Extract BcUtil.processBufferedBlockCipher function

Author: gefeili

pg/src/main/java/org/bouncycastle/openpgp/operator/bc/BcAEADUtil.java

@@ -34,6 +34,9 @@
 
 public class BcAEADUtil
 {
+    final static String RecoverAEADEncryptedSessionDataErrorMessage = "Exception recovering session info";
+    private final static String ProcessAeadKeyDataErrorMessage = "Exception recovering AEAD protected private key material";
+    final static String GetEskAndTagErrorMessage = "cannot encrypt session info";
     /**
      * Generate a nonce by xor-ing the given iv with the chunk index.
      *
@@ -275,6 +278,45 @@ public PGPDigestCalculator getIntegrityCalculator()
         };
     }
 
+    static byte[] processAEADData(boolean forEncryption, int encAlgorithm, int aeadAlgorithm, byte[] key, byte[] iv, byte[] aad, byte[] msg, int off, int len, String errorMessage)
+        throws PGPException
+    {
+        AEADBlockCipher cipher = createAEADCipher(encAlgorithm, aeadAlgorithm);
+        try
+        {
+            return processAEADData(forEncryption, cipher, new KeyParameter(key), iv, aad, msg, off, len);
+        }
+        catch (InvalidCipherTextException e)
+        {
+            throw new PGPException(errorMessage, e);
+        }
+    }
+
+    static byte[] processAEADData(boolean forEncryption, AEADBlockCipher cipher, KeyParameter key, byte[] iv, byte[] aad, byte[] msg, int off, int msgLen)
+        throws InvalidCipherTextException
+    {
+        cipher.init(forEncryption, new AEADParameters(key, 128, iv, aad));
+        int dataLen = cipher.getOutputSize(msgLen);
+        byte[] data = new byte[dataLen];
+        dataLen = cipher.processBytes(msg, off, msgLen, data, 0);
+        cipher.doFinal(data, dataLen);
+        return data;
+    }
+
+    static byte[] processAeadKeyData(boolean forEncryption, int encAlgorithm, int aeadAlgorithm, byte[] s2kKey, byte[] iv,
+                                     int packetTag, int keyVersion, byte[] keyData, int keyOff, int keyLen, byte[] pubkeyData)
+        throws PGPException
+    {
+        byte[] key = generateHKDFBytes(s2kKey,
+            null,
+            new byte[]{
+                (byte)(0xC0 | packetTag), (byte)keyVersion, (byte)encAlgorithm, (byte)aeadAlgorithm
+            },
+            SymmetricKeyUtils.getKeyLengthInOctets(encAlgorithm));
+        byte[] aad = Arrays.prepend(pubkeyData, (byte)(0xC0 | packetTag));
+        return processAEADData(forEncryption, encAlgorithm, aeadAlgorithm, key, iv, aad, keyData, keyOff, keyLen, ProcessAeadKeyDataErrorMessage);
+    }
+
     protected static class PGPAeadInputStream
         extends InputStream
     {
@@ -422,16 +464,10 @@ private byte[] readBlock()
                 xorChunkId(adata, chunkIndex);
             }
 
-            byte[] decData = new byte[dataLen];
+            byte[] decData;
             try
             {
-                c.init(false, new AEADParameters(secretKey, 128, getNonce(iv, chunkIndex)));  // always full tag.
-
-                c.processAADBytes(adata, 0, adata.length);
-
-                int len = c.processBytes(buf, 0, dataLen + tagLen, decData, 0);
-
-                c.doFinal(decData, len);
+                decData = processAEADData(false, c, secretKey, getNonce(iv, chunkIndex), adata, buf, 0, dataLen + tagLen);
             }
             catch (InvalidCipherTextException e)
             {
@@ -449,9 +485,8 @@ private byte[] readBlock()
 
                 try
                 {
-                    c.init(false, new AEADParameters(secretKey, 128, getNonce(iv, chunkIndex)));  // always full tag.
+                    c.init(false, new AEADParameters(secretKey, 128, getNonce(iv, chunkIndex), adata));  // always full tag.
 
