|
2
|
1 |
/*
|
|
5506
|
2 |
* Copyright (c) 2002, 2007, Oracle and/or its affiliates. All rights reserved.
|
|
2
|
3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
|
4 |
*
|
|
|
5 |
* This code is free software; you can redistribute it and/or modify it
|
|
|
6 |
* under the terms of the GNU General Public License version 2 only, as
|
|
5506
|
7 |
* published by the Free Software Foundation. Oracle designates this
|
|
2
|
8 |
* particular file as subject to the "Classpath" exception as provided
|
|
5506
|
9 |
* by Oracle in the LICENSE file that accompanied this code.
|
|
2
|
10 |
*
|
|
|
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that
|
|
|
15 |
* accompanied this code).
|
|
|
16 |
*
|
|
|
17 |
* You should have received a copy of the GNU General Public License version
|
|
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
|
20 |
*
|
|
5506
|
21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
|
22 |
* or visit www.oracle.com if you need additional information or have any
|
|
|
23 |
* questions.
|
|
2
|
24 |
*/
|
|
|
25 |
|
|
|
26 |
/* $Id: Rijndael.java,v 1.6 2000/02/10 01:31:41 gelderen Exp $
|
|
|
27 |
*
|
|
|
28 |
* Copyright (C) 1995-2000 The Cryptix Foundation Limited.
|
|
|
29 |
* All rights reserved.
|
|
|
30 |
*
|
|
|
31 |
* Use, modification, copying and distribution of this softwareas is subject
|
|
|
32 |
* the terms and conditions of the Cryptix General Licence. You should have
|
|
|
33 |
* received a copy of the Cryptix General Licence along with this library;
|
|
|
34 |
* if not, you can download a copy from http://www.cryptix.org/ .
|
|
|
35 |
*/
|
|
|
36 |
|
|
|
37 |
package com.sun.crypto.provider;
|
|
|
38 |
|
|
|
39 |
import java.security.InvalidKeyException;
|
|
|
40 |
|
|
|
41 |
/**
|
|
|
42 |
* Rijndael --pronounced Reindaal-- is a symmetric cipher with a 128-bit
|
|
|
43 |
* block size and variable key-size (128-, 192- and 256-bit).
|
|
|
44 |
* <p>
|
|
|
45 |
* Rijndael was designed by <a href="mailto:rijmen@esat.kuleuven.ac.be">Vincent
|
|
|
46 |
* Rijmen</a> and <a href="mailto:Joan.Daemen@village.uunet.be">Joan Daemen</a>.
|
|
|
47 |
*/
|
|
|
48 |
final class AESCrypt extends SymmetricCipher implements AESConstants
|
|
|
49 |
{
|
|
|
50 |
private boolean ROUNDS_12 = false;
|
|
|
51 |
private boolean ROUNDS_14 = false;
|
|
|
52 |
|
|
|
53 |
/** Session and Sub keys */
|
|
|
54 |
private Object[] sessionK = null;
|
|
|
55 |
private int[] K = null;
|
|
|
56 |
|
|
|
57 |
/** (ROUNDS-1) * 4 */
|
|
|
58 |
private int limit = 0;
|
|
|
59 |
|
|
|
60 |
AESCrypt() {
|
|
|
61 |
// empty
|
|
|
62 |
}
|
|
|
63 |
|
|
|
64 |
/**
|
|
|
65 |
* Returns this cipher's block size.
|
|
|
66 |
*
|
|
|
67 |
* @return this cipher's block size
|
|
|
68 |
*/
|
|
|
69 |
int getBlockSize() {
|
|
|
70 |
return AES_BLOCK_SIZE;
|
|
|
71 |
}
|
|
|
72 |
|
|
|
73 |
void init(boolean decrypting, String algorithm, byte[] key)
|
|
|
74 |
throws InvalidKeyException {
|
|
|
75 |
if (!algorithm.equalsIgnoreCase("AES")
|
|
|
76 |
&& !algorithm.equalsIgnoreCase("Rijndael")) {
|
|
|
77 |
throw new InvalidKeyException
|
|
|
78 |
("Wrong algorithm: AES or Rijndael required");
|
|
|
79 |
}
|
|
|
80 |
if (!isKeySizeValid(key.length)) {
|
|
|
81 |
throw new InvalidKeyException("Invalid AES key length: " +
|
|
|
82 |
key.length + " bytes");
|
|
|
83 |
}
|
|
|
84 |
|
|
|
85 |
// generate session key and reset sub key.
