/*
* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package com.sun.crypto.provider;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.VarHandle;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.security.*;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Objects;
import javax.crypto.*;
import javax.crypto.spec.ChaCha20ParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import sun.security.util.DerValue;
/**
* Implementation of the ChaCha20 cipher, as described in RFC 7539.
*
* @since 11
*/
abstract class ChaCha20Cipher extends CipherSpi {
// Mode constants
private static final int MODE_NONE = 0;
private static final int MODE_AEAD = 1;
// Constants used in setting up the initial state
private static final int STATE_CONST_0 = 0x61707865;
private static final int STATE_CONST_1 = 0x3320646e;
private static final int STATE_CONST_2 = 0x79622d32;
private static final int STATE_CONST_3 = 0x6b206574;
// The keystream block size in bytes and as integers
private static final int KEYSTREAM_SIZE = 64;
private static final int KS_SIZE_INTS = KEYSTREAM_SIZE / Integer.BYTES;
private static final int CIPHERBUF_BASE = 1024;
// The initialization state of the cipher
private boolean initialized;
// The mode of operation for this object
protected int mode;
// The direction (encrypt vs. decrypt) for the data flow
private int direction;
// Has all AAD data been provided (i.e. have we called our first update)
private boolean aadDone = false;
// The key's encoding in bytes for this object
private byte[] keyBytes;
// The nonce used for this object
private byte[] nonce;
// The counter
private static final long MAX_UINT32 = 0x00000000FFFFFFFFL;
private long finalCounterValue;
private long counter;
// Two arrays, both implemented as 16-element integer arrays:
// The base state, created at initialization time, and a working
// state which is a clone of the start state, and is then modified
// with the counter and the ChaCha20 block function.
private final int[] startState = new int[KS_SIZE_INTS];
private final byte[] keyStream = new byte[KEYSTREAM_SIZE];
// The offset into the current keystream
private int keyStrOffset;
// AEAD-related fields and constants
private static final int TAG_LENGTH = 16;
private long aadLen;
private long dataLen;
// Have a buffer of zero padding that can be read all or in part
// by the authenticator.
private static final byte[] padBuf = new byte[TAG_LENGTH];
// Create a buffer for holding the AAD and Ciphertext lengths
private final byte[] lenBuf = new byte[TAG_LENGTH];
// The authenticator (Poly1305) when running in AEAD mode
protected String authAlgName;
private Poly1305 authenticator;
// The underlying engine for doing the ChaCha20/Poly1305 work
private ChaChaEngine engine;
// Use this VarHandle for converting the state elements into little-endian
// integer values for the ChaCha20 block function.
private static final VarHandle asIntLittleEndian =
MethodHandles.byteArrayViewVarHandle(int[].class,
ByteOrder.LITTLE_ENDIAN);
// Use this VarHandle for converting the AAD and data lengths into
// little-endian long values for AEAD tag computations.
private static final VarHandle asLongLittleEndian =
MethodHandles.byteArrayViewVarHandle(long[].class,
ByteOrder.LITTLE_ENDIAN);
// Use this for pulling in 8 bytes at a time as longs for XOR operations
private static final VarHandle asLongView =
MethodHandles.byteArrayViewVarHandle(long[].class,
ByteOrder.nativeOrder());
/**
* Default constructor.
*/
protected ChaCha20Cipher() { }
/**
* Set the mode of operation. Since this is a stream cipher, there
* is no mode of operation in the block-cipher sense of things. The
* protected {@code mode} field will only accept a value of {@code None}
* (case-insensitive).
*
* @param mode The mode value
*
* @throws NoSuchAlgorithmException if a mode of operation besides
* {@code None} is provided.
*/
@Override
protected void engineSetMode(String mode) throws NoSuchAlgorithmException {
if (mode.equalsIgnoreCase("None") == false) {
throw new NoSuchAlgorithmException("Mode must be None");
}
}
/**
* Set the padding scheme. Padding schemes do not make sense with stream
* ciphers, but allow {@code NoPadding}. See JCE spec.
*
* @param padding The padding type. The only allowed value is
* {@code NoPadding} case insensitive).
*
* @throws NoSuchPaddingException if a padding scheme besides
* {@code NoPadding} is provided.
*/
@Override
protected void engineSetPadding(String padding)
throws NoSuchPaddingException {
if (padding.equalsIgnoreCase("NoPadding") == false) {
throw new NoSuchPaddingException("Padding must be NoPadding");
}
}
/**
* Returns the block size. For a stream cipher like ChaCha20, this
* value will always be zero.
*
* @return This method always returns 0. See the JCE Specification.
*/
@Override
protected int engineGetBlockSize() {
return 0;
}
/**
* Get the output size required to hold the result of the next update or
* doFinal operation. In simple stream-cipher
* mode, the output size will equal the input size. For ChaCha20-Poly1305
* for encryption the output size will be the sum of the input length
* and tag length. For decryption, the output size will be the input
* length plus any previously unprocessed data minus the tag
* length, minimum zero.
*
* @param inputLen the length in bytes of the input
*
* @return the output length in bytes.
*/
@Override
protected int engineGetOutputSize(int inputLen) {
return engine.getOutputSize(inputLen, true);
}
/**
* Get the nonce value used.
*
* @return the nonce bytes. For ChaCha20 this will be a 12-byte value.
*/
@Override
protected byte[] engineGetIV() {
return nonce.clone();
}
/**
* Get the algorithm parameters for this cipher. For the ChaCha20
* cipher, this will always return {@code null} as there currently is
* no {@code AlgorithmParameters} implementation for ChaCha20. For
* ChaCha20-Poly1305, a {@code ChaCha20Poly1305Parameters} object will be
* created and initialized with the configured nonce value and returned
* to the caller.
