Home Explore Help
Sign In
nnesse
/
minwin-gcc-5-2
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: f5de7b477e
Branches Tags
minwin-gcc-5-2
/
libjava
/
classpath
/
gnu
/
javax
/
crypto
/
kwa
/
TripleDESKeyWrap.java

TripleDESKeyWrap.java 10 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293 
  1. /* TripleDESKeyWrap.java -- FIXME: briefly describe file purpose
    2. 

  2.    Copyright (C) 2006 Free Software Foundation, Inc.
    3. 

  3. 

  4. This file is part of GNU Classpath.
    5. 

  5. 

  6. GNU Classpath is free software; you can redistribute it and/or modify
    7. 

  7. it under the terms of the GNU General Public License as published by
    8. 

  8. the Free Software Foundation; either version 2, or (at your option)
    9. 

  9. any later version.
    10. 

  10. 

  11. GNU Classpath is distributed in the hope that it will be useful, but
    12. 

  12. WITHOUT ANY WARRANTY; without even the implied warranty of
    13. 

  13. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
    14. 

  14. General Public License for more details.
    15. 

  15. 

  16. You should have received a copy of the GNU General Public License
    17. 

  17. along with GNU Classpath; see the file COPYING.  If not, write to the
    18. 

  18. Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
    19. 

  19. 02110-1301 USA.
    20. 

  20. 

  21. Linking this library statically or dynamically with other modules is
    22. 

  22. making a combined work based on this library.  Thus, the terms and
    23. 

  23. conditions of the GNU General Public License cover the whole
    24. 

  24. combination.
    25. 

  25. 

  26. As a special exception, the copyright holders of this library give you
    27. 

  27. permission to link this library with independent modules to produce an
    28. 

  28. executable, regardless of the license terms of these independent
    29. 

  29. modules, and to copy and distribute the resulting executable under
    30. 

  30. terms of your choice, provided that you also meet, for each linked
    31. 

  31. independent module, the terms and conditions of the license of that
    32. 

  32. module.  An independent module is a module which is not derived from
    33. 

  33. or based on this library.  If you modify this library, you may extend
    34. 

  34. this exception to your version of the library, but you are not
    35. 

  35. obligated to do so.  If you do not wish to do so, delete this
    36. 

  36. exception statement from your version. */
    37. 

  37. 

  38. 

  39. package gnu.javax.crypto.kwa;
    40. 

  40. 

  41. import gnu.java.security.Registry;
    42. 

  42. import gnu.java.security.hash.Sha160;
    43. 

  43. import gnu.javax.crypto.assembly.Assembly;
    44. 

  44. import gnu.javax.crypto.assembly.Cascade;
    45. 

  45. import gnu.javax.crypto.assembly.Direction;
    46. 

  46. import gnu.javax.crypto.assembly.Stage;
    47. 

  47. import gnu.javax.crypto.assembly.Transformer;
    48. 

  48. import gnu.javax.crypto.assembly.TransformerException;
    49. 

  49. import gnu.javax.crypto.cipher.IBlockCipher;
    50. 

  50. import gnu.javax.crypto.cipher.TripleDES;
    51. 

  51. import gnu.javax.crypto.mode.IMode;
    52. 

  52. import gnu.javax.crypto.mode.ModeFactory;
    53. 

  53. 

  54. import java.security.InvalidKeyException;
    55. 

  55. import java.security.SecureRandom;
    56. 

  56. import java.util.Arrays;
    57. 

  57. import java.util.HashMap;
    58. 

  58. import java.util.Map;
    59. 

  59. 

  60. /**
    61. 

  61.  * The GNU implementation of the Triple DES Key Wrap Algorithm as described in
    62. 

  62.  * [1].
    63. 

  63.  * <p>
    64. 

  64.  * <b>IMPORTANT</b>: This class is NOT thread safe.
    65. 

  65.  * <p>
    66. 

  66.  * References:
    67. 

  67.  * <ol>
    68. 

  68.  * <li><a href="http://www.rfc-archive.org/getrfc.php?rfc=3217">Triple-DES and
    69. 

  69.  * RC2 Key Wrapping</a>.</li>
    70. 

  70.  * <li><a href="http://www.w3.org/TR/xmlenc-core/">XML Encryption Syntax and
    71. 

  71.  * Processing</a>.</li>
    72. 

  72.  * </ol>
    73. 

  73.  */
    74. 

  74. public class TripleDESKeyWrap
    75. 