|
|
|
86 |
sessionK = makeKey(key);
|
|
|
87 |
setSubKey(decrypting);
|
|
|
88 |
}
|
|
|
89 |
|
|
|
90 |
private void setSubKey(boolean decrypting) {
|
|
|
91 |
int[][] Kd = (int[][]) sessionK[decrypting ? 1 : 0];
|
|
|
92 |
int rounds = Kd.length;
|
|
|
93 |
this.K = new int[rounds*4];
|
|
|
94 |
for(int i=0; i<rounds; i++) {
|
|
|
95 |
for(int j=0; j<4; j++) {
|
|
|
96 |
K[i*4 + j] = Kd[i][j];
|
|
|
97 |
}
|
|
|
98 |
}
|
|
|
99 |
|
|
|
100 |
if (decrypting) {
|
|
|
101 |
int j0 = K[K.length-4];
|
|
|
102 |
int j1 = K[K.length-3];
|
|
|
103 |
int j2 = K[K.length-2];
|
|
|
104 |
int j3 = K[K.length-1];
|
|
|
105 |
|
|
|
106 |
for (int i=this.K.length-1; i>3; i--) {
|
|
|
107 |
this.K[i] = this.K[i-4];
|
|
|
108 |
}
|
|
|
109 |
K[0] = j0;
|
|
|
110 |
K[1] = j1;
|
|
|
111 |
K[2] = j2;
|
|
|
112 |
K[3] = j3;
|
|
|
113 |
}
|
|
|
114 |
|
|
|
115 |
ROUNDS_12 = (rounds>=13);
|
|
|
116 |
ROUNDS_14 = (rounds==15);
|
|
|
117 |
|
|
|
118 |
rounds--;
|
|
|
119 |
limit=rounds*4;
|
|
|
120 |
}
|
|
|
121 |
|
|
|
122 |
private static int[]
|
|
|
123 |
alog = new int[256],
|
|
|
124 |
log = new int[256];
|
|
|
125 |
|
|
|
126 |
private static final byte[]
|
|
|
127 |
S = new byte[256],
|
|
|
128 |
Si = new byte[256];
|
|
|
129 |
|
|
|
130 |
private static final int[]
|
|
|
131 |
T1 = new int[256],
|
|
|
132 |
T2 = new int[256],
|
|
|
133 |
T3 = new int[256],
|
|
|
134 |
T4 = new int[256],
|
|
|
135 |
T5 = new int[256],
|
|
|
136 |
T6 = new int[256],
|
|
|
137 |
T7 = new int[256],
|
|
|
138 |
T8 = new int[256];
|
|
|
139 |
|
|
|
140 |
private static final int[]
|
|
|
141 |
U1 = new int[256],
|
|
|
142 |
U2 = new int[256],
|
|
|
143 |
U3 = new int[256],
|
|
|
144 |
U4 = new int[256];
|
|
|
145 |
|
|
|
146 |
private static final byte[] rcon = new byte[30];
|
|
|
147 |
|
|
|
148 |
|
|
|
149 |
// Static code - to intialise S-boxes and T-boxes
|
|
|
150 |
static
|
|
|
151 |
{
|
|
|
152 |
int ROOT = 0x11B;
|
|
|
153 |
int i, j = 0;
|
|
|
154 |
|
|
|
155 |
//
|
|
|
156 |
// produce log and alog tables, needed for multiplying in the
|
|
|
157 |
// field GF(2^m) (generator = 3)
|
|
|
158 |
//
|
|
|
159 |
alog[0] = 1;
|
|
|
160 |
for (i = 1; i < 256; i++)
|
|
|
161 |
{
|
|
|
162 |
j = (alog[i-1] << 1) ^ alog[i-1];
|
|
|
163 |
if ((j & 0x100) != 0) {
|
|
|
164 |
j ^= ROOT;
|
|
|
165 |
}
|
|
|
166 |
alog[i] = j;
|
|
|
167 |
}
|
|
|
168 |
for (i = 1; i < 255; i++) {
|
|
|
169 |
log[alog[i]] = i;
|
|
|
170 |
}
|
|
|
171 |
byte[][] A = new byte[][]
|
|
|
172 |
{
|
|
|
173 |
{1, 1, 1, 1, 1, 0, 0, 0},
|
|
|
174 |
{0, 1, 1, 1, 1, 1, 0, 0},
|
|
|
175 |
{0, 0, 1, 1, 1, 1, 1, 0},
|
|
|
176 |
{0, 0, 0, 1, 1, 1, 1, 1},
|
|
|
177 |
{1, 0, 0, 0, 1, 1, 1, 1},
|
|
|
178 |
{1, 1, 0, 0, 0, 1, 1, 1},
|
|
|
179 |
{1, 1, 1, 0, 0, 0, 1, 1},
|
|
|
180 |
{1, 1, 1, 1, 0, 0, 0, 1}
|
|
|
181 |
};
|
|
|
182 |
byte[] B = new byte[] { 0, 1, 1, 0, 0, 0, 1, 1};
|
|
|
183 |
|
|
|
184 |
//
|
|
|
185 |
// substitution box based on F^{-1}(x)
|
|
|
186 |
//
|
|
|
187 |
int t;
|
|
|
188 |
byte[][] box = new byte[256][8];
|
|
|
189 |
box[1][7] = 1;
|
|
|
190 |
for (i = 2; i < 256; i++) {
|
|
|
191 |
j = alog[255 - log[i]];
|
|
|
192 |
for (t = 0; t < 8; t++) {
|
|
|
193 |
box[i][t] = (byte)((j >>> (7 - t)) & 0x01);
|
|
|
194 |
}
|
|
|
195 |
}
|
|
|
196 |
//
|
|
|
197 |
// affine transform: box[i] <- B + A*box[i]
|
|
|
198 |
//
|
|
|
199 |
byte[][] cox = new byte[256][8];
|
|
|
200 |
for (i = 0; i < 256; i++) {
|
|
|
201 |
for (t = 0; t < 8; t++) {
|
|
|
202 |
cox[i][t] = B[t];
|
|
|
203 |
for (j = 0; j < 8; j++) {
|
|
|
204 |
cox[i][t] ^= A[t][j] * box[i][j];
|
|
|
205 |
}
|
|
|
206 |
}
|
|
|
207 |
}
|
|
|
208 |
//
|
|
|
209 |
// S-boxes and inverse S-boxes
|
|
|
210 |
//
|
|
|
211 |
for (i = 0; i < 256; i++) {
|
|
|
212 |
S[i] = (byte)(cox[i][0] << 7);
|
|
|
213 |
for (t = 1; t < 8; t++) {
|
|
|
214 |