*
* @return a {@code null} value if the ChaCha20 cipher is used (mode is
* MODE_NONE), or a {@code ChaCha20Poly1305Parameters} object containing
* the nonce if the mode is MODE_AEAD.
*/
@Override
protected AlgorithmParameters engineGetParameters() {
AlgorithmParameters params = null;
if (mode == MODE_AEAD) {
try {
// Place the 12-byte nonce into a DER-encoded OCTET_STRING
params = AlgorithmParameters.getInstance("ChaCha20-Poly1305");
params.init((new DerValue(
DerValue.tag_OctetString, nonce).toByteArray()));
} catch (NoSuchAlgorithmException | IOException exc) {
throw new RuntimeException(exc);
}
}
return params;
}
/**
* Initialize the engine using a key and secure random implementation. If
* a SecureRandom object is provided it will be used to create a random
* nonce value. If the {@code random} parameter is null an internal
* secure random source will be used to create the random nonce.
* The counter value will be set to 1.
*
* @param opmode the type of operation to do. This value may not be
* {@code Cipher.DECRYPT_MODE} or {@code Cipher.UNWRAP_MODE} mode
* because it must generate random parameters like the nonce.
* @param key a 256-bit key suitable for ChaCha20
* @param random a {@code SecureRandom} implementation used to create the
* random nonce. If {@code null} is used for the random object,
* then an internal secure random source will be used to create the
* nonce.
*
* @throws UnsupportedOperationException if the mode of operation
* is {@code Cipher.WRAP_MODE} or {@code Cipher.UNWRAP_MODE}
* (currently unsupported).
* @throws InvalidKeyException if the key is of the wrong type or is
* not 256-bits in length. This will also be thrown if the opmode
* parameter is {@code Cipher.DECRYPT_MODE}.
* {@code Cipher.UNWRAP_MODE} would normally be disallowed in this
* context but it is preempted by the UOE case above.
*/
@Override
protected void engineInit(int opmode, Key key, SecureRandom random)
throws InvalidKeyException {
if (opmode != Cipher.DECRYPT_MODE) {
byte[] newNonce = createRandomNonce(random);
counter = 1;
init(opmode, key, newNonce);
} else {
throw new InvalidKeyException("Default parameter generation " +
"disallowed in DECRYPT and UNWRAP modes");
}
}
/**
* Initialize the engine using a key and secure random implementation.
*
* @param opmode the type of operation to do. This value must be either
* {@code Cipher.ENCRYPT_MODE} or {@code Cipher.DECRYPT_MODE}
* @param key a 256-bit key suitable for ChaCha20
* @param params a {@code ChaCha20ParameterSpec} that will provide
* the nonce and initial block counter value.
* @param random a {@code SecureRandom} implementation, this parameter
* is not used in this form of the initializer.
*
* @throws UnsupportedOperationException if the mode of operation
* is {@code Cipher.WRAP_MODE} or {@code Cipher.UNWRAP_MODE}
* (currently unsupported).
* @throws InvalidKeyException if the key is of the wrong type or is
* not 256-bits in length. This will also be thrown if the opmode
* parameter is not {@code Cipher.ENCRYPT_MODE} or
* {@code Cipher.DECRYPT_MODE} (excepting the UOE case above).
* @throws InvalidAlgorithmParameterException if {@code params} is
* not a {@code ChaCha20ParameterSpec}
* @throws NullPointerException if {@code params} is {@code null}
*/
@Override
protected void engineInit(int opmode, Key key,
AlgorithmParameterSpec params, SecureRandom random)
throws InvalidKeyException, InvalidAlgorithmParameterException {
// If AlgorithmParameterSpec is null, then treat this like an init
// of the form (int, Key, SecureRandom)
if (params == null) {
engineInit(opmode, key, random);
return;
}
// We will ignore the secure random implementation and use the nonce
// from the AlgorithmParameterSpec instead.
byte[] newNonce = null;
switch (mode) {
case MODE_NONE:
if (!(params instanceof ChaCha20ParameterSpec)) {
throw new InvalidAlgorithmParameterException(
"ChaCha20 algorithm requires ChaCha20ParameterSpec");
}
ChaCha20ParameterSpec chaParams = (ChaCha20ParameterSpec)params;
newNonce = chaParams.getNonce();
counter = ((long)chaParams.getCounter()) & 0x00000000FFFFFFFFL;
break;
case MODE_AEAD:
if (!(params instanceof IvParameterSpec)) {
throw new InvalidAlgorithmParameterException(
"ChaCha20-Poly1305 requires IvParameterSpec");
}
IvParameterSpec ivParams = (IvParameterSpec)params;
newNonce = ivParams.getIV();
if (newNonce.length != 12) {
throw new InvalidAlgorithmParameterException(
"ChaCha20-Poly1305 nonce must be 12 bytes in length");
}
break;
default:
// Should never happen
throw new RuntimeException("ChaCha20 in unsupported mode");
}
init(opmode, key, newNonce);
}
/**
* Initialize the engine using the {@code AlgorithmParameter} initialization
* format. This cipher does supports initialization with
* {@code AlgorithmParameter} objects for ChaCha20-Poly1305 but not for
* ChaCha20 as a simple stream cipher. In the latter case, it will throw
* an {@code InvalidAlgorithmParameterException} if the value is non-null.
* If a null value is supplied for the {@code params} field
* the cipher will be initialized with the counter value set to 1 and
* a random nonce. If {@code null} is used for the random object,
* then an internal secure random source will be used to create the
* nonce.
*
* @param opmode the type of operation to do. This value must be either
* {@code Cipher.ENCRYPT_MODE} or {@code Cipher.DECRYPT_MODE}
* @param key a 256-bit key suitable for ChaCha20
* @param params a {@code null} value if the algorithm is ChaCha20, or
* the appropriate {@code AlgorithmParameters} object containing the
* nonce information if the algorithm is ChaCha20-Poly1305.
