Merge branch 'pg-refactor-JceAEADUtil' into 'main'

dghgit · dghgit · commit ee9a871ab3ee · 2024-12-11T07:50:20.000Z
Pg refactor jce aead util

See merge request root/bc-java!54
diff --git a/pg/src/main/java/org/bouncycastle/openpgp/operator/jcajce/JcaAEADSecretKeyEncryptorBuilder.java b/pg/src/main/java/org/bouncycastle/openpgp/operator/jcajce/JcaAEADSecretKeyEncryptorBuilder.java
@@ -4,24 +4,16 @@
 import java.security.SecureRandom;
 
 import javax.crypto.Cipher;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
 
 import org.bouncycastle.bcpg.AEADUtils;
 import org.bouncycastle.bcpg.PacketTags;
 import org.bouncycastle.bcpg.PublicKeyPacket;
 import org.bouncycastle.bcpg.S2K;
-import org.bouncycastle.bcpg.SymmetricKeyUtils;
-import org.bouncycastle.crypto.digests.SHA256Digest;
-import org.bouncycastle.crypto.generators.HKDFBytesGenerator;
-import org.bouncycastle.crypto.params.HKDFParameters;
 import org.bouncycastle.jcajce.util.DefaultJcaJceHelper;
 import org.bouncycastle.jcajce.util.NamedJcaJceHelper;
 import org.bouncycastle.jcajce.util.ProviderJcaJceHelper;
 import org.bouncycastle.openpgp.PGPException;
-import org.bouncycastle.openpgp.PGPUtil;
 import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor;
-import org.bouncycastle.util.Arrays;
 
 public class JcaAEADSecretKeyEncryptorBuilder
 {
@@ -70,33 +62,21 @@ public PBESecretKeyEncryptor build(char[] passphrase, final PublicKeyPacket pubK
             public byte[] encryptKeyData(byte[] key, byte[] keyData, int keyOff, int keyLen)
                 throws PGPException
             {
-                int packetTag = pubKey.getPacketTag() == PacketTags.PUBLIC_KEY ? PacketTags.SECRET_KEY : PacketTags.SECRET_SUBKEY;
-                byte[] hkdfInfo = new byte[] {
-                    (byte) (0xC0 | packetTag),
-                    (byte) pubKey.getVersion(),
-                    (byte) symmetricAlgorithm,
-                    (byte) aeadAlgorithm
-                };
-
-                HKDFParameters hkdfParameters = new HKDFParameters(
-                    getKey(),
-                    null,
-                    hkdfInfo);
-
-                HKDFBytesGenerator hkdfGen = new HKDFBytesGenerator(new SHA256Digest());
-                hkdfGen.init(hkdfParameters);
-                key = new byte[SymmetricKeyUtils.getKeyLengthInOctets(encAlgorithm)];
-                hkdfGen.generateBytes(key, 0, key.length);
-
                 try
                 {
-                    byte[] aad = Arrays.prepend(pubKey.getEncodedContents(), (byte) (0xC0 | packetTag));
-                    SecretKey secretKey = new SecretKeySpec(key, PGPUtil.getSymmetricCipherName(encAlgorithm));
-                    final Cipher c = aeadUtil.createAEADCipher(encAlgorithm, aeadAlgorithm);
-
-                    JceAEADCipherUtil.setUpAeadCipher(c, secretKey, Cipher.ENCRYPT_MODE, iv, 128, aad);
-                    byte[] data = c.doFinal(keyData, keyOff, keyLen);
-                    return data;
+                    return JceAEADUtil.processAeadKeyData(
+                        aeadUtil,
+                        Cipher.ENCRYPT_MODE,
+                        encAlgorithm,
+                        aeadAlgorithm,
+                        getKey(),
+                        iv,
+                        pubKey.getPacketTag() == PacketTags.PUBLIC_KEY ? PacketTags.SECRET_KEY : PacketTags.SECRET_SUBKEY,
+                        pubKey.getVersion(),
+                        keyData,
+                        keyOff,
+                        keyLen,
+                        pubKey.getEncodedContents());
                 }
                 catch (Exception e)
                 {
diff --git a/pg/src/main/java/org/bouncycastle/openpgp/operator/jcajce/JceAEADUtil.java b/pg/src/main/java/org/bouncycastle/openpgp/operator/jcajce/JceAEADUtil.java
@@ -4,8 +4,12 @@
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.security.GeneralSecurityException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
 