S[i] ^= cox[i][t] << (7-t);
|
|
|
215 |
}
|
|
|
216 |
Si[S[i] & 0xFF] = (byte) i;
|
|
|
217 |
}
|
|
|
218 |
//
|
|
|
219 |
// T-boxes
|
|
|
220 |
//
|
|
|
221 |
byte[][] G = new byte[][] {
|
|
|
222 |
{2, 1, 1, 3},
|
|
|
223 |
{3, 2, 1, 1},
|
|
|
224 |
{1, 3, 2, 1},
|
|
|
225 |
{1, 1, 3, 2}
|
|
|
226 |
};
|
|
|
227 |
byte[][] AA = new byte[4][8];
|
|
|
228 |
for (i = 0; i < 4; i++) {
|
|
|
229 |
for (j = 0; j < 4; j++) AA[i][j] = G[i][j];
|
|
|
230 |
AA[i][i+4] = 1;
|
|
|
231 |
}
|
|
|
232 |
byte pivot, tmp;
|
|
|
233 |
byte[][] iG = new byte[4][4];
|
|
|
234 |
for (i = 0; i < 4; i++) {
|
|
|
235 |
pivot = AA[i][i];
|
|
|
236 |
if (pivot == 0) {
|
|
|
237 |
t = i + 1;
|
|
|
238 |
while ((AA[t][i] == 0) && (t < 4)) {
|
|
|
239 |
t++;
|
|
|
240 |
}
|
|
|
241 |
if (t == 4) {
|
|
|
242 |
throw new RuntimeException("G matrix is not invertible");
|
|
|
243 |
}
|
|
|
244 |
else {
|
|
|
245 |
for (j = 0; j < 8; j++) {
|
|
|
246 |
tmp = AA[i][j];
|
|
|
247 |
AA[i][j] = AA[t][j];
|
|
|
248 |
AA[t][j] = (byte) tmp;
|
|
|
249 |
}
|
|
|
250 |
pivot = AA[i][i];
|
|
|
251 |
}
|
|
|
252 |
}
|
|
|
253 |
for (j = 0; j < 8; j++) {
|
|
|
254 |
if (AA[i][j] != 0) {
|
|
|
255 |
AA[i][j] = (byte)
|
|
|
256 |
alog[(255 + log[AA[i][j] & 0xFF] - log[pivot & 0xFF]) % 255];
|
|
|
257 |
}
|
|
|
258 |
}
|
|
|
259 |
for (t = 0; t < 4; t++) {
|
|
|
260 |
if (i != t) {
|
|
|
261 |
for (j = i+1; j < 8; j++) {
|
|
|
262 |
AA[t][j] ^= mul(AA[i][j], AA[t][i]);
|
|
|
263 |
}
|
|
|
264 |
AA[t][i] = 0;
|
|
|
265 |
}
|
|
|
266 |
}
|
|
|
267 |
}
|
|
|
268 |
for (i = 0; i < 4; i++) {
|
|
|
269 |
for (j = 0; j < 4; j++) {
|
|
|
270 |
iG[i][j] = AA[i][j + 4];
|
|
|
271 |
}
|
|
|
272 |
}
|
|
|
273 |
|
|
|
274 |
int s;
|
|
|
275 |
for (t = 0; t < 256; t++) {
|
|
|
276 |
s = S[t];
|
|
|
277 |
T1[t] = mul4(s, G[0]);
|
|
|
278 |
T2[t] = mul4(s, G[1]);
|
|
|
279 |
T3[t] = mul4(s, G[2]);
|
|
|
280 |
T4[t] = mul4(s, G[3]);
|
|
|
281 |
|
|
|
282 |
s = Si[t];
|
|
|
283 |
T5[t] = mul4(s, iG[0]);
|
|
|
284 |
T6[t] = mul4(s, iG[1]);
|
|
|
285 |
T7[t] = mul4(s, iG[2]);
|
|
|
286 |
T8[t] = mul4(s, iG[3]);
|
|
|
287 |
|
|
|
288 |
U1[t] = mul4(t, iG[0]);
|
|
|
289 |
U2[t] = mul4(t, iG[1]);
|
|
|
290 |
U3[t] = mul4(t, iG[2]);
|
|
|
291 |
U4[t] = mul4(t, iG[3]);
|
|
|
292 |
}
|
|
|
293 |
//
|
|
|
294 |
// round constants
|
|
|
295 |
//
|
|
|
296 |
rcon[0] = 1;
|
|
|
297 |
int r = 1;
|
|
|
298 |
for (t = 1; t < 30; t++) {
|
|
|
299 |
r = mul(2, r);
|
|
|
300 |
rcon[t] = (byte) r;
|
|
|
301 |
}
|
|
|
302 |
log = null;
|
|
|
303 |
alog = null;
|
|
|
304 |
}
|
|
|
305 |
|
|
|
306 |
// multiply two elements of GF(2^m)
|
|
|
307 |
private static final int mul (int a, int b) {
|
|
|
308 |
return (a != 0 && b != 0) ?
|
|
|
309 |
alog[(log[a & 0xFF] + log[b & 0xFF]) % 255] :
|
|
|
310 |
0;
|
|
|
311 |
}
|
|
|
312 |
|
|
|
313 |
// convenience method used in generating Transposition boxes
|
|
|
314 |
private static final int mul4 (int a, byte[] b) {
|
|
|
315 |
if (a == 0) return 0;
|
|
|
316 |
a = log[a & 0xFF];
|
|
|
317 |
int a0 = (b[0] != 0) ? alog[(a + log[b[0] & 0xFF]) % 255] & 0xFF : 0;
|
|
|
318 |
int a1 = (b[1] != 0) ? alog[(a + log[b[1] & 0xFF]) % 255] & 0xFF : 0;
|
|
|
319 |
int a2 = (b[2] != 0) ? alog[(a + log[b[2] & 0xFF]) % 255] & 0xFF : 0;
|
|
|
320 |
int a3 = (b[3] != 0) ? alog[(a + log[b[3] & 0xFF]) % 255] & 0xFF : 0;
|
|
|
321 |
return a0 << 24 | a1 << 16 | a2 << 8 | a3;
|
|
|
322 |
}
|
|
|
323 |
|
|
|
324 |
// check if the specified length (in bytes) is a valid keysize for AES
|
|
|
325 |
static final boolean isKeySizeValid(int len) {
|
|
|
326 |
for (int i = 0; i < AES_KEYSIZES.length; i++) {
|
|
|
327 |
if (len == AES_KEYSIZES[i]) {
|
|
|
328 |
return true;
|
|
|
329 |
}
|
|
|
330 |
}
|
|
|
331 |
return false;
|
|
|
332 |
}
|
|
|
333 |
|
|
|
334 |
/**
|
|
|
335 |
* Encrypt exactly one block of plaintext.