  75.     extends BaseKeyWrappingAlgorithm
    76. 

  76. {
    77. 

  77.   private static final byte[] DEFAULT_IV = new byte[] {
    78. 

  78.      (byte) 0x4A, (byte) 0xDD, (byte) 0xA2, (byte) 0x2C,
    79. 

  79.      (byte) 0x79, (byte) 0xE8, (byte) 0x21, (byte) 0x05 };
    80. 

  80. 

  81.   private Assembly asm;
    82. 

  82.   private HashMap asmAttributes = new HashMap();
    83. 

  83.   private HashMap modeAttributes = new HashMap();
    84. 

  84.   private Sha160 sha = new Sha160();
    85. 

  85.   private SecureRandom rnd;
    86. 

  86. 

  87.   public TripleDESKeyWrap()
    88. 

  88.   {
    89. 

  89.     super(Registry.TRIPLEDES_KWA);
    90. 

  90.   }
    91. 

  91. 

  92.   protected void engineInit(Map attributes) throws InvalidKeyException
    93. 

  93.   {
    94. 

  94.     rnd = (SecureRandom) attributes.get(IKeyWrappingAlgorithm.SOURCE_OF_RANDOMNESS);
    95. 

  95.     IMode des3CBC = ModeFactory.getInstance(Registry.CBC_MODE, new TripleDES(), 8);
    96. 

  96.     Stage des3CBCStage = Stage.getInstance(des3CBC, Direction.FORWARD);
    97. 

  97.     Cascade cascade = new Cascade();
    98. 

  98.     Object modeNdx = cascade.append(des3CBCStage);
    99. 

  99. 

  100.     asmAttributes.put(modeNdx, modeAttributes);
    101. 

  101. 

  102.     asm = new Assembly();
    103. 

  103.     asm.addPreTransformer(Transformer.getCascadeTransformer(cascade));
    104. 

  104. 

  105.     modeAttributes.put(IBlockCipher.KEY_MATERIAL,
    106. 

  106.                        attributes.get(KEY_ENCRYPTION_KEY_MATERIAL));
    107. 

  107.     asmAttributes.put(Assembly.DIRECTION, Direction.FORWARD);
    108. 

  108.   }
    109. 

  109. 

  110.   protected byte[] engineWrap(byte[] in, int inOffset, int length)
    111. 

  111.   {
    112. 

  112.     // The same key wrap algorithm is used for both Two-key Triple-DES and
    113. 

  113.     // Three-key Triple-DES keys.  When a Two-key Triple-DES key is to be
    114. 

  114.     // wrapped, a third DES key with the same value as the first DES key is
    115. 

  115.     // created.  Thus, all wrapped Triple-DES keys include three DES keys.
    116. 

  116.     if (length != 16 && length != 24)
    117. 

  117.       throw new IllegalArgumentException("Only 2- and 3-key Triple DES keys are alowed");
    118. 

  118. 

  119.     byte[] CEK = new byte[24];
    120. 

  120.     if (length == 16)
    121. 

  121.       {
    122. 

  122.         System.arraycopy(in, inOffset, CEK, 0,  16);
    123. 

  123.         System.arraycopy(in, inOffset, CEK, 16, 8);
    124. 

  124.       }
    125. 

  125.     else
    126. 

  126.       System.arraycopy(in, inOffset, CEK, 0, 24);
    127. 

  127. 

  128.     // TODO: check for the following:
    129. 

  129.     // However, a Two-key Triple-DES key MUST NOT be used to wrap a Three-
    130. 

  130.     // key Triple-DES key that is comprised of three unique DES keys.
    131. 

  131. 

  132.     // 1. Set odd parity for each of the DES key octets comprising the
    133. 

  133.     //    Three-Key Triple-DES key that is to be wrapped, call the result
    134. 

  134.     //    CEK.
    135. 

  135.     TripleDES.adjustParity(CEK, 0);
    136. 

  136. 

  137.     // 2. Compute an 8 octet key checksum value on CEK as described above in
    138. 

  138.     //    Section 2, call the result ICV.
    139. 

  139.     sha.update(CEK);
    140. 

  140.     byte[] hash = sha.digest();
    141. 

  141.     byte[] ICV = new byte[8];
    142. 

  142.     System.arraycopy(hash, 0, ICV, 0, 8);
    143. 

  143. 

  144.     // 3. Let CEKICV = CEK || ICV.
    145. 

