Extract BeAEADUtil.processAEADData,and processAeadKeyData functions.

Author: gefeili

pg/src/main/java/org/bouncycastle/openpgp/operator/bc/BcAEADSecretKeyEncryptorBuilder.java

@@ -7,24 +7,16 @@
 import org.bouncycastle.bcpg.PacketTags;
 import org.bouncycastle.bcpg.PublicKeyPacket;
 import org.bouncycastle.bcpg.S2K;
-import org.bouncycastle.bcpg.SymmetricKeyUtils;
-import org.bouncycastle.crypto.InvalidCipherTextException;
-import org.bouncycastle.crypto.digests.SHA256Digest;
-import org.bouncycastle.crypto.generators.HKDFBytesGenerator;
-import org.bouncycastle.crypto.modes.AEADBlockCipher;
-import org.bouncycastle.crypto.params.AEADParameters;
-import org.bouncycastle.crypto.params.HKDFParameters;
-import org.bouncycastle.crypto.params.KeyParameter;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor;
-import org.bouncycastle.util.Arrays;
 
 public class BcAEADSecretKeyEncryptorBuilder
 {
 
     private int aeadAlgorithm;
     private int symmetricAlgorithm;
     private S2K.Argon2Params argon2Params;
+    private SecureRandom random = new SecureRandom();
 
     public BcAEADSecretKeyEncryptorBuilder(int aeadAlgorithm, int symmetricAlgorithm, S2K.Argon2Params argon2Params)
     {
@@ -33,9 +25,15 @@ public BcAEADSecretKeyEncryptorBuilder(int aeadAlgorithm, int symmetricAlgorithm
         this.argon2Params = argon2Params;
     }
 
-    public PBESecretKeyEncryptor build(char[] passphrase, final PublicKeyPacket pubKey)
+    public BcAEADSecretKeyEncryptorBuilder setSecureRandom(SecureRandom random)
     {
-        return new PBESecretKeyEncryptor(symmetricAlgorithm, aeadAlgorithm, argon2Params, new SecureRandom(), passphrase)
+        this.random = random;
+        return this;
+    }
+
+    public PBESecretKeyEncryptor build(char[] passphrase, PublicKeyPacket pubKey)
+    {
+        return new PBESecretKeyEncryptor(symmetricAlgorithm, aeadAlgorithm, argon2Params, random, passphrase)
         {
             private byte[] iv;
 
@@ -48,49 +46,24 @@ public PBESecretKeyEncryptor build(char[] passphrase, final PublicKeyPacket pubK
             public byte[] encryptKeyData(byte[] key, byte[] keyData, int keyOff, int keyLen)
                 throws PGPException
             {
-                int packetTag = pubKey.getPacketTag() == PacketTags.PUBLIC_KEY ? PacketTags.SECRET_KEY : PacketTags.SECRET_SUBKEY;
-                byte[] hkdfInfo = new byte[] {
-                    (byte) (0xC0 | packetTag),
-                    (byte) pubKey.getVersion(),
-                    (byte) symmetricAlgorithm,
-                    (byte) aeadAlgorithm
-                };
-
-                HKDFParameters hkdfParameters = new HKDFParameters(
-                    getKey(),
-                    null,
-                    hkdfInfo);
-
-                HKDFBytesGenerator hkdfGen = new HKDFBytesGenerator(new SHA256Digest());
-                hkdfGen.init(hkdfParameters);
-                key = new byte[SymmetricKeyUtils.getKeyLengthInOctets(encAlgorithm)];
-                hkdfGen.generateBytes(key, 0, key.length);
-
                 try
                 {
-                    byte[] aad = Arrays.prepend(pubKey.getEncodedContents(), (byte) (0xC0 | packetTag));
-                    AEADBlockCipher cipher = BcAEADUtil.createAEADCipher(encAlgorithm, aeadAlgorithm);
-                    cipher.init(true, new AEADParameters(
-                        new KeyParameter(key),
-                        128,
+                    return BcAEADUtil.processAeadKeyData(true,
+                        encAlgorithm,
+                        aeadAlgorithm,
+                        getKey(),
                         getCipherIV(),
-                        aad
-                    ));
-                    int dataLen = cipher.getOutputSize(keyData.length);
-                    byte[] encKey = new byte[dataLen];
-                    dataLen = cipher.processBytes(keyData, 0, keyData.length, encKey, 0);
-
-                    cipher.doFinal(encKey, dataLen);
-                    return encKey;
+                        pubKey.getPacketTag() == PacketTags.PUBLIC_KEY ? PacketTags.SECRET_KEY : PacketTags.SECRET_SUBKEY,
+                        pubKey.getVersion(),
+                        keyData,
+                        keyOff,
+                        keyLen,
+                        pubKey.getEncodedContents());
                 }
                 catch (IOException e)
                 {
                       throw new PGPException("Exception AEAD protecting private key material", e);
                 }
-                catch (InvalidCipherTextException e)
-                {
-                    throw new PGPException("Exception AEAD protecting private key material", e);
-                }
             }
 