|
|
|
336 |
*/
|
|
|
337 |
void encryptBlock(byte[] in, int inOffset,
|
|
|
338 |
byte[] out, int outOffset)
|
|
|
339 |
{
|
|
|
340 |
int keyOffset = 0;
|
|
|
341 |
int t0 = ((in[inOffset++] ) << 24 |
|
|
|
342 |
(in[inOffset++] & 0xFF) << 16 |
|
|
|
343 |
(in[inOffset++] & 0xFF) << 8 |
|
|
|
344 |
(in[inOffset++] & 0xFF) ) ^ K[keyOffset++];
|
|
|
345 |
int t1 = ((in[inOffset++] ) << 24 |
|
|
|
346 |
(in[inOffset++] & 0xFF) << 16 |
|
|
|
347 |
(in[inOffset++] & 0xFF) << 8 |
|
|
|
348 |
(in[inOffset++] & 0xFF) ) ^ K[keyOffset++];
|
|
|
349 |
int t2 = ((in[inOffset++] ) << 24 |
|
|
|
350 |
(in[inOffset++] & 0xFF) << 16 |
|
|
|
351 |
(in[inOffset++] & 0xFF) << 8 |
|
|
|
352 |
(in[inOffset++] & 0xFF) ) ^ K[keyOffset++];
|
|
|
353 |
int t3 = ((in[inOffset++] ) << 24 |
|
|
|
354 |
(in[inOffset++] & 0xFF) << 16 |
|
|
|
355 |
(in[inOffset++] & 0xFF) << 8 |
|
|
|
356 |
(in[inOffset++] & 0xFF) ) ^ K[keyOffset++];
|
|
|
357 |
|
|
|
358 |
// apply round transforms
|
|
|
359 |
while( keyOffset < limit )
|
|
|
360 |
{
|
|
|
361 |
int a0, a1, a2;
|
|
|
362 |
a0 = T1[(t0 >>> 24) ] ^
|
|
|
363 |
T2[(t1 >>> 16) & 0xFF] ^
|
|
|
364 |
T3[(t2 >>> 8) & 0xFF] ^
|
|
|
365 |
T4[(t3 ) & 0xFF] ^ K[keyOffset++];
|
|
|
366 |
a1 = T1[(t1 >>> 24) ] ^
|
|
|
367 |
T2[(t2 >>> 16) & 0xFF] ^
|
|
|
368 |
T3[(t3 >>> 8) & 0xFF] ^
|
|
|
369 |
T4[(t0 ) & 0xFF] ^ K[keyOffset++];
|
|
|
370 |
a2 = T1[(t2 >>> 24) ] ^
|
|
|
371 |
T2[(t3 >>> 16) & 0xFF] ^
|
|
|
372 |
T3[(t0 >>> 8) & 0xFF] ^
|
|
|
373 |
T4[(t1 ) & 0xFF] ^ K[keyOffset++];
|
|
|
374 |
t3 = T1[(t3 >>> 24) ] ^
|
|
|
375 |
T2[(t0 >>> 16) & 0xFF] ^
|
|
|
376 |
T3[(t1 >>> 8) & 0xFF] ^
|
|
|
377 |
T4[(t2 ) & 0xFF] ^ K[keyOffset++];
|
|
|
378 |
t0 = a0; t1 = a1; t2 = a2;
|
|
|
379 |
}
|
|
|
380 |
|
|
|
381 |
// last round is special
|
|
|
382 |
int tt = K[keyOffset++];
|
|
|
383 |
out[outOffset++] = (byte)(S[(t0 >>> 24) ] ^ (tt >>> 24));
|
|
|
384 |
out[outOffset++] = (byte)(S[(t1 >>> 16) & 0xFF] ^ (tt >>> 16));
|
|
|
385 |
out[outOffset++] = (byte)(S[(t2 >>> 8) & 0xFF] ^ (tt >>> 8));
|
|
|
386 |
out[outOffset++] = (byte)(S[(t3 ) & 0xFF] ^ (tt ));
|
|
|
387 |
tt = K[keyOffset++];
|
|
|
388 |
out[outOffset++] = (byte)(S[(t1 >>> 24) ] ^ (tt >>> 24));
|
|
|
389 |
out[outOffset++] = (byte)(S[(t2 >>> 16) & 0xFF] ^ (tt >>> 16));
|
|
|
390 |
out[outOffset++] = (byte)(S[(t3 >>> 8) & 0xFF] ^ (tt >>> 8));
|
|
|
391 |
out[outOffset++] = (byte)(S[(t0 ) & 0xFF] ^ (tt ));
|
|
|
392 |
tt = K[keyOffset++];
|
|
|
393 |
out[outOffset++] = (byte)(S[(t2 >>> 24) ] ^ (tt >>> 24));
|
|
|
394 |
out[outOffset++] = (byte)(S[(t3 >>> 16) & 0xFF] ^ (tt >>> 16));
|
|
|
395 |
out[outOffset++] = (byte)(S[(t0 >>> 8) & 0xFF] ^ (tt >>> 8));
|
|
|
396 |
out[outOffset++] = (byte)(S[(t1 ) & 0xFF] ^ (tt ));
|
|
|
397 |
tt = K[keyOffset++];
|
|
|
398 |
out[outOffset++] = (byte)(S[(t3 >>> 24) ] ^ (tt >>> 24));
|
|
|
399 |
out[outOffset++] = (byte)(S[(t0 >>> 16) & 0xFF] ^ (tt >>> 16));
|
|
|
400 |
out[outOffset++] = (byte)(S[(t1 >>> 8) & 0xFF] ^ (tt >>> 8));
|
|
|
401 |
out[outOffset ] = (byte)(S[(t2 ) & 0xFF] ^ (tt ));
|
|
|
402 |
}
|
|
|
403 |
|
|
|
404 |
|
|
|
405 |
/**
|
|
|
406 |
* Decrypt exactly one block of plaintext.
