bcgit
diff --git a/‎pg/src/main/java/org/bouncycastle/openpgp/operator/bc/BcAEADSecretKeyEncryptorBuilder.java‎
Lines changed: 18 additions & 45 deletions b/‎pg/src/main/java/org/bouncycastle/openpgp/operator/bc/BcAEADSecretKeyEncryptorBuilder.java‎
Lines changed: 18 additions & 45 deletions
diff --git a/‎pg/src/main/java/org/bouncycastle/openpgp/operator/bc/BcAEADUtil.java‎
Lines changed: 48 additions & 14 deletions b/‎pg/src/main/java/org/bouncycastle/openpgp/operator/bc/BcAEADUtil.java‎
Lines changed: 48 additions & 14 deletions
diff --git a/‎pg/src/main/java/org/bouncycastle/openpgp/operator/bc/BcPBEDataDecryptorFactory.java‎
Lines changed: 9 additions & 42 deletions b/‎pg/src/main/java/org/bouncycastle/openpgp/operator/bc/BcPBEDataDecryptorFactory.java‎
Lines changed: 9 additions & 42 deletions
diff --git a/‎pg/src/main/java/org/bouncycastle/openpgp/operator/bc/BcPBEKeyEncryptionMethodGenerator.java‎
Lines changed: 2 additions & 27 deletions b/‎pg/src/main/java/org/bouncycastle/openpgp/operator/bc/BcPBEKeyEncryptionMethodGenerator.java‎
Lines changed: 2 additions & 27 deletions
@@ -7,24 +7,16 @@
 import org.bouncycastle.bcpg.PacketTags;
 import org.bouncycastle.bcpg.PublicKeyPacket;
 import org.bouncycastle.bcpg.S2K;
-import org.bouncycastle.bcpg.SymmetricKeyUtils;
-import org.bouncycastle.crypto.InvalidCipherTextException;
-import org.bouncycastle.crypto.digests.SHA256Digest;
-import org.bouncycastle.crypto.generators.HKDFBytesGenerator;
-import org.bouncycastle.crypto.modes.AEADBlockCipher;
-import org.bouncycastle.crypto.params.AEADParameters;
-import org.bouncycastle.crypto.params.HKDFParameters;
-import org.bouncycastle.crypto.params.KeyParameter;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor;
-import org.bouncycastle.util.Arrays;
 
 public class BcAEADSecretKeyEncryptorBuilder
 {
 
     private int aeadAlgorithm;
     private int symmetricAlgorithm;
     private S2K.Argon2Params argon2Params;
+    private SecureRandom random = new SecureRandom();
 
     public BcAEADSecretKeyEncryptorBuilder(int aeadAlgorithm, int symmetricAlgorithm, S2K.Argon2Params argon2Params)
     {
@@ -33,9 +25,15 @@ public BcAEADSecretKeyEncryptorBuilder(int aeadAlgorithm, int symmetricAlgorithm
         this.argon2Params = argon2Params;
     }
 
+    public BcAEADSecretKeyEncryptorBuilder setSecureRandom(SecureRandom random)
+    {
+        this.random = random;
+        return this;
+    }
+
     public PBESecretKeyEncryptor build(char[] passphrase, final PublicKeyPacket pubKey)
     {
-        return new PBESecretKeyEncryptor(symmetricAlgorithm, aeadAlgorithm, argon2Params, new SecureRandom(), passphrase)
+        return new PBESecretKeyEncryptor(symmetricAlgorithm, aeadAlgorithm, argon2Params, random, passphrase)
         {
             private byte[] iv;
 