-                    c.processAADBytes(adata, 0, adata.length);
                     if (isV5StyleAEAD)
                     {
                         c.processAADBytes(Pack.longToBigEndian(totalBytes), 0, 8);
@@ -625,8 +660,7 @@ private void writeBlock()
 
             try
             {
-                c.init(true, new AEADParameters(secretKey, 128, getNonce(iv, chunkIndex)));  // always full tag.
-                c.processAADBytes(adata, 0, adata.length);
+                c.init(true, new AEADParameters(secretKey, 128, getNonce(iv, chunkIndex), adata));  // always full tag.
 
                 int len = c.processBytes(data, 0, dataOff, data, 0);
                 out.write(data, 0, len);
@@ -655,8 +689,8 @@ private void finish()
             byte[] adata = PGPAeadInputStream.getAdata(v5StyleAEAD, aaData, chunkIndex, totalBytes);
             try
             {
-                c.init(true, new AEADParameters(secretKey, 128, getNonce(iv, chunkIndex)));  // always full tag.
-                c.processAADBytes(adata, 0, adata.length);
+                c.init(true, new AEADParameters(secretKey, 128, getNonce(iv, chunkIndex), adata));  // always full tag.
+
                 if (v5StyleAEAD)
                 {
                     c.processAADBytes(Pack.longToBigEndian(totalBytes), 0, 8);

pg/src/main/java/org/bouncycastle/openpgp/operator/bc/BcPBEDataDecryptorFactory.java

@@ -7,16 +7,11 @@
 import org.bouncycastle.bcpg.SymmetricKeyUtils;
 import org.bouncycastle.bcpg.UnsupportedPacketVersionException;
 import org.bouncycastle.crypto.BlockCipher;
-import org.bouncycastle.crypto.BufferedBlockCipher;
-import org.bouncycastle.crypto.InvalidCipherTextException;
-import org.bouncycastle.crypto.modes.AEADBlockCipher;
-import org.bouncycastle.crypto.params.AEADParameters;
-import org.bouncycastle.crypto.params.KeyParameter;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPSessionKey;
 import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.PGPDataDecryptor;
-import org.bouncycastle.openpgp.operator.PGPDigestCalculatorProvider;
+import org.bouncycastle.util.Arrays;
 
 /**
  * A {@link PBEDataDecryptorFactory} for handling PBE decryption operations using the Bouncy Castle
@@ -31,7 +26,7 @@ public class BcPBEDataDecryptorFactory
      * @param pass               the passphrase to use as the primary source of key material.
      * @param calculatorProvider a digest calculator provider to provide calculators to support the key generation calculation required.
      */
-    public BcPBEDataDecryptorFactory(char[] pass, PGPDigestCalculatorProvider calculatorProvider)
+    public BcPBEDataDecryptorFactory(char[] pass, BcPGPDigestCalculatorProvider calculatorProvider)
     {
         super(pass, calculatorProvider);
     }
@@ -55,15 +50,7 @@ public byte[] recoverSessionData(int keyAlgorithm, byte[] key, byte[] secKeyData
             if (secKeyData != null && secKeyData.length > 0)
             {
                 BlockCipher engine = BcImplProvider.createBlockCipher(keyAlgorithm);
-                BufferedBlockCipher cipher = BcUtil.createSymmetricKeyWrapper(false, engine, key, new byte[engine.getBlockSize()]);
-
-                byte[] out = new byte[secKeyData.length];
-
-                int len = cipher.processBytes(secKeyData, 0, secKeyData.length, out, 0);
-
-                len += cipher.doFinal(out, len);
-
-                return out;
+                return BcUtil.processBufferedBlockCipher(false, engine, key, new byte[engine.getBlockSize()], secKeyData, 0, secKeyData.length);
             }
             else
             {
@@ -92,50 +79,29 @@ public byte[] recoverAEADEncryptedSessionData(SymmetricKeyEncSessionPacket keyDa
 