|
|
|
407 |
*/
|
|
|
408 |
void decryptBlock(byte[] in, int inOffset,
|
|
|
409 |
byte[] out, int outOffset)
|
|
|
410 |
{
|
|
|
411 |
int keyOffset = 4;
|
|
|
412 |
int t0 = ((in[inOffset++] ) << 24 |
|
|
|
413 |
(in[inOffset++] & 0xFF) << 16 |
|
|
|
414 |
(in[inOffset++] & 0xFF) << 8 |
|
|
|
415 |
(in[inOffset++] & 0xFF) ) ^ K[keyOffset++];
|
|
|
416 |
int t1 = ((in[inOffset++] ) << 24 |
|
|
|
417 |
(in[inOffset++] & 0xFF) << 16 |
|
|
|
418 |
(in[inOffset++] & 0xFF) << 8 |
|
|
|
419 |
(in[inOffset++] & 0xFF) ) ^ K[keyOffset++];
|
|
|
420 |
int t2 = ((in[inOffset++] ) << 24 |
|
|
|
421 |
(in[inOffset++] & 0xFF) << 16 |
|
|
|
422 |
(in[inOffset++] & 0xFF) << 8 |
|
|
|
423 |
(in[inOffset++] & 0xFF) ) ^ K[keyOffset++];
|
|
|
424 |
int t3 = ((in[inOffset++] ) << 24 |
|
|
|
425 |
(in[inOffset++] & 0xFF) << 16 |
|
|
|
426 |
(in[inOffset++] & 0xFF) << 8 |
|
|
|
427 |
(in[inOffset ] & 0xFF) ) ^ K[keyOffset++];
|
|
|
428 |
|
|
|
429 |
int a0, a1, a2;
|
|
|
430 |
if(ROUNDS_12)
|
|
|
431 |
{
|
|
|
432 |
a0 = T5[(t0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^
|
|
|
433 |
T7[(t2>>> 8)&0xFF] ^ T8[(t1 )&0xFF] ^ K[keyOffset++];
|
|
|
434 |
a1 = T5[(t1>>>24) ] ^ T6[(t0>>>16)&0xFF] ^
|
|
|
435 |
T7[(t3>>> 8)&0xFF] ^ T8[(t2 )&0xFF] ^ K[keyOffset++];
|
|
|
436 |
a2 = T5[(t2>>>24) ] ^ T6[(t1>>>16)&0xFF] ^
|
|
|
437 |
T7[(t0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++];
|
|
|
438 |
t3 = T5[(t3>>>24) ] ^ T6[(t2>>>16)&0xFF] ^
|
|
|
439 |
T7[(t1>>> 8)&0xFF] ^ T8[(t0 )&0xFF] ^ K[keyOffset++];
|
|
|
440 |
t0 = T5[(a0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^
|
|
|
441 |
T7[(a2>>> 8)&0xFF] ^ T8[(a1 )&0xFF] ^ K[keyOffset++];
|
|
|
442 |
t1 = T5[(a1>>>24) ] ^ T6[(a0>>>16)&0xFF] ^
|
|
|
443 |
T7[(t3>>> 8)&0xFF] ^ T8[(a2 )&0xFF] ^ K[keyOffset++];
|
|
|
444 |
t2 = T5[(a2>>>24) ] ^ T6[(a1>>>16)&0xFF] ^
|
|
|
445 |
T7[(a0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++];
|
|
|
446 |
t3 = T5[(t3>>>24) ] ^ T6[(a2>>>16)&0xFF] ^
|
|
|
447 |
T7[(a1>>> 8)&0xFF] ^ T8[(a0 )&0xFF] ^ K[keyOffset++];
|
|
|
448 |
|
|
|
449 |
if(ROUNDS_14)
|
|
|
450 |
{
|
|
|
451 |
a0 = T5[(t0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^
|
|
|
452 |
T7[(t2>>> 8)&0xFF] ^ T8[(t1 )&0xFF] ^ K[keyOffset++];
|
|
|
453 |
a1 = T5[(t1>>>24) ] ^ T6[(t0>>>16)&0xFF] ^
|
|
|
454 |
T7[(t3>>> 8)&0xFF] ^ T8[(t2 )&0xFF] ^ K[keyOffset++];
|
|
|
455 |
a2 = T5[(t2>>>24) ] ^ T6[(t1>>>16)&0xFF] ^
|
|
|
456 |
T7[(t0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++];
|
|
|
457 |
t3 = T5[(t3>>>24) ] ^ T6[(t2>>>16)&0xFF] ^
|
|
|
458 |
T7[(t1>>> 8)&0xFF] ^ T8[(t0 )&0xFF] ^ K[keyOffset++];
|
|
|
459 |
t0 = T5[(a0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^
|
|
|
460 |
T7[(a2>>> 8)&0xFF] ^ T8[(a1 )&0xFF] ^ K[keyOffset++];
|
|
|
461 |
t1 = T5[(a1>>>24) ] ^ T6[(a0>>>16)&0xFF] ^
|
|
|
462 |
T7[(t3>>> 8)&0xFF] ^ T8[(a2 )&0xFF] ^ K[keyOffset++];
|
|
|
463 |
t2 = T5[(a2>>>24) ] ^ T6[(a1>>>16)&0xFF] ^
|
|
|
464 |
T7[(a0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++];
|
|
|
465 |
t3 = T5[(t3>>>24) ] ^ T6[(a2>>>16)&0xFF] ^
|
|
|
466 |
T7[(a1>>> 8)&0xFF] ^ T8[(a0 )&0xFF] ^ K[keyOffset++];
