/*
 * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package com.sun.crypto.provider;

import java.util.Arrays;
import java.util.Locale;

import java.security.*;
import java.security.spec.*;
import javax.crypto.*;
import javax.crypto.spec.*;
import javax.crypto.BadPaddingException;

This class represents the symmetric algorithms in its various modes (ECB, CFB, OFB, CBC, PCBC, CTR, and CTS) and padding schemes (PKCS5Padding, NoPadding, ISO10126Padding).
Author:Gigi Ankeny, Jan Luehe
See Also:
/** * This class represents the symmetric algorithms in its various modes * (<code>ECB</code>, <code>CFB</code>, <code>OFB</code>, <code>CBC</code>, * <code>PCBC</code>, <code>CTR</code>, and <code>CTS</code>) and * padding schemes (<code>PKCS5Padding</code>, <code>NoPadding</code>, * <code>ISO10126Padding</code>). * * @author Gigi Ankeny * @author Jan Luehe * @see ElectronicCodeBook * @see CipherFeedback * @see OutputFeedback * @see CipherBlockChaining * @see PCBC * @see CounterMode * @see CipherTextStealing */
final class CipherCore { /* * internal buffer */ private byte[] buffer = null; /* * block size of cipher in bytes */ private int blockSize = 0; /* * unit size (number of input bytes that can be processed at a time) */ private int unitBytes = 0; /* * index of the content size left in the buffer */ private int buffered = 0; /* * minimum number of bytes in the buffer required for * FeedbackCipher.encryptFinal()/decryptFinal() call. * update() must buffer this many bytes before starting * to encrypt/decrypt data. * currently, only the following cases have non-zero values: * 1) CTS mode - due to its special handling on the last two blocks * (the last one may be incomplete). * 2) GCM mode + decryption - due to its trailing tag bytes */ private int minBytes = 0; /* * number of bytes needed to make the total input length a multiple * of the blocksize (this is used in feedback mode, when the number of * input bytes that are processed at a time is different from the block * size) */ private int diffBlocksize = 0; /* * padding class */ private Padding padding = null; /* * internal cipher engine */ private FeedbackCipher cipher = null; /* * the cipher mode */ private int cipherMode = ECB_MODE; /* * are we encrypting or decrypting? */ private boolean decrypting = false; /* * Block Mode constants */ private static final int ECB_MODE = 0; private static final int CBC_MODE = 1; private static final int CFB_MODE = 2; private static final int OFB_MODE = 3; private static final int PCBC_MODE = 4; private static final int CTR_MODE = 5; private static final int CTS_MODE = 6; static final int GCM_MODE = 7; /* * variables used for performing the GCM (key+iv) uniqueness check. * To use GCM mode safely, the cipher object must be re-initialized * with a different combination of key + iv values for each * encryption operation. However, checking all past key + iv values * isn't feasible. Thus, we only do a per-instance check of the * key + iv values used in previous encryption. * For decryption operations, no checking is necessary. * NOTE: this key+iv check have to be done inside CipherCore class * since CipherCore class buffers potential tag bytes in GCM mode * and may not call GaloisCounterMode when there isn't sufficient * input to process. */ private boolean requireReinit = false; private byte[] lastEncKey = null; private byte[] lastEncIv = null;
Creates an instance of CipherCore with default ECB mode and PKCS5Padding.
/** * Creates an instance of CipherCore with default ECB mode and * PKCS5Padding. */
CipherCore(SymmetricCipher impl, int blkSize) { blockSize = blkSize; unitBytes = blkSize; diffBlocksize = blkSize; /* * The buffer should be usable for all cipher mode and padding * schemes. Thus, it has to be at least (blockSize+1) for CTS. * In decryption mode, it also hold the possible padding block. */ buffer = new byte[blockSize*2]; // set mode and padding cipher = new ElectronicCodeBook(impl); padding = new PKCS5Padding(blockSize); }
Sets the mode of this cipher.
Params:
  • mode – the cipher mode
Throws:
/** * Sets the mode of this cipher. * * @param mode the cipher mode * * @exception NoSuchAlgorithmException if the requested cipher mode does * not exist for this cipher */
void setMode(String mode) throws NoSuchAlgorithmException { if (mode == null) throw new NoSuchAlgorithmException("null mode"); String modeUpperCase = mode.toUpperCase(Locale.ENGLISH); if (modeUpperCase.equals("ECB")) { return; } SymmetricCipher rawImpl = cipher.getEmbeddedCipher(); if (modeUpperCase.equals("CBC")) { cipherMode = CBC_MODE; cipher = new CipherBlockChaining(rawImpl); } else if (modeUpperCase.equals("CTS")) { cipherMode = CTS_MODE; cipher = new CipherTextStealing(rawImpl); minBytes = blockSize+1; padding = null; } else if (modeUpperCase.equals("CTR")) { cipherMode = CTR_MODE; cipher = new CounterMode(rawImpl); unitBytes = 1; padding = null; } else if (modeUpperCase.equals("GCM")) { // can only be used for block ciphers w/ 128-bit block size if (blockSize != 16) { throw new NoSuchAlgorithmException ("GCM mode can only be used for AES cipher"); } cipherMode = GCM_MODE; cipher = new GaloisCounterMode(rawImpl); padding = null; } else if (modeUpperCase.startsWith("CFB")) { cipherMode = CFB_MODE; unitBytes = getNumOfUnit(mode, "CFB".length(), blockSize); cipher = new CipherFeedback(rawImpl, unitBytes); } else if (modeUpperCase.startsWith("OFB")) { cipherMode = OFB_MODE; unitBytes = getNumOfUnit(mode, "OFB".length(), blockSize); cipher = new OutputFeedback(rawImpl, unitBytes); } else if (modeUpperCase.equals("PCBC")) { cipherMode = PCBC_MODE; cipher = new PCBC(rawImpl); } else { throw new NoSuchAlgorithmException("Cipher mode: " + mode + " not found"); } }
Returns the mode of this cipher.
Returns:the parsed cipher mode
/** * Returns the mode of this cipher. * * @return the parsed cipher mode */
int getMode() { return cipherMode; } private static int getNumOfUnit(String mode, int offset, int blockSize) throws NoSuchAlgorithmException { int result = blockSize; // use blockSize as default value if (mode.length() > offset) { int numInt; try { Integer num = Integer.valueOf(mode.substring(offset)); numInt = num.intValue(); result = numInt >> 3; } catch (NumberFormatException e) { throw new NoSuchAlgorithmException ("Algorithm mode: " + mode + " not implemented"); } if ((numInt % 8 != 0) || (result > blockSize)) { throw new NoSuchAlgorithmException ("Invalid algorithm mode: " + mode); } } return result; }
Sets the padding mechanism of this cipher.
Params:
  • paddingScheme – the padding mechanism
Throws:
/** * Sets the padding mechanism of this cipher. * * @param paddingScheme the padding mechanism * * @exception NoSuchPaddingException if the requested padding mechanism * does not exist */
void setPadding(String paddingScheme) throws NoSuchPaddingException { if (paddingScheme == null) { throw new NoSuchPaddingException("null padding"); } if (paddingScheme.equalsIgnoreCase("NoPadding")) { padding = null; } else if (paddingScheme.equalsIgnoreCase("ISO10126Padding")) { padding = new ISO10126Padding(blockSize); } else if (!paddingScheme.equalsIgnoreCase("PKCS5Padding")) { throw new NoSuchPaddingException("Padding: " + paddingScheme + " not implemented"); } if ((padding != null) && ((cipherMode == CTR_MODE) || (cipherMode == CTS_MODE) || (cipherMode == GCM_MODE))) { padding = null; String modeStr = null; switch (cipherMode) { case CTR_MODE: modeStr = "CTR"; break; case GCM_MODE: modeStr = "GCM"; break; case CTS_MODE: modeStr = "CTS"; break; default: // should never happen } if (modeStr != null) { throw new NoSuchPaddingException (modeStr + " mode must be used with NoPadding"); } } }
Returns the length in bytes that an output buffer would need to be in order to hold the result of the next update or doFinal operation, given the input length inputLen (in bytes).