         byte[] hkdfInfo = keyData.getAAData(); // Between v5 and v6, these bytes differ
 
-        KeyParameter secretKey;
+        byte[] kek;
         if (keyData.getVersion() == SymmetricKeyEncSessionPacket.VERSION_5)
         {
-            secretKey = new KeyParameter(ikm);
+            kek = ikm;
         }
         else if (keyData.getVersion() == SymmetricKeyEncSessionPacket.VERSION_6)
         {
             // HKDF
             // secretKey := HKDF_sha256(ikm, hkdfInfo).generate()
             int kekLen = SymmetricKeyUtils.getKeyLengthInOctets(keyData.getEncAlgorithm());
-            byte[] kek = BcAEADUtil.generateHKDFBytes(ikm, null, hkdfInfo, kekLen);
-            secretKey = new KeyParameter(kek);
+            kek = BcAEADUtil.generateHKDFBytes(ikm, null, hkdfInfo, kekLen);
         }
         else
         {
             throw new UnsupportedPacketVersionException("Unsupported SKESK packet version encountered: " + keyData.getVersion());
         }
 
         // AEAD
-        AEADBlockCipher aead = BcAEADUtil.createAEADCipher(keyData.getEncAlgorithm(), keyData.getAeadAlgorithm());
-        int aeadMacLen = 128;
-        byte[] authTag = keyData.getAuthTag();
-        byte[] aeadIv = keyData.getIv();
-        byte[] encSessionKey = keyData.getSecKeyData();
-
         // sessionData := AEAD(secretKey).decrypt(encSessionKey || authTag)
-        AEADParameters parameters = new AEADParameters(secretKey,
-            aeadMacLen, aeadIv, keyData.getAAData());
-        aead.init(false, parameters);
-        int sessionKeyLen = aead.getOutputSize(encSessionKey.length + authTag.length);
-        byte[] sessionData = new byte[sessionKeyLen];
-        int dataLen = aead.processBytes(encSessionKey, 0, encSessionKey.length, sessionData, 0);
-        dataLen += aead.processBytes(authTag, 0, authTag.length, sessionData, dataLen);
-
-        try
-        {
-            aead.doFinal(sessionData, dataLen);
-        }
-        catch (InvalidCipherTextException e)
-        {
-            throw new PGPException("Exception recovering session info", e);
-        }
-
-        return sessionData;
+        byte[] data = Arrays.concatenate(keyData.getSecKeyData(), keyData.getAuthTag());
+        return BcAEADUtil.processAEADData(false, keyData.getEncAlgorithm(), keyData.getAeadAlgorithm(), kek,
+            keyData.getIv(), keyData.getAAData(), data, 0, data.length,
+            BcAEADUtil.RecoverAEADEncryptedSessionDataErrorMessage);
     }
 
     // OpenPGP v4

pg/src/main/java/org/bouncycastle/openpgp/operator/bc/BcPBEKeyEncryptionMethodGenerator.java

@@ -5,11 +5,7 @@
 import org.bouncycastle.bcpg.S2K;
 import org.bouncycastle.bcpg.SymmetricKeyUtils;
 import org.bouncycastle.crypto.BlockCipher;
-import org.bouncycastle.crypto.BufferedBlockCipher;
 import org.bouncycastle.crypto.InvalidCipherTextException;
-import org.bouncycastle.crypto.modes.AEADCipher;
-import org.bouncycastle.crypto.params.AEADParameters;
-import org.bouncycastle.crypto.params.KeyParameter;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.operator.PBEKeyEncryptionMethodGenerator;
 import org.bouncycastle.openpgp.operator.PGPDigestCalculator;
@@ -92,15 +88,7 @@ protected byte[] encryptSessionInfo(int encAlgorithm, byte[] key, byte[] session
         try
         {
             BlockCipher engine = BcImplProvider.createBlockCipher(encAlgorithm);
-            BufferedBlockCipher cipher = BcUtil.createSymmetricKeyWrapper(true, engine, key, new byte[engine.getBlockSize()]);
-
-            byte[] out = new byte[sessionInfo.length];
-
-            int len = cipher.processBytes(sessionInfo, 0, sessionInfo.length, out, 0);
-
-            len += cipher.doFinal(out, len);
-
-            return out;
+            return BcUtil.processBufferedBlockCipher(true, engine, key, new byte[engine.getBlockSize()], sessionInfo, 0, sessionInfo.length);
         }
         catch (InvalidCipherTextException e)
         {
@@ -113,22 +101,11 @@ protected byte[] generateV6KEK(int kekAlgorithm, byte[] ikm, byte[] info)
         return BcAEADUtil.generateHKDFBytes(ikm, null, info, SymmetricKeyUtils.getKeyLengthInOctets(kekAlgorithm));
     }
 