             @Override

pg/src/main/java/org/bouncycastle/openpgp/operator/bc/BcAEADUtil.java

@@ -34,6 +34,9 @@
 
 public class BcAEADUtil
 {
+    final static String RecoverAEADEncryptedSessionDataErrorMessage = "Exception recovering session info";
+    private final static String ProcessAeadKeyDataErrorMessage = "Exception recovering AEAD protected private key material";
+    final static String GetEskAndTagErrorMessage = "cannot encrypt session info";
     /**
      * Generate a nonce by xor-ing the given iv with the chunk index.
      *
@@ -275,6 +278,45 @@ public PGPDigestCalculator getIntegrityCalculator()
         };
     }
 
+    static byte[] processAEADData(boolean forEncryption, int encAlgorithm, int aeadAlgorithm, byte[] key, byte[] iv, byte[] aad, byte[] msg, int off, int len, String errorMessage)
+        throws PGPException
+    {
+        AEADBlockCipher cipher = createAEADCipher(encAlgorithm, aeadAlgorithm);
+        try
+        {
+            return processAEADData(forEncryption, cipher, new KeyParameter(key), iv, aad, msg, off, len);
+        }
+        catch (InvalidCipherTextException e)
+        {
+            throw new PGPException(errorMessage, e);
+        }
+    }
+
+    static byte[] processAEADData(boolean forEncryption, AEADBlockCipher cipher, KeyParameter key, byte[] iv, byte[] aad, byte[] msg, int off, int msgLen)
+        throws InvalidCipherTextException
+    {
+        cipher.init(forEncryption, new AEADParameters(key, 128, iv, aad));
+        int dataLen = cipher.getOutputSize(msgLen);
+        byte[] data = new byte[dataLen];
+        dataLen = cipher.processBytes(msg, off, msgLen, data, 0);
+        cipher.doFinal(data, dataLen);
+        return data;
+    }
+
+    static byte[] processAeadKeyData(boolean forEncryption, int encAlgorithm, int aeadAlgorithm, byte[] s2kKey, byte[] iv,
+                                     int packetTag, int keyVersion, byte[] keyData, int keyOff, int keyLen, byte[] pubkeyData)
+        throws PGPException
+    {
+        byte[] key = generateHKDFBytes(s2kKey,
+            null,
+            new byte[]{
+                (byte)(0xC0 | packetTag), (byte)keyVersion, (byte)encAlgorithm, (byte)aeadAlgorithm
+            },
+            SymmetricKeyUtils.getKeyLengthInOctets(encAlgorithm));
+        byte[] aad = Arrays.prepend(pubkeyData, (byte)(0xC0 | packetTag));
+        return processAEADData(forEncryption, encAlgorithm, aeadAlgorithm, key, iv, aad, keyData, keyOff, keyLen, ProcessAeadKeyDataErrorMessage);
+    }
+
     protected static class PGPAeadInputStream
         extends InputStream
     {
@@ -422,16 +464,10 @@ private byte[] readBlock()
                 xorChunkId(adata, chunkIndex);
             }
 