+import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.SecretKeySpec;
 
@@ -276,6 +280,30 @@ Cipher createAEADCipher(int encAlgorithm, int aeadAlgorithm)
         return helper.createCipher(cName);
     }
 
+    static byte[] processAeadKeyData(JceAEADUtil aeadUtil, int mode, int encAlgorithm, int aeadAlgorithm, byte[] s2kKey, byte[] iv, int packetTag, int keyVersion, byte[] keyData, int keyOff, int keyLen, byte[] pubkeyData)
+        throws PGPException
+    {
+        // TODO: Replace HDKF code with JCE based implementation
+        byte[] key = generateHKDFBytes(s2kKey, null,
+            new byte[]{(byte)(0xC0 | packetTag), (byte)keyVersion, (byte)encAlgorithm, (byte)aeadAlgorithm},
+            SymmetricKeyUtils.getKeyLengthInOctets(encAlgorithm));
+
+        try
+        {
+            byte[] aad = Arrays.prepend(pubkeyData, (byte)(0xC0 | packetTag));
+            SecretKey secretKey = new SecretKeySpec(key, PGPUtil.getSymmetricCipherName(encAlgorithm));
+            final Cipher c = aeadUtil.createAEADCipher(encAlgorithm, aeadAlgorithm);
+
+            JceAEADCipherUtil.setUpAeadCipher(c, secretKey, mode, iv, 128, aad);
+            return c.doFinal(keyData, keyOff, keyLen);
+        }
+        catch (InvalidAlgorithmParameterException | InvalidKeyException |
+               IllegalBlockSizeException | BadPaddingException e)
+        {
+            throw new PGPException("Exception recovering AEAD protected private key material", e);
+        }
+    }
+
     static class PGPAeadInputStream
         extends InputStream
     {
diff --git a/pg/src/main/java/org/bouncycastle/openpgp/operator/jcajce/JcePBEProtectionRemoverFactory.java b/pg/src/main/java/org/bouncycastle/openpgp/operator/jcajce/JcePBEProtectionRemoverFactory.java
@@ -1,21 +1,14 @@
 package org.bouncycastle.openpgp.operator.jcajce;
 
-import java.security.GeneralSecurityException;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
 import java.security.Provider;
 
 import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
 import javax.crypto.IllegalBlockSizeException;
-import javax.crypto.SecretKey;
 import javax.crypto.spec.IvParameterSpec;
-import javax.crypto.spec.SecretKeySpec;
 
-import org.bouncycastle.bcpg.SymmetricKeyUtils;
-import org.bouncycastle.crypto.digests.SHA256Digest;
-import org.bouncycastle.crypto.generators.HKDFBytesGenerator;
-import org.bouncycastle.crypto.params.HKDFParameters;
 import org.bouncycastle.jcajce.spec.AEADParameterSpec;
 import org.bouncycastle.jcajce.util.DefaultJcaJceHelper;
 import org.bouncycastle.jcajce.util.NamedJcaJceHelper;
@@ -26,7 +19,6 @@
 import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
 import org.bouncycastle.openpgp.operator.PGPDigestCalculatorProvider;
 import org.bouncycastle.openpgp.operator.PGPSecretKeyDecryptorWithAAD;
-import org.bouncycastle.util.Arrays;
 