|
|
|
467 |
}
|
|
|
468 |
}
|
|
|
469 |
a0 = T5[(t0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^
|
|
|
470 |
T7[(t2>>> 8)&0xFF] ^ T8[(t1 )&0xFF] ^ K[keyOffset++];
|
|
|
471 |
a1 = T5[(t1>>>24) ] ^ T6[(t0>>>16)&0xFF] ^
|
|
|
472 |
T7[(t3>>> 8)&0xFF] ^ T8[(t2 )&0xFF] ^ K[keyOffset++];
|
|
|
473 |
a2 = T5[(t2>>>24) ] ^ T6[(t1>>>16)&0xFF] ^
|
|
|
474 |
T7[(t0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++];
|
|
|
475 |
t3 = T5[(t3>>>24) ] ^ T6[(t2>>>16)&0xFF] ^
|
|
|
476 |
T7[(t1>>> 8)&0xFF] ^ T8[(t0 )&0xFF] ^ K[keyOffset++];
|
|
|
477 |
t0 = T5[(a0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^
|
|
|
478 |
T7[(a2>>> 8)&0xFF] ^ T8[(a1 )&0xFF] ^ K[keyOffset++];
|
|
|
479 |
t1 = T5[(a1>>>24) ] ^ T6[(a0>>>16)&0xFF] ^
|
|
|
480 |
T7[(t3>>> 8)&0xFF] ^ T8[(a2 )&0xFF] ^ K[keyOffset++];
|
|
|
481 |
t2 = T5[(a2>>>24) ] ^ T6[(a1>>>16)&0xFF] ^
|
|
|
482 |
T7[(a0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++];
|
|
|
483 |
t3 = T5[(t3>>>24) ] ^ T6[(a2>>>16)&0xFF] ^
|
|
|
484 |
T7[(a1>>> 8)&0xFF] ^ T8[(a0 )&0xFF] ^ K[keyOffset++];
|
|
|
485 |
a0 = T5[(t0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^
|
|
|
486 |
T7[(t2>>> 8)&0xFF] ^ T8[(t1 )&0xFF] ^ K[keyOffset++];
|
|
|
487 |
a1 = T5[(t1>>>24) ] ^ T6[(t0>>>16)&0xFF] ^
|
|
|
488 |
T7[(t3>>> 8)&0xFF] ^ T8[(t2 )&0xFF] ^ K[keyOffset++];
|
|
|
489 |
a2 = T5[(t2>>>24) ] ^ T6[(t1>>>16)&0xFF] ^
|
|
|
490 |
T7[(t0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++];
|
|
|
491 |
t3 = T5[(t3>>>24) ] ^ T6[(t2>>>16)&0xFF] ^
|
|
|
492 |
T7[(t1>>> 8)&0xFF] ^ T8[(t0 )&0xFF] ^ K[keyOffset++];
|
|
|
493 |
t0 = T5[(a0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^
|
|
|
494 |
T7[(a2>>> 8)&0xFF] ^ T8[(a1 )&0xFF] ^ K[keyOffset++];
|
|
|
495 |
t1 = T5[(a1>>>24) ] ^ T6[(a0>>>16)&0xFF] ^
|
|
|
496 |
T7[(t3>>> 8)&0xFF] ^ T8[(a2 )&0xFF] ^ K[keyOffset++];
|
|
|
497 |
t2 = T5[(a2>>>24) ] ^ T6[(a1>>>16)&0xFF] ^
|
|
|
498 |
T7[(a0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++];
|
|
|
499 |
t3 = T5[(t3>>>24) ] ^ T6[(a2>>>16)&0xFF] ^
|
|
|
500 |
T7[(a1>>> 8)&0xFF] ^ T8[(a0 )&0xFF] ^ K[keyOffset++];
|
|
|
501 |
a0 = T5[(t0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^
|
|
|
502 |
T7[(t2>>> 8)&0xFF] ^ T8[(t1 )&0xFF] ^ K[keyOffset++];
|
|
|
503 |
a1 = T5[(t1>>>24) ] ^ T6[(t0>>>16)&0xFF] ^
|
|
|
504 |
T7[(t3>>> 8)&0xFF] ^ T8[(t2 )&0xFF] ^ K[keyOffset++];
|
|
|
505 |
a2 = T5[(t2>>>24) ] ^ T6[(t1>>>16)&0xFF] ^
|
|
|
506 |
T7[(t0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++];
|
|
|
507 |
t3 = T5[(t3>>>24) ] ^ T6[(t2>>>16)&0xFF] ^
|
|
|
508 |
T7[(t1>>> 8)&0xFF] ^ T8[(t0 )&0xFF] ^ K[keyOffset++];
|
|
|
509 |
t0 = T5[(a0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^
|
|
|
510 |
T7[(a2>>> 8)&0xFF] ^ T8[(a1 )&0xFF] ^ K[keyOffset++];
|
|
|
511 |
t1 = T5[(a1>>>24) ] ^ T6[(a0>>>16)&0xFF] ^
|
|
|
512 |
T7[(t3>>> 8)&0xFF] ^ T8[(a2 )&0xFF] ^ K[keyOffset++];
|
|
|
513 |
t2 = T5[(a2>>>24) ] ^ T6[(a1>>>16)&0xFF] ^
|
|
|
514 |
T7[(a0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++];
|
|
|
515 |
t3 = T5[(t3>>>24) ] ^ T6[(a2>>>16)&0xFF] ^
|
|
|
516 |
