Merge branch 'rfc-8103-1-jcajce' into 'main'

RFC 8103 ChaCha20-Poly1305

See merge request root/bc-java!95

Author: dghgit

core/src/main/java/org/bouncycastle/internal/asn1/kisa/KISAObjectIdentifiers.java

@@ -31,4 +31,7 @@ public interface KISAObjectIdentifiers
 
     /** RFC 9708 MTS-HashSig-2013; OID 1.2.840.113549.1.9.16.0.64 */
     static final ASN1ObjectIdentifier id_mod_mts_hashsig_2013 = new ASN1ObjectIdentifier("1.2.840.113549.1.9.16.0.64");
+
+    /** RFC 8103 id-mod-CMS-AEADChaCha20Poly1305; OID 1.2.840.113549.1.9.16.0.66 */
+    static final ASN1ObjectIdentifier id_mod_CMS_AEADChaCha20Poly1305 = new ASN1ObjectIdentifier("1.2.840.113549.1.9.16.0.66");
 }

mail/src/test/java/org/bouncycastle/mail/smime/test/NewSMIMEAuthEnvelopedTest.java

@@ -348,6 +348,43 @@ public void testCapEncrypt()
         SMIMETestUtil.verifyMessageBytes(msg, res);
     }
 
+    public void testChacha20Poly1305Encrypt()
+        throws Exception
+    {
+        MimeBodyPart msg = SMIMETestUtil.makeMimeBodyPart("WallaWallaWashington");
+
+        SMIMEAuthEnvelopedGenerator gen = new SMIMEAuthEnvelopedGenerator();
+
+        //
+        // create a subject key id - this has to be done the same way as
+        // it is done in the certificate associated with the private key
+        //
+        MessageDigest dig = MessageDigest.getInstance("SHA256", BC);
+
+        dig.update(_reciCert.getPublicKey().getEncoded());
+
+        gen.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(dig.digest(), _reciCert.getPublicKey()).setProvider(BC));
+
+        //
+        // generate a MimeBodyPart object which encapsulates the content
+        // we want encrypted.
+        //
+        MimeBodyPart mp = gen.generate(msg, new JceCMSContentEncryptorBuilder(CMSAlgorithm.ChaCha20Poly1305).setProvider(BC).build());
+
+        SMIMEAuthEnveloped m = new SMIMEAuthEnveloped(mp);
+
+        dig.update(_reciCert.getPublicKey().getEncoded());
+
+        RecipientId recId = new KeyTransRecipientId(dig.digest());
+
+        RecipientInformationStore recipients = m.getRecipientInfos();
+        RecipientInformation recipient = recipients.get(recId);
+
+        MimeBodyPart res = SMIMEUtil.toMimeBodyPart(recipient.getContent(new JceKeyTransEnvelopedRecipient(_reciKP.getPrivate()).setProvider(BC)));
+
+        SMIMETestUtil.verifyMessageBytes(msg, res);
+    }
+
     public void testTwoRecipients()
         throws Exception
     {

pkix/src/main/java/org/bouncycastle/cms/CMSAlgorithm.java

@@ -105,4 +105,5 @@ public class CMSAlgorithm
 
     public static final ASN1ObjectIdentifier  SHAKE128_LEN = NISTObjectIdentifiers.id_shake128_len.intern();
     public static final ASN1ObjectIdentifier  SHAKE256_LEN = NISTObjectIdentifiers.id_shake256_len.intern();
+    public static final ASN1ObjectIdentifier ChaCha20Poly1305 = PKCSObjectIdentifiers.id_alg_AEADChaCha20Poly1305.intern();
 }

pkix/src/main/java/org/bouncycastle/cms/CMSAuthEnvelopedDataGenerator.java

@@ -12,6 +12,7 @@
 import org.bouncycastle.asn1.cms.CMSObjectIdentifiers;
 import org.bouncycastle.asn1.cms.ContentInfo;
 import org.bouncycastle.asn1.cms.EncryptedContentInfo;
+import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.bouncycastle.operator.OutputAEADEncryptor;
 