 public class JcePBEProtectionRemoverFactory
     implements PBEProtectionRemoverFactory
@@ -121,30 +113,7 @@ public byte[] recoverKeyData(int encAlgorithm, byte[] key, byte[] iv, byte[] aad
                 public byte[] recoverKeyData(int encAlgorithm, int aeadAlgorithm, byte[] s2kKey, byte[] iv, int packetTag, int keyVersion, byte[] keyData, byte[] pubkeyData) 
                     throws PGPException
                 {
-                    byte[] hkdfInfo = new byte[] {
-                        (byte) (0xC0 | packetTag), (byte) keyVersion, (byte) encAlgorithm, (byte) aeadAlgorithm
-                    };
-                    // TODO: Replace HDKF code with JCE based implementation
-                    HKDFParameters hkdfParameters = new HKDFParameters(s2kKey, null, hkdfInfo);
-                    HKDFBytesGenerator hkdfGen = new HKDFBytesGenerator(new SHA256Digest());
-                    hkdfGen.init(hkdfParameters);
-                    byte[] key = new byte[SymmetricKeyUtils.getKeyLengthInOctets(encAlgorithm)];
-                    hkdfGen.generateBytes(key, 0, key.length);
-
-                    byte[] aad = Arrays.prepend(pubkeyData, (byte) (0xC0 | packetTag));
-
-                    SecretKey secretKey = new SecretKeySpec(key, PGPUtil.getSymmetricCipherName(encAlgorithm));
-                    final Cipher c = aeadUtil.createAEADCipher(encAlgorithm, aeadAlgorithm);
-                    try
-                    {
-                        JceAEADCipherUtil.setUpAeadCipher(c, secretKey, Cipher.DECRYPT_MODE, iv, 128, aad);
-                        byte[] data = c.doFinal(keyData);
-                        return data;
-                    }
-                    catch (GeneralSecurityException e)
-                    {
-                        throw new PGPException("Cannot extract AEAD protected secret key material", e);
-                    }
+                    return JceAEADUtil.processAeadKeyData(aeadUtil, Cipher.DECRYPT_MODE, encAlgorithm, aeadAlgorithm, s2kKey, iv, packetTag, keyVersion, keyData, 0, keyData.length, pubkeyData);
                 }
             };
         }
@@ -184,30 +153,7 @@ public byte[] recoverKeyData(int encAlgorithm, byte[] key, byte[] iv, byte[] key
                 public byte[] recoverKeyData(int encAlgorithm, int aeadAlgorithm, byte[] s2kKey, byte[] iv, int packetTag, int keyVersion, byte[] keyData, byte[] pubkeyData) 
                     throws PGPException
                 {
-                    byte[] hkdfInfo = new byte[] {
-                        (byte) (0xC0 | packetTag), (byte) keyVersion, (byte) encAlgorithm, (byte) aeadAlgorithm
-                    };
-                    // TODO: Replace HDKF code with JCE based implementation
-                    HKDFParameters hkdfParameters = new HKDFParameters(s2kKey, null, hkdfInfo);
-                    HKDFBytesGenerator hkdfGen = new HKDFBytesGenerator(new SHA256Digest());
-                    hkdfGen.init(hkdfParameters);
-                    byte[] key = new byte[SymmetricKeyUtils.getKeyLengthInOctets(encAlgorithm)];
-                    hkdfGen.generateBytes(key, 0, key.length);
-
-                    byte[] aad = Arrays.prepend(pubkeyData, (byte) (0xC0 | packetTag));
-
-                    SecretKey secretKey = new SecretKeySpec(key, PGPUtil.getSymmetricCipherName(encAlgorithm));
-                    final Cipher c = aeadUtil.createAEADCipher(encAlgorithm, aeadAlgorithm);
-                    try
-                    {
-                        JceAEADCipherUtil.setUpAeadCipher(c, secretKey, Cipher.DECRYPT_MODE, iv, 128, aad);
-                        byte[] data = c.doFinal(keyData);
-                        return data;
-                    }
-                    catch (GeneralSecurityException e)
-                    {
-                        throw new PGPException("Cannot extract AEAD protected secret key material", e);
-                    }
+                    return JceAEADUtil.processAeadKeyData(aeadUtil, Cipher.DECRYPT_MODE, encAlgorithm, aeadAlgorithm, s2kKey, iv, packetTag, keyVersion, keyData, 0, keyData.length, pubkeyData);
                 }
             };
 
diff --git a/pg/src/main/java/org/bouncycastle/openpgp/operator/jcajce/JcePBESecretKeyDecryptorBuilder.java b/pg/src/main/java/org/bouncycastle/openpgp/operator/jcajce/JcePBESecretKeyDecryptorBuilder.java
@@ -1,29 +1,21 @@
 package org.bouncycastle.openpgp.operator.jcajce;
 