-    protected byte[] getEskAndTag(int kekAlgorithm, int aeadAlgorithm, byte[] sessionKey, byte[] key, byte[] iv, byte[] info)
+    protected byte[] getEskAndTag(int kekAlgorithm, int aeadAlgorithm, byte[] sessionInfo, byte[] key, byte[] iv, byte[] info)
         throws PGPException
     {
-        AEADCipher aeadCipher = BcAEADUtil.createAEADCipher(kekAlgorithm, aeadAlgorithm);
-        aeadCipher.init(true, new AEADParameters(new KeyParameter(key), 128, iv, info));
-        int outLen = aeadCipher.getOutputSize(sessionKey.length);
-        byte[] eskAndTag = new byte[outLen];
-        int len = aeadCipher.processBytes(sessionKey, 0, sessionKey.length, eskAndTag, 0);
-        try
-        {
-            len += aeadCipher.doFinal(eskAndTag, len);
-        }
-        catch (InvalidCipherTextException e)
-        {
-            throw new PGPException("cannot encrypt session info", e);
-        }
-        return eskAndTag;
+        byte[] sessionKey = new byte[sessionInfo.length - 3];
+        System.arraycopy(sessionInfo, 1, sessionKey, 0, sessionKey.length);
+        return BcAEADUtil.processAEADData(true, kekAlgorithm, aeadAlgorithm, key, iv, info, sessionKey, 0, sessionKey.length, BcAEADUtil.GetEskAndTagErrorMessage);
     }
 }

pg/src/main/java/org/bouncycastle/openpgp/operator/bc/BcPBESecretKeyDecryptorBuilder.java

@@ -1,18 +1,9 @@
 package org.bouncycastle.openpgp.operator.bc;
 
-import org.bouncycastle.bcpg.SymmetricKeyUtils;
-import org.bouncycastle.crypto.BufferedBlockCipher;
 import org.bouncycastle.crypto.InvalidCipherTextException;
-import org.bouncycastle.crypto.digests.SHA256Digest;
-import org.bouncycastle.crypto.generators.HKDFBytesGenerator;
-import org.bouncycastle.crypto.modes.AEADBlockCipher;
-import org.bouncycastle.crypto.params.AEADParameters;
-import org.bouncycastle.crypto.params.HKDFParameters;
-import org.bouncycastle.crypto.params.KeyParameter;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
 import org.bouncycastle.openpgp.operator.PGPDigestCalculatorProvider;
-import org.bouncycastle.util.Arrays;
 