  145.     byte[] CEKICV = new byte[CEK.length + ICV.length];
    146. 

  146.     System.arraycopy(CEK, 0, CEKICV, 0,          CEK.length);
    147. 

  147.     System.arraycopy(ICV, 0, CEKICV, CEK.length, ICV.length);
    148. 

  148. 

  149.     // 4. Generate 8 octets at random, call the result IV.
    150. 

  150.     byte[] IV = new byte[8];
    151. 

  151.     nextRandomBytes(IV);
    152. 

  152. 

  153.     // 5. Encrypt CEKICV in CBC mode using the key-encryption key.  Use the
    154. 

  154.     //    random value generated in the previous step as the initialization
    155. 

  155.     //    vector (IV).  Call the ciphertext TEMP1.
    156. 

  156.     modeAttributes.put(IMode.IV, IV);
    157. 

  157.     asmAttributes.put(Assembly.DIRECTION, Direction.FORWARD);
    158. 

  158.     byte[] TEMP1;
    159. 

  159.     try
    160. 

  160.       {
    161. 

  161.         asm.init(asmAttributes);
    162. 

  162.         TEMP1 = asm.lastUpdate(CEKICV);
    163. 

  163.       }
    164. 

  164.     catch (TransformerException x)
    165. 

  165.       {
    166. 

  166.         throw new RuntimeException(x);
    167. 

  167.       }
    168. 

  168. 

  169.     // 6. Let TEMP2 = IV || TEMP1.
    170. 

  170.     byte[] TEMP2 = new byte[IV.length + TEMP1.length];
    171. 

  171.     System.arraycopy(IV,    0, TEMP2, 0,         IV.length);
    172. 

  172.     System.arraycopy(TEMP1, 0, TEMP2, IV.length, TEMP1.length);
    173. 

  173. 

  174.     // 7. Reverse the order of the octets in TEMP2.  That is, the most
    175. 

  175.     //    significant (first) octet is swapped with the least significant
    176. 

  176.     //    (last) octet, and so on.  Call the result TEMP3.
    177. 

  177.     byte[] TEMP3 = new byte[TEMP2.length];
    178. 

  178.     for (int i = 0, j = TEMP2.length - 1; i < TEMP2.length; i++, j--)
    179. 

  179.       TEMP3[j] = TEMP2[i];
    180. 

  180. 

  181.     // 8. Encrypt TEMP3 in CBC mode using the key-encryption key.  Use an
    182. 

  182.     //    initialization vector (IV) of 0x4adda22c79e82105.  The ciphertext
    183. 

  183.     //    is 40 octets long.
    184. 

  184.     modeAttributes.put(IMode.IV, DEFAULT_IV);
    185. 

  185.     asmAttributes.put(Assembly.DIRECTION, Direction.FORWARD);
    186. 

  186.     byte[] result;
    187. 

  187.     try
    188. 

  188.       {
    189. 

  189.         asm.init(asmAttributes);
    190. 

  190.         result = asm.lastUpdate(TEMP3);
    191. 

  191.       }
    192. 

  192.     catch (TransformerException x)
    193. 

  193.       {
    194. 

  194.         throw new RuntimeException(x);
    195. 

  195.       }
    196. 

  196.     return result;
    197. 

  197.   }
    198. 

  198. 

  199.   protected byte[] engineUnwrap(byte[] in, int inOffset, int length)
    200. 

  200.       throws KeyUnwrappingException
    201. 

  201.   {
    202. 

  202.     // 1. If the wrapped key is not 40 octets, then error.
    203. 

  203.     if (length != 40)
    204. 

  204.       throw new IllegalArgumentException("length MUST be 40");
    205. 

  205. 

  206.     // 2. Decrypt the wrapped key in CBC mode using the key-encryption key.
    207. 

  207.     //    Use an initialization vector (IV) of 0x4adda22c79e82105.  Call the
    208. 

  208.     //    output TEMP3.
    209. 

  209.     modeAttributes.put(IMode.IV, DEFAULT_IV);
    210. 

  210.     asmAttributes.put(Assembly.DIRECTION, Direction.REVERSED);
    211. 

  211.     byte[] TEMP3;
    212. 

  212.     try
    213. 

  213.       {
    214. 

  214.         asm.init(asmAttributes);
    215. 

  215.         TEMP3 = asm.lastUpdate(in, inOffset, 40);
    216. 

  216.       }
    217. 

