org.bouncycastle.crypto.general.DesEdeWrapEngine Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of bc-fips Show documentation
Show all versions of bc-fips Show documentation
The FIPS 140-3 Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms certified to FIPS 140-3 level 1. This jar contains JCE provider and low-level API for the BC-FJA version 2.0.0, FIPS Certificate #4743. Please see certificate for certified platform details.
package org.bouncycastle.crypto.general;
import java.security.SecureRandom;
import org.bouncycastle.crypto.fips.FipsSHS;
import org.bouncycastle.crypto.fips.FipsTripleDES;
import org.bouncycastle.crypto.internal.BlockCipher;
import org.bouncycastle.crypto.internal.CipherParameters;
import org.bouncycastle.crypto.internal.Digest;
import org.bouncycastle.crypto.internal.InvalidCipherTextException;
import org.bouncycastle.crypto.internal.Wrapper;
import org.bouncycastle.crypto.internal.modes.CBCBlockCipher;
import org.bouncycastle.crypto.internal.params.DesParameters;
import org.bouncycastle.crypto.internal.params.KeyParameter;
import org.bouncycastle.crypto.internal.params.ParametersWithIV;
import org.bouncycastle.crypto.internal.params.ParametersWithRandom;
import org.bouncycastle.util.Arrays;
/**
* Wrap keys according to
*
* RFC 3217.
*
* Note:
*
* - if you are using this to wrap triple-des keys you need to set the
* parity bits on the key and, if it's a two-key triple-des key, pad it
* yourself.
*
*/
class DesEdeWrapEngine
implements Wrapper
{
/**
* Field engine
*/
private CBCBlockCipher engine;
/**
* Field param
*/
private KeyParameter param;
/**
* Field paramPlusIV
*/
private ParametersWithIV paramPlusIV;
/**
* Field iv
*/
private byte[] iv;
/**
* Field forWrapping
*/
private boolean forWrapping;
/**
* Field IV2
*/
private static final byte[] IV2 = {(byte)0x4a, (byte)0xdd, (byte)0xa2,
(byte)0x2c, (byte)0x79, (byte)0xe8,
(byte)0x21, (byte)0x05};
//
// checksum digest
//
Digest sha1 = (Digest)FipsRegister.getProvider(FipsSHS.Algorithm.SHA1).createEngine();
byte[] digest = new byte[20];
/**
* Method init
*
* @param forWrapping true if for wrapping, false otherwise.
* @param param necessary parameters, may include KeyParameter, ParametersWithRandom, and ParametersWithIV
*/
public void init(boolean forWrapping, CipherParameters param)
{
this.forWrapping = forWrapping;
this.engine = new CBCBlockCipher((BlockCipher)FipsRegister.getProvider(FipsTripleDES.ALGORITHM).createEngine());
SecureRandom sr;
if (param instanceof ParametersWithRandom)
{
ParametersWithRandom pr = (ParametersWithRandom)param;
param = pr.getParameters();
sr = pr.getRandom();
}
else
{
sr = null;
}
if (param instanceof KeyParameter)
{
this.param = (KeyParameter)param;
if (this.forWrapping)
{
if (sr == null)
{
throw new IllegalArgumentException("No SecureRandom provided when one required");
}
// Hm, we have no IV but we want to wrap ?!?
// well, then we have to create our own IV.
this.iv = new byte[8];
sr.nextBytes(iv);
this.paramPlusIV = new ParametersWithIV(this.param, this.iv);
}
}
else if (param instanceof ParametersWithIV)
{
this.paramPlusIV = (ParametersWithIV)param;
this.iv = this.paramPlusIV.getIV();
this.param = (KeyParameter)this.paramPlusIV.getParameters();
if (this.forWrapping)
{
if ((this.iv == null) || (this.iv.length != 8))
{
throw new IllegalArgumentException("IV is not 8 octets");
}
}
else
{
throw new IllegalArgumentException(
"You should not supply an IV for unwrapping");
}
}
}
/**
* Method getAlgorithmName
*
* @return the algorithm name "DESede".
*/
public String getAlgorithmName()
{
return "DESede";
}
/**
* Method wrap
*
* @param in byte array containing the encoded key.
* @param inOff off set into in that the data starts at.
* @param inLen length of the data.
* @return the wrapped bytes.
*/
public byte[] wrap(byte[] in, int inOff, int inLen)
{
if (!forWrapping)
{
throw new IllegalStateException("Not initialized for wrapping");
}
byte[] keyToBeWrapped;
if (inLen == 16)
{
keyToBeWrapped = new byte[24];
System.arraycopy(in, inOff, keyToBeWrapped, 0, inLen);
System.arraycopy(in, inOff, keyToBeWrapped, 16, 8);
}
else
{
keyToBeWrapped = new byte[inLen];
System.arraycopy(in, inOff, keyToBeWrapped, 0, inLen);
}
DesParameters.setOddParity(keyToBeWrapped);
// Compute the CMS Key Checksum, (section 5.6.1), call this CKS.
byte[] CKS = calculateCMSKeyChecksum(keyToBeWrapped);
// Let WKCKS = WK || CKS where || is concatenation.
byte[] WKCKS = new byte[keyToBeWrapped.length + CKS.length];
System.arraycopy(keyToBeWrapped, 0, WKCKS, 0, keyToBeWrapped.length);
System.arraycopy(CKS, 0, WKCKS, keyToBeWrapped.length, CKS.length);
// Encrypt WKCKS in CBC mode using KEK as the key and IV as the
// initialization vector. Call the results TEMP1.