* @param random a {@code SecureRandom} implementation, may be {@code null}.
*
* @throws UnsupportedOperationException if the mode of operation
* is {@code Cipher.WRAP_MODE} or {@code Cipher.UNWRAP_MODE}
* (currently unsupported).
* @throws InvalidKeyException if the key is of the wrong type or is
* not 256-bits in length. This will also be thrown if the opmode
* parameter is not {@code Cipher.ENCRYPT_MODE} or
* {@code Cipher.DECRYPT_MODE} (excepting the UOE case above).
* @throws InvalidAlgorithmParameterException if {@code params} is
* non-null and the algorithm is ChaCha20. This exception will be
* also thrown if the algorithm is ChaCha20-Poly1305 and an incorrect
* {@code AlgorithmParameters} object is supplied.
*/
@Override
protected void engineInit(int opmode, Key key,
AlgorithmParameters params, SecureRandom random)
throws InvalidKeyException, InvalidAlgorithmParameterException {
// If AlgorithmParameters is null, then treat this like an init
// of the form (int, Key, SecureRandom)
if (params == null) {
engineInit(opmode, key, random);
return;
}
byte[] newNonce = null;
switch (mode) {
case MODE_NONE:
throw new InvalidAlgorithmParameterException(
"AlgorithmParameters not supported");
case MODE_AEAD:
String paramAlg = params.getAlgorithm();
if (!paramAlg.equalsIgnoreCase("ChaCha20-Poly1305")) {
throw new InvalidAlgorithmParameterException(
"Invalid parameter type: " + paramAlg);
}
try {
DerValue dv = new DerValue(params.getEncoded());
newNonce = dv.getOctetString();
if (newNonce.length != 12) {
throw new InvalidAlgorithmParameterException(
"ChaCha20-Poly1305 nonce must be " +
"12 bytes in length");
}
} catch (IOException ioe) {
throw new InvalidAlgorithmParameterException(ioe);
}
break;
default:
throw new RuntimeException("Invalid mode: " + mode);
}
// If after all the above processing we still don't have a nonce value
// then supply a random one provided a random source has been given.
if (newNonce == null) {
newNonce = createRandomNonce(random);
}
// Continue with initialization
init(opmode, key, newNonce);
}
/**
* Update additional authenticated data (AAD).
*
* @param src the byte array containing the authentication data.
* @param offset the starting offset in the buffer to update.
* @param len the amount of authentication data to update.
*
* @throws IllegalStateException if the cipher has not been initialized,
* {@code engineUpdate} has been called, or the cipher is running
* in a non-AEAD mode of operation. It will also throw this
* exception if the submitted AAD would overflow a 64-bit length
* counter.
*/
@Override
protected void engineUpdateAAD(byte[] src, int offset, int len) {
if (!initialized) {
// We know that the cipher has not been initialized if the key
// is still null.
throw new IllegalStateException(
"Attempted to update AAD on uninitialized Cipher");
} else if (aadDone) {
// No AAD updates allowed after the PT/CT update method is called
throw new IllegalStateException("Attempted to update AAD on " +
"Cipher after plaintext/ciphertext update");
} else if (mode != MODE_AEAD) {
throw new IllegalStateException(
"Cipher is running in non-AEAD mode");
} else {
try {
aadLen = Math.addExact(aadLen, len);
authUpdate(src, offset, len);
} catch (ArithmeticException ae) {
throw new IllegalStateException("AAD overflow", ae);
}
}
}
/**
* Update additional authenticated data (AAD).
*
* @param src the ByteBuffer containing the authentication data.
*
* @throws IllegalStateException if the cipher has not been initialized,
* {@code engineUpdate} has been called, or the cipher is running
* in a non-AEAD mode of operation. It will also throw this
* exception if the submitted AAD would overflow a 64-bit length
* counter.
*/
@Override
protected void engineUpdateAAD(ByteBuffer src) {
if (!initialized) {
// We know that the cipher has not been initialized if the key
// is still null.
throw new IllegalStateException(
"Attempted to update AAD on uninitialized Cipher");
} else if (aadDone) {
// No AAD updates allowed after the PT/CT update method is called
throw new IllegalStateException("Attempted to update AAD on " +
"Cipher after plaintext/ciphertext update");
} else if (mode != MODE_AEAD) {
throw new IllegalStateException(
"Cipher is running in non-AEAD mode");
} else {
try {
aadLen = Math.addExact(aadLen, (src.limit() - src.position()));
authenticator.engineUpdate(src);
} catch (ArithmeticException ae) {
throw new IllegalStateException("AAD overflow", ae);
}
}
}
/**
* Create a random 12-byte nonce.
*
* @param random a {@code SecureRandom} object. If {@code null} is
* provided a new {@code SecureRandom} object will be instantiated.
*
* @return a 12-byte array containing the random nonce.
*/
private byte[] createRandomNonce(SecureRandom random) {
byte[] newNonce = new byte[12];
SecureRandom rand = (random != null) ? random : new SecureRandom();
rand.nextBytes(newNonce);
return newNonce;
}
/**
* Perform additional initialization actions based on the key and operation
* type.
*
* @param opmode the type of operation to do. This value must be either
* {@code Cipher.ENCRYPT_MODE} or {@code Cipher.DECRYPT_MODE}
* @param key a 256-bit key suitable for ChaCha20
* @param newNonce the new nonce value for this initialization.
*
* @throws UnsupportedOperationException if the {@code opmode} parameter
* is {@code Cipher.WRAP_MODE} or {@code Cipher.UNWRAP_MODE}
* (currently unsupported).