T7[(a1>>> 8)&0xFF] ^ T8[(a0 )&0xFF] ^ K[keyOffset++];
|
|
|
517 |
a0 = T5[(t0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^
|
|
|
518 |
T7[(t2>>> 8)&0xFF] ^ T8[(t1 )&0xFF] ^ K[keyOffset++];
|
|
|
519 |
a1 = T5[(t1>>>24) ] ^ T6[(t0>>>16)&0xFF] ^
|
|
|
520 |
T7[(t3>>> 8)&0xFF] ^ T8[(t2 )&0xFF] ^ K[keyOffset++];
|
|
|
521 |
a2 = T5[(t2>>>24) ] ^ T6[(t1>>>16)&0xFF] ^
|
|
|
522 |
T7[(t0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++];
|
|
|
523 |
t3 = T5[(t3>>>24) ] ^ T6[(t2>>>16)&0xFF] ^
|
|
|
524 |
T7[(t1>>> 8)&0xFF] ^ T8[(t0 )&0xFF] ^ K[keyOffset++];
|
|
|
525 |
t0 = T5[(a0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^
|
|
|
526 |
T7[(a2>>> 8)&0xFF] ^ T8[(a1 )&0xFF] ^ K[keyOffset++];
|
|
|
527 |
t1 = T5[(a1>>>24) ] ^ T6[(a0>>>16)&0xFF] ^
|
|
|
528 |
T7[(t3>>> 8)&0xFF] ^ T8[(a2 )&0xFF] ^ K[keyOffset++];
|
|
|
529 |
t2 = T5[(a2>>>24) ] ^ T6[(a1>>>16)&0xFF] ^
|
|
|
530 |
T7[(a0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++];
|
|
|
531 |
t3 = T5[(t3>>>24) ] ^ T6[(a2>>>16)&0xFF] ^
|
|
|
532 |
T7[(a1>>> 8)&0xFF] ^ T8[(a0 )&0xFF] ^ K[keyOffset++];
|
|
|
533 |
a0 = T5[(t0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^
|
|
|
534 |
T7[(t2>>> 8)&0xFF] ^ T8[(t1 )&0xFF] ^ K[keyOffset++];
|
|
|
535 |
a1 = T5[(t1>>>24) ] ^ T6[(t0>>>16)&0xFF] ^
|
|
|
536 |
T7[(t3>>> 8)&0xFF] ^ T8[(t2 )&0xFF] ^ K[keyOffset++];
|
|
|
537 |
a2 = T5[(t2>>>24) ] ^ T6[(t1>>>16)&0xFF] ^
|
|
|
538 |
T7[(t0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++];
|
|
|
539 |
t3 = T5[(t3>>>24) ] ^ T6[(t2>>>16)&0xFF] ^
|
|
|
540 |
T7[(t1>>> 8)&0xFF] ^ T8[(t0 )&0xFF] ^ K[keyOffset++];
|
|
|
541 |
|
|
|
542 |
t1 = K[0];
|
|
|
543 |
out[outOffset++] = (byte)(Si[(a0 >>> 24) ] ^ (t1 >>> 24));
|
|
|
544 |
out[outOffset++] = (byte)(Si[(t3 >>> 16) & 0xFF] ^ (t1 >>> 16));
|
|
|
545 |
out[outOffset++] = (byte)(Si[(a2 >>> 8) & 0xFF] ^ (t1 >>> 8));
|
|
|
546 |
out[outOffset++] = (byte)(Si[(a1 ) & 0xFF] ^ (t1 ));
|
|
|
547 |
t1 = K[1];
|
|
|
548 |
out[outOffset++] = (byte)(Si[(a1 >>> 24) ] ^ (t1 >>> 24));
|
|
|
549 |
out[outOffset++] = (byte)(Si[(a0 >>> 16) & 0xFF] ^ (t1 >>> 16));
|
|
|
550 |
out[outOffset++] = (byte)(Si[(t3 >>> 8) & 0xFF] ^ (t1 >>> 8));
|
|
|
551 |
out[outOffset++] = (byte)(Si[(a2 ) & 0xFF] ^ (t1 ));
|
|
|
552 |
t1 = K[2];
|
|
|
553 |
out[outOffset++] = (byte)(Si[(a2 >>> 24) ] ^ (t1 >>> 24));
|
|
|
554 |
out[outOffset++] = (byte)(Si[(a1 >>> 16) & 0xFF] ^ (t1 >>> 16));
|
|
|
555 |
out[outOffset++] = (byte)(Si[(a0 >>> 8) & 0xFF] ^ (t1 >>> 8));
|
|
|
556 |
out[outOffset++] = (byte)(Si[(t3 ) & 0xFF] ^ (t1 ));
|
|
|
557 |
t1 = K[3];
|
|
|
558 |
out[outOffset++] = (byte)(Si[(t3 >>> 24) ] ^ (t1 >>> 24));
|
|
|
559 |
out[outOffset++] = (byte)(Si[(a2 >>> 16) & 0xFF] ^ (t1 >>> 16));
|
|
|
560 |
out[outOffset++] = (byte)(Si[(a1 >>> 8) & 0xFF] ^ (t1 >>> 8));
|
|
|
561 |
out[outOffset ] = (byte)(Si[(a0 ) & 0xFF] ^ (t1 ));
|
|
|
562 |
}
|
|
|
563 |
|
|
|
564 |
|
|
|
565 |
/**
|
|
|
566 |
* Expand a user-supplied key material into a session key.
|
|
|
567 |
*
|
|
|
568 |
* @param key The 128/192/256-bit user-key to use.
|
|
|
569 |
* @exception InvalidKeyException If the key is invalid.
