/**
 * Derives the Web Push input keying material (IKM) from the ECDH shared secret.
 *
 * <p>HKDF is run with the ECDH secret as input keying material, the subscription's auth secret
 * as salt, and {@code IKM_INFO || uaPublic || asPublic} as info, so the derived key is bound to
 * both parties' public keys. The exact constants live in {@code WebPushConstants}.
 *
 * @param ecdhSecret the ECDH shared secret (HKDF ikm)
 * @param authSecret the subscription authentication secret (HKDF salt)
 * @param uaPublic the user agent's encoded public key
 * @param asPublic the application server's encoded public key
 * @return {@code WebPushConstants.IKM_SIZE} bytes of derived keying material
 * @throws GeneralSecurityException if the HKDF computation fails
 */
public static byte[] computeIkm(
    final byte[] ecdhSecret,
    final byte[] authSecret,
    final byte[] uaPublic,
    final byte[] asPublic)
    throws GeneralSecurityException {
  // info = IKM_INFO || uaPublic || asPublic
  final byte[] info = Bytes.concat(WebPushConstants.IKM_INFO, uaPublic, asPublic);
  return Hkdf.computeHkdf(
      WebPushConstants.HMAC_SHA256,
      ecdhSecret, // ikm
      authSecret, // salt
      info,
      WebPushConstants.IKM_SIZE);
}
/**
 * Encrypts {@code plaintext}, binding {@code associatedData} (aad) to the result. The aad is
 * authenticated, not encrypted, so it stays readable in transit.
 *
 * <p>Encrypt-then-MAC: the plaintext goes through the {@code IndCpaCipher} first, then the MAC is
 * computed over {@code aad || ciphertext || t}, where {@code t} is the aad length in bits as a
 * 64-bit big-endian unsigned integer. Encoding the length makes the aad/ciphertext boundary
 * unambiguous to the MAC. Output layout is {@code ciphertext || mac}.
 *
 * @param plaintext the data to encrypt
 * @param associatedData additional authenticated data; {@code null} is treated as empty
 * @return {@code ciphertext || mac}
 * @throws GeneralSecurityException if encryption or MAC computation fails
 */
@Override
public byte[] encrypt(final byte[] plaintext, final byte[] associatedData)
    throws GeneralSecurityException {
  final byte[] aad = associatedData == null ? new byte[0] : associatedData;
  final byte[] encrypted = cipher.encrypt(plaintext);
  // ByteBuffer defaults to big-endian, so this is the 64-bit big-endian bit length of aad.
  final byte[] aadBitLength = ByteBuffer.allocate(8).putLong(8L * aad.length).array();
  final byte[] tag = mac.computeMac(Bytes.concat(aad, encrypted, aadBitLength));
  return Bytes.concat(encrypted, tag);
}
/**
 * Computes the symmetric key for ECIES with HKDF from the provided parameters.
 *
 * <p>The HKDF input keying material is {@code ephemeralPublicKeyBytes || sharedSecret}. Feeding
 * the ephemeral public key into the derivation binds the DEM key to the KEM ciphertext. In some
 * versions of ECIES (e.g. IEEE P1363a) this is optional; Shoup strongly prefers including it
 * (http://eprint.iacr.org/2001/112.pdf, discussion of the value C0 in Sections 15.6 and 15.6.1).
 *
 * @param ephemeralPublicKeyBytes the encoded ephemeral public key, i.e. the KEM part of the
 *     hybrid encryption
 * @param sharedSecret the shared DH secret; typically the x-coordinate of the secret point
 * @param hmacAlgo the HMAC used by HKDF (e.g. "HmacSha256")
 * @param hkdfSalt the HKDF salt, passed through unchanged to {@code Hkdf.computeHkdf}
 * @param hkdfInfo the HKDF info. TODO(bleichen): determine what are good values for Info and
 *     salt and what are not good values. The ISO standard proposal
 *     http://eprint.iacr.org/2001/112.pdf does not allow additional values for the key derivation
 *     (see Section 15.6.2)
 * @param keySizeInBytes the size of the key material for the DEM key
 * @return {@code keySizeInBytes} bytes of derived key material
 * @throws GeneralSecurityException if hmacAlgo is not supported
 */
public static byte[] computeEciesHkdfSymmetricKey(
    final byte[] ephemeralPublicKeyBytes,
    final byte[] sharedSecret,
    String hmacAlgo,
    final byte[] hkdfSalt,
    final byte[] hkdfInfo,
    int keySizeInBytes)
    throws GeneralSecurityException {
  // ikm = ephemeralPublicKey || sharedSecret
  final byte[] ikm = Bytes.concat(ephemeralPublicKeyBytes, sharedSecret);
  return Hkdf.computeHkdf(hmacAlgo, ikm, hkdfSalt, hkdfInfo, keySizeInBytes);
}
}
/**
 * Deterministic AES-SIV encryption: returns {@code siv || AES-CTR(plaintext)}, where {@code siv}
 * is S2V over the associated data and plaintext and the CTR counter block is {@code siv} with
 * bits 31 and 63 (counted from the right) cleared, as AES-SIV (RFC 5297) specifies.