@@ -48,46 +46,21 @@ public PBESecretKeyEncryptor build(char[] passphrase, final PublicKeyPacket pubK
             public byte[] encryptKeyData(byte[] key, byte[] keyData, int keyOff, int keyLen)
                 throws PGPException
             {
-                int packetTag = pubKey.getPacketTag() == PacketTags.PUBLIC_KEY ? PacketTags.SECRET_KEY : PacketTags.SECRET_SUBKEY;
-                byte[] hkdfInfo = new byte[] {
-                    (byte) (0xC0 | packetTag),
-                    (byte) pubKey.getVersion(),
-                    (byte) symmetricAlgorithm,
-                    (byte) aeadAlgorithm
-                };
-
-                HKDFParameters hkdfParameters = new HKDFParameters(
-                    getKey(),
-                    null,
-                    hkdfInfo);
-
-                HKDFBytesGenerator hkdfGen = new HKDFBytesGenerator(new SHA256Digest());
-                hkdfGen.init(hkdfParameters);
-                key = new byte[SymmetricKeyUtils.getKeyLengthInOctets(encAlgorithm)];
-                hkdfGen.generateBytes(key, 0, key.length);
-
                 try
                 {
-                    byte[] aad = Arrays.prepend(pubKey.getEncodedContents(), (byte) (0xC0 | packetTag));
-                    AEADBlockCipher cipher = BcAEADUtil.createAEADCipher(encAlgorithm, aeadAlgorithm);
-                    cipher.init(true, new AEADParameters(
-                        new KeyParameter(key),
-                        128,
+                    return BcAEADUtil.processAeadKeyData(true,
+                        encAlgorithm,
+                        aeadAlgorithm,
+                        getKey(),
                         getCipherIV(),
-                        aad
-                    ));
-                    int dataLen = cipher.getOutputSize(keyData.length);
-                    byte[] encKey = new byte[dataLen];
-                    dataLen = cipher.processBytes(keyData, 0, keyData.length, encKey, 0);
-
-                    cipher.doFinal(encKey, dataLen);
-                    return encKey;
+                        pubKey.getPacketTag() == PacketTags.PUBLIC_KEY ? PacketTags.SECRET_KEY : PacketTags.SECRET_SUBKEY,
+                        pubKey.getVersion(),
+                        keyData,
+                        keyOff,
+                        keyLen,
+                        pubKey.getEncodedContents());
                 }
                 catch (IOException e)
-                {
-                      throw new PGPException("Exception AEAD protecting private key material", e);
-                }
-                catch (InvalidCipherTextException e)
                 {
                     throw new PGPException("Exception AEAD protecting private key material", e);
                 }
 
@@ -34,6 +34,9 @@
 
 public class BcAEADUtil
 {
+    final static String RecoverAEADEncryptedSessionDataErrorMessage = "Exception recovering session info";
+    private final static String ProcessAeadKeyDataErrorMessage = "Exception recovering AEAD protected private key material";
+    final static String GetEskAndTagErrorMessage = "cannot encrypt session info";
     /**
      * Generate a nonce by xor-ing the given iv with the chunk index.
      *
@@ -275,6 +278,45 @@ public PGPDigestCalculator getIntegrityCalculator()
         };
     }
 
+    static byte[] processAEADData(boolean forEncryption, int encAlgorithm, int aeadAlgorithm, byte[] key, byte[] iv, byte[] aad, byte[] msg, int off, int len, String errorMessage)
+        throws PGPException
+    {
+        AEADBlockCipher cipher = createAEADCipher(encAlgorithm, aeadAlgorithm);
+        try
+        {
+            return processAEADData(forEncryption, cipher, new KeyParameter(key), iv, aad, msg, off, len);
+        }
+        catch (InvalidCipherTextException e)
+        {
+            throw new PGPException(errorMessage, e);
+        }
+    }
+
+    static byte[] processAEADData(boolean forEncryption, AEADBlockCipher cipher, KeyParameter key, byte[] iv, byte[] aad, byte[] msg, int off, int msgLen)
+        throws InvalidCipherTextException
+    {
+        cipher.init(forEncryption, new AEADParameters(key, 128, iv, aad));
+        int dataLen = cipher.getOutputSize(msgLen);
+        byte[] data = new byte[dataLen];
+        dataLen = cipher.processBytes(msg, off, msgLen, data, 0);
+        cipher.doFinal(data, dataLen);
+        return data;
+    }
+
+    static byte[] processAeadKeyData(boolean forEncryption, int encAlgorithm, int aeadAlgorithm, byte[] s2kKey, byte[] iv,
+                                     int packetTag, int keyVersion, byte[] keyData, int keyOff, int keyLen, byte[] pubkeyData)
+        throws PGPException
+    {
+        byte[] key = generateHKDFBytes(s2kKey,
+            null,
+            new byte[]{
+                (byte)(0xC0 | packetTag), (byte)keyVersion, (byte)encAlgorithm, (byte)aeadAlgorithm
+            },
+            SymmetricKeyUtils.getKeyLengthInOctets(encAlgorithm));
+        byte[] aad = Arrays.prepend(pubkeyData, (byte)(0xC0 | packetTag));
+        return processAEADData(forEncryption, encAlgorithm, aeadAlgorithm, key, iv, aad, keyData, keyOff, keyLen, ProcessAeadKeyDataErrorMessage);
+    }
+
     protected static class PGPAeadInputStream
         extends InputStream
     {
@@ -422,16 +464,10 @@ private byte[] readBlock()
                 xorChunkId(adata, chunkIndex);
             }
 
-            byte[] decData = new byte[dataLen];
+            byte[] decData;
             try
             {
-                c.init(false, new AEADParameters(secretKey, 128, getNonce(iv, chunkIndex)));  // always full tag.
-
-                c.processAADBytes(adata, 0, adata.length);
-
-                int len = c.processBytes(buf, 0, dataLen + tagLen, decData, 0);
-
-                c.doFinal(decData, len);
+                decData = processAEADData(false, c, secretKey, getNonce(iv, chunkIndex), adata, buf, 0, dataLen + tagLen);
             }
             catch (InvalidCipherTextException e)
             {
@@ -449,9 +485,8 @@ private byte[] readBlock()
 
                 try
                 {
-                    c.init(false, new AEADParameters(secretKey, 128, getNonce(iv, chunkIndex)));  // always full tag.
+                    c.init(false, new AEADParameters(secretKey, 128, getNonce(iv, chunkIndex), adata));  // always full tag.
 