* @throws InvalidKeyException if the {@code opmode} parameter is not
* {@code Cipher.ENCRYPT_MODE} or {@code Cipher.DECRYPT_MODE}, or
* if the key format is not {@code RAW}.
*/
private void init(int opmode, Key key, byte[] newNonce)
throws InvalidKeyException {
if ((opmode == Cipher.WRAP_MODE) || (opmode == Cipher.UNWRAP_MODE)) {
throw new UnsupportedOperationException(
"WRAP_MODE and UNWRAP_MODE are not currently supported");
} else if ((opmode != Cipher.ENCRYPT_MODE) &&
(opmode != Cipher.DECRYPT_MODE)) {
throw new InvalidKeyException("Unknown opmode: " + opmode);
}
// Make sure that the provided key and nonce are unique before
// assigning them to the object.
byte[] newKeyBytes = getEncodedKey(key);
checkKeyAndNonce(newKeyBytes, newNonce);
this.keyBytes = newKeyBytes;
nonce = newNonce;
// Now that we have the key and nonce, we can build the initial state
setInitialState();
if (mode == MODE_NONE) {
engine = new EngineStreamOnly();
} else if (mode == MODE_AEAD) {
if (opmode == Cipher.ENCRYPT_MODE) {
engine = new EngineAEADEnc();
} else if (opmode == Cipher.DECRYPT_MODE) {
engine = new EngineAEADDec();
} else {
throw new InvalidKeyException("Not encrypt or decrypt mode");
}
}
// We can also get one block's worth of keystream created
finalCounterValue = counter + MAX_UINT32;
generateKeystream();
direction = opmode;
aadDone = false;
this.keyStrOffset = 0;
initialized = true;
}
/**
* Check the key and nonce bytes to make sure that they do not repeat
* across reinitialization.
*
* @param newKeyBytes the byte encoding for the newly provided key
* @param newNonce the new nonce to be used with this initialization
*
* @throws InvalidKeyException if both the key and nonce match the
* previous initialization.
*
*/
private void checkKeyAndNonce(byte[] newKeyBytes, byte[] newNonce)
throws InvalidKeyException {
// A new initialization must have either a different key or nonce
// so the starting state for each block is not the same as the
// previous initialization.
if (MessageDigest.isEqual(newKeyBytes, keyBytes) &&
MessageDigest.isEqual(newNonce, nonce)) {
throw new InvalidKeyException(
"Matching key and nonce from previous initialization");
}
}
/**
* Return the encoded key as a byte array
*
* @param key the {@code Key} object used for this {@code Cipher}
*
* @return the key bytes
*
* @throws InvalidKeyException if the key is of the wrong type or length,
* or if the key encoding format is not {@code RAW}.
*/
private static byte[] getEncodedKey(Key key) throws InvalidKeyException {
if ("RAW".equals(key.getFormat()) == false) {
throw new InvalidKeyException("Key encoding format must be RAW");
}
byte[] encodedKey = key.getEncoded();
if (encodedKey == null || encodedKey.length != 32) {
throw new InvalidKeyException("Key length must be 256 bits");
}
return encodedKey;
}
/**
* Update the currently running operation with additional data
*
* @param in the plaintext or ciphertext input bytes (depending on the
* operation type).
* @param inOfs the offset into the input array
* @param inLen the length of the data to use for the update operation.
*
* @return the resulting plaintext or ciphertext bytes (depending on
* the operation type)
*/
@Override
protected byte[] engineUpdate(byte[] in, int inOfs, int inLen) {
byte[] out = new byte[engine.getOutputSize(inLen, false)];
try {
engine.doUpdate(in, inOfs, inLen, out, 0);
} catch (ShortBufferException | KeyException exc) {
throw new RuntimeException(exc);
}
return out;
}
/**
* Update the currently running operation with additional data
*
* @param in the plaintext or ciphertext input bytes (depending on the
* operation type).
* @param inOfs the offset into the input array
* @param inLen the length of the data to use for the update operation.
* @param out the byte array that will hold the resulting data. The array
* must be large enough to hold the resulting data.
* @param outOfs the offset for the {@code out} buffer to begin writing
* the resulting data.
*
* @return the length in bytes of the data written into the {@code out}
* buffer.
*
* @throws ShortBufferException if the buffer {@code out} does not have
* enough space to hold the resulting data.
*/
@Override
protected int engineUpdate(byte[] in, int inOfs, int inLen,
byte[] out, int outOfs) throws ShortBufferException {
int bytesUpdated = 0;
try {
bytesUpdated = engine.doUpdate(in, inOfs, inLen, out, outOfs);
} catch (KeyException ke) {
throw new RuntimeException(ke);
}
return bytesUpdated;
}
/**
* Complete the currently running operation using any final
* data provided by the caller.
*
* @param in the plaintext or ciphertext input bytes (depending on the
* operation type).
* @param inOfs the offset into the input array
* @param inLen the length of the data to use for the update operation.
*
* @return the resulting plaintext or ciphertext bytes (depending on
* the operation type)
*
* @throws AEADBadTagException if, during decryption, the provided tag
* does not match the calculated tag.
*/
@Override
protected byte[] engineDoFinal(byte[] in, int inOfs, int inLen)
throws AEADBadTagException {
byte[] output = new byte[engine.getOutputSize(inLen, true)];
try {
engine.doFinal(in, inOfs, inLen, output, 0);
} catch (ShortBufferException | KeyException exc) {
throw new RuntimeException(exc);
} finally {
// Regardless of what happens, the cipher cannot be used for
// further processing until it has been freshly initialized.
initialized = false;
}
return output;
}
/**
* Complete the currently running operation using any final
* data provided by the caller.
*
* @param in the plaintext or ciphertext input bytes (depending on the
* operation type).
