Path: blob/master/src/java.base/share/classes/com/sun/crypto/provider/AESCipher.java
41161 views
/*1* Copyright (c) 2002, 2021, Oracle and/or its affiliates. All rights reserved.2* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.3*4* This code is free software; you can redistribute it and/or modify it5* under the terms of the GNU General Public License version 2 only, as6* published by the Free Software Foundation. Oracle designates this7* particular file as subject to the "Classpath" exception as provided8* by Oracle in the LICENSE file that accompanied this code.9*10* This code is distributed in the hope that it will be useful, but WITHOUT11* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or12* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License13* version 2 for more details (a copy is included in the LICENSE file that14* accompanied this code).15*16* You should have received a copy of the GNU General Public License version17* 2 along with this work; if not, write to the Free Software Foundation,18* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.19*20* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA21* or visit www.oracle.com if you need additional information or have any22* questions.23*/2425package com.sun.crypto.provider;2627import javax.crypto.BadPaddingException;28import javax.crypto.CipherSpi;29import javax.crypto.IllegalBlockSizeException;30import javax.crypto.NoSuchPaddingException;31import javax.crypto.ShortBufferException;32import java.nio.ByteBuffer;33import java.security.AlgorithmParameters;34import java.security.GeneralSecurityException;35import java.security.InvalidAlgorithmParameterException;36import java.security.InvalidKeyException;37import java.security.Key;38import java.security.NoSuchAlgorithmException;39import java.security.ProviderException;40import java.security.SecureRandom;41import java.security.spec.AlgorithmParameterSpec;42import java.util.Arrays;4344/**45* This class implements the AES algorithm in its various modes46* (<code>ECB</code>, <code>CFB</code>, <code>OFB</code>, <code>CBC</code>,47* <code>PCBC</code>) and padding schemes (<code>PKCS5Padding</code>,48* <code>NoPadding</code>, <code>ISO10126Padding</code>).49*50* @author Valerie Peng51*52*53* @see AESCrypt54* @see CipherBlockChaining55* @see ElectronicCodeBook56* @see CipherFeedback57* @see OutputFeedback58*/5960abstract class AESCipher extends CipherSpi {61public static final class General extends AESCipher {62public General() {63super(-1);64}65}66abstract static class OidImpl extends AESCipher {67protected OidImpl(int keySize, String mode, String padding) {68super(keySize);69try {70engineSetMode(mode);71engineSetPadding(padding);72} catch (GeneralSecurityException gse) {73// internal error; re-throw as provider exception74ProviderException pe =new ProviderException("Internal Error");75pe.initCause(gse);76throw pe;77}78}79}80public static final class AES128_ECB_NoPadding extends OidImpl {81public AES128_ECB_NoPadding() {82super(16, "ECB", "NOPADDING");83}84}85public static final class AES192_ECB_NoPadding extends OidImpl {86public AES192_ECB_NoPadding() {87super(24, "ECB", "NOPADDING");88}89}90public static final class AES256_ECB_NoPadding extends OidImpl {91public AES256_ECB_NoPadding() {92super(32, "ECB", "NOPADDING");93}94}95public static final class AES128_CBC_NoPadding extends OidImpl {96public AES128_CBC_NoPadding() {97super(16, "CBC", "NOPADDING");98}99}100public static final class AES192_CBC_NoPadding extends OidImpl {101public AES192_CBC_NoPadding() {102super(24, "CBC", "NOPADDING");103}104}105public static final class AES256_CBC_NoPadding extends OidImpl {106public AES256_CBC_NoPadding() {107super(32, "CBC", "NOPADDING");108}109}110public static final class AES128_OFB_NoPadding extends OidImpl {111public AES128_OFB_NoPadding() {112super(16, "OFB", "NOPADDING");113}114}115public static final class AES192_OFB_NoPadding extends OidImpl {116public AES192_OFB_NoPadding() {117super(24, "OFB", "NOPADDING");118}119}120public static final class AES256_OFB_NoPadding extends OidImpl {121public AES256_OFB_NoPadding() {122super(32, "OFB", "NOPADDING");123}124}125public static final class AES128_CFB_NoPadding extends OidImpl {126public AES128_CFB_NoPadding() {127super(16, "CFB", "NOPADDING");128}129}130public static final class AES192_CFB_NoPadding extends OidImpl {131public AES192_CFB_NoPadding() {132super(24, "CFB", "NOPADDING");133}134}135public static final class AES256_CFB_NoPadding extends OidImpl {136public AES256_CFB_NoPadding() {137super(32, "CFB", "NOPADDING");138}139}140public static final class