-            byte[] decData = new byte[dataLen];
+            byte[] decData;
             try
             {
-                c.init(false, new AEADParameters(secretKey, 128, getNonce(iv, chunkIndex)));  // always full tag.
-
-                c.processAADBytes(adata, 0, adata.length);
-
-                int len = c.processBytes(buf, 0, dataLen + tagLen, decData, 0);
-
-                c.doFinal(decData, len);
+                decData = processAEADData(false, c, secretKey, getNonce(iv, chunkIndex), adata, buf, 0, dataLen + tagLen);
             }
             catch (InvalidCipherTextException e)
             {
@@ -449,9 +485,8 @@ private byte[] readBlock()
 
                 try
                 {
-                    c.init(false, new AEADParameters(secretKey, 128, getNonce(iv, chunkIndex)));  // always full tag.
+                    c.init(false, new AEADParameters(secretKey, 128, getNonce(iv, chunkIndex), adata));  // always full tag.
 
-                    c.processAADBytes(adata, 0, adata.length);
                     if (isV5StyleAEAD)
                     {
                         c.processAADBytes(Pack.longToBigEndian(totalBytes), 0, 8);
@@ -625,8 +660,7 @@ private void writeBlock()
 
             try
             {
-                c.init(true, new AEADParameters(secretKey, 128, getNonce(iv, chunkIndex)));  // always full tag.
-                c.processAADBytes(adata, 0, adata.length);
+                c.init(true, new AEADParameters(secretKey, 128, getNonce(iv, chunkIndex), adata));  // always full tag.
 
                 int len = c.processBytes(data, 0, dataOff, data, 0);
                 out.write(data, 0, len);
@@ -655,8 +689,8 @@ private void finish()
             byte[] adata = PGPAeadInputStream.getAdata(v5StyleAEAD, aaData, chunkIndex, totalBytes);
             try
             {
-                c.init(true, new AEADParameters(secretKey, 128, getNonce(iv, chunkIndex)));  // always full tag.
-                c.processAADBytes(adata, 0, adata.length);
+                c.init(true, new AEADParameters(secretKey, 128, getNonce(iv, chunkIndex), adata));  // always full tag.
+
                 if (v5StyleAEAD)
                 {
                     c.processAADBytes(Pack.longToBigEndian(totalBytes), 0, 8);

pg/src/main/java/org/bouncycastle/openpgp/operator/bc/BcPBEDataDecryptorFactory.java

@@ -8,15 +8,11 @@
 import org.bouncycastle.bcpg.UnsupportedPacketVersionException;
 import org.bouncycastle.crypto.BlockCipher;
 import org.bouncycastle.crypto.BufferedBlockCipher;
-import org.bouncycastle.crypto.InvalidCipherTextException;
-import org.bouncycastle.crypto.modes.AEADBlockCipher;
-import org.bouncycastle.crypto.params.AEADParameters;
-import org.bouncycastle.crypto.params.KeyParameter;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPSessionKey;
 import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.PGPDataDecryptor;
-import org.bouncycastle.openpgp.operator.PGPDigestCalculatorProvider;
+import org.bouncycastle.util.Arrays;
 
 /**
  * A {@link PBEDataDecryptorFactory} for handling PBE decryption operations using the Bouncy Castle
@@ -31,7 +27,7 @@ public class BcPBEDataDecryptorFactory
      * @param pass               the passphrase to use as the primary source of key material.
      * @param calculatorProvider a digest calculator provider to provide calculators to support the key generation calculation required.
      */
-    public BcPBEDataDecryptorFactory(char[] pass, PGPDigestCalculatorProvider calculatorProvider)
+    public BcPBEDataDecryptorFactory(char[] pass, BcPGPDigestCalculatorProvider calculatorProvider)
     {
         super(pass, calculatorProvider);
     }
@@ -92,50 +88,29 @@ public byte[] recoverAEADEncryptedSessionData(SymmetricKeyEncSessionPacket keyDa
 