 public class CMSAuthEnvelopedDataGenerator
@@ -36,10 +37,17 @@ private CMSAuthEnvelopedData doGenerate(
         try
         {
             OutputStream cOut = contentEncryptor.getOutputStream(bOut);
-
-            content.write(cOut);
-
-            authenticatedAttrSet = CMSUtils.processAuthAttrSet(authAttrsGenerator, contentEncryptor);
+            if (contentEncryptor.getAlgorithmIdentifier().getAlgorithm().equals(PKCSObjectIdentifiers.id_alg_AEADChaCha20Poly1305))
+            {
+                // AEAD Ciphers process AAD at first
+                authenticatedAttrSet = CMSUtils.processAuthAttrSet(authAttrsGenerator, contentEncryptor);
+                content.write(cOut);
+            }
+            else
+            {
+                content.write(cOut);
+                authenticatedAttrSet = CMSUtils.processAuthAttrSet(authAttrsGenerator, contentEncryptor);
+            }
 
             cOut.close();
         }
@@ -66,7 +74,7 @@ private CMSAuthEnvelopedData doGenerate(
      * generate an auth-enveloped object that contains an CMS Enveloped Data
      * object using the given provider.
      *
-     * @param content the content to be encrypted
+     * @param content          the content to be encrypted
      * @param contentEncryptor the symmetric key based encryptor to encrypt the content with.
      */
     public CMSAuthEnvelopedData generate(

pkix/src/main/java/org/bouncycastle/cms/jcajce/EnvelopedDataHelper.java

@@ -110,6 +110,7 @@ public class EnvelopedDataHelper
         MAC_ALG_NAMES.put(CMSAlgorithm.AES192_CBC,  "AESMac");
         MAC_ALG_NAMES.put(CMSAlgorithm.AES256_CBC,  "AESMac");
         MAC_ALG_NAMES.put(CMSAlgorithm.RC2_CBC,  "RC2Mac");
+        MAC_ALG_NAMES.put(CMSAlgorithm.ChaCha20Poly1305, "ChaCha20Poly1305Mac");
 
         PBKDF2_ALG_NAMES.put(PasswordRecipient.PRF.HMacSHA1.getAlgorithmID(), "PBKDF2WITHHMACSHA1");
         PBKDF2_ALG_NAMES.put(PasswordRecipient.PRF.HMacSHA224.getAlgorithmID(), "PBKDF2WITHHMACSHA224");
@@ -123,6 +124,7 @@ public class EnvelopedDataHelper
         authEnvelopedAlgorithms.add(NISTObjectIdentifiers.id_aes128_CCM);
         authEnvelopedAlgorithms.add(NISTObjectIdentifiers.id_aes192_CCM);
         authEnvelopedAlgorithms.add(NISTObjectIdentifiers.id_aes256_CCM);
+        authEnvelopedAlgorithms.add(PKCSObjectIdentifiers.id_alg_AEADChaCha20Poly1305);
     }
 
     private static final short[] rc2Table = {

pkix/src/main/java/org/bouncycastle/cms/jcajce/JceCMSContentEncryptorBuilder.java

@@ -376,10 +376,17 @@ public OutputStream getOutputStream(OutputStream dOut)
             {
                 algId = algorithmIdentifier;
             }
-            
-            // TODO: works for CCM too, but others will follow.
-            GCMParameters p = GCMParameters.getInstance(algId.getParameters());
-            macOut = new MacCaptureStream(dOut, p.getIcvLen());
+
+            if (algorithmIdentifier.getAlgorithm().equals(PKCSObjectIdentifiers.id_alg_AEADChaCha20Poly1305))
+            {
+                macOut = new MacCaptureStream(dOut, 16);
+            }
+            else
+            {
+                // TODO: works for CCM too, but others will follow.
+                GCMParameters p = GCMParameters.getInstance(algId.getParameters());
+                macOut = new MacCaptureStream(dOut, p.getIcvLen());
+            }
             return new CipherOutputStream(macOut, cipher);
         }
 

pkix/src/main/java/org/bouncycastle/cms/jcajce/JcePasswordAuthEnvelopedRecipient.java