AES128_GCM_NoPadding extends OidImpl {141public AES128_GCM_NoPadding() {142super(16, "GCM", "NOPADDING");143}144}145public static final class AES192_GCM_NoPadding extends OidImpl {146public AES192_GCM_NoPadding() {147super(24, "GCM", "NOPADDING");148}149}150public static final class AES256_GCM_NoPadding extends OidImpl {151public AES256_GCM_NoPadding() {152super(32, "GCM", "NOPADDING");153}154}155156// utility method used by AESCipher and AESWrapCipher157static final void checkKeySize(Key key, int fixedKeySize)158throws InvalidKeyException {159if (fixedKeySize != -1) {160if (key == null) {161throw new InvalidKeyException("The key must not be null");162}163byte[] value = key.getEncoded();164if (value == null) {165throw new InvalidKeyException("Key encoding must not be null");166} else {167Arrays.fill(value, (byte)0);168if (value.length != fixedKeySize) {169throw new InvalidKeyException("The key must be " +170fixedKeySize + " bytes");171}172}173}174}175176/*177* internal CipherCore object which does the real work.178*/179private CipherCore core = null;180181/*182* needed to support AES oids which associates a fixed key size183* to the cipher object.184*/185private final int fixedKeySize; // in bytes, -1 if no restriction186187/*188* needed to enforce ISE thrown when updateAAD is called after update for GCM mode.189*/190private boolean updateCalled;191192/**193* Creates an instance of AES cipher with default ECB mode and194* PKCS5Padding.195*/196protected AESCipher(int keySize) {197core = new CipherCore(new AESCrypt(), AESConstants.AES_BLOCK_SIZE);198fixedKeySize = keySize;199}200201/**202* Sets the mode of this cipher.203*204* @param mode the cipher mode205*206* @exception NoSuchAlgorithmException if the requested cipher mode does207* not exist208*/209protected void engineSetMode(String mode)210throws NoSuchAlgorithmException {211core.setMode(mode);212}213214/**215* Sets the padding mechanism of this cipher.216*217* @param paddingScheme the padding mechanism218*219* @exception NoSuchPaddingException if the requested padding mechanism220* does not exist221*/222protected void engineSetPadding(String paddingScheme)223throws NoSuchPaddingException {224core.setPadding(paddingScheme);225}226227/**228* Returns the block size (in bytes).229*230* @return the block size (in bytes), or 0 if the underlying algorithm is231* not a block cipher232*/233protected int engineGetBlockSize() {234return AESConstants.AES_BLOCK_SIZE;235}236237/**238* Returns the length in bytes that an output buffer would need to be in239* order to hold the result of the next <code>update</code> or240* <code>doFinal</code> operation, given the input length241* <code>inputLen</code> (in bytes).242*243* <p>This call takes into account any unprocessed (buffered) data from a244* previous <code>update</code> call, and padding.245*246* <p>The actual output length of the next <code>update</code> or247* <code>doFinal</code> call may be smaller than the length returned by248* this method.249*250* @param inputLen the input length (in bytes)251*252* @return the required output buffer size (in bytes)253*/254protected int engineGetOutputSize(int inputLen) {255return core.getOutputSize(inputLen);256}257258/**259* Returns the initialization vector (IV) in a new buffer.260*261* <p>This is useful in the case where a random IV has been created262* (see <a href = "#init">init</a>),263* or in the context of password-based encryption or264* decryption, where the IV is derived from a user-provided password.265*266* @return the initialization vector in a new buffer, or null if the267* underlying algorithm does not use an IV, or if the IV has not yet268* been set.269*/270protected byte[] engineGetIV() {271return core.getIV();272}273274/**275* Returns the parameters used with this cipher.276*277* <p>The returned parameters may be the same that were used to initialize278* this cipher, or may contain the default set of parameters or a set of279* randomly generated parameters used by the underlying cipher280* implementation (provided that the underlying cipher implementation281* uses a default set of parameters or creates new parameters if it needs282* parameters but was not initialized with any).283*284* @return the parameters used with this cipher, or null if this cipher285* does not use any parameters.286*/287protected AlgorithmParameters engineGetParameters() {288return core.getParameters("AES");289}290291/**292* Initializes this cipher with a key and a source of randomness.293*294* <p>The cipher is initialized for one of the following four operations:295* encryption, decryption, key wrapping or key