com.google.crypto.tink.subtle.AesUtil Maven / Gradle / Ivy
// Copyright 2017 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
////////////////////////////////////////////////////////////////////////////////
package com.google.crypto.tink.subtle;
import java.util.Arrays;
/**
* A collection of byte-manipulation functions, and some more specific functions for AES-CMAC /
* AES-SIV.
*
* Beware: some of the functions here are specific to the representation used for AES-CMAC and
* SIV, as described in their RFCs. These might not work if used in other contexts.
*/
class AesUtil {
public static final int BLOCK_SIZE = 16;
/**
* Multiplies value by x in the finite field GF(2^128) represented using the primitive polynomial
* x^128 + x^7 + x^2 + x + 1.
*
* @param value an arrays of 16 bytes representing an element of GF(2^128) using bigendian byte
* order.
*/
static byte[] dbl(final byte[] value) {
if (value.length != BLOCK_SIZE) {
throw new IllegalArgumentException("value must be a block.");
}
// Note that >> is an arithmetical shift, which copies the leftmost bit to fill the
// blanks created by shifting. For instance, x >> 7 will equal 0xFF if (x & 1), and 0x00
// otherwise. This is a bit hard to read, but the operation is branchless, which is valuable
// in this context.
// Shift left by one.
byte[] res = new byte[BLOCK_SIZE];
for (int i = 0; i < BLOCK_SIZE; i++) {
res[i] = (byte) (0xFE & (value[i] << 1));
if (i < BLOCK_SIZE - 1) {
res[i] |= (byte) (0x01 & (value[i + 1] >> 7));
}
}
// And handle the modulus if needed (0x87 is the binary representation of the polynomial,
// minus the x^128 part).
res[BLOCK_SIZE - 1] ^= (byte) (0x87 & (value[0] >> 7));
return res;
}
/**
* Pad by adding a 1 bit, then pad with 0 bits to the next block limit. This is the standard for
* both CMAC and AES-SIV. - https://tools.ietf.org/html/rfc4493#section-2.4 -
* https://tools.ietf.org/html/rfc5297#section-2.1
*
* @param x The array to pad (will be copied)
* @return The padded array.
*/
static byte[] cmacPad(final byte[] x) {
if (x.length >= BLOCK_SIZE) {
throw new IllegalArgumentException("x must be smaller than a block.");
}
byte[] result = Arrays.copyOf(x, 16);
result[x.length] = (byte) 0x80;
return result;
}
}