This call takes into account any unprocessed (buffered) data from a previous update call, padding, and AEAD tagging.

The actual output length of the next update or doFinal call may be smaller than the length returned by this method.

Params:
  • inputLen – the input length (in bytes)
Returns:the required output buffer size (in bytes)
/** * Returns the length in bytes that an output buffer would need to be in * order to hold the result of the next <code>update</code> or * <code>doFinal</code> operation, given the input length * <code>inputLen</code> (in bytes). * * <p>This call takes into account any unprocessed (buffered) data from a * previous <code>update</code> call, padding, and AEAD tagging. * * <p>The actual output length of the next <code>update</code> or * <code>doFinal</code> call may be smaller than the length returned by * this method. * * @param inputLen the input length (in bytes) * * @return the required output buffer size (in bytes) */
int getOutputSize(int inputLen) { // estimate based on the maximum return getOutputSizeByOperation(inputLen, true); } private int getOutputSizeByOperation(int inputLen, boolean isDoFinal) { int totalLen = Math.addExact(buffered, cipher.getBufferedLength()); totalLen = Math.addExact(totalLen, inputLen); switch (cipherMode) { case GCM_MODE: if (isDoFinal) { int tagLen = ((GaloisCounterMode) cipher).getTagLen(); if (!decrypting) { totalLen = Math.addExact(totalLen, tagLen); } else { totalLen -= tagLen; } } if (totalLen < 0) { totalLen = 0; } break; default: if (padding != null && !decrypting) { if (unitBytes != blockSize) { if (totalLen < diffBlocksize) { totalLen = diffBlocksize; } else { int residue = (totalLen - diffBlocksize) % blockSize; totalLen = Math.addExact(totalLen, (blockSize - residue)); } } else { totalLen = Math.addExact(totalLen, padding.padLength(totalLen)); } } break; } return totalLen; }
Returns the initialization vector (IV) in a new buffer.

This is useful in the case where a random IV has been created (see init), or in the context of password-based encryption or decryption, where the IV is derived from a user-provided password.