 public class BcPBESecretKeyDecryptorBuilder
 {
@@ -32,14 +23,7 @@ public byte[] recoverKeyData(int encAlgorithm, byte[] key, byte[] iv, byte[] key
             {
                 try
                 {
-                    BufferedBlockCipher c = BcUtil.createSymmetricKeyWrapper(false, BcImplProvider.createBlockCipher(encAlgorithm), key, iv);
-
-                    byte[] out = new byte[keyLen];
-                    int    outLen = c.processBytes(keyData, keyOff, keyLen, out, 0);
-
-                    outLen += c.doFinal(out, outLen);
-
-                    return out;
+                    return BcUtil.processBufferedBlockCipher(false, BcImplProvider.createBlockCipher(encAlgorithm), key, iv, keyData, keyOff, keyLen);
                 }
                 catch (InvalidCipherTextException e)
                 {
@@ -50,37 +34,7 @@ public byte[] recoverKeyData(int encAlgorithm, byte[] key, byte[] iv, byte[] key
             @Override
             public byte[] recoverKeyData(int encAlgorithm, int aeadAlgorithm, byte[] s2kKey, byte[] iv, int packetTag, int keyVersion, byte[] keyData, byte[] pubkeyData) throws PGPException
             {
-                byte[] hkdfInfo = new byte[] {
-                    (byte) (0xC0 | packetTag), (byte) keyVersion, (byte) encAlgorithm, (byte) aeadAlgorithm
-                };
-
-                HKDFParameters hkdfParameters = new HKDFParameters(s2kKey, null, hkdfInfo);
-                HKDFBytesGenerator hkdfGen = new HKDFBytesGenerator(new SHA256Digest());
-                hkdfGen.init(hkdfParameters);
-                byte[] key = new byte[SymmetricKeyUtils.getKeyLengthInOctets(encAlgorithm)];
-                hkdfGen.generateBytes(key, 0, key.length);
-
-                byte[] aad = Arrays.prepend(pubkeyData, (byte) (0xC0 | packetTag));
-                AEADBlockCipher cipher = BcAEADUtil.createAEADCipher(encAlgorithm, aeadAlgorithm);
-                cipher.init(false, new AEADParameters(
-                    new KeyParameter(key),
-                    128,
-                    iv,
-                    aad
-                ));
-                int dataLen = cipher.getOutputSize(keyData.length);
-                byte[] data = new byte[dataLen];
-                dataLen = cipher.processBytes(keyData, 0, keyData.length, data, 0);
-
-                try
-                {
-                    cipher.doFinal(data, dataLen);
-                    return data;
-                }
-                catch (InvalidCipherTextException e)
-                {
-                    throw new PGPException("Exception recovering AEAD protected private key material", e);
-                }
+                return BcAEADUtil.processAeadKeyData(false, encAlgorithm, aeadAlgorithm, s2kKey, iv, packetTag, keyVersion, keyData, 0, keyData.length, pubkeyData);
             }
         };
     }

pg/src/main/java/org/bouncycastle/openpgp/operator/bc/BcPBESecretKeyEncryptorBuilder.java

@@ -3,7 +3,6 @@
 import java.security.SecureRandom;
 
 import org.bouncycastle.crypto.BlockCipher;
-import org.bouncycastle.crypto.BufferedBlockCipher;
 import org.bouncycastle.crypto.InvalidCipherTextException;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor;
@@ -117,15 +116,7 @@ public byte[] encryptKeyData(byte[] key, byte[] iv, byte[] keyData, int keyOff,
 
                         this.random.nextBytes(iv);
                     }
-
-                    BufferedBlockCipher c = BcUtil.createSymmetricKeyWrapper(true, engine, key, iv);
-
-                    byte[] out = new byte[keyLen];
-                    int    outLen = c.processBytes(keyData, keyOff, keyLen, out, 0);
-
-                    outLen += c.doFinal(out, outLen);
-
-                    return out;
+                    return BcUtil.processBufferedBlockCipher(true, engine, key, iv, keyData, keyOff, keyLen);
                 }
                 catch (InvalidCipherTextException e)
                 {

pg/src/main/java/org/bouncycastle/openpgp/operator/bc/BcUtil.java

@@ -13,6 +13,7 @@
 import org.bouncycastle.crypto.BlockCipher;
 import org.bouncycastle.crypto.BufferedBlockCipher;
 import org.bouncycastle.crypto.DefaultBufferedBlockCipher;
+import org.bouncycastle.crypto.InvalidCipherTextException;
 import org.bouncycastle.crypto.RawAgreement;
 import org.bouncycastle.crypto.ec.CustomNamedCurves;
 import org.bouncycastle.crypto.io.CipherInputStream;
@@ -102,6 +103,21 @@ public static BufferedBlockCipher createSymmetricKeyWrapper(boolean forEncryptio
         return c;
     }
 
+    static byte[] processBufferedBlockCipher(boolean forEncryption, BlockCipher engine, byte[] key, byte[] iv, byte[] msg, int msgOff, int msgLen)
+        throws InvalidCipherTextException
+
+    {
+        BufferedBlockCipher cipher = BcUtil.createSymmetricKeyWrapper(forEncryption, engine, key, iv);
+
+        byte[] out = new byte[msgLen];
+
+        int len = cipher.processBytes(msg, msgOff, msgLen, out, 0);
+
+        len += cipher.doFinal(out, len);
+
+        return out;
+    }
+
     static X9ECParameters getX9Parameters(ASN1ObjectIdentifier curveOID)
     {
         X9ECParameters x9 = CustomNamedCurves.getByOID(curveOID);