* @param inOfs the offset into the input array
* @param inLen the length of the data to use for the update operation.
* @param out the byte array that will hold the resulting data. The array
* must be large enough to hold the resulting data.
* @param outOfs the offset for the {@code out} buffer to begin writing
* the resulting data.
*
* @return the length in bytes of the data written into the {@code out}
* buffer.
*
* @throws ShortBufferException if the buffer {@code out} does not have
* enough space to hold the resulting data.
* @throws AEADBadTagException if, during decryption, the provided tag
* does not match the calculated tag.
*/
@Override
protected int engineDoFinal(byte[] in, int inOfs, int inLen, byte[] out,
int outOfs) throws ShortBufferException, AEADBadTagException {
int bytesUpdated = 0;
try {
bytesUpdated = engine.doFinal(in, inOfs, inLen, out, outOfs);
} catch (KeyException ke) {
throw new RuntimeException(ke);
} finally {
// Regardless of what happens, the cipher cannot be used for
// further processing until it has been freshly initialized.
initialized = false;
}
return bytesUpdated;
}
/**
* Wrap a {@code Key} using this Cipher's current encryption parameters.
*
* @param key the key to wrap. The data that will be encrypted will
* be the provided {@code Key} in its encoded form.
*
* @return a byte array consisting of the wrapped key.
*
* @throws UnsupportedOperationException this will (currently) always
* be thrown, as this method is not currently supported.
*/
@Override
protected byte[] engineWrap(Key key) throws IllegalBlockSizeException,
InvalidKeyException {
throw new UnsupportedOperationException(
"Wrap operations are not supported");
}
/**
* Unwrap a {@code Key} using this Cipher's current encryption parameters.
*
* @param wrappedKey the key to unwrap.
* @param algorithm the algorithm associated with the wrapped key
* @param type the type of the wrapped key. This is one of
* {@code SECRET_KEY}, {@code PRIVATE_KEY}, or {@code PUBLIC_KEY}.
*
* @return the unwrapped key as a {@code Key} object.
*
* @throws UnsupportedOperationException this will (currently) always
* be thrown, as this method is not currently supported.
*/
@Override
protected Key engineUnwrap(byte[] wrappedKey, String algorithm,
int type) throws InvalidKeyException, NoSuchAlgorithmException {
throw new UnsupportedOperationException(
"Unwrap operations are not supported");
}
/**
* Get the length of a provided key in bits.
*
* @param key the key to be evaluated
*
* @return the length of the key in bits
*
* @throws InvalidKeyException if the key is invalid or does not
* have an encoded form.
*/
@Override
protected int engineGetKeySize(Key key) throws InvalidKeyException {
byte[] encodedKey = getEncodedKey(key);
return encodedKey.length << 3;
}
/**
* Set the initial state. This will populate the state array and put the
* key and nonce into their proper locations. The counter field is not
* set here.
*
* @throws IllegalArgumentException if the key or nonce are not in
* their proper lengths (32 bytes for the key, 12 bytes for the
* nonce).
* @throws InvalidKeyException if the key does not support an encoded form.
*/
private void setInitialState() throws InvalidKeyException {
// Apply constants to first 4 words
startState[0] = STATE_CONST_0;
startState[1] = STATE_CONST_1;
startState[2] = STATE_CONST_2;
startState[3] = STATE_CONST_3;
// Apply the key bytes as 8 32-bit little endian ints (4 through 11)
for (int i = 0; i < 32; i += 4) {
startState[(i / 4) + 4] = (keyBytes[i] & 0x000000FF) |
((keyBytes[i + 1] << 8) & 0x0000FF00) |
((keyBytes[i + 2] << 16) & 0x00FF0000) |
((keyBytes[i + 3] << 24) & 0xFF000000);
}
startState[12] = 0;
// The final integers for the state are from the nonce
// interpreted as 3 little endian integers
for (int i = 0; i < 12; i += 4) {
startState[(i / 4) + 13] = (nonce[i] & 0x000000FF) |
((nonce[i + 1] << 8) & 0x0000FF00) |
((nonce[i + 2] << 16) & 0x00FF0000) |
((nonce[i + 3] << 24) & 0xFF000000);
}
}
/**
* Using the current state and counter create the next set of keystream
* bytes. This method will generate the next 512 bits of keystream and
* return it in the {@code keyStream} parameter. Following the
* block function the counter will be incremented.
*/
private void generateKeystream() {
chaCha20Block(startState, counter, keyStream);
counter++;
}
/**
* Perform a full 20-round ChaCha20 transform on the initial state.
*
* @param initState the starting state, not including the counter
* value.
* @param counter the counter value to apply
* @param result the array that will hold the result of the ChaCha20
* block function.
*
* @note it is the caller's responsibility to ensure that the workState
* is sized the same as the initState, no checking is performed internally.