-                    c.processAADBytes(adata, 0, adata.length);
                     if (isV5StyleAEAD)
                     {
                         c.processAADBytes(Pack.longToBigEndian(totalBytes), 0, 8);
@@ -625,8 +660,7 @@ private void writeBlock()
 
             try
             {
-                c.init(true, new AEADParameters(secretKey, 128, getNonce(iv, chunkIndex)));  // always full tag.
-                c.processAADBytes(adata, 0, adata.length);
+                c.init(true, new AEADParameters(secretKey, 128, getNonce(iv, chunkIndex), adata));  // always full tag.
 
                 int len = c.processBytes(data, 0, dataOff, data, 0);
                 out.write(data, 0, len);
@@ -655,8 +689,8 @@ private void finish()
             byte[] adata = PGPAeadInputStream.getAdata(v5StyleAEAD, aaData, chunkIndex, totalBytes);
             try
             {
-                c.init(true, new AEADParameters(secretKey, 128, getNonce(iv, chunkIndex)));  // always full tag.
-                c.processAADBytes(adata, 0, adata.length);
+                c.init(true, new AEADParameters(secretKey, 128, getNonce(iv, chunkIndex), adata));  // always full tag.
+
                 if (v5StyleAEAD)
                 {
                     c.processAADBytes(Pack.longToBigEndian(totalBytes), 0, 8);
 
@@ -7,16 +7,12 @@
 import org.bouncycastle.bcpg.SymmetricKeyUtils;
 import org.bouncycastle.bcpg.UnsupportedPacketVersionException;
 import org.bouncycastle.crypto.BlockCipher;
-import org.bouncycastle.crypto.BufferedBlockCipher;
-import org.bouncycastle.crypto.InvalidCipherTextException;
-import org.bouncycastle.crypto.modes.AEADBlockCipher;
-import org.bouncycastle.crypto.params.AEADParameters;
-import org.bouncycastle.crypto.params.KeyParameter;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPSessionKey;
 import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.PGPDataDecryptor;
 import org.bouncycastle.openpgp.operator.PGPDigestCalculatorProvider;
+import org.bouncycastle.util.Arrays;
 
 /**
  * A {@link PBEDataDecryptorFactory} for handling PBE decryption operations using the Bouncy Castle
@@ -55,15 +51,7 @@ public byte[] recoverSessionData(int keyAlgorithm, byte[] key, byte[] secKeyData
             if (secKeyData != null && secKeyData.length > 0)
             {
                 BlockCipher engine = BcImplProvider.createBlockCipher(keyAlgorithm);
-                BufferedBlockCipher cipher = BcUtil.createSymmetricKeyWrapper(false, engine, key, new byte[engine.getBlockSize()]);
-
-                byte[] out = new byte[secKeyData.length];
-
-                int len = cipher.processBytes(secKeyData, 0, secKeyData.length, out, 0);
-
-                len += cipher.doFinal(out, len);
-
-                return out;
+                return BcUtil.processBufferedBlockCipher(false, engine, key, new byte[engine.getBlockSize()], secKeyData, 0, secKeyData.length);
             }
             else
             {
@@ -92,50 +80,29 @@ public byte[] recoverAEADEncryptedSessionData(SymmetricKeyEncSessionPacket keyDa
 
         byte[] hkdfInfo = keyData.getAAData(); // Between v5 and v6, these bytes differ
 
-        KeyParameter secretKey;
+        byte[] kek;
         if (keyData.getVersion() == SymmetricKeyEncSessionPacket.VERSION_5)
         {
-            secretKey = new KeyParameter(ikm);
+            kek = ikm;
         }
         else if (keyData.getVersion() == SymmetricKeyEncSessionPacket.VERSION_6)
         {
             // HKDF
             // secretKey := HKDF_sha256(ikm, hkdfInfo).generate()
             int kekLen = SymmetricKeyUtils.getKeyLengthInOctets(keyData.getEncAlgorithm());
-            byte[] kek = BcAEADUtil.generateHKDFBytes(ikm, null, hkdfInfo, kekLen);
-            secretKey = new KeyParameter(kek);
+            kek = BcAEADUtil.generateHKDFBytes(ikm, null, hkdfInfo, kekLen);
         }
         else
         {
             throw new UnsupportedPacketVersionException("Unsupported SKESK packet version encountered: " + keyData.getVersion());
         }
 
