http://github.com/google/tink: Tink is a small cryptographic library that provides a safe, simple, agile and fast way to accomplish some common cryptographic tasks. 
// Copyright 2017 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
////////////////////////////////////////////////////////////////////////////////

package com.google.crypto.tink.subtle;

import java.util.Arrays;


A collection of byte-manipulation functions, and some more specific functions for AES-CMAC /
AES-SIV.

Beware: some of the functions here are specific to the representation used for AES-CMAC and
SIV, as described in their RFCs. These might not work if used in other contexts.

/**
 * A collection of byte-manipulation functions, and some more specific functions for AES-CMAC /
 * AES-SIV.
 *
 * <p>Beware: some of the functions here are specific to the representation used for AES-CMAC and
 * SIV, as described in their RFCs. These might not work if used in other contexts.
 */
class AesUtil {

  public static final int BLOCK_SIZE = 16;

  
Multiplies value by x in the finite field GF(2^128) represented using the primitive polynomial
x^128 + x^7 + x^2 + x + 1.

Params:
  • value – an arrays of 16 bytes representing an element of GF(2^128) using bigendian byte
order.
/**
   * Multiplies value by x in the finite field GF(2^128) represented using the primitive polynomial
   * x^128 + x^7 + x^2 + x + 1.
   *
   * @param value an arrays of 16 bytes representing an element of GF(2^128) using bigendian byte
   * order.
   */
  static byte[] dbl(final byte[] value) {
    if (value.length != BLOCK_SIZE) {
      throw new IllegalArgumentException("value must be a block.");
    }

    // Note that >> is an arithmetical shift, which copies the leftmost bit to fill the
    // blanks created by shifting. For instance, x >> 7 will equal 0xFF if (x & 1), and 0x00
    // otherwise. This is a bit hard to read, but the operation is branchless, which is valuable
    // in this context.

    // Shift left by one.
    byte[] res = new byte[BLOCK_SIZE];
    for (int i = 0; i < BLOCK_SIZE; i++) {
      res[i] = (byte) (0xFE & (value[i] << 1));
      if (i < BLOCK_SIZE - 1) {
        res[i] |= (byte) (0x01 & (value[i + 1] >> 7));
      }
    }
    // And handle the modulus if needed (0x87 is the binary representation of the polynomial,
    // minus the x^128 part).
    res[BLOCK_SIZE - 1] ^= (byte) (0x87 & (value[0] >> 7));
    return res;
  }

  
Pad by adding a 1 bit, then pad with 0 bits to the next block limit. This is the standard for
both CMAC and AES-SIV. - https://tools.ietf.org/html/rfc4493#section-2.4 -
https://tools.ietf.org/html/rfc5297#section-2.1

Params:
  • x – The array to pad (will be copied)
Returns:The padded array.
/**
   * Pad by adding a 1 bit, then pad with 0 bits to the next block limit. This is the standard for
   * both CMAC and AES-SIV. - https://tools.ietf.org/html/rfc4493#section-2.4 -
   * https://tools.ietf.org/html/rfc5297#section-2.1
   *
   * @param x The array to pad (will be copied)
   * @return The padded array.
   */
  static byte[] cmacPad(final byte[] x) {
    if (x.length >= BLOCK_SIZE) {
      throw new IllegalArgumentException("x must be smaller than a block.");
    }
    byte[] result = Arrays.copyOf(x, 16);
    result[x.length] = (byte) 0x80;
    return result;
  }
}