*/
private static void chaCha20Block(int[] initState, long counter,
byte[] result) {
// Create an initial state and clone a working copy
int ws00 = STATE_CONST_0;
int ws01 = STATE_CONST_1;
int ws02 = STATE_CONST_2;
int ws03 = STATE_CONST_3;
int ws04 = initState[4];
int ws05 = initState[5];
int ws06 = initState[6];
int ws07 = initState[7];
int ws08 = initState[8];
int ws09 = initState[9];
int ws10 = initState[10];
int ws11 = initState[11];
int ws12 = (int)counter;
int ws13 = initState[13];
int ws14 = initState[14];
int ws15 = initState[15];
// Peform 10 iterations of the 8 quarter round set
for (int round = 0; round < 10; round++) {
ws00 += ws04;
ws12 = Integer.rotateLeft(ws12 ^ ws00, 16);
ws08 += ws12;
ws04 = Integer.rotateLeft(ws04 ^ ws08, 12);
ws00 += ws04;
ws12 = Integer.rotateLeft(ws12 ^ ws00, 8);
ws08 += ws12;
ws04 = Integer.rotateLeft(ws04 ^ ws08, 7);
ws01 += ws05;
ws13 = Integer.rotateLeft(ws13 ^ ws01, 16);
ws09 += ws13;
ws05 = Integer.rotateLeft(ws05 ^ ws09, 12);
ws01 += ws05;
ws13 = Integer.rotateLeft(ws13 ^ ws01, 8);
ws09 += ws13;
ws05 = Integer.rotateLeft(ws05 ^ ws09, 7);
ws02 += ws06;
ws14 = Integer.rotateLeft(ws14 ^ ws02, 16);
ws10 += ws14;
ws06 = Integer.rotateLeft(ws06 ^ ws10, 12);
ws02 += ws06;
ws14 = Integer.rotateLeft(ws14 ^ ws02, 8);
ws10 += ws14;
ws06 = Integer.rotateLeft(ws06 ^ ws10, 7);
ws03 += ws07;
ws15 = Integer.rotateLeft(ws15 ^ ws03, 16);
ws11 += ws15;
ws07 = Integer.rotateLeft(ws07 ^ ws11, 12);
ws03 += ws07;
ws15 = Integer.rotateLeft(ws15 ^ ws03, 8);
ws11 += ws15;
ws07 = Integer.rotateLeft(ws07 ^ ws11, 7);
ws00 += ws05;
ws15 = Integer.rotateLeft(ws15 ^ ws00, 16);
ws10 += ws15;
ws05 = Integer.rotateLeft(ws05 ^ ws10, 12);
ws00 += ws05;
ws15 = Integer.rotateLeft(ws15 ^ ws00, 8);
ws10 += ws15;
ws05 = Integer.rotateLeft(ws05 ^ ws10, 7);
ws01 += ws06;
ws12 = Integer.rotateLeft(ws12 ^ ws01, 16);
ws11 += ws12;
ws06 = Integer.rotateLeft(ws06 ^ ws11, 12);
ws01 += ws06;
ws12 = Integer.rotateLeft(ws12 ^ ws01, 8);
ws11 += ws12;
ws06 = Integer.rotateLeft(ws06 ^ ws11, 7);
ws02 += ws07;
ws13 = Integer.rotateLeft(ws13 ^ ws02, 16);
ws08 += ws13;
ws07 = Integer.rotateLeft(ws07 ^ ws08, 12);
ws02 += ws07;
ws13 = Integer.rotateLeft(ws13 ^ ws02, 8);
ws08 += ws13;
ws07 = Integer.rotateLeft(ws07 ^ ws08, 7);
ws03 += ws04;
ws14 = Integer.rotateLeft(ws14 ^ ws03, 16);
ws09 += ws14;
ws04 = Integer.rotateLeft(ws04 ^ ws09, 12);
ws03 += ws04;
ws14 = Integer.rotateLeft(ws14 ^ ws03, 8);
ws09 += ws14;
ws04 = Integer.rotateLeft(ws04 ^ ws09, 7);
}
// Add the end working state back into the original state
asIntLittleEndian.set(result, 0, ws00 + STATE_CONST_0);
asIntLittleEndian.set(result, 4, ws01 + STATE_CONST_1);
asIntLittleEndian.set(result, 8, ws02 + STATE_CONST_2);
asIntLittleEndian.set(result, 12, ws03 + STATE_CONST_3);
asIntLittleEndian.set(result, 16, ws04 + initState[4]);
asIntLittleEndian.set(result, 20, ws05 + initState[5]);
asIntLittleEndian.set(result, 24, ws06 + initState[6]);
asIntLittleEndian.set(result, 28, ws07 + initState[7]);
asIntLittleEndian.set(result, 32, ws08 + initState[8]);
asIntLittleEndian.set(result, 36, ws09 + initState[9]);
asIntLittleEndian.set(result, 40, ws10 + initState[10]);
asIntLittleEndian.set(result, 44, ws11 + initState[11]);
// Add the counter back into workState[12]
asIntLittleEndian.set(result, 48, ws12 + (int)counter);
asIntLittleEndian.set(result, 52, ws13 + initState[13]);
asIntLittleEndian.set(result, 56, ws14 + initState[14]);
asIntLittleEndian.set(result, 60, ws15 + initState[15]);
}
/**
* Perform the ChaCha20 transform.
*
* @param in the array of bytes for the input
* @param inOff the offset into the input array to start the transform
* @param inLen the length of the data to perform the transform on.
* @param out the output array. It must be large enough to hold the
* resulting data
* @param outOff the offset into the output array to place the resulting
* data.
*/
private void chaCha20Transform(byte[] in, int inOff, int inLen,
byte[] out, int outOff) throws KeyException {
int remainingData = inLen;
while (remainingData > 0) {
int ksRemain = keyStream.length - keyStrOffset;
if (ksRemain <= 0) {
if (counter <= finalCounterValue) {
generateKeystream();
keyStrOffset = 0;
ksRemain = keyStream.length;
} else {
throw new KeyException("Counter exhausted. " +
"Reinitialize with new key and/or nonce");
}
}
// XOR each byte in the keystream against the input
int xformLen = Math.min(remainingData, ksRemain);
xor(keyStream, keyStrOffset, in, inOff, out, outOff, xformLen);
outOff += xformLen;
inOff += xformLen;
keyStrOffset += xformLen;
remainingData -= xformLen;
}
}
private static void xor(byte[] in1, int off1, byte[] in2, int off2,
byte[] out, int outOff, int len) {
while (len >= 8) {
long v1 = (long) asLongView.get(in1, off1);
long v2 = (long) asLongView.get(in2, off2);
asLongView.set(out, outOff, v1 ^ v2);
off1 += 8;
off2 += 8;
outOff += 8;
len -= 8;
}
while (len > 0) {
out[outOff] = (byte) (in1[off1] ^ in2[off2]);
off1++;
off2++;
outOff++;
len--;
}
}
/**
* Perform initialization steps for the authenticator
*
* @throws InvalidKeyException if the key is unusable for some reason
* (invalid length, etc.)
