Updated HKDF to handle list of ikms/salts (relates to github #2209)

Author: royb

prov/src/main/jdk25/org/bouncycastle/jcajce/provider/kdf/hkdf/HKDFSpi.java

@@ -16,6 +16,7 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.spec.AlgorithmParameterSpec;
 import java.util.List;
+import org.bouncycastle.util.Arrays;
 
 class HKDFSpi
         extends KDFSpi
@@ -67,7 +68,6 @@ protected byte[] engineDeriveData(AlgorithmParameterSpec derivationSpec)
             throw new InvalidAlgorithmParameterException("Invalid AlgorithmParameterSpec provided");
         }
 
-        // TODO: deal with the multi ikm/salt thing
         HKDFParameters hkdfParameters = null;
         int derivedDataLength = 0;
         if (derivationSpec instanceof HKDFParameterSpec.ExtractThenExpand)
@@ -77,7 +77,10 @@ protected byte[] engineDeriveData(AlgorithmParameterSpec derivationSpec)
             List<SecretKey> ikms = spec.ikms();
             List<SecretKey> salts = spec.salts();
 
-            hkdfParameters = new HKDFParameters(ikms.get(0).getEncoded(), salts.get(0).getEncoded(), spec.info());
+            byte[] salt = flattenSecretKeys(salts);
+            byte[] ikm = flattenSecretKeys(ikms);
+
+            hkdfParameters = new HKDFParameters(ikm, salt, spec.info());
             derivedDataLength = spec.length();
 
             hkdf.init(hkdfParameters);
@@ -94,7 +97,10 @@ else if (derivationSpec instanceof HKDFParameterSpec.Extract)
             List<SecretKey> ikms = spec.ikms();
             List<SecretKey> salts = spec.salts();
 
-            return hkdf.extractPRK(salts.get(0).getEncoded(), ikms.get(0).getEncoded());
+            byte[] salt = flattenSecretKeys(salts);
+            byte[] ikm = flattenSecretKeys(ikms);
+
+            return hkdf.extractPRK(salt, ikm);
         }
         else if (derivationSpec instanceof org.bouncycastle.jcajce.spec.HKDFParameterSpec)
         {
@@ -126,6 +132,24 @@ private static KDFParameters requireNull(KDFParameters kdfParameters,
         return null;
     }
 
+    private byte[] flattenSecretKeys(List<SecretKey> keys)
+    {
+        int len = 0;
+        int off = 0;
+        for (SecretKey key: keys)
+        {
+            len += key.getEncoded().length;
+        }
+        byte[] res = new byte[len];
+        for (SecretKey key: keys)
+        {
+            byte[] encoded = key.getEncoded();
+            System.arraycopy(encoded, 0, res, off, encoded.length);
+            off += encoded.length;
+        }
+        return res;
+    }
+
     public static class HKDFwithSHA256 extends HKDFSpi
     {
         public HKDFwithSHA256(KDFParameters kdfParameters) throws InvalidAlgorithmParameterException

prov/src/test/jdk25/org/bouncycastle/jcajce/provider/kdf/test/HKDFTest.java

@@ -46,7 +46,7 @@ public void testKDF()
         byte[] okm = Hex.decode("2124ffb29fac4e0fbbc7d5d87492bff3");
         byte[] genOkm;
         HKDFParameterSpec.ExtractThenExpand hkdfParams1 = HKDFParameterSpec.ofExtract().addIKM(ikm)
-                                                                          .addSalt(salt).thenExpand(info, okm.length);
+                .addSalt(salt).thenExpand(info, okm.length);
 
         genOkm = kdfHkdf.deriveData(hkdfParams1);
 
@@ -77,12 +77,13 @@ public void testKDF()
         //kdf.init(new KDFParameter(new SHA1Digest()));
         //kdf.deriveData(hkdfParams);
     }
+
     private boolean doComparison(String algorithm, byte[] ikm, byte[] salt, byte[] info)
             throws Exception
     {
         KDF kdf = KDF.getInstance(algorithm, "BC");
         HKDFParameterSpec.ExtractThenExpand spec = HKDFParameterSpec.ofExtract().addIKM(ikm)
-                                                                          .addSalt(salt).thenExpand(info, ikm.length);
+                .addSalt(salt).thenExpand(info, ikm.length);
 