Returns:the initialization vector in a new buffer, or null if the underlying algorithm does not use an IV, or if the IV has not yet been set.
/** * Returns the initialization vector (IV) in a new buffer. * * <p>This is useful in the case where a random IV has been created * (see <a href = "#init">init</a>), * or in the context of password-based encryption or * decryption, where the IV is derived from a user-provided password. * * @return the initialization vector in a new buffer, or null if the * underlying algorithm does not use an IV, or if the IV has not yet * been set. */
byte[] getIV() { byte[] iv = cipher.getIV(); return (iv == null) ? null : iv.clone(); }
Returns the parameters used with this cipher.

The returned parameters may be the same that were used to initialize this cipher, or may contain the default set of parameters or a set of randomly generated parameters used by the underlying cipher implementation (provided that the underlying cipher implementation uses a default set of parameters or creates new parameters if it needs parameters but was not initialized with any).

Returns:the parameters used with this cipher, or null if this cipher does not use any parameters.
/** * Returns the parameters used with this cipher. * * <p>The returned parameters may be the same that were used to initialize * this cipher, or may contain the default set of parameters or a set of * randomly generated parameters used by the underlying cipher * implementation (provided that the underlying cipher implementation * uses a default set of parameters or creates new parameters if it needs * parameters but was not initialized with any). * * @return the parameters used with this cipher, or null if this cipher * does not use any parameters. */
AlgorithmParameters getParameters(String algName) { if (cipherMode == ECB_MODE) { return null; } AlgorithmParameters params = null; AlgorithmParameterSpec spec; byte[] iv = getIV(); if (iv == null) { // generate spec using default value if (cipherMode == GCM_MODE) { iv = new byte[GaloisCounterMode.DEFAULT_IV_LEN]; } else { iv = new byte[blockSize]; } SunJCE.getRandom().nextBytes(iv); } if (cipherMode == GCM_MODE) { algName = "GCM"; spec = new GCMParameterSpec (((GaloisCounterMode) cipher).getTagLen()*8, iv); } else { if (algName.equals("RC2")) { RC2Crypt rawImpl = (RC2Crypt) cipher.getEmbeddedCipher(); spec = new RC2ParameterSpec (rawImpl.getEffectiveKeyBits(), iv); } else { spec = new IvParameterSpec(iv); } } try { params = AlgorithmParameters.getInstance(algName, SunJCE.getInstance()); params.init(spec); } catch (NoSuchAlgorithmException nsae) { // should never happen throw new RuntimeException("Cannot find " + algName + " AlgorithmParameters implementation in SunJCE provider"); } catch (InvalidParameterSpecException ipse) { // should never happen throw new RuntimeException(spec.getClass() + " not supported"); } return params; }
Initializes this cipher with a key and a source of randomness.

The cipher is initialized for one of the following four operations: encryption, decryption, key wrapping or key unwrapping, depending on the value of opmode.

If this cipher requires an initialization vector (IV), it will get it from random. This behaviour should only be used in encryption or key wrapping mode, however. When initializing a cipher that requires an IV for decryption or key unwrapping, the IV (same IV that was used for encryption or key wrapping) must be provided explicitly as a parameter, in order to get the correct result.

This method also cleans existing buffer and other related state information.

Params:
  • opmode – the operation mode of this cipher (this is one of the following: ENCRYPT_MODE, DECRYPT_MODE, WRAP_MODE or UNWRAP_MODE)
  • key – the secret key
  • random – the source of randomness
Throws:
/** * Initializes this cipher with a key and a source of randomness. * * <p>The cipher is initialized for one of the following four operations: * encryption, decryption, key wrapping or key unwrapping, depending on * the value of <code>opmode</code>. * * <p>If this cipher requires an initialization vector (IV), it will get * it from <code>random</code>. * This behaviour should only be used in encryption or key wrapping * mode, however. * When initializing a cipher that requires an IV for decryption or * key unwrapping, the IV * (same IV that was used for encryption or key wrapping) must be provided * explicitly as a * parameter, in order to get the correct result. * * <p>This method also cleans existing buffer and other related state * information. * * @param opmode the operation mode of this cipher (this is one of * the following: * <code>ENCRYPT_MODE</code>, <code>DECRYPT_MODE</code>, * <code>WRAP_MODE</code> or <code>UNWRAP_MODE</code>) * @param key the secret key * @param random the source of randomness * * @exception InvalidKeyException if the given key is inappropriate for * initializing this cipher */
void init(int opmode, Key key, SecureRandom random) throws InvalidKeyException { try { init(opmode, key, (AlgorithmParameterSpec)null, random); } catch (InvalidAlgorithmParameterException e) { throw new InvalidKeyException(e.getMessage()); } }
Initializes this cipher with a key, a set of algorithm parameters, and a source of randomness.

The cipher is initialized for one of the following four operations: encryption, decryption, key wrapping or key unwrapping, depending on the value of opmode.

If this cipher (including its underlying feedback or padding scheme) requires any random bytes, it will get them from random.