*/
private void initAuthenticator() throws InvalidKeyException {
authenticator = new Poly1305();
// Derive the Poly1305 key from the starting state
byte[] serializedKey = new byte[KEYSTREAM_SIZE];
chaCha20Block(startState, 0, serializedKey);
authenticator.engineInit(new SecretKeySpec(serializedKey, 0, 32,
authAlgName), null);
aadLen = 0;
dataLen = 0;
}
/**
* Update the authenticator state with data. This routine can be used
* to add data to the authenticator, whether AAD or application data.
*
* @param data the data to stir into the authenticator.
* @param offset the offset into the data.
* @param length the length of data to add to the authenticator.
*
* @return the number of bytes processed by this method.
*/
private int authUpdate(byte[] data, int offset, int length) {
Objects.checkFromIndexSize(offset, length, data.length);
authenticator.engineUpdate(data, offset, length);
return length;
}
/**
* Finalize the data and return the tag.
*
* @param data an array containing any remaining data to process.
* @param dataOff the offset into the data.
* @param length the length of the data to process.
* @param out the array to write the resulting tag into
* @param outOff the offset to begin writing the data.
*
* @throws ShortBufferException if there is insufficient room to
* write the tag.
*/
private void authFinalizeData(byte[] data, int dataOff, int length,
byte[] out, int outOff) throws ShortBufferException {
// Update with the final chunk of ciphertext, then pad to a
// multiple of 16.
if (data != null) {
dataLen += authUpdate(data, dataOff, length);
}
authPad16(dataLen);
// Also write the AAD and ciphertext data lengths as little-endian
// 64-bit values.
authWriteLengths(aadLen, dataLen, lenBuf);
authenticator.engineUpdate(lenBuf, 0, lenBuf.length);
byte[] tag = authenticator.engineDoFinal();
Objects.checkFromIndexSize(outOff, tag.length, out.length);
System.arraycopy(tag, 0, out, outOff, tag.length);
aadLen = 0;
dataLen = 0;
}
/**
* Based on a given length of data, make the authenticator process
* zero bytes that will pad the length out to a multiple of 16.
*
* @param dataLen the starting length to be padded.
*/
private void authPad16(long dataLen) {
// Pad out the AAD or data to a multiple of 16 bytes
authenticator.engineUpdate(padBuf, 0,
(TAG_LENGTH - ((int)dataLen & 15)) & 15);
}
/**
* Write the two 64-bit little-endian length fields into an array
* for processing by the poly1305 authenticator.
*
* @param aLen the length of the AAD.
* @param dLen the length of the application data.
* @param buf the buffer to write the two lengths into.
*
* @note it is the caller's responsibility to provide an array large
* enough to hold the two longs.
*/
private void authWriteLengths(long aLen, long dLen, byte[] buf) {
asLongLittleEndian.set(buf, 0, aLen);
asLongLittleEndian.set(buf, Long.BYTES, dLen);
}
/**
* Interface for the underlying processing engines for ChaCha20
*/
interface ChaChaEngine {
/**
* Size an output buffer based on the input and where applicable
* the current state of the engine in a multipart operation.
*
* @param inLength the input length.
* @param isFinal true if this is invoked from a doFinal call.
*
* @return the recommended size for the output buffer.
*/
int getOutputSize(int inLength, boolean isFinal);
/**
* Perform a multi-part update for ChaCha20.
*
* @param in the input data.
* @param inOff the offset into the input.
* @param inLen the length of the data to process.
* @param out the output buffer.
* @param outOff the offset at which to write the output data.
*
* @return the number of output bytes written.
*
* @throws ShortBufferException if the output buffer does not
* provide enough space.
* @throws KeyException if the counter value has been exhausted.
*/
int doUpdate(byte[] in, int inOff, int inLen, byte[] out, int outOff)
throws ShortBufferException, KeyException;
/**
* Finalize a multi-part or single-part ChaCha20 operation.
*
* @param in the input data.
* @param inOff the offset into the input.
* @param inLen the length of the data to process.
* @param out the output buffer.
* @param outOff the offset at which to write the output data.
*
* @return the number of output bytes written.
*
* @throws ShortBufferException if the output buffer does not
* provide enough space.
* @throws AEADBadTagException if in decryption mode the provided
* tag and calculated tag do not match.
* @throws KeyException if the counter value has been exhausted.
*/
int doFinal(byte[] in, int inOff, int inLen, byte[] out, int outOff)
throws ShortBufferException, AEADBadTagException, KeyException;
}
private final class EngineStreamOnly implements ChaChaEngine {
private EngineStreamOnly () { }
@Override
public int getOutputSize(int inLength, boolean isFinal) {
// The isFinal parameter is not relevant in this kind of engine
return inLength;
}
@Override
public int doUpdate(byte[] in, int inOff, int inLen, byte[] out,
int outOff) throws ShortBufferException, KeyException {
if (initialized) {
try {
if (out != null) {
Objects.checkFromIndexSize(outOff, inLen, out.length);
} else {
throw new ShortBufferException(
"Output buffer too small");
}
} catch (IndexOutOfBoundsException iobe) {
throw new ShortBufferException("Output buffer too small");
}
if (in != null) {
Objects.checkFromIndexSize(inOff, inLen, in.length);
chaCha20Transform(in, inOff, inLen, out, outOff);
}
return inLen;
} else {
throw new IllegalStateException(
"Must use either a different key or iv.");
}
}
@Override
public int doFinal(byte[] in, int inOff, int inLen, byte[] out,
int outOff) throws ShortBufferException, KeyException {
return doUpdate(in, inOff, inLen, out, outOff);
}
}
private final class EngineAEADEnc implements ChaChaEngine {
@Override
public int getOutputSize(int inLength, boolean isFinal) {
return (isFinal ? Math.addExact(inLength, TAG_LENGTH) : inLength);
}
private EngineAEADEnc() throws InvalidKeyException {
initAuthenticator();
counter = 1;
}
@Override
public int doUpdate(byte[] in, int inOff, int inLen, byte[] out,
int outOff) throws ShortBufferException, KeyException {
if (initialized) {
// If this is the first update since AAD updates, signal that
// we're done processing AAD info and pad the AAD to a multiple
// of 16 bytes.
if (!aadDone) {
authPad16(aadLen);
aadDone = true;
}
try {
if (out != null) {
Objects.checkFromIndexSize(outOff, inLen, out.length);
} else {
throw new ShortBufferException(
"Output buffer too small");
}
} catch (IndexOutOfBoundsException iobe) {
throw new ShortBufferException("Output buffer too small");
}
if (in != null) {
Objects.checkFromIndexSize(inOff, inLen, in.length);
chaCha20Transform(in, inOff, inLen, out, outOff);
dataLen += authUpdate(out, outOff, inLen);
}
return inLen;
} else {
throw new IllegalStateException(
"Must use either a different key or iv.");
}
}
@Override
public int doFinal(byte[] in, int inOff, int inLen, byte[] out,
int outOff) throws ShortBufferException, KeyException {
// Make sure we have enough room for the remaining data (if any)
// and the tag.
if ((inLen + TAG_LENGTH) > (out.length - outOff)) {
throw new ShortBufferException("Output buffer too small");
}
doUpdate(in, inOff, inLen, out, outOff);
authFinalizeData(null, 0, 0, out, outOff + inLen);
aadDone = false;
return inLen + TAG_LENGTH;
}
}
private final class EngineAEADDec implements ChaChaEngine {
private final ByteArrayOutputStream cipherBuf;
private final byte[] tag;
@Override
public int getOutputSize(int inLen, boolean isFinal) {
// If we are performing a decrypt-update we should always return
// zero length since we cannot return any data until the tag has
// been consumed and verified. CipherSpi.engineGetOutputSize will
// always set isFinal to true to get the required output buffer
// size.
return (isFinal ?
Integer.max(Math.addExact((inLen - TAG_LENGTH),
cipherBuf.size()), 0) : 0);
}
private EngineAEADDec() throws InvalidKeyException {
initAuthenticator();
counter = 1;
cipherBuf = new ByteArrayOutputStream(CIPHERBUF_BASE);
tag = new byte[TAG_LENGTH];
}
@Override
public int doUpdate(byte[] in, int inOff, int inLen, byte[] out,
int outOff) {
if (initialized) {
// If this is the first update since AAD updates, signal that
// we're done processing AAD info and pad the AAD to a multiple
// of 16 bytes.
if (!aadDone) {
authPad16(aadLen);
aadDone = true;
}
if (in != null) {
Objects.checkFromIndexSize(inOff, inLen, in.length);
cipherBuf.write(in, inOff, inLen);
}
} else {
throw new IllegalStateException(
"Must use either a different key or iv.");
}
return 0;
}
@Override
public int doFinal(byte[] in, int inOff, int inLen, byte[] out,
int outOff) throws ShortBufferException, AEADBadTagException,
KeyException {
byte[] ctPlusTag;
int ctPlusTagLen;
if (cipherBuf.size() == 0 && inOff == 0) {
// No previous data has been seen before doFinal, so we do
// not need to hold any ciphertext in a buffer. We can
// process it directly from the "in" parameter.
doUpdate(null, inOff, inLen, out, outOff);
ctPlusTag = in;
ctPlusTagLen = inLen;
} else {
doUpdate(in, inOff, inLen, out, outOff);
ctPlusTag = cipherBuf.toByteArray();
ctPlusTagLen = ctPlusTag.length;
}
cipherBuf.reset();
// There must at least be a tag length's worth of ciphertext
// data in the buffered input.
if (ctPlusTagLen < TAG_LENGTH) {
throw new AEADBadTagException("Input too short - need tag");
}
int ctLen = ctPlusTagLen - TAG_LENGTH;
// Make sure we will have enough room for the output buffer
try {
Objects.checkFromIndexSize(outOff, ctLen, out.length);
} catch (IndexOutOfBoundsException ioobe) {
throw new ShortBufferException("Output buffer too small");
}
// Calculate and compare the tag. Only do the decryption
// if and only if the tag matches.
authFinalizeData(ctPlusTag, 0, ctLen, tag, 0);
long tagCompare = ((long)asLongView.get(ctPlusTag, ctLen) ^
(long)asLongView.get(tag, 0)) |
((long)asLongView.get(ctPlusTag, ctLen + Long.BYTES) ^
(long)asLongView.get(tag, Long.BYTES));
if (tagCompare != 0) {
throw new AEADBadTagException("Tag mismatch");
}
chaCha20Transform(ctPlusTag, 0, ctLen, out, outOff);
aadDone = false;
return ctLen;
}
}
public static final class ChaCha20Only extends ChaCha20Cipher {
public ChaCha20Only() {
mode = MODE_NONE;
}
}
public static final class ChaCha20Poly1305 extends ChaCha20Cipher {
public ChaCha20Poly1305() {
mode = MODE_AEAD;
authAlgName = "Poly1305";
}
}
}