unwrapping, depending on296* the value of <code>opmode</code>.297*298* <p>If this cipher requires an initialization vector (IV), it will get299* it from <code>random</code>.300* This behaviour should only be used in encryption or key wrapping301* mode, however.302* When initializing a cipher that requires an IV for decryption or303* key unwrapping, the IV304* (same IV that was used for encryption or key wrapping) must be provided305* explicitly as a306* parameter, in order to get the correct result.307*308* <p>This method also cleans existing buffer and other related state309* information.310*311* @param opmode the operation mode of this cipher (this is one of312* the following:313* <code>ENCRYPT_MODE</code>, <code>DECRYPT_MODE</code>,314* <code>WRAP_MODE</code> or <code>UNWRAP_MODE</code>)315* @param key the secret key316* @param random the source of randomness317*318* @exception InvalidKeyException if the given key is inappropriate for319* initializing this cipher320*/321protected void engineInit(int opmode, Key key, SecureRandom random)322throws InvalidKeyException {323checkKeySize(key, fixedKeySize);324updateCalled = false;325core.init(opmode, key, random);326}327328/**329* Initializes this cipher with a key, a set of330* algorithm parameters, and a source of randomness.331*332* <p>The cipher is initialized for one of the following four operations:333* encryption, decryption, key wrapping or key unwrapping, depending on334* the value of <code>opmode</code>.335*336* <p>If this cipher (including its underlying feedback or padding scheme)337* requires any random bytes, it will get them from <code>random</code>.338*339* @param opmode the operation mode of this cipher (this is one of340* the following:341* <code>ENCRYPT_MODE</code>, <code>DECRYPT_MODE</code>,342* <code>WRAP_MODE</code> or <code>UNWRAP_MODE</code>)343* @param key the encryption key344* @param params the algorithm parameters345* @param random the source of randomness346*347* @exception InvalidKeyException if the given key is inappropriate for348* initializing this cipher349* @exception InvalidAlgorithmParameterException if the given algorithm350* parameters are inappropriate for this cipher351*/352protected void engineInit(int opmode, Key key,353AlgorithmParameterSpec params,354SecureRandom random)355throws InvalidKeyException, InvalidAlgorithmParameterException {356checkKeySize(key, fixedKeySize);357updateCalled = false;358core.init(opmode, key, params, random);359}360361protected void engineInit(int opmode, Key key,362AlgorithmParameters params,363SecureRandom random)364throws InvalidKeyException, InvalidAlgorithmParameterException {365checkKeySize(key, fixedKeySize);366updateCalled = false;367core.init(opmode, key, params, random);368}369370/**371* Continues a multiple-part encryption or decryption operation372* (depending on how this cipher was initialized), processing another data373* part.374*375* <p>The first <code>inputLen</code> bytes in the <code>input</code>376* buffer, starting at <code>inputOffset</code>, are processed, and the377* result is stored in a new buffer.378*379* @param input the input buffer380* @param inputOffset the offset in <code>input</code> where the input381* starts382* @param inputLen the input length383*384* @return the new buffer with the result385*386* @exception IllegalStateException if this cipher is in a wrong state387* (e.g., has not been initialized)388*/389protected byte[] engineUpdate(byte[] input, int inputOffset,390int inputLen) {391updateCalled = true;392return core.update(input, inputOffset, inputLen);393}394395/**396* Continues a multiple-part encryption or decryption operation397* (depending on how this cipher was initialized), processing another data398* part.399*400* <p>The first <code>inputLen</code> bytes in the <code>input</code>401* buffer, starting at <code>inputOffset</code>, are processed, and the402* result is stored in the <code>output</code> buffer, starting at403* <code>outputOffset</code>.404*405* @param input the input buffer406* @param inputOffset the offset in <code>input</code> where the input407* starts408* @param inputLen the input length409* @param output the buffer for the result410* @param outputOffset the offset in <code>output</code> where the result411* is stored412*413* @return the number of bytes stored in <code>output</code>414*415* @exception ShortBufferException if the given output buffer is too small416* to hold the result417*/418protected int engineUpdate(byte[] input, int inputOffset, int inputLen,419byte[] output, int outputOffset)420throws ShortBufferException {421updateCalled = true;422return