Params:
  • opmode – the operation mode of this cipher (this is one of the following: ENCRYPT_MODE, DECRYPT_MODE, WRAP_MODE or UNWRAP_MODE)
  • key – the encryption key
  • params – the algorithm parameters
  • random – the source of randomness
Throws:
/** * Initializes this cipher with a key, a set of * algorithm parameters, and a source of randomness. * * <p>The cipher is initialized for one of the following four operations: * encryption, decryption, key wrapping or key unwrapping, depending on * the value of <code>opmode</code>. * * <p>If this cipher (including its underlying feedback or padding scheme) * requires any random bytes, it will get them from <code>random</code>. * * @param opmode the operation mode of this cipher (this is one of * the following: * <code>ENCRYPT_MODE</code>, <code>DECRYPT_MODE</code>, * <code>WRAP_MODE</code> or <code>UNWRAP_MODE</code>) * @param key the encryption key * @param params the algorithm parameters * @param random the source of randomness * * @exception InvalidKeyException if the given key is inappropriate for * initializing this cipher * @exception InvalidAlgorithmParameterException if the given algorithm * parameters are inappropriate for this cipher */
void init(int opmode, Key key, AlgorithmParameterSpec params, SecureRandom random) throws InvalidKeyException, InvalidAlgorithmParameterException { decrypting = (opmode == Cipher.DECRYPT_MODE) || (opmode == Cipher.UNWRAP_MODE); byte[] keyBytes = getKeyBytes(key); int tagLen = -1; byte[] ivBytes = null; if (params != null) { if (cipherMode == GCM_MODE) { if (params instanceof GCMParameterSpec) { tagLen = ((GCMParameterSpec)params).getTLen(); if (tagLen < 96 || tagLen > 128 || ((tagLen & 0x07) != 0)) { throw new InvalidAlgorithmParameterException ("Unsupported TLen value; must be one of " + "{128, 120, 112, 104, 96}"); } tagLen = tagLen >> 3; ivBytes = ((GCMParameterSpec)params).getIV(); } else { throw new InvalidAlgorithmParameterException ("Unsupported parameter: " + params); } } else { if (params instanceof IvParameterSpec) { ivBytes = ((IvParameterSpec)params).getIV(); if ((ivBytes == null) || (ivBytes.length != blockSize)) { throw new InvalidAlgorithmParameterException ("Wrong IV length: must be " + blockSize + " bytes long"); } } else if (params instanceof RC2ParameterSpec) { ivBytes = ((RC2ParameterSpec)params).getIV(); if ((ivBytes != null) && (ivBytes.length != blockSize)) { throw new InvalidAlgorithmParameterException ("Wrong IV length: must be " + blockSize + " bytes long"); } } else { throw new InvalidAlgorithmParameterException ("Unsupported parameter: " + params); } } } if (cipherMode == ECB_MODE) { if (ivBytes != null) { throw new InvalidAlgorithmParameterException ("ECB mode cannot use IV"); } } else if (ivBytes == null) { if (decrypting) { throw new InvalidAlgorithmParameterException("Parameters " + "missing"); } if (random == null) { random = SunJCE.getRandom(); } if (cipherMode == GCM_MODE) { ivBytes = new byte[GaloisCounterMode.DEFAULT_IV_LEN]; } else { ivBytes = new byte[blockSize]; } random.nextBytes(ivBytes); } buffered = 0; diffBlocksize = blockSize; String algorithm = key.getAlgorithm(); // GCM mode needs additional handling if (cipherMode == GCM_MODE) { if(tagLen == -1) { tagLen = GaloisCounterMode.DEFAULT_TAG_LEN; } if (decrypting) { minBytes = tagLen; } else { // check key+iv for encryption in GCM mode requireReinit = Arrays.equals(ivBytes, lastEncIv) && MessageDigest.isEqual(keyBytes, lastEncKey); if (requireReinit) { throw new InvalidAlgorithmParameterException ("Cannot reuse iv for GCM encryption"); } lastEncIv = ivBytes; lastEncKey = keyBytes; } ((GaloisCounterMode) cipher).init (decrypting, algorithm, keyBytes, ivBytes, tagLen); } else { cipher.init(decrypting, algorithm, keyBytes, ivBytes); } // skip checking key+iv from now on until after doFinal() requireReinit = false; } void init(int opmode, Key key, AlgorithmParameters params, SecureRandom random) throws InvalidKeyException, InvalidAlgorithmParameterException { AlgorithmParameterSpec spec = null; String paramType = null; if (params != null) { try { if (cipherMode == GCM_MODE) { paramType = "GCM"; spec = params.getParameterSpec(GCMParameterSpec.class); } else { // NOTE: RC2 parameters are always handled through // init(..., AlgorithmParameterSpec,...) method, so // we can assume IvParameterSpec type here. paramType = "IV"; spec = params.getParameterSpec(IvParameterSpec.class); } } catch (InvalidParameterSpecException ipse) { throw new InvalidAlgorithmParameterException ("Wrong parameter type: " + paramType + " expected"); } } init(opmode, key, spec, random); }
Return the key bytes of the specified key. Throw an InvalidKeyException if the key is not usable.
/** * Return the key bytes of the specified key. Throw an InvalidKeyException * if the key is not usable. */
static byte[] getKeyBytes(Key key) throws InvalidKeyException { if (key == null) { throw new InvalidKeyException("No key given"); } // note: key.getFormat() may return null if (!"RAW".equalsIgnoreCase(key.getFormat())) { throw new InvalidKeyException("Wrong format: RAW bytes needed"); } byte[] keyBytes = key.getEncoded(); if (keyBytes == null) { throw new InvalidKeyException("RAW key bytes missing"); } return keyBytes; }
Continues a multiple-part encryption or decryption operation (depending on how this cipher was initialized), processing another data part.