|
|
|
570 |
*/
|
|
|
571 |
private static Object[] makeKey(byte[] k) throws InvalidKeyException {
|
|
|
572 |
if (k == null) {
|
|
|
573 |
throw new InvalidKeyException("Empty key");
|
|
|
574 |
}
|
|
|
575 |
if (!isKeySizeValid(k.length)) {
|
|
|
576 |
throw new InvalidKeyException("Invalid AES key length: " +
|
|
|
577 |
k.length + " bytes");
|
|
|
578 |
}
|
|
|
579 |
int ROUNDS = getRounds(k.length);
|
|
|
580 |
int ROUND_KEY_COUNT = (ROUNDS + 1) * 4;
|
|
|
581 |
|
|
|
582 |
int BC = 4;
|
|
|
583 |
int[][] Ke = new int[ROUNDS + 1][4]; // encryption round keys
|
|
|
584 |
int[][] Kd = new int[ROUNDS + 1][4]; // decryption round keys
|
|
|
585 |
|
|
|
586 |
int KC = k.length/4; // keylen in 32-bit elements
|
|
|
587 |
|
|
|
588 |
int[] tk = new int[KC];
|
|
|
589 |
int i, j;
|
|
|
590 |
|
|
|
591 |
// copy user material bytes into temporary ints
|
|
|
592 |
for (i = 0, j = 0; i < KC; i++, j+=4) {
|
|
|
593 |
tk[i] = (k[j] ) << 24 |
|
|
|
594 |
(k[j+1] & 0xFF) << 16 |
|
|
|
595 |
(k[j+2] & 0xFF) << 8 |
|
|
|
596 |
(k[j+3] & 0xFF);
|
|
|
597 |
}
|
|
|
598 |
|
|
|
599 |
// copy values into round key arrays
|
|
|
600 |
int t = 0;
|
|
|
601 |
for (j = 0; (j < KC) && (t < ROUND_KEY_COUNT); j++, t++) {
|
|
|
602 |
Ke[t / 4][t % 4] = tk[j];
|
|
|
603 |
Kd[ROUNDS - (t / 4)][t % 4] = tk[j];
|
|
|
604 |
}
|
|
|
605 |
int tt, rconpointer = 0;
|
|
|
606 |
while (t < ROUND_KEY_COUNT) {
|
|
|
607 |
// extrapolate using phi (the round key evolution function)
|
|
|
608 |
tt = tk[KC - 1];
|
|
|
609 |
tk[0] ^= (S[(tt >>> 16) & 0xFF] ) << 24 ^
|
|
|
610 |
(S[(tt >>> 8) & 0xFF] & 0xFF) << 16 ^
|
|
|
611 |
(S[(tt ) & 0xFF] & 0xFF) << 8 ^
|
|
|
612 |
(S[(tt >>> 24) ] & 0xFF) ^
|
|
|
613 |
(rcon[rconpointer++] ) << 24;
|
|
|
614 |
if (KC != 8)
|
|
|
615 |
for (i = 1, j = 0; i < KC; i++, j++) tk[i] ^= tk[j];
|
|
|
616 |
else {
|
|
|
617 |
for (i = 1, j = 0; i < KC / 2; i++, j++) tk[i] ^= tk[j];
|
|
|
618 |
tt = tk[KC / 2 - 1];
|
|
|
619 |
tk[KC / 2] ^= (S[(tt ) & 0xFF] & 0xFF) ^
|
|
|
620 |
(S[(tt >>> 8) & 0xFF] & 0xFF) << 8 ^
|
|
|
621 |
(S[(tt >>> 16) & 0xFF] & 0xFF) << 16 ^
|
|
|
622 |
(S[(tt >>> 24) ] ) << 24;
|
|
|
623 |
for (j = KC / 2, i = j + 1; i < KC; i++, j++) tk[i] ^= tk[j];
|
|
|
624 |
}
|
|
|
625 |
// copy values into round key arrays
|
|
|
626 |
for (j = 0; (j < KC) && (t < ROUND_KEY_COUNT); j++, t++) {
|
|
|
627 |
Ke[t / 4][t % 4] = tk[j];
|
|
|
628 |
Kd[ROUNDS - (t / 4)][t % 4] = tk[j];
|
|
|
629 |
}
|
|
|
630 |
}
|
|
|
631 |
for (int r = 1; r < ROUNDS; r++) {
|
|
|
632 |
// inverse MixColumn where needed
|
|
|
633 |
for (j = 0; j < BC; j++) {
|
|
|
634 |
tt = Kd[r][j];
|
|
|
635 |
Kd[r][j] = U1[(tt >>> 24) & 0xFF] ^
|
|
|
636 |
U2[(tt >>> 16) & 0xFF] ^
|
|
|
637 |
U3[(tt >>> 8) & 0xFF] ^
|
|
|
638 |
U4[ tt & 0xFF];
|
|
|
639 |
}
|
|
|
640 |
}
|
|
|
641 |
// assemble the encryption (Ke) and decryption (Kd) round keys into
|
|
|
642 |
// one sessionKey object
|
|
|
643 |
Object[] result = new Object[] {Ke, Kd};
|
|
|
644 |
return result;
|
|
|
645 |
}
|
|
|
646 |
|
|
|
647 |
|
|
|
648 |
/**
|
|
|
649 |
* Return The number of rounds for a given Rijndael keysize.
|
|
|
650 |
*
|
|
|
651 |
* @param keySize The size of the user key material in bytes.
|
|
|
652 |
* MUST be one of (16, 24, 32).
|
|
|
653 |
* @return The number of rounds.
|
|
|
654 |
*/
|
|
|
655 |
private static int getRounds(int keySize) {
|
|
|
656 |
return (keySize >> 2) + 6;
|
|
|
657 |
}
|
|
|
658 |
}
|