@@ -0,0 +1,31 @@
+package org.bouncycastle.cms.jcajce;
+
+import java.security.Key;
+
+import javax.crypto.Cipher;
+
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.cms.CMSException;
+import org.bouncycastle.cms.RecipientOperator;
+
+public class JcePasswordAuthEnvelopedRecipient
+    extends JcePasswordRecipient
+{
+    public JcePasswordAuthEnvelopedRecipient(char[] password)
+    {
+        super(password);
+    }
+
+    public RecipientOperator getRecipientOperator(AlgorithmIdentifier keyEncryptionAlgorithm,
+                                                  final AlgorithmIdentifier contentMacAlgorithm,
+                                                  byte[] derivedKey,
+                                                  byte[] encryptedContentEncryptionKey)
+        throws CMSException
+    {
+        Key secretKey = extractSecretKey(keyEncryptionAlgorithm, contentMacAlgorithm, derivedKey, encryptedContentEncryptionKey);
+
+        final Cipher dataCipher = helper.createContentCipher(secretKey, contentMacAlgorithm);
+
+        return new RecipientOperator(new CMSInputAEADDecryptor(contentMacAlgorithm, dataCipher));
+    }
+}

pkix/src/test/java/org/bouncycastle/cms/test/AuthEnvelopedDataTest.java

@@ -22,6 +22,7 @@
 import org.bouncycastle.asn1.cms.GCMParameters;
 import org.bouncycastle.asn1.cms.Time;
 import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
+import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 import org.bouncycastle.cms.CMSAttributeTableGenerationException;
 import org.bouncycastle.cms.CMSAttributeTableGenerator;
@@ -207,6 +208,53 @@ public AttributeTable getAttributes(Map parameters)
         assertEquals("Hello, world!", Strings.fromByteArray(recData));
     }
 
+    public void testChacha20Poly1305()
+        throws Exception
+    {
+        if (!CMSTestUtil.isAeadAvailable())
+        {
+            return;
+        }
+        byte[] message = Strings.toByteArray("Hello, world!");
+        OutputEncryptor candidate = new JceCMSContentEncryptorBuilder(PKCSObjectIdentifiers.id_alg_AEADChaCha20Poly1305).setProvider(BC).build();
+
+        assertEquals(PKCSObjectIdentifiers.id_alg_AEADChaCha20Poly1305, candidate.getAlgorithmIdentifier().getAlgorithm());
+        //assertNotNull(GCMParameters.getInstance(candidate.getAlgorithmIdentifier().getParameters()));
+
+        assertTrue(candidate instanceof OutputAEADEncryptor);
+
+        OutputAEADEncryptor macProvider = (OutputAEADEncryptor)candidate;
+
+        CMSAuthEnvelopedDataGenerator authGen = new CMSAuthEnvelopedDataGenerator();
+
+        authGen.setAuthenticatedAttributeGenerator(new CMSAttributeTableGenerator()
+        {
+            public AttributeTable getAttributes(Map parameters)
+                throws CMSAttributeTableGenerationException
+            {
+                Hashtable<ASN1ObjectIdentifier, Attribute> attrs = new Hashtable<ASN1ObjectIdentifier, Attribute>();
+                Attribute testAttr = new Attribute(CMSAttributes.signingTime,
+                    new DERSet(new Time(new Date())));
+                attrs.put(testAttr.getAttrType(), testAttr);
+                return new AttributeTable(attrs);
+            }
+        });
+
+        authGen.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(_reciCert));
+
+        CMSAuthEnvelopedData authData = authGen.generate(new CMSProcessableByteArray(message), macProvider);
+
+        CMSAuthEnvelopedData encAuthData = new CMSAuthEnvelopedData(authData.getEncoded());
+
+        RecipientInformationStore recipients = encAuthData.getRecipientInfos();
+
+        RecipientInformation recipient = (RecipientInformation)recipients.getRecipients().iterator().next();
+
+        byte[] recData = recipient.getContent(new JceKeyTransAuthEnvelopedRecipient(_reciKP.getPrivate()).setProvider(BC));
+
+        assertEquals("Hello, world!", Strings.fromByteArray(recData));
+    }
+
     public void testGCMwithHKDF()
         throws Exception
     {