The first inputLen bytes in the input buffer, starting at inputOffset, are processed, and the result is stored in a new buffer.

Params:
  • input – the input buffer
  • inputOffset – the offset in input where the input starts
  • inputLen – the input length
Throws:
Returns:the new buffer with the result
/** * Continues a multiple-part encryption or decryption operation * (depending on how this cipher was initialized), processing another data * part. * * <p>The first <code>inputLen</code> bytes in the <code>input</code> * buffer, starting at <code>inputOffset</code>, are processed, and the * result is stored in a new buffer. * * @param input the input buffer * @param inputOffset the offset in <code>input</code> where the input * starts * @param inputLen the input length * * @return the new buffer with the result * * @exception IllegalStateException if this cipher is in a wrong state * (e.g., has not been initialized) */
byte[] update(byte[] input, int inputOffset, int inputLen) { checkReinit(); byte[] output = null; try { output = new byte[getOutputSizeByOperation(inputLen, false)]; int len = update(input, inputOffset, inputLen, output, 0); if (len == output.length) { return output; } else { byte[] copy = Arrays.copyOf(output, len); if (decrypting) { // Zero out internal buffer which is no longer required Arrays.fill(output, (byte) 0x00); } return copy; } } catch (ShortBufferException e) { // should never happen throw new ProviderException("Unexpected exception", e); } }
Continues a multiple-part encryption or decryption operation (depending on how this cipher was initialized), processing another data part.

The first inputLen bytes in the input buffer, starting at inputOffset, are processed, and the result is stored in the output buffer, starting at outputOffset.

Params:
  • input – the input buffer
  • inputOffset – the offset in input where the input starts
  • inputLen – the input length
  • output – the buffer for the result
  • outputOffset – the offset in output where the result is stored
Throws:
Returns:the number of bytes stored in output
/** * Continues a multiple-part encryption or decryption operation * (depending on how this cipher was initialized), processing another data * part. * * <p>The first <code>inputLen</code> bytes in the <code>input</code> * buffer, starting at <code>inputOffset</code>, are processed, and the * result is stored in the <code>output</code> buffer, starting at * <code>outputOffset</code>. * * @param input the input buffer * @param inputOffset the offset in <code>input</code> where the input * starts * @param inputLen the input length * @param output the buffer for the result * @param outputOffset the offset in <code>output</code> where the result * is stored * * @return the number of bytes stored in <code>output</code> * * @exception ShortBufferException if the given output buffer is too small * to hold the result */
int update(byte[] input, int inputOffset, int inputLen, byte[] output, int outputOffset) throws ShortBufferException { checkReinit(); // figure out how much can be sent to crypto function int len = Math.addExact(buffered, inputLen); len -= minBytes; if (padding != null && decrypting) { // do not include the padding bytes when decrypting len -= blockSize; } // do not count the trailing bytes which do not make up a unit len = (len > 0 ? (len - (len % unitBytes)) : 0); // check output buffer capacity if ((output == null) || ((output.length - outputOffset) < len)) { throw new ShortBufferException("Output buffer must be " + "(at least) " + len + " bytes long"); } int outLen = 0; if (len != 0) { // there is some work to do if ((input == output) && (outputOffset - inputOffset < inputLen) && (inputOffset - outputOffset < buffer.length)) { // copy 'input' out to avoid its content being // overwritten prematurely. input = Arrays.copyOfRange(input, inputOffset, Math.addExact(inputOffset, inputLen)); inputOffset = 0; } if (len <= buffered) { // all to-be-processed data are from 'buffer' if (decrypting) { outLen = cipher.decrypt(buffer, 0, len, output, outputOffset); } else { outLen = cipher.encrypt(buffer, 0, len, output, outputOffset); } buffered -= len; if (buffered != 0) { System.arraycopy(buffer, len, buffer, 0, buffered); } } else { // len > buffered int inputConsumed = len - buffered; int temp; if (buffered > 0) { int bufferCapacity = buffer.length - buffered; if (bufferCapacity != 0) { temp = Math.min(bufferCapacity, inputConsumed); if (unitBytes != blockSize) { temp -= (Math.addExact(buffered, temp) % unitBytes); } System.arraycopy(input, inputOffset, buffer, buffered, temp); inputOffset = Math.addExact(inputOffset, temp); inputConsumed -= temp; inputLen -= temp; buffered = Math.addExact(buffered, temp); } // process 'buffer'. When finished we can null out 'buffer' // Only necessary to null out if buffer holds data for encryption if (decrypting) { outLen = cipher.decrypt(buffer, 0, buffered, output, outputOffset); } else { outLen = cipher.encrypt(buffer, 0, buffered, output, outputOffset); //encrypt mode. Zero out internal (input) buffer Arrays.fill(buffer, (byte) 0x00); } outputOffset = Math.addExact(outputOffset, outLen); buffered = 0; } if (inputConsumed > 0) { // still has input to process if (decrypting) { outLen += cipher.decrypt(input, inputOffset, inputConsumed, output, outputOffset); } else { outLen += cipher.encrypt(input, inputOffset, inputConsumed, output, outputOffset); } inputOffset += inputConsumed; inputLen -= inputConsumed; } } // Let's keep track of how many bytes are needed to make // the total input length a multiple of blocksize when // padding is applied if (unitBytes != blockSize) { if (len < diffBlocksize) { diffBlocksize -= len; } else { diffBlocksize = blockSize - ((len - diffBlocksize) % blockSize); } } } // Store remaining input into 'buffer' again if (inputLen > 0) { System.arraycopy(input, inputOffset, buffer, buffered, inputLen); buffered = Math.addExact(buffered, inputLen); } return outLen; }
Encrypts or decrypts data in a single-part operation, or finishes a multiple-part operation. The data is encrypted or decrypted, depending on how this cipher was initialized.