 *
 * <p>Same (key, associatedData, plaintext) always yields the same ciphertext; that is the
 * intended property of this primitive, not a defect.
 *
 * @param plaintext the data to encrypt
 * @param associatedData data authenticated via S2V but not encrypted
 * @return {@code siv || ctrCiphertext}
 * @throws GeneralSecurityException if the plaintext is too long or the cipher fails
 */
@Override
public byte[] encryptDeterministically(final byte[] plaintext, final byte[] associatedData)
    throws GeneralSecurityException {
  // The output is one block longer than the plaintext; refuse inputs where that would overflow.
  if (plaintext.length > Integer.MAX_VALUE - AesUtil.BLOCK_SIZE) {
    throw new GeneralSecurityException("plaintext too long");
  }
  final Cipher ctr = EngineFactory.CIPHER.getInstance("AES/CTR/NoPadding");
  final byte[] siv = s2v(associatedData, plaintext);
  // Counter block = siv with the 63rd and 31st bits from the right cleared (MSB of bytes 8 and
  // 12); the unmodified siv is what gets transmitted.
  final byte[] counterBlock = siv.clone();
  counterBlock[8] &= (byte) 0x7F;
  counterBlock[12] &= (byte) 0x7F;
  ctr.init(
      Cipher.ENCRYPT_MODE,
      new SecretKeySpec(this.aesCtrKey, "AES"),
      new IvParameterSpec(counterBlock));
  final byte[] body = ctr.doFinal(plaintext);
  return Bytes.concat(siv, body);
}
/**
 * Decrypts {@code ciphertext}, verifying that {@code associatedData} (aad) is the data the
 * ciphertext was bound to. The aad's integrity is checked; its secrecy is not.
 *
 * <p>Input layout is {@code ciphertext || mac}. The MAC is verified over
 * {@code aad || ciphertext || t}, where {@code t} is the aad length in bits as a 64-bit
 * big-endian unsigned integer, and only then is the IND-CPA ciphertext decrypted.
 *
 * @param ciphertext {@code ciphertext || mac} as produced by {@code encrypt}
 * @param associatedData the aad supplied at encryption time; {@code null} is treated as empty
 * @return the plaintext
 * @throws GeneralSecurityException if the input is too short, the MAC does not verify, or
 *     decryption fails
 */
@Override
public byte[] decrypt(final byte[] ciphertext, final byte[] associatedData)
    throws GeneralSecurityException {
  if (ciphertext.length < macLength) {
    throw new GeneralSecurityException("ciphertext too short");
  }
  final int tagStart = ciphertext.length - macLength;
  final byte[] body = Arrays.copyOfRange(ciphertext, 0, tagStart);
  final byte[] tag = Arrays.copyOfRange(ciphertext, tagStart, ciphertext.length);
  final byte[] aad = associatedData == null ? new byte[0] : associatedData;
  // ByteBuffer defaults to big-endian, so this is the 64-bit big-endian bit length of aad.
  final byte[] aadBitLength = ByteBuffer.allocate(8).putLong(8L * aad.length).array();
  // Verify first: the IND-CPA cipher must never process unauthenticated input.
  mac.verifyMac(tag, Bytes.concat(aad, body, aadBitLength));
  return cipher.decrypt(body);
}
}
byte[] s = new byte[FIELD_LEN]; mulAdd(s, hram, hashedPrivateKey, r); return Bytes.concat(rB, s);
/**
 * Computes a MAC with the primary key and prepends that key's output-prefix identifier.
 *
 * <p>For LEGACY keys the MAC input is {@code data || formatVersion} ({@code formatVersion} is a
 * field of the enclosing class); every other prefix type MACs {@code data} as-is.
