added EncodableService interface, added Memoable/EncodableService to KMAC.

dghgit · dghgit · commit 0fb2d2639979 · 2025-07-27T13:14:47.000+10:00
diff --git a/core/src/main/java/org/bouncycastle/crypto/EncodableService.java b/core/src/main/java/org/bouncycastle/crypto/EncodableService.java
@@ -0,0 +1,17 @@
+package org.bouncycastle.crypto;
+
+/**
+ *  Encodable services allow you to download an encoded copy of their internal state. This is useful for the situation where
+ *  you need to generate a signature on an external device and it allows for "sign with last round", so a copy of the
+ *  internal state of the digest, plus the last few blocks of the message are all that needs to be sent, rather than the
+ *  entire message.
+ */
+public interface EncodableService
+{
+    /**
+     * Return an encoded byte array for the services's internal state
+     *
+     * @return an encoding of the services internal state.
+     */
+    byte[] getEncodedState();
+}
diff --git a/core/src/main/java/org/bouncycastle/crypto/digests/EncodableDigest.java b/core/src/main/java/org/bouncycastle/crypto/digests/EncodableDigest.java
@@ -1,12 +1,15 @@
 package org.bouncycastle.crypto.digests;
 
+import org.bouncycastle.crypto.EncodableService;
+
 /**
  *  Encodable digests allow you to download an encoded copy of their internal state. This is useful for the situation where
  *  you need to generate a signature on an external device and it allows for "sign with last round", so a copy of the
  *  internal state of the digest, plus the last few blocks of the message are all that needs to be sent, rather than the
  *  entire message.
  */
 public interface EncodableDigest
+    extends EncodableService
 {
     /**
      * Return an encoded byte array for the digest's internal state
diff --git a/core/src/main/java/org/bouncycastle/crypto/macs/KMAC.java b/core/src/main/java/org/bouncycastle/crypto/macs/KMAC.java
@@ -5,9 +5,12 @@
 import org.bouncycastle.crypto.Mac;
 import org.bouncycastle.crypto.Xof;
 import org.bouncycastle.crypto.digests.CSHAKEDigest;
+import org.bouncycastle.crypto.digests.EncodableDigest;
 import org.bouncycastle.crypto.digests.XofUtils;
 import org.bouncycastle.crypto.params.KeyParameter;
 import org.bouncycastle.util.Arrays;
+import org.bouncycastle.util.Memoable;
+import org.bouncycastle.util.Pack;
 import org.bouncycastle.util.Strings;
 
 /**
@@ -17,13 +20,14 @@
  * </p>
  */
 public class KMAC
-    implements Mac, Xof
+    implements Mac, Xof, Memoable, EncodableDigest
 {
     private static final byte[] padding = new byte[100];
 
     private final CSHAKEDigest cshake;
-    private final int bitLength;
-    private final int outputLength;
+    
+    private int bitLength;
+    private int outputLength;
 
     private byte[] key;
     private boolean initialised;
@@ -42,12 +46,48 @@ public KMAC(int bitLength, byte[] S)
         this.outputLength = bitLength * 2 / 8;
     }
 
+    public KMAC(KMAC original)
+    {
+        this.cshake = new CSHAKEDigest(original.cshake);
+        this.bitLength = original.bitLength;
+        this.outputLength = original.outputLength;
+        this.key = original.key;
+        this.initialised = original.initialised;
+        this.firstOutput = original.firstOutput;
+    }
+
+    public KMAC(byte[] state)
+    {
+        this.key = new byte[state[0] & 0xff];
+        System.arraycopy(state, 1, key, 0, key.length);
+        this.cshake = new CSHAKEDigest(Arrays.copyOfRange(state, 1 + key.length, state.length - 10));
+                
+        this.bitLength = Pack.bigEndianToInt(state, state.length - 10);
+        this.outputLength = Pack.bigEndianToInt(state, state.length - 6);
+        this.initialised = state[state.length - 2] != 0;
+        this.firstOutput = state[state.length - 1] != 0;
+    }
+
+    private void copyIn(KMAC original)
+    {
+        this.cshake.reset(original.cshake);
+        this.bitLength = original.bitLength;
+        this.outputLength = original.outputLength;
+        this.initialised = original.initialised;
+        this.firstOutput = original.firstOutput;
+    }
+
     public void init(CipherParameters params)
         throws IllegalArgumentException
     {
         KeyParameter kParam = (KeyParameter)params;
 
         this.key = Arrays.clone(kParam.getKey());
+        if (this.key.length > 255)  // 2^2040
+        {
+            throw new IllegalArgumentException("key length must be between 0 and 2040 bits");
+        }
+
         this.initialised = true;
 
         reset();
@@ -201,4 +241,39 @@ private static byte[] encode(byte[] X)
     {
         return Arrays.concatenate(XofUtils.leftEncode(X.length * 8), X);
     }
+
+    public byte[] getEncodedState()
+    {
+        if (!this.initialised)
+        {
+            throw new IllegalStateException("KMAC not initialised");
+        }
+
+        byte[] cshakeState = this.cshake.getEncodedState();
+        byte[] extraState = new byte[4 + 4 + 2];
+
+        Pack.intToBigEndian(this.bitLength, extraState, 0);
+        Pack.intToBigEndian(this.outputLength, extraState, 4);
+        extraState[8] = this.initialised ? (byte)1 : (byte)0;
+        extraState[9] = this.firstOutput ? (byte)1 : (byte)0;
+
+        byte[] enc = new byte[1 + key.length + cshakeState.length + extraState.length];
+
+        enc[0] = (byte)key.length; // key capped at 255 bytes.
+        System.arraycopy(key, 0, enc, 1, key.length);
+        System.arraycopy(cshakeState, 0, enc, 1 + key.length, cshakeState.length);
+        System.arraycopy(extraState, 0, enc, 1 + key.length + cshakeState.length, extraState.length);
+
+        return enc;
+    }
+
+    public Memoable copy()
+    {
+        return new KMAC(this);
+    }
+
+    public void reset(Memoable other)
+    {
+        copyIn((KMAC)other);
+    }
 }
diff --git a/core/src/test/java/org/bouncycastle/crypto/test/KMACTest.java b/core/src/test/java/org/bouncycastle/crypto/test/KMACTest.java
@@ -1,8 +1,11 @@
 package org.bouncycastle.crypto.test;
 
+import org.bouncycastle.crypto.Digest;
+import org.bouncycastle.crypto.EncodableService;
 import org.bouncycastle.crypto.macs.KMAC;
 import org.bouncycastle.crypto.params.KeyParameter;
 import org.bouncycastle.util.Arrays;
+import org.bouncycastle.util.Memoable;
 import org.bouncycastle.util.Strings;
 import org.bouncycastle.util.encoders.Hex;
 import org.bouncycastle.util.test.SimpleTest;
@@ -137,7 +140,15 @@ public void performTest()
         checkKMAC(256, new KMAC(256, null), Hex.decode("eeaabeef"));
         checkKMAC(128, new KMAC(128, new byte[0]), Hex.decode("eeaabeef"));
         checkKMAC(128, new KMAC(128, null), Hex.decode("eeaabeef"));
-        checkKMAC(256, new KMAC(256,  null), Hex.decode("eeaabeef"));
+        checkKMAC(256, new KMAC(256, null), Hex.decode("eeaabeef"));
+
+        byte[] resBuf = new byte[32];
+        byte[] message = Hex.decode("404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F");
+        byte[] expected = Hex.decode("059a2eb4961b482ff5bb6a0278d3ad2117b20aafb2f0df33e7748176648c8192");
+
+        testClone(resBuf, message, expected, new KMAC(128, new byte[0]), Hex.decode("eeaabeef"));
+        testMemo(resBuf, message, expected, new KMAC(128, new byte[0]), Hex.decode("eeaabeef"));
+        testEncodedState(resBuf, message, expected, new KMAC(128, new byte[0]), Hex.decode("eeaabeef"));
     }
 
     private void doFinalTest()
@@ -146,7 +157,7 @@ private void doFinalTest()
 
         kmac.init(new KeyParameter(Hex.decode(
             "404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F")));
-        
+
         kmac.update(Hex.decode("00010203"), 0, 4);
 
         byte[] res = new byte[32];
@@ -236,7 +247,7 @@ private void checkKMAC(int bitSize, KMAC kmac, byte[] msg)
 
         ref.init(new KeyParameter(new byte[0]));
         kmac.init(new KeyParameter(new byte[0]));
-        
+
         ref.update(msg, 0, msg.length);
         kmac.update(msg, 0, msg.length);
 
@@ -249,6 +260,110 @@ private void checkKMAC(int bitSize, KMAC kmac, byte[] msg)
         isTrue(Arrays.areEqual(res1, res2));
     }
 
+    private void testEncodedState(byte[] resBuf, byte[] input, byte[] expected, KMAC kmac, byte[] key)
+    {
+        kmac.init(new KeyParameter(key));
+
+        // test state encoding;
+        kmac.update(input, 0, input.length / 2);
+
+        // copy the Digest
+        Digest copy1 = new KMAC(((EncodableService)kmac).getEncodedState());
+        Digest copy2 = new KMAC(((EncodableService)copy1).getEncodedState());
+
+        kmac.update(input, input.length / 2, input.length - input.length / 2);
+
+        kmac.doFinal(resBuf, 0);
+
+        if (!areEqual(expected, resBuf))
+        {
+            fail("failing state vector test", expected, new String(Hex.encode(resBuf)));
+        }
+
+        copy1.update(input, input.length / 2, input.length - input.length / 2);
+        copy1.doFinal(resBuf, 0);
+
+        if (!areEqual(expected, resBuf))
+        {
+            fail("failing state copy1 vector test", expected, new String(Hex.encode(resBuf)));
+        }
+
+        copy2.update(input, input.length / 2, input.length - input.length / 2);
+        copy2.doFinal(resBuf, 0);
+
+        if (!areEqual(expected, resBuf))
+        {
+            fail("failing state copy2 vector test", expected, new String(Hex.encode(resBuf)));
+        }
+    }
+
+    private void testMemo(byte[] resBuf, byte[] input, byte[] expected, KMAC kmac, byte[] key)
+    {
+        kmac.init(new KeyParameter(key));
+
+        Memoable m = (Memoable)kmac;
+
+        kmac.update(input, 0, input.length / 2);
+
+        // copy the Digest
+        Memoable copy1 = m.copy();
+        Memoable copy2 = copy1.copy();
+
+        kmac.update(input, input.length / 2, input.length - input.length / 2);
+        kmac.doFinal(resBuf, 0);
+
+        if (!areEqual(expected, resBuf))
+        {
+            fail("failing memo vector test", Hex.toHexString(expected), Hex.toHexString(resBuf));
+        }
+
+        m.reset(copy1);
+
+        kmac.update(input, input.length / 2, input.length - input.length / 2);
+        kmac.doFinal(resBuf, 0);
+
+        if (!areEqual(expected, resBuf))
+        {
+            fail("failing memo reset vector test", Hex.toHexString(expected), Hex.toHexString(resBuf));
+        }
+
+        KMAC md = (KMAC)copy2;
+
+        md.update(input, input.length / 2, input.length - input.length / 2);
+        md.doFinal(resBuf, 0);
+
+        if (!areEqual(expected, resBuf))
+        {
+            fail("failing memo copy vector test", Hex.toHexString(expected), Hex.toHexString(resBuf));
+        }
+    }
+
+    private void testClone(byte[] resBuf, byte[] input, byte[] expected, KMAC kmac, byte[] key)
+    {
+        kmac.init(new KeyParameter(key));
+
+        kmac.update(input, 0, input.length / 2);
+
+        // clone the Digest
+        KMAC d = new KMAC(kmac);
+
+        kmac.update(input, input.length / 2, input.length - input.length / 2);
+        kmac.doFinal(resBuf, 0);
+
+        if (!areEqual(expected, resBuf))
+        {
+            fail("failing clone vector test", Hex.toHexString(expected), Hex.toHexString(resBuf));
+        }
+
+        d.update(input, input.length / 2, input.length - input.length / 2);
+        d.doFinal(resBuf, 0);
+
+        if (!areEqual(expected, resBuf))
+        {
+            fail("failing second clone vector test", Hex.toHexString(expected), Hex.toHexString(resBuf));
+        }
+    }
+
     public static void main(
         String[] args)
     {