The first inputLen bytes in the input buffer, starting at inputOffset, and any input bytes that may have been buffered during a previous update operation, are processed, with padding (if requested) being applied. The result is stored in a new buffer.

The cipher is reset to its initial state (uninitialized) after this call.

Params:
  • input – the input buffer
  • inputOffset – the offset in input where the input starts
  • inputLen – the input length
Throws:
  • IllegalBlockSizeException – if this cipher is a block cipher, no padding has been requested (only in encryption mode), and the total input length of the data processed by this cipher is not a multiple of block size
  • BadPaddingException – if this cipher is in decryption mode, and (un)padding has been requested, but the decrypted data is not bounded by the appropriate padding bytes
Returns:the new buffer with the result
/** * Encrypts or decrypts data in a single-part operation, * or finishes a multiple-part operation. * The data is encrypted or decrypted, depending on how this cipher was * initialized. * * <p>The first <code>inputLen</code> bytes in the <code>input</code> * buffer, starting at <code>inputOffset</code>, and any input bytes that * may have been buffered during a previous <code>update</code> operation, * are processed, with padding (if requested) being applied. * The result is stored in a new buffer. * * <p>The cipher is reset to its initial state (uninitialized) after this * call. * * @param input the input buffer * @param inputOffset the offset in <code>input</code> where the input * starts * @param inputLen the input length * * @return the new buffer with the result * * @exception IllegalBlockSizeException if this cipher is a block cipher, * no padding has been requested (only in encryption mode), and the total * input length of the data processed by this cipher is not a multiple of * block size * @exception BadPaddingException if this cipher is in decryption mode, * and (un)padding has been requested, but the decrypted data is not * bounded by the appropriate padding bytes */
byte[] doFinal(byte[] input, int inputOffset, int inputLen) throws IllegalBlockSizeException, BadPaddingException { try { checkReinit(); byte[] output = new byte[getOutputSizeByOperation(inputLen, true)]; byte[] finalBuf = prepareInputBuffer(input, inputOffset, inputLen, output, 0); int finalOffset = (finalBuf == input) ? inputOffset : 0; int finalBufLen = (finalBuf == input) ? inputLen : finalBuf.length; int outLen = fillOutputBuffer(finalBuf, finalOffset, output, 0, finalBufLen, input); endDoFinal(); if (outLen < output.length) { byte[] copy = Arrays.copyOf(output, outLen); if (decrypting) { // Zero out internal (ouput) array Arrays.fill(output, (byte) 0x00); } return copy; } else { return output; } } catch (ShortBufferException e) { // never thrown throw new ProviderException("Unexpected exception", e); } }
Encrypts or decrypts data in a single-part operation, or finishes a multiple-part operation. The data is encrypted or decrypted, depending on how this cipher was initialized.

The first inputLen bytes in the input buffer, starting at inputOffset, and any input bytes that may have been buffered during a previous update operation, are processed, with padding (if requested) being applied. The result is stored in the output buffer, starting at outputOffset.

The cipher is reset to its initial state (uninitialized) after this call.