int blockSize = engine.getBlockSize();
if (WKCKS.length % blockSize != 0)
{
throw new IllegalStateException("Not multiple of block length");
}
engine.init(true, paramPlusIV);
byte TEMP1[] = new byte[WKCKS.length];
for (int currentBytePos = 0; currentBytePos != WKCKS.length; currentBytePos += blockSize)
{
engine.processBlock(WKCKS, currentBytePos, TEMP1, currentBytePos);
}
// Let TEMP2 = IV || TEMP1.
byte[] TEMP2 = new byte[this.iv.length + TEMP1.length];
System.arraycopy(this.iv, 0, TEMP2, 0, this.iv.length);
System.arraycopy(TEMP1, 0, TEMP2, this.iv.length, TEMP1.length);
// Reverse the order of the octets in TEMP2 and call the result TEMP3.
byte[] TEMP3 = reverse(TEMP2);
// Encrypt TEMP3 in CBC mode using the KEK and an initialization vector
// of 0x 4a dd a2 2c 79 e8 21 05. The resulting cipher text is the desired
// result. It is 40 octets long if a 168 bit key is being wrapped.
ParametersWithIV param2 = new ParametersWithIV(this.param, IV2);
this.engine.init(true, param2);
for (int currentBytePos = 0; currentBytePos != TEMP3.length; currentBytePos += blockSize)
{
engine.processBlock(TEMP3, currentBytePos, TEMP3, currentBytePos);
}
return TEMP3;
}
/**
* Method unwrap
*
* @param in byte array containing the wrapped key.
* @param inOff off set into in that the data starts at.
* @param inLen length of the data.
* @return the unwrapped bytes.
* @throws InvalidCipherTextException
*/
public byte[] unwrap(byte[] in, int inOff, int inLen)
throws InvalidCipherTextException
{
if (forWrapping)
{
throw new IllegalStateException("Not set for unwrapping");
}
if (in == null)
{
throw new InvalidCipherTextException("Null pointer as ciphertext");
}
final int blockSize = engine.getBlockSize();
if (inLen % blockSize != 0)
{
throw new InvalidCipherTextException("Ciphertext not multiple of " + blockSize);
}
if (inLen != 40)
{
throw new InvalidCipherTextException("Ciphertext must be 40 bytes");
}
// Decrypt the cipher text with TRIPLedeS in CBC mode using the KEK
// and an initialization vector (IV) of 0x4adda22c79e82105. Call the output TEMP3.
ParametersWithIV param2 = new ParametersWithIV(this.param, IV2);
this.engine.init(false, param2);
byte TEMP3[] = new byte[inLen];
for (int currentBytePos = 0; currentBytePos != inLen; currentBytePos += blockSize)
{
engine.processBlock(in, inOff + currentBytePos, TEMP3, currentBytePos);
}
// Reverse the order of the octets in TEMP3 and call the result TEMP2.
byte[] TEMP2 = reverse(TEMP3);
// Decompose TEMP2 into IV, the first 8 octets, and TEMP1, the remaining octets.
this.iv = new byte[8];
byte[] TEMP1 = new byte[TEMP2.length - 8];
System.arraycopy(TEMP2, 0, this.iv, 0, 8);
System.arraycopy(TEMP2, 8, TEMP1, 0, TEMP2.length - 8);
// Decrypt TEMP1 using TRIPLedeS in CBC mode using the KEK and the IV
// found in the previous step. Call the result WKCKS.
this.paramPlusIV = new ParametersWithIV(this.param, this.iv);
this.engine.init(false, this.paramPlusIV);
byte[] WKCKS = new byte[TEMP1.length];
for (int currentBytePos = 0; currentBytePos != WKCKS.length; currentBytePos += blockSize)
{
engine.processBlock(TEMP1, currentBytePos, WKCKS, currentBytePos);
}
// Decompose WKCKS. CKS is the last 8 octets and WK, the wrapped key, are
// those octets before the CKS.
byte[] result = new byte[WKCKS.length - 8];
byte[] CKStoBeVerified = new byte[8];
System.arraycopy(WKCKS, 0, result, 0, WKCKS.length - 8);
System.arraycopy(WKCKS, WKCKS.length - 8, CKStoBeVerified, 0, 8);
// Calculate a CMS Key Checksum, (section 5.6.1), over the WK and compare
// with the CKS extracted in the above step. If they are not equal, return error.
if (!checkCMSKeyChecksum(result, CKStoBeVerified))
{
throw new InvalidCipherTextException(
"Checksum inside ciphertext is corrupted");
}
// WK is the wrapped key, now extracted for use in data decryption.
return result;
}
/**
* Some key wrap algorithms make use of the Key Checksum defined
* in CMS [CMS-Algorithms]. This is used to provide an integrity
* check value for the key being wrapped. The algorithm is
*
* - Compute the 20 octet SHA-1 hash on the key being wrapped.
* - Use the first 8 octets of this hash as the checksum value.
*
* For details see http://www.w3.org/TR/xmlenc-core/#sec-CMSKeyChecksum.
*
* @param key the key to check,
* @return the CMS checksum.
*/
private byte[] calculateCMSKeyChecksum(
byte[] key)
{
byte[] result = new byte[8];
sha1.update(key, 0, key.length);
sha1.doFinal(digest, 0);
System.arraycopy(digest, 0, result, 0, 8);
return result;
}
/**
* For details see http://www.w3.org/TR/xmlenc-core/#sec-CMSKeyChecksum
*
* @param key key to be validated.
* @param checksum the checksum.
* @return true if okay, false otherwise.
*/
private boolean checkCMSKeyChecksum(
byte[] key,
byte[] checksum)
{
return Arrays.constantTimeAreEqual(calculateCMSKeyChecksum(key), checksum);
}
private static byte[] reverse(byte[] bs)
{
byte[] result = new byte[bs.length];
for (int i = 0; i < bs.length; i++)
{
result[i] = bs[bs.length - (i + 1)];
}
return result;
}
}