         byte[] hkdfInfo = keyData.getAAData(); // Between v5 and v6, these bytes differ
 
-        KeyParameter secretKey;
+        byte[] kek;
         if (keyData.getVersion() == SymmetricKeyEncSessionPacket.VERSION_5)
         {
-            secretKey = new KeyParameter(ikm);
+            kek = ikm;
         }
         else if (keyData.getVersion() == SymmetricKeyEncSessionPacket.VERSION_6)
         {
             // HKDF
             // secretKey := HKDF_sha256(ikm, hkdfInfo).generate()
             int kekLen = SymmetricKeyUtils.getKeyLengthInOctets(keyData.getEncAlgorithm());
-            byte[] kek = BcAEADUtil.generateHKDFBytes(ikm, null, hkdfInfo, kekLen);
-            secretKey = new KeyParameter(kek);
+            kek = BcAEADUtil.generateHKDFBytes(ikm, null, hkdfInfo, kekLen);
         }
         else
         {
             throw new UnsupportedPacketVersionException("Unsupported SKESK packet version encountered: " + keyData.getVersion());
         }
 
         // AEAD
-        AEADBlockCipher aead = BcAEADUtil.createAEADCipher(keyData.getEncAlgorithm(), keyData.getAeadAlgorithm());
-        int aeadMacLen = 128;
-        byte[] authTag = keyData.getAuthTag();
-        byte[] aeadIv = keyData.getIv();
-        byte[] encSessionKey = keyData.getSecKeyData();
-
         // sessionData := AEAD(secretKey).decrypt(encSessionKey || authTag)
-        AEADParameters parameters = new AEADParameters(secretKey,
-            aeadMacLen, aeadIv, keyData.getAAData());
-        aead.init(false, parameters);
-        int sessionKeyLen = aead.getOutputSize(encSessionKey.length + authTag.length);
-        byte[] sessionData = new byte[sessionKeyLen];
-        int dataLen = aead.processBytes(encSessionKey, 0, encSessionKey.length, sessionData, 0);
-        dataLen += aead.processBytes(authTag, 0, authTag.length, sessionData, dataLen);
-
-        try
-        {
-            aead.doFinal(sessionData, dataLen);
-        }
-        catch (InvalidCipherTextException e)
-        {
-            throw new PGPException("Exception recovering session info", e);
-        }
-
-        return sessionData;
+        byte[] data = Arrays.concatenate(keyData.getSecKeyData(), keyData.getAuthTag());
+        return BcAEADUtil.processAEADData(false, keyData.getEncAlgorithm(), keyData.getAeadAlgorithm(), kek,
+            keyData.getIv(), keyData.getAAData(), data, 0, data.length,
+            BcAEADUtil.RecoverAEADEncryptedSessionDataErrorMessage);
     }
 
     // OpenPGP v4

pg/src/main/java/org/bouncycastle/openpgp/operator/bc/BcPBEKeyEncryptionMethodGenerator.java

@@ -7,9 +7,6 @@
 import org.bouncycastle.crypto.BlockCipher;
 import org.bouncycastle.crypto.BufferedBlockCipher;
 import org.bouncycastle.crypto.InvalidCipherTextException;
-import org.bouncycastle.crypto.modes.AEADCipher;
-import org.bouncycastle.crypto.params.AEADParameters;
-import org.bouncycastle.crypto.params.KeyParameter;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.operator.PBEKeyEncryptionMethodGenerator;
 import org.bouncycastle.openpgp.operator.PGPDigestCalculator;
@@ -113,22 +110,11 @@ protected byte[] generateV6KEK(int kekAlgorithm, byte[] ikm, byte[] info)
         return BcAEADUtil.generateHKDFBytes(ikm, null, info, SymmetricKeyUtils.getKeyLengthInOctets(kekAlgorithm));
     }
 