  217.     catch (TransformerException x)
    218. 

  218.       {
    219. 

  219.         throw new RuntimeException(x);
    220. 

  220.       }
    221. 

  221. 

  222.     // 3. Reverse the order of the octets in TEMP3.  That is, the most
    223. 

  223.     //    significant (first) octet is swapped with the least significant
    224. 

  224.     //    (last) octet, and so on.  Call the result TEMP2.
    225. 

  225.     byte[] TEMP2 = new byte[40];
    226. 

  226.     for (int i = 0, j = 40 - 1; i < 40; i++, j--)
    227. 

  227.       TEMP2[j] = TEMP3[i];
    228. 

  228. 

  229.     // 4. Decompose TEMP2 into IV and TEMP1.  IV is the most significant
    230. 

  230.     //    (first) 8 octets, and TEMP1 is the least significant (last) 32
    231. 

  231.     //    octets.
    232. 

  232.     byte[] IV = new byte[8];
    233. 

  233.     byte[] TEMP1 = new byte[32];
    234. 

  234.     System.arraycopy(TEMP2, 0, IV,    0, 8);
    235. 

  235.     System.arraycopy(TEMP2, 8, TEMP1, 0, 32);
    236. 

  236. 

  237.     // 5. Decrypt TEMP1 in CBC mode using the key-encryption key.  Use the
    238. 

  238.     //    IV value from the previous step as the initialization vector.
    239. 

  239.     //    Call the ciphertext CEKICV.
    240. 

  240.     modeAttributes.put(IMode.IV, IV);
    241. 

  241.     asmAttributes.put(Assembly.DIRECTION, Direction.REVERSED);
    242. 

  242.     byte[] CEKICV;
    243. 

  243.     try
    244. 

  244.       {
    245. 

  245.         asm.init(asmAttributes);
    246. 

  246.         CEKICV = asm.lastUpdate(TEMP1, 0, 32);
    247. 

  247.       }
    248. 

  248.     catch (TransformerException x)
    249. 

  249.       {
    250. 

  250.         throw new RuntimeException(x);
    251. 

  251.       }
    252. 

  252. 

  253.     // 6. Decompose CEKICV into CEK and ICV.  CEK is the most significant
    254. 

  254.     //    (first) 24 octets, and ICV is the least significant (last) 8
    255. 

  255.     //    octets.
    256. 

  256.     byte[] CEK = new byte[24];
    257. 

  257.     byte[] ICV = new byte[8];
    258. 

  258.     System.arraycopy(CEKICV, 0,  CEK, 0, 24);
    259. 

  259.     System.arraycopy(CEKICV, 24, ICV, 0, 8);
    260. 

  260. 

  261.     // 7. Compute an 8 octet key checksum value on CEK as described above in
    262. 

  262.     //    Section 2.  If the computed key checksum value does not match the
    263. 

  263.     //    decrypted key checksum value, ICV, then error.
    264. 

  264.     sha.update(CEK);
    265. 

  265.     byte[] hash = sha.digest();
    266. 

  266.     byte[] computedICV = new byte[8];
    267. 

  267.     System.arraycopy(hash, 0, computedICV, 0, 8);
    268. 

  268.     if (! Arrays.equals(ICV, computedICV))
    269. 

  269.       throw new KeyUnwrappingException("ICV and computed ICV MUST match");
    270. 

  270. 

  271.     // 8. Check for odd parity each of the DES key octets comprising CEK.
    272. 

  272.     //    If parity is incorrect, then error.
    273. 

  273.     if (! TripleDES.isParityAdjusted(CEK, 0))
    274. 

  274.       throw new KeyUnwrappingException("Triple-DES key parity MUST be adjusted");
    275. 

  275. 

  276.     // 9. Use CEK as a Triple-DES key.
    277. 

  277.     return CEK;
    278. 

  278.   }
    279. 

  279. 

  280.   /**
    281. 

  281.    * Fills the designated byte array with random data.
    282. 

  282.    *
    283. 

  283.    * @param buffer the byte array to fill with random data.
    284. 

  284.    */
    285. 

  285.   private void nextRandomBytes(byte[] buffer)
    286. 

  286.   {
    287. 

  287.     if (rnd != null)
    288. 

  288.       rnd.nextBytes(buffer);
    289. 

  289.     else
    290. 

  290.       getDefaultPRNG().nextBytes(buffer);
    291. 

  291.   }
    292. 

  292. }
    293. 

  293.