.bouncycastle.asn1.ASN1Integer; -import org.bouncycastle.asn1.ASN1OctetString; -import org.bouncycastle.asn1.DERNull; -import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; -import org.bouncycastle.asn1.pkcs.RSAPublicKey; -import org.bouncycastle.asn1.x509.AlgorithmIdentifier; -import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; -import org.bouncycastle.asn1.x9.X962Parameters; -import org.bouncycastle.asn1.x9.X9ECParameters; -import org.bouncycastle.asn1.x9.X9ECPoint; -import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; -import org.bouncycastle.crypto.params.DSAPublicKeyParameters; -import org.bouncycastle.crypto.params.ECDomainParameters; -import org.bouncycastle.crypto.params.ECNamedDomainParameters; -import org.bouncycastle.crypto.params.ECPublicKeyParameters; -import org.bouncycastle.crypto.params.RSAKeyParameters; - -/** - * Factory to create ASN.1 subject public key info objects from lightweight public keys. - */ -public class SubjectPublicKeyInfoFactory -{ - /** - * Create a SubjectPublicKeyInfo public key. - * - * @param publicKey the SubjectPublicKeyInfo encoding - * @return the appropriate key parameter - * @throws java.io.IOException on an error encoding the key - */ - public static SubjectPublicKeyInfo createSubjectPublicKeyInfo(AsymmetricKeyParameter publicKey) throws IOException - { - if (publicKey instanceof RSAKeyParameters) - { - RSAKeyParameters pub = (RSAKeyParameters)publicKey; - - return new SubjectPublicKeyInfo(new AlgorithmIdentifier(PKCSObjectIdentifiers.rsaEncryption, DERNull.INSTANCE), new RSAPublicKey(pub.getModulus(), pub.getExponent())); - } - else if (publicKey instanceof DSAPublicKeyParameters) - { - DSAPublicKeyParameters pub = (DSAPublicKeyParameters)publicKey; - - return new SubjectPublicKeyInfo(new AlgorithmIdentifier(X9ObjectIdentifiers.id_dsa), new ASN1Integer(pub.getY())); - } - else if (publicKey instanceof ECPublicKeyParameters) - { - ECPublicKeyParameters pub = (ECPublicKeyParameters)publicKey; - ECDomainParameters domainParams = pub.getParameters(); - ASN1Encodable params; - - if (domainParams == null) - { - params = new X962Parameters(DERNull.INSTANCE); // Implicitly CA - } - else if (domainParams instanceof ECNamedDomainParameters) - { - params = new X962Parameters(((ECNamedDomainParameters)domainParams).getName()); - } - else - { - X9ECParameters ecP = new X9ECParameters( - domainParams.getCurve(), - domainParams.getG(), - domainParams.getN(), - domainParams.getH(), - domainParams.getSeed()); - - params = new X962Parameters(ecP); - } - - ASN1OctetString p = (ASN1OctetString)new X9ECPoint(pub.getQ()).toASN1Primitive(); - - return new SubjectPublicKeyInfo(new AlgorithmIdentifier(X9ObjectIdentifiers.id_ecPublicKey, params), p.getOctets()); - } - else - { - throw new IOException("key parameters not recognised."); - } - } -} |