-    protected byte[] getEskAndTag(int kekAlgorithm, int aeadAlgorithm, byte[] sessionKey, byte[] key, byte[] iv, byte[] info)
+    protected byte[] getEskAndTag(int kekAlgorithm, int aeadAlgorithm, byte[] sessionInfo, byte[] key, byte[] iv, byte[] info)
         throws PGPException
     {
-        AEADCipher aeadCipher = BcAEADUtil.createAEADCipher(kekAlgorithm, aeadAlgorithm);
-        aeadCipher.init(true, new AEADParameters(new KeyParameter(key), 128, iv, info));
-        int outLen = aeadCipher.getOutputSize(sessionKey.length);
-        byte[] eskAndTag = new byte[outLen];
-        int len = aeadCipher.processBytes(sessionKey, 0, sessionKey.length, eskAndTag, 0);
-        try
-        {
-            len += aeadCipher.doFinal(eskAndTag, len);
-        }
-        catch (InvalidCipherTextException e)
-        {
-            throw new PGPException("cannot encrypt session info", e);
-        }
-        return eskAndTag;
+        byte[] sessionKey = new byte[sessionInfo.length - 3];
+        System.arraycopy(sessionInfo, 1, sessionKey, 0, sessionKey.length);
+        return BcAEADUtil.processAEADData(true, kekAlgorithm, aeadAlgorithm, key, iv, info, sessionKey, 0, sessionKey.length, BcAEADUtil.GetEskAndTagErrorMessage);
     }
 }

pg/src/main/java/org/bouncycastle/openpgp/operator/bc/BcPBESecretKeyDecryptorBuilder.java

@@ -1,18 +1,10 @@
 package org.bouncycastle.openpgp.operator.bc;
 
-import org.bouncycastle.bcpg.SymmetricKeyUtils;
 import org.bouncycastle.crypto.BufferedBlockCipher;
 import org.bouncycastle.crypto.InvalidCipherTextException;
-import org.bouncycastle.crypto.digests.SHA256Digest;
-import org.bouncycastle.crypto.generators.HKDFBytesGenerator;
-import org.bouncycastle.crypto.modes.AEADBlockCipher;
-import org.bouncycastle.crypto.params.AEADParameters;
-import org.bouncycastle.crypto.params.HKDFParameters;
-import org.bouncycastle.crypto.params.KeyParameter;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
 import org.bouncycastle.openpgp.operator.PGPDigestCalculatorProvider;
-import org.bouncycastle.util.Arrays;
 
 public class BcPBESecretKeyDecryptorBuilder
 {
@@ -50,37 +42,7 @@ public byte[] recoverKeyData(int encAlgorithm, byte[] key, byte[] iv, byte[] key
             @Override
             public byte[] recoverKeyData(int encAlgorithm, int aeadAlgorithm, byte[] s2kKey, byte[] iv, int packetTag, int keyVersion, byte[] keyData, byte[] pubkeyData) throws PGPException
             {
-                byte[] hkdfInfo = new byte[] {
-                    (byte) (0xC0 | packetTag), (byte) keyVersion, (byte) encAlgorithm, (byte) aeadAlgorithm
-                };
-
-                HKDFParameters hkdfParameters = new HKDFParameters(s2kKey, null, hkdfInfo);
-                HKDFBytesGenerator hkdfGen = new HKDFBytesGenerator(new SHA256Digest());
-                hkdfGen.init(hkdfParameters);
-                byte[] key = new byte[SymmetricKeyUtils.getKeyLengthInOctets(encAlgorithm)];
-                hkdfGen.generateBytes(key, 0, key.length);
-
-                byte[] aad = Arrays.prepend(pubkeyData, (byte) (0xC0 | packetTag));
-                AEADBlockCipher cipher = BcAEADUtil.createAEADCipher(encAlgorithm, aeadAlgorithm);
-                cipher.init(false, new AEADParameters(
-                    new KeyParameter(key),
-                    128,
-                    iv,
-                    aad
-                ));
-                int dataLen = cipher.getOutputSize(keyData.length);
-                byte[] data = new byte[dataLen];
-                dataLen = cipher.processBytes(keyData, 0, keyData.length, data, 0);
-
-                try
-                {
-                    cipher.doFinal(data, dataLen);
-                    return data;
-                }
-                catch (InvalidCipherTextException e)
-                {
-                    throw new PGPException("Exception recovering AEAD protected private key material", e);
-                }
+                return BcAEADUtil.processAeadKeyData(false, encAlgorithm, aeadAlgorithm, s2kKey, iv, packetTag, keyVersion, keyData, 0, keyData.length, pubkeyData);
             }
         };
     }