core.update(input, inputOffset, inputLen, output,423outputOffset);424}425426427/**428* Encrypts or decrypts data in a single-part operation,429* or finishes a multiple-part operation.430* The data is encrypted or decrypted, depending on how this cipher was431* initialized.432*433* <p>The first <code>inputLen</code> bytes in the <code>input</code>434* buffer, starting at <code>inputOffset</code>, and any input bytes that435* may have been buffered during a previous <code>update</code> operation,436* are processed, with padding (if requested) being applied.437* The result is stored in a new buffer.438*439* <p>The cipher is reset to its initial state (uninitialized) after this440* call.441*442* @param input the input buffer443* @param inputOffset the offset in <code>input</code> where the input444* starts445* @param inputLen the input length446*447* @return the new buffer with the result448*449* @exception IllegalBlockSizeException if this cipher is a block cipher,450* no padding has been requested (only in encryption mode), and the total451* input length of the data processed by this cipher is not a multiple of452* block size453* @exception BadPaddingException if this cipher is in decryption mode,454* and (un)padding has been requested, but the decrypted data is not455* bounded by the appropriate padding bytes456*/457protected byte[] engineDoFinal(byte[] input, int inputOffset, int inputLen)458throws IllegalBlockSizeException, BadPaddingException {459byte[] out = core.doFinal(input, inputOffset, inputLen);460updateCalled = false;461return out;462}463464/**465* Encrypts or decrypts data in a single-part operation,466* or finishes a multiple-part operation.467* The data is encrypted or decrypted, depending on how this cipher was468* initialized.469*470* <p>The first <code>inputLen</code> bytes in the <code>input</code>471* buffer, starting at <code>inputOffset</code>, and any input bytes that472* may have been buffered during a previous <code>update</code> operation,473* are processed, with padding (if requested) being applied.474* The result is stored in the <code>output</code> buffer, starting at475* <code>outputOffset</code>.476*477* <p>The cipher is reset to its initial state (uninitialized) after this478* call.479*480* @param input the input buffer481* @param inputOffset the offset in <code>input</code> where the input482* starts483* @param inputLen the input length484* @param output the buffer for the result485* @param outputOffset the offset in <code>output</code> where the result486* is stored487*488* @return the number of bytes stored in <code>output</code>489*490* @exception IllegalBlockSizeException if this cipher is a block cipher,491* no padding has been requested (only in encryption mode), and the total492* input length of the data processed by this cipher is not a multiple of493* block size494* @exception ShortBufferException if the given output buffer is too small495* to hold the result496* @exception BadPaddingException if this cipher is in decryption mode,497* and (un)padding has been requested, but the decrypted data is not498* bounded by the appropriate padding bytes499*/500protected int engineDoFinal(byte[] input, int inputOffset, int inputLen,501byte[] output, int outputOffset)502throws IllegalBlockSizeException, ShortBufferException,503BadPaddingException {504int outLen = core.doFinal(input, inputOffset, inputLen, output,505outputOffset);506updateCalled = false;507return outLen;508}509510/**511* Returns the key size of the given key object.512*513* @param key the key object.514*515* @return the key size of the given key object.516*517* @exception InvalidKeyException if <code>key</code> is invalid.518*/519protected int engineGetKeySize(Key key) throws InvalidKeyException {520byte[] encoded = key.getEncoded();521Arrays.fill(encoded, (byte)0);522if (!AESCrypt.isKeySizeValid(encoded.length)) {523throw new InvalidKeyException("Invalid AES key length: " +524encoded.length + " bytes");525}526return Math.multiplyExact(encoded.length, 8);527}528529/**530* Wrap a key.531*532* @param key the key to be wrapped.533*534* @return the wrapped key.535*536* @exception IllegalBlockSizeException if this cipher is a block537* cipher, no padding has been requested, and the length of the538* encoding of the key to be wrapped is not a539* multiple of the block size.540*541* @exception InvalidKeyException if it is impossible or unsafe to542* wrap the key with this cipher (e.g., a hardware protected key is543* being passed to a software only cipher).544*/545protected byte[] engineWrap(Key key)546throws IllegalBlockSizeException, InvalidKeyException {547return core.wrap(key);548}549550/**551* Unwrap a previously wrapped key.552*553* @param wrappedKey the key to be unwrapped.554*555* @param wrappedKeyAlgorithm the algorithm the wrapped key is for.556*557* @param wrappedKeyType the type of the wrapped key.558* This is one of <code>Cipher.SECRET_KEY</code>,559* <code>Cipher.PRIVATE_KEY</code>, or <code>Cipher.PUBLIC_KEY</code>.560*561* @return the unwrapped key.562*563* @exception NoSuchAlgorithmException if no installed providers564* can create keys of type <code>wrappedKeyType</code> for the565* <code>wrappedKeyAlgorithm</code>.566*567* @exception InvalidKeyException if <code>wrappedKey</code> does not568* represent a wrapped key of type <code>wrappedKeyType</code> for569* the <code>wrappedKeyAlgorithm</code>.570*/571protected Key engineUnwrap(byte[] wrappedKey,572String wrappedKeyAlgorithm,573int wrappedKeyType)574throws InvalidKeyException, NoSuchAlgorithmException {575return core.unwrap(wrappedKey, wrappedKeyAlgorithm,576wrappedKeyType);577}578579/**580* Continues a multi-part update of the Additional Authentication581* Data (AAD), using a subset of the provided buffer.582* <p>583* Calls to this method provide AAD to the cipher when operating in584* modes such as AEAD (GCM/CCM). If this cipher is operating in585* either GCM or CCM mode, all AAD must be supplied before beginning586* operations on the ciphertext (via the {@code update} and {@code587* doFinal} methods).588*589* @param src the buffer containing the AAD590* @param offset the offset in {@code src} where the AAD input starts591* @param len the number of AAD bytes592*593* @throws IllegalStateException if this cipher is in a wrong state594* (e.g., has not been initialized), does not accept AAD, or if595* operating in either GCM or CCM mode and one of the {@code update}596* methods has already been called for the active597* encryption/decryption operation598* @throws UnsupportedOperationException if this method599* has not been overridden by an implementation600*601* @since 1.8602*/603@Override604protected void engineUpdateAAD(byte[] src, int offset, int len) {605if (core.getMode() == CipherCore.GCM_MODE && updateCalled) {606throw new IllegalStateException("AAD must be supplied before encryption/decryption starts");607}608core.updateAAD(src, offset, len);609}610611/**612* Continues a multi-part update of the Additional Authentication613* Data (AAD).614* <p>615* Calls to this method provide AAD to the cipher when operating in616* modes such as AEAD (GCM/CCM). If this cipher is operating in617* either GCM or CCM mode, all AAD must be supplied before beginning618* operations on the ciphertext (via the {@code update} and {@code619* doFinal} methods).620* <p>621* All {@code src.remaining()} bytes starting at622* {@code src.position()} are processed.623* Upon return, the input buffer's position will be equal624* to its limit; its limit will not have changed.625*626* @param src the buffer containing the AAD627*628* @throws IllegalStateException if this cipher is in a wrong state629* (e.g., has not been initialized), does not accept AAD, or if630* operating in either GCM or CCM mode and one of the {@code update}631* methods has already been called for the active632* encryption/decryption operation633* @throws UnsupportedOperationException if this method634* has not been overridden by an implementation635*636* @since 1.8637*/638@Override639protected void engineUpdateAAD(ByteBuffer src) {640if (core.getMode() == CipherCore.GCM_MODE && updateCalled) {641throw new IllegalStateException("AAD must be supplied before encryption/decryption starts");642}643if (src != null) {644int aadLen = src.limit() - src.position();645if (aadLen > 0) {646if (src.hasArray()) {647int aadOfs = Math.addExact(src.arrayOffset(), src.position());648core.updateAAD(src.array(), aadOfs, aadLen);649src.position(src.limit());650} else {651byte[] aad = new byte[aadLen];652src.get(aad);653core.updateAAD(aad, 0, aadLen);654}655}656}657}658659/**660* Finalize crypto operation with ByteBuffers661*662* @param input the input ByteBuffer663* @param output the output ByteBuffer664*665* @return output length666* @throws ShortBufferException667* @throws IllegalBlockSizeException668* @throws BadPaddingException669*/670@Override671protected int engineDoFinal(ByteBuffer input, ByteBuffer output)672throws ShortBufferException, IllegalBlockSizeException,673BadPaddingException {674if (core.getMode() == CipherCore.GCM_MODE && !input.hasArray()) {675return core.gcmDoFinal(input, output);676} else {677return super.engineDoFinal(input, output);678}679}680}681682683