Params:
  • input – the input buffer
  • inputOffset – the offset in input where the input starts
  • inputLen – the input length
  • output – the buffer for the result
  • outputOffset – the offset in output where the result is stored
Throws:
  • IllegalBlockSizeException – if this cipher is a block cipher, no padding has been requested (only in encryption mode), and the total input length of the data processed by this cipher is not a multiple of block size
  • ShortBufferException – if the given output buffer is too small to hold the result
  • BadPaddingException – if this cipher is in decryption mode, and (un)padding has been requested, but the decrypted data is not bounded by the appropriate padding bytes
Returns:the number of bytes stored in output
/** * Encrypts or decrypts data in a single-part operation, * or finishes a multiple-part operation. * The data is encrypted or decrypted, depending on how this cipher was * initialized. * * <p>The first <code>inputLen</code> bytes in the <code>input</code> * buffer, starting at <code>inputOffset</code>, and any input bytes that * may have been buffered during a previous <code>update</code> operation, * are processed, with padding (if requested) being applied. * The result is stored in the <code>output</code> buffer, starting at * <code>outputOffset</code>. * * <p>The cipher is reset to its initial state (uninitialized) after this * call. * * @param input the input buffer * @param inputOffset the offset in <code>input</code> where the input * starts * @param inputLen the input length * @param output the buffer for the result * @param outputOffset the offset in <code>output</code> where the result * is stored * * @return the number of bytes stored in <code>output</code> * * @exception IllegalBlockSizeException if this cipher is a block cipher, * no padding has been requested (only in encryption mode), and the total * input length of the data processed by this cipher is not a multiple of * block size * @exception ShortBufferException if the given output buffer is too small * to hold the result * @exception BadPaddingException if this cipher is in decryption mode, * and (un)padding has been requested, but the decrypted data is not * bounded by the appropriate padding bytes */
int doFinal(byte[] input, int inputOffset, int inputLen, byte[] output, int outputOffset) throws IllegalBlockSizeException, ShortBufferException, BadPaddingException { checkReinit(); int estOutSize = getOutputSizeByOperation(inputLen, true); int outputCapacity = checkOutputCapacity(output, outputOffset, estOutSize); int offset = decrypting ? 0 : outputOffset; // 0 for decrypting byte[] finalBuf = prepareInputBuffer(input, inputOffset, inputLen, output, outputOffset); byte[] outWithPadding = null; // for decrypting only int finalOffset = (finalBuf == input) ? inputOffset : 0; int finalBufLen = (finalBuf == input) ? inputLen : finalBuf.length; if (decrypting) { // if the size of specified output buffer is less than // the length of the cipher text, then the current // content of cipher has to be preserved in order for // users to retry the call with a larger buffer in the // case of ShortBufferException. if (outputCapacity < estOutSize) { cipher.save(); } // create temporary output buffer so that only "real" // data bytes are passed to user's output buffer. outWithPadding = new byte[estOutSize]; } byte[] outBuffer = decrypting ? outWithPadding : output; int outLen = fillOutputBuffer(finalBuf, finalOffset, outBuffer, offset, finalBufLen, input); if (decrypting) { if (outputCapacity < outLen) { // restore so users can retry with a larger buffer cipher.restore(); throw new ShortBufferException("Output buffer too short: " + (outputCapacity) + " bytes given, " + outLen + " bytes needed"); } // copy the result into user-supplied output buffer System.arraycopy(outWithPadding, 0, output, outputOffset, outLen); // decrypt mode. Zero out output data that's not required Arrays.fill(outWithPadding, (byte) 0x00); } endDoFinal(); return outLen; } private void endDoFinal() { buffered = 0; diffBlocksize = blockSize; if (cipherMode != ECB_MODE) { cipher.reset(); } } private int unpad(int outLen, byte[] outWithPadding) throws BadPaddingException { int padStart = padding.unpad(outWithPadding, 0, outLen); if (padStart < 0) { throw new BadPaddingException("Given final block not " + "properly padded. Such issues can arise if a bad key " + "is used during decryption."); } outLen = padStart; return outLen; } private byte[] prepareInputBuffer(byte[] input, int inputOffset, int inputLen, byte[] output, int outputOffset) throws IllegalBlockSizeException, ShortBufferException { // calculate total input length int len = Math.addExact(buffered, inputLen); // calculate padding length int totalLen = Math.addExact(len, cipher.getBufferedLength()); int paddingLen = 0; // will the total input length be a multiple of blockSize? if (unitBytes != blockSize) { if (totalLen < diffBlocksize) { paddingLen = diffBlocksize - totalLen; } else { paddingLen = blockSize - ((totalLen - diffBlocksize) % blockSize); } } else if (padding != null) { paddingLen = padding.padLength(totalLen); } if (decrypting && (padding != null) && (paddingLen > 0) && (paddingLen != blockSize)) { throw new IllegalBlockSizeException ("Input length must be multiple of " + blockSize + " when decrypting with padded cipher"); } /* * prepare the final input, assemble a new buffer if any * of the following is true: * - 'input' and 'output' are the same buffer * - there are internally buffered bytes * - doing encryption and padding is needed */ if ((buffered != 0) || (!decrypting && padding != null) || ((input == output) && (outputOffset - inputOffset < inputLen) && (inputOffset - outputOffset < buffer.length))) { byte[] finalBuf; if (decrypting || padding == null) { paddingLen = 0; } finalBuf = new byte[Math.addExact(len, paddingLen)]; if (buffered != 0) { System.arraycopy(buffer, 0, finalBuf, 0, buffered); if (!decrypting) { // done with input buffer. We should zero out the // data if we're in encrypt mode. Arrays.fill(buffer, (byte) 0x00); } } if (inputLen != 0) { System.arraycopy(input, inputOffset, finalBuf, buffered, inputLen); } if (paddingLen != 0) { padding.padWithLen(finalBuf, Math.addExact(buffered, inputLen), paddingLen); } return finalBuf; } return input; } private int fillOutputBuffer(byte[] finalBuf, int finalOffset, byte[] output, int outOfs, int finalBufLen, byte[] input) throws ShortBufferException, BadPaddingException, IllegalBlockSizeException { int len; try { len = finalNoPadding(finalBuf, finalOffset, output, outOfs, finalBufLen); if (decrypting && padding != null) { len = unpad(len, output); } return len; } finally { if (!decrypting) { // reset after doFinal() for GCM encryption requireReinit = (cipherMode == GCM_MODE); if (finalBuf != input) { // done with internal finalBuf array. Copied to output Arrays.fill(finalBuf, (byte) 0x00); } } } } private int checkOutputCapacity(byte[] output, int outputOffset, int estOutSize) throws ShortBufferException { // check output buffer capacity. // if we are decrypting with padding applied, we can perform this // check only after we have determined how many padding bytes there // are. int outputCapacity = output.length - outputOffset; int minOutSize = decrypting ? (estOutSize - blockSize) : estOutSize; if ((output == null) || (outputCapacity < minOutSize)) { throw new ShortBufferException("Output buffer must be " + "(at least) " + minOutSize + " bytes long"); } return outputCapacity; } private void checkReinit() { if (requireReinit) { throw new IllegalStateException ("Must use either different key or iv for GCM encryption"); } } private int finalNoPadding(byte[] in, int inOfs, byte[] out, int outOfs, int len) throws IllegalBlockSizeException, AEADBadTagException, ShortBufferException { if ((cipherMode != GCM_MODE) && (in == null || len == 0)) { return 0; } if ((cipherMode != CFB_MODE) && (cipherMode != OFB_MODE) && (cipherMode != GCM_MODE) && ((len % unitBytes) != 0) && (cipherMode != CTS_MODE)) { if (padding != null) { throw new IllegalBlockSizeException ("Input length (with padding) not multiple of " + unitBytes + " bytes"); } else { throw new IllegalBlockSizeException ("Input length not multiple of " + unitBytes + " bytes"); } } int outLen = 0; if (decrypting) { outLen = cipher.decryptFinal(in, inOfs, len, out, outOfs); } else { outLen = cipher.encryptFinal(in, inOfs, len, out, outOfs); } return outLen; } // Note: Wrap() and Unwrap() are the same in // each of SunJCE CipherSpi implementation classes. // They are duplicated due to export control requirements: // All CipherSpi implementation must be final.
Wrap a key.
Params:
  • key – the key to be wrapped.
Throws:
  • IllegalBlockSizeException – if this cipher is a block cipher, no padding has been requested, and the length of the encoding of the key to be wrapped is not a multiple of the block size.
  • InvalidKeyException – if it is impossible or unsafe to wrap the key with this cipher (e.g., a hardware protected key is being passed to a software only cipher).
Returns:the wrapped key.
/** * Wrap a key. * * @param key the key to be wrapped. * * @return the wrapped key. * * @exception IllegalBlockSizeException if this cipher is a block * cipher, no padding has been requested, and the length of the * encoding of the key to be wrapped is not a * multiple of the block size. * * @exception InvalidKeyException if it is impossible or unsafe to * wrap the key with this cipher (e.g., a hardware protected key is * being passed to a software only cipher). */
byte[] wrap(Key key) throws IllegalBlockSizeException, InvalidKeyException { byte[] result = null; try { byte[] encodedKey = key.getEncoded(); if ((encodedKey == null) || (encodedKey.length == 0)) { throw new InvalidKeyException("Cannot get an encoding of " + "the key to be wrapped"); } result = doFinal(encodedKey, 0, encodedKey.length); } catch (BadPaddingException e) { // Should never happen } return result; }
Unwrap a previously wrapped key.
Params:
  • wrappedKey – the key to be unwrapped.
  • wrappedKeyAlgorithm – the algorithm the wrapped key is for.
  • wrappedKeyType – the type of the wrapped key. This is one of Cipher.SECRET_KEY, Cipher.PRIVATE_KEY, or Cipher.PUBLIC_KEY.
Throws:
  • NoSuchAlgorithmException – if no installed providers can create keys of type wrappedKeyType for the wrappedKeyAlgorithm.
  • InvalidKeyException – if wrappedKey does not represent a wrapped key of type wrappedKeyType for the wrappedKeyAlgorithm.
Returns:the unwrapped key.
/** * Unwrap a previously wrapped key. * * @param wrappedKey the key to be unwrapped. * * @param wrappedKeyAlgorithm the algorithm the wrapped key is for. * * @param wrappedKeyType the type of the wrapped key. * This is one of <code>Cipher.SECRET_KEY</code>, * <code>Cipher.PRIVATE_KEY</code>, or <code>Cipher.PUBLIC_KEY</code>. * * @return the unwrapped key. * * @exception NoSuchAlgorithmException if no installed providers * can create keys of type <code>wrappedKeyType</code> for the * <code>wrappedKeyAlgorithm</code>. * * @exception InvalidKeyException if <code>wrappedKey</code> does not * represent a wrapped key of type <code>wrappedKeyType</code> for * the <code>wrappedKeyAlgorithm</code>. */
Key unwrap(byte[] wrappedKey, String wrappedKeyAlgorithm, int wrappedKeyType) throws InvalidKeyException, NoSuchAlgorithmException { byte[] encodedKey; try { encodedKey = doFinal(wrappedKey, 0, wrappedKey.length); } catch (BadPaddingException ePadding) { throw new InