1 /*

     2  * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.

     3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

     4  *

     5  * This code is free software; you can redistribute it and/or modify it

     6  * under the terms of the GNU General Public License version 2 only, as

     7  * published by the Free Software Foundation.  Oracle designates this

     8  * particular file as subject to the "Classpath" exception as provided

     9  * by Oracle in the LICENSE file that accompanied this code.

    10  *

    11  * This code is distributed in the hope that it will be useful, but WITHOUT

    12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

    13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

    14  * version 2 for more details (a copy is included in the LICENSE file that

    15  * accompanied this code).

    16  *

    17  * You should have received a copy of the GNU General Public License version

    18  * 2 along with this work; if not, write to the Free Software Foundation,

    19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

    20  *

    21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

    22  * or visit www.oracle.com if you need additional information or have any

    23  * questions.

    24  */

    25 

    26 package sun.security.provider;

    27 

    28 import javax.crypto.Mac;

    29 import javax.crypto.spec.SecretKeySpec;

    30 import java.security.InvalidKeyException;

    31 import java.security.NoSuchAlgorithmException;

    32 import java.security.NoSuchProviderException;

    33 import java.security.SecureRandomParameters;

    34 import java.util.Arrays;

    35 import java.util.Collections;

    36 import java.util.List;

    37 

    38 public class HmacDrbg extends AbstractHashDrbg {

    39 

    40     private Mac mac;

    41 

    42     private String macAlg;

    43 

    44     private byte[] v;

    45     private byte[] k;

    46 

    47     public HmacDrbg(SecureRandomParameters params) {

    48         mechName = "HMAC_DRBG";

    49         configure(params);

    50     }

    51 

    52     private void status() {

    53         if (debug != null) {

    54             debug.println(this, "V = " + hex(v));

    55             debug.println(this, "Key = " + hex(k));

    56             debug.println(this, "reseed counter = " + reseedCounter);

    57         }

    58     }

    59 

    60     // 800-90Ar1 10.1.2.2: HMAC_DRBG Update Process

    61     private void update(List<byte[]> inputs) {

    62         try {

    63             // Step 1. K = HMAC (K, V || 0x00 || provided_data).

    64             mac.init(new SecretKeySpec(k, macAlg));

    65             mac.update(v);

    66             mac.update((byte) 0);

    67             for (byte[] input: inputs) {

    68                 mac.update(input);

    69             }

    70             k = mac.doFinal();

    71 

    72             // Step 2. V = HMAC (K, V).

    73             mac.init(new SecretKeySpec(k, macAlg));

    74             v = mac.doFinal(v);

    75 

    76             if (!inputs.isEmpty()) {

    77                 // Step 4. K = HMAC (K, V || 0x01 || provided_data).

    78                 mac.update(v);

    79                 mac.update((byte) 1);

    80                 for (byte[] input: inputs) {

    81                     mac.update(input);

    82                 }

    83                 k = mac.doFinal();

    84 

    85                 // Step 5. V=HMAC(K,V).

    86                 mac.init(new SecretKeySpec(k, macAlg));

    87                 v = mac.doFinal(v);

    88             } // else Step 3

    89 

    90             // Step 6. Return

    91         } catch (InvalidKeyException e) {

    92             throw new InternalError(e);

    93         }

    94     }

    95 

    96     /**

    97      * This call, used by the constructors, instantiates the digest.

    98      */

    99     @Override

   100     protected void initEngine() {

   101         macAlg = "HmacSHA" + algorithm.substring(4);

   102         try {

   103             /*

   104              * Use the local SunJCE implementation to avoid native

   105              * performance overhead.

   106              */

   107             mac = Mac.getInstance(macAlg, "SunJCE");

   108         } catch (NoSuchProviderException | NoSuchAlgorithmException e) {

   109             // Fallback to any available.

   110             try {

   111                 mac = Mac.getInstance(macAlg);

   112             } catch (NoSuchAlgorithmException exc) {

   113                 throw new InternalError(

   114                     "internal error: " + macAlg + " not available.", exc);

   115             }

   116         }

   117     }

   118 

   119     // This method is used by both instantiation and reseeding.

   120     @Override

   121     protected final synchronized void hashReseedInternal(List<byte[]> input) {

   122 

   123         // 800-90Ar1 10.1.2.3: Instantiate Process.

   124         // 800-90Ar1 10.1.2.4: Reseed Process.

   125         if (v == null) {

   126             k = new byte[outLen];

   127             v = new byte[outLen];

   128             Arrays.fill(v, (byte) 1);

   129         }

   130 

   131         // Step 2: HMAC_DRBG_Update

   132         update(input);

   133 

   134         // Step 3: reseed_counter = 1.

   135         reseedCounter = 1;

   136         //status();

   137 

   138         // Step 4: Return

   139     }

   140 

   141     /**

   142      * Generates a user-specified number of random bytes.

   143      *

   144      * @param result the array to be filled in with random bytes.

   145      */

   146     @Override

   147     public synchronized void generateAlgorithm(

   148             byte[] result, byte[] additionalInput) {

   149 

   150         if (debug != null) {

   151             debug.println(this, "generateAlgorithm");

   152         }

   153 

   154         // 800-90Ar1 10.1.2.5: HMAC_DRBG_Generate Process

   155 

   156         // Step 1: Check reseed_counter. Will not fail. Already checked in

   157         // AbstractDrbg#engineNextBytes.

   158 

   159         // Step 2. HMAC_DRBG_Update

   160         if (additionalInput != null) {

   161             update(Collections.singletonList(additionalInput));

   162         }

   163 

   164         // Step 3. temp = Null.

   165         int pos = 0;

   166         int len = result.length;

   167 

   168         // Step 4. Loop

   169         while (len > 0) {

   170             // Step 4.1 V = HMAC (Key, V).

   171             try {

   172                 mac.init(new SecretKeySpec(k, macAlg));

   173             } catch (InvalidKeyException e) {

   174                 throw new InternalError(e);

   175             }

   176             v = mac.doFinal(v);

   177             // Step 4.2 temp = temp || V.

   178             System.arraycopy(v, 0, result, pos,

   179                     len > outLen ? outLen : len);

   180 

   181             len -= outLen;

   182             if (len <= 0) {

   183                 // shortcut, so that pos needn't be updated

   184                 break;

   185             }

   186             pos += outLen;

   187         }

   188 

   189         // Step 5: No need to truncate

   190 

   191         // Step 6. HMAC_DRBG_Update (additional_input, Key, V).

   192         if (additionalInput != null) {

   193             update(Collections.singletonList(additionalInput));

   194         } else {

   195             update(Collections.emptyList());

   196         }

   197 

   198         // Step 7. reseed_counter = reseed_counter + 1.

   199         reseedCounter++;

   200 

   201         //status();

   202 

   203         // Step 8. Return

   204     }

   205 }