-import java.security.GeneralSecurityException;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
 import java.security.Provider;
 
 import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
 import javax.crypto.IllegalBlockSizeException;
-import javax.crypto.SecretKey;
 import javax.crypto.spec.IvParameterSpec;
-import javax.crypto.spec.SecretKeySpec;
 
-import org.bouncycastle.bcpg.SymmetricKeyUtils;
-import org.bouncycastle.crypto.digests.SHA256Digest;
-import org.bouncycastle.crypto.generators.HKDFBytesGenerator;
-import org.bouncycastle.crypto.params.HKDFParameters;
 import org.bouncycastle.jcajce.util.DefaultJcaJceHelper;
 import org.bouncycastle.jcajce.util.NamedJcaJceHelper;
 import org.bouncycastle.jcajce.util.ProviderJcaJceHelper;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPUtil;
 import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
 import org.bouncycastle.openpgp.operator.PGPDigestCalculatorProvider;
-import org.bouncycastle.util.Arrays;
 
 public class JcePBESecretKeyDecryptorBuilder
 {
@@ -112,30 +104,7 @@ public byte[] recoverKeyData(int encAlgorithm, byte[] key, byte[] iv, byte[] key
             public byte[] recoverKeyData(int encAlgorithm, int aeadAlgorithm, byte[] s2kKey, byte[] iv, int packetTag, int keyVersion, byte[] keyData, byte[] pubkeyData)
                 throws PGPException
             {
-                byte[] hkdfInfo = new byte[] {
-                    (byte) (0xC0 | packetTag), (byte) keyVersion, (byte) encAlgorithm, (byte) aeadAlgorithm
-                };
-                // TODO: Replace HDKF code with JCE based implementation
-                HKDFParameters hkdfParameters = new HKDFParameters(s2kKey, null, hkdfInfo);
-                HKDFBytesGenerator hkdfGen = new HKDFBytesGenerator(new SHA256Digest());
-                hkdfGen.init(hkdfParameters);
-                byte[] key = new byte[SymmetricKeyUtils.getKeyLengthInOctets(encAlgorithm)];
-                hkdfGen.generateBytes(key, 0, key.length);
-
-                byte[] aad = Arrays.prepend(pubkeyData, (byte) (0xC0 | packetTag));
-
-                SecretKey secretKey = new SecretKeySpec(key, PGPUtil.getSymmetricCipherName(encAlgorithm));
-                final Cipher c = aeadUtil.createAEADCipher(encAlgorithm, aeadAlgorithm);
-                try
-                {
-                    JceAEADCipherUtil.setUpAeadCipher(c, secretKey, Cipher.DECRYPT_MODE, iv, 128, aad);
-                    byte[] data = c.doFinal(keyData);
-                    return data;
-                }
-                catch (GeneralSecurityException e)
-                {
-                    throw new PGPException("Cannot extract AEAD protected secret key material", e);
-                }
+                return JceAEADUtil.processAeadKeyData(aeadUtil, Cipher.DECRYPT_MODE, encAlgorithm, aeadAlgorithm, s2kKey, iv, packetTag, keyVersion, keyData, 0, keyData.length, pubkeyData);
             }
         };
     }
diff --git a/pg/src/test/java/org/bouncycastle/openpgp/test/OperatorJcajceTest.java b/pg/src/test/java/org/bouncycastle/openpgp/test/OperatorJcajceTest.java
@@ -9,6 +9,7 @@
 import java.security.PrivateKey;
 import java.security.Provider;
 import java.security.PublicKey;
+import java.security.SecureRandom;
 import java.security.Security;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.security.spec.X509EncodedKeySpec;
@@ -21,6 +22,7 @@
 import org.bouncycastle.bcpg.HashAlgorithmTags;
 import org.bouncycastle.bcpg.PublicKeyAlgorithmTags;
 import org.bouncycastle.bcpg.PublicKeyPacket;
+import org.bouncycastle.bcpg.S2K;
 import org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags;
 import org.bouncycastle.crypto.digests.SHA256Digest;
 import org.bouncycastle.crypto.params.X25519PrivateKeyParameters;
@@ -30,21 +32,27 @@
 import org.bouncycastle.jcajce.spec.HybridValueParameterSpec;
 import org.bouncycastle.jcajce.spec.UserKeyingMaterialSpec;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.jce.spec.ECNamedCurveGenParameterSpec;
 import org.bouncycastle.openpgp.PGPEncryptedData;
+import org.bouncycastle.openpgp.PGPKeyPair;
 import org.bouncycastle.openpgp.PGPPublicKey;
+import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor;
 import org.bouncycastle.openpgp.operator.PGPContentVerifier;
 import org.bouncycastle.openpgp.operator.PGPDigestCalculator;
 import org.bouncycastle.openpgp.operator.PGPDigestCalculatorProvider;
+import org.bouncycastle.openpgp.operator.jcajce.JcaAEADSecretKeyEncryptorBuilder;
 import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator;
 import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentVerifierBuilderProvider;
 import org.bouncycastle.openpgp.operator.jcajce.JcaPGPDigestCalculatorProviderBuilder;
 import org.bouncycastle.openpgp.operator.jcajce.JcaPGPKeyConverter;
+import org.bouncycastle.openpgp.operator.jcajce.JcaPGPKeyPair;
 import org.bouncycastle.openpgp.operator.jcajce.JcePBESecretKeyEncryptorBuilder;
 import org.bouncycastle.openpgp.operator.jcajce.JcePGPDataEncryptorBuilder;
 import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.Strings;
 import org.bouncycastle.util.encoders.Hex;
 import org.bouncycastle.util.test.SimpleTest;
+import org.junit.Assert;
 
 public class OperatorJcajceTest
     extends SimpleTest
@@ -66,6 +74,7 @@ public String getName()
     public void performTest()
         throws Exception
     {
+        testJcaAEADSecretKeyEncryptorBuilder();
         testCreateDigest();
         testX25519HKDF();
         testJcePBESecretKeyEncryptorBuilder();
@@ -316,12 +325,43 @@ public void testX25519HKDF()
         //isTrue(Arrays.areEqual(output, expectedDecryptedSessionKey));
     }
 
+    public void testJcaAEADSecretKeyEncryptorBuilder()
+        throws Exception
+    {
+        BouncyCastleProvider prov = new BouncyCastleProvider();
+        KeyPairGenerator eddsaGen = KeyPairGenerator.getInstance("EdDSA", prov);
+        Date creationTime = new Date();
+        eddsaGen.initialize(new ECNamedCurveGenParameterSpec("ed25519"));
+        KeyPair kp = eddsaGen.generateKeyPair();
+        SecureRandom random = new SecureRandom();
+        for (int version : new int[]{PublicKeyPacket.VERSION_4, PublicKeyPacket.VERSION_6})
+        {
+            PGPKeyPair keyPair = new JcaPGPKeyPair(version, PublicKeyAlgorithmTags.Ed25519, kp, creationTime);
+            JcaAEADSecretKeyEncryptorBuilder jcaEncBuilder = new JcaAEADSecretKeyEncryptorBuilder(
+                AEADAlgorithmTags.OCB, SymmetricKeyAlgorithmTags.AES_256,
+                S2K.Argon2Params.memoryConstrainedParameters())
+                .setProvider(new BouncyCastleProvider());
+            PBESecretKeyEncryptor encryptor = jcaEncBuilder.build(
+                "Yin".toCharArray(),
+                keyPair.getPublicKey().getPublicKeyPacket());
+            byte[] key = new byte[16];
+            random.nextBytes(key);
+            byte[] input1 = new byte[64];
+            random.nextBytes(input1);
+
+            byte[] input2 = Arrays.copyOfRange(input1, 32, 64);
+            byte[] output1 = encryptor.encryptKeyData(key, input1, 32, 32);
+            byte[] output2 = encryptor.encryptKeyData(key, input2, 0, 32);
+            Assert.assertTrue(Arrays.areEqual(output1, output2));
+        }
+    }
+
     private class NullProvider
         extends Provider
     {
         NullProvider()
         {
-             super("NULL", 0.0, "Null Provider");
+            super("NULL", 0.0, "Null Provider");
         }
     }
 