         // AEAD
-        AEADBlockCipher aead = BcAEADUtil.createAEADCipher(keyData.getEncAlgorithm(), keyData.getAeadAlgorithm());
-        int aeadMacLen = 128;
-        byte[] authTag = keyData.getAuthTag();
-        byte[] aeadIv = keyData.getIv();
-        byte[] encSessionKey = keyData.getSecKeyData();
-
         // sessionData := AEAD(secretKey).decrypt(encSessionKey || authTag)
-        AEADParameters parameters = new AEADParameters(secretKey,
-            aeadMacLen, aeadIv, keyData.getAAData());
-        aead.init(false, parameters);
-        int sessionKeyLen = aead.getOutputSize(encSessionKey.length + authTag.length);
-        byte[] sessionData = new byte[sessionKeyLen];
-        int dataLen = aead.processBytes(encSessionKey, 0, encSessionKey.length, sessionData, 0);
-        dataLen += aead.processBytes(authTag, 0, authTag.length, sessionData, dataLen);
-
-        try
-        {
-            aead.doFinal(sessionData, dataLen);
-        }
-        catch (InvalidCipherTextException e)
-        {
-            throw new PGPException("Exception recovering session info", e);
-        }
-
-        return sessionData;
+        byte[] data = Arrays.concatenate(keyData.getSecKeyData(), keyData.getAuthTag());
+        return BcAEADUtil.processAEADData(false, keyData.getEncAlgorithm(), keyData.getAeadAlgorithm(), kek,
+            keyData.getIv(), keyData.getAAData(), data, 0, data.length,
+            BcAEADUtil.RecoverAEADEncryptedSessionDataErrorMessage);
     }
 
     // OpenPGP v4
 
@@ -5,11 +5,7 @@
 import org.bouncycastle.bcpg.S2K;
 import org.bouncycastle.bcpg.SymmetricKeyUtils;
 import org.bouncycastle.crypto.BlockCipher;
-import org.bouncycastle.crypto.BufferedBlockCipher;
 import org.bouncycastle.crypto.InvalidCipherTextException;
-import org.bouncycastle.crypto.modes.AEADCipher;
-import org.bouncycastle.crypto.params.AEADParameters;
-import org.bouncycastle.crypto.params.KeyParameter;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.operator.PBEKeyEncryptionMethodGenerator;
 import org.bouncycastle.openpgp.operator.PGPDigestCalculator;
@@ -92,15 +88,7 @@ protected byte[] encryptSessionInfo(int encAlgorithm, byte[] key, byte[] session
         try
         {
             BlockCipher engine = BcImplProvider.createBlockCipher(encAlgorithm);
-            BufferedBlockCipher cipher = BcUtil.createSymmetricKeyWrapper(true, engine, key, new byte[engine.getBlockSize()]);
-
-            byte[] out = new byte[sessionInfo.length];
-
-            int len = cipher.processBytes(sessionInfo, 0, sessionInfo.length, out, 0);
-
-            len += cipher.doFinal(out, len);
-
-            return out;
+            return BcUtil.processBufferedBlockCipher(true, engine, key, new byte[engine.getBlockSize()], sessionInfo, 0, sessionInfo.length);
         }
         catch (InvalidCipherTextException e)
         {
@@ -116,19 +104,6 @@ protected byte[] generateV6KEK(int kekAlgorithm, byte[] ikm, byte[] info)
     protected byte[] getEskAndTag(int kekAlgorithm, int aeadAlgorithm, byte[] sessionKey, byte[] key, byte[] iv, byte[] info)
         throws PGPException
     {
-        AEADCipher aeadCipher = BcAEADUtil.createAEADCipher(kekAlgorithm, aeadAlgorithm);
-        aeadCipher.init(true, new AEADParameters(new KeyParameter(key), 128, iv, info));
-        int outLen = aeadCipher.getOutputSize(sessionKey.length);
-        byte[] eskAndTag = new byte[outLen];
-        int len = aeadCipher.processBytes(sessionKey, 0, sessionKey.length, eskAndTag, 0);
-        try
-        {
-            len += aeadCipher.doFinal(eskAndTag, len);
-        }
-        catch (InvalidCipherTextException e)
-        {
-            throw new PGPException("cannot encrypt session info", e);
-        }
-        return eskAndTag;
+        return BcAEADUtil.processAEADData(true, kekAlgorithm, aeadAlgorithm, key, iv, info, sessionKey, 0, sessionKey.length, BcAEADUtil.GetEskAndTagErrorMessage);
     }
 }