         org.bouncycastle.jcajce.spec.HKDFParameterSpec pre25spec = new org.bouncycastle.jcajce.spec.HKDFParameterSpec(ikm, salt, info, ikm.length);
         byte[] kdfSecret = kdf.deriveData(spec);
@@ -97,7 +98,7 @@ public void testSecretKeyFactoryComparison()
             throws Exception
     {
         setUp();
-        String[] algorithms = new String[] {
+        String[] algorithms = new String[]{
                 "HKDF-SHA256",
                 "HKDF-SHA384",
                 "HKDF-SHA512",
@@ -106,12 +107,12 @@ public void testSecretKeyFactoryComparison()
         byte[] salt = new byte[16];
         byte[] info = new byte[16];
         SecureRandom random = new SecureRandom();
-        for (String algorithm: algorithms)
+        for (String algorithm : algorithms)
         {
             random.nextBytes(ikm);
             random.nextBytes(salt);
             random.nextBytes(info);
-            if(!doComparison(algorithm, ikm, salt, info))
+            if (!doComparison(algorithm, ikm, salt, info))
             {
                 fail("failed to generate same secret using kdf and secret key factory for: " + algorithm);
             }
@@ -183,6 +184,79 @@ public void testExceptionHandling()
 //        }
     }
 
+    public void testExtractWithConcatenatedIKMAndSalts()
+            throws Exception
+    {
+        setUp();
+        KDF kdfHkdf = KDF.getInstance("HKDF-SHA256", "BC");
+
+        byte[][] ikms = new byte[][]
+                {
+                        Hex.decode("000102030405060708090a0b0c0d0e0f"),
+                        Hex.decode("101112131415161718191a1b1c1d1e1f"),
+                        Hex.decode("202122232425262728292a2b2c2d2e2f"),
+                        Hex.decode("303132333435363738393a3b3c3d3e3f"),
+                        Hex.decode("404142434445464748494a4b4c4d4e4f"),
+                };
+
+        byte[][] salts = new byte[][]
+                {
+                        Hex.decode("606162636465666768696a6b6c6d6e6f"),
+                        Hex.decode("707172737475767778797a7b7c7d7e7f"),
+                        Hex.decode("808182838485868788898a8b8c8d8e8f"),
+                        Hex.decode("909192939495969798999a9b9c9d9e9f"),
+                        Hex.decode("a0a1a2a3a4a5a6a7a8a9aaabacadaeaf"),
+                };
+        byte[] info = Hex.decode("b0b1b2b3b4b5b6b7b8b9babbbcbdbebf"
+                + "c0c1c2c3c4c5c6c7c8c9cacbcccdcecf"
+                + "d0d1d2d3d4d5d6d7d8d9dadbdcdddedf"
+                + "e0e1e2e3e4e5e6e7e8e9eaebecedeeef"
+                + "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff");
+        byte[] okm = Hex.decode(
+                "b11e398dc80327a1c8e7f78c596a4934" +
+                        "4f012eda2d4efad8a050cc4c19afa97c" +
+                        "59045a99cac7827271cb41c65e590e09" +
+                        "da3275600c2f09b8367793a9aca3db71" +
+                        "cc30c58179ec3e87c14c01d5c1f3434f" +
+                        "1d87");
+
+        HKDFParameterSpec.ExtractThenExpand hkdfParams1 = HKDFParameterSpec.ofExtract()
+                .addIKM(ikms[0]).addIKM(ikms[1]).addIKM(ikms[2]).addIKM(ikms[3]).addIKM(ikms[4])
+                .addSalt(salts[0]).addSalt(salts[1]).addSalt(salts[2]).addSalt(salts[3]).addSalt(salts[4])
+                .thenExpand(info, okm.length);
+
+        byte[] genOkm = kdfHkdf.deriveData(hkdfParams1);
+
+        if (!areEqual(genOkm, okm))
+        {
+            fail("HKDF failed for multiple ikms/salts");
+        }
+
+        HKDFParameterSpec.Extract hkdfParams2 = HKDFParameterSpec.ofExtract()
+                .addIKM(ikms[0]).addIKM(ikms[1]).addIKM(ikms[2]).addIKM(ikms[3]).addIKM(ikms[4])
+                .addSalt(salts[0]).addSalt(salts[1]).addSalt(salts[2]).addSalt(salts[3]).addSalt(salts[4])
+                .extractOnly();
+
+        okm = Hex.decode("06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244");
+        genOkm = kdfHkdf.deriveData(hkdfParams2);
+
+        if (!areEqual(genOkm, okm))
+        {
+            fail("HKDF failed for multiple ikms/salts");
+        }
+    }
+
+    /**
+     * Helper method to concatenate two byte arrays.
+     */
+    private byte[] concatenate(byte[] first, byte[] second)
+    {
+        byte[] result = new byte[first.length + second.length];
+        System.arraycopy(first, 0, result, 0, first.length);
+        System.arraycopy(second, 0, result, first.length, second.length);
+        return result;
+    }
+
     private static class InvalidKDFParameters
             implements KDFParameters
     {