 *
 * @param data the message to authenticate
 * @return {@code identifier || mac}
 * @throws GeneralSecurityException if the underlying MAC fails
 */
@Override
public byte[] computeMac(final byte[] data) throws GeneralSecurityException {
  final boolean legacy =
      primitives.getPrimary().getOutputPrefixType().equals(OutputPrefixType.LEGACY);
  final byte[] prefix = primitives.getPrimary().getIdentifier();
  final byte[] macInput = legacy ? Bytes.concat(data, formatVersion) : data;
  final byte[] tag = primitives.getPrimary().getPrimitive().computeMac(macInput);
  return Bytes.concat(prefix, tag);
}
/**
 * Signs with the primary key and prepends that key's output-prefix identifier.
 *
 * <p>For LEGACY keys the signed message is {@code data || LEGACY_START_BYTE}; every other prefix
 * type signs {@code data} as-is.
 *
 * @param data the message to sign
 * @return {@code identifier || signature}
 * @throws GeneralSecurityException if the underlying signer fails
 */
@Override
public byte[] sign(final byte[] data) throws GeneralSecurityException {
  final boolean legacy =
      primitives.getPrimary().getOutputPrefixType().equals(OutputPrefixType.LEGACY);
  final byte[] prefix = primitives.getPrimary().getIdentifier();
  byte[] message = data;
  if (legacy) {
    final byte[] formatVersion = new byte[] {CryptoFormat.LEGACY_START_BYTE};
    message = Bytes.concat(data, formatVersion);
  }
  final byte[] signature = primitives.getPrimary().getPrimitive().sign(message);
  return Bytes.concat(prefix, signature);
}
};
/**
 * Encrypts with the primary key and prepends that key's output-prefix identifier so the matching
 * key can be located on decryption.
 *
 * @param plaintext the data to encrypt
 * @param contextInfo context info bound into the encryption
 * @return {@code identifier || ciphertext}
 * @throws GeneralSecurityException if the underlying primitive fails
 */
@Override
public byte[] encrypt(final byte[] plaintext, final byte[] contextInfo)
    throws GeneralSecurityException {
  final byte[] prefix = primitives.getPrimary().getIdentifier();
  final byte[] body = primitives.getPrimary().getPrimitive().encrypt(plaintext, contextInfo);
  return Bytes.concat(prefix, body);
}
};
/**
 * Deterministically encrypts with the primary key and prepends that key's output-prefix
 * identifier.
 *
 * @param plaintext the data to encrypt
 * @param associatedData data authenticated but not encrypted
 * @return {@code identifier || ciphertext}
 * @throws GeneralSecurityException if the underlying primitive fails
 */
@Override
public byte[] encryptDeterministically(final byte[] plaintext, final byte[] associatedData)
    throws GeneralSecurityException {
  final byte[] prefix = primitives.getPrimary().getIdentifier();
  final byte[] body =
      primitives.getPrimary().getPrimitive().encryptDeterministically(plaintext, associatedData);
  return Bytes.concat(prefix, body);
}
/**
 * Encrypts with the primary key of {@code pset} and prepends that key's output-prefix identifier.
 *
 * @param plaintext the data to encrypt
 * @param associatedData data authenticated but not encrypted
 * @return {@code identifier || ciphertext}
 * @throws GeneralSecurityException if the underlying primitive fails
 */
@Override
public byte[] encrypt(final byte[] plaintext, final byte[] associatedData)
    throws GeneralSecurityException {
  final byte[] prefix = pset.getPrimary().getIdentifier();
  final byte[] body = pset.getPrimary().getPrimitive().encrypt(plaintext, associatedData);
  return Bytes.concat(prefix, body);
}
try { if (entry.getOutputPrefixType().equals(OutputPrefixType.LEGACY)) { entry.getPrimitive().verifyMac(macNoPrefix, Bytes.concat(data, formatVersion)); } else { entry.getPrimitive().verifyMac(macNoPrefix, data);
if (entry.getOutputPrefixType().equals(OutputPrefixType.LEGACY)) { final byte[] formatVersion = new byte[] {CryptoFormat.LEGACY_START_BYTE}; final byte[] dataWithFormatVersion = Bytes.concat(data, formatVersion); entry.getPrimitive().verify(sigNoPrefix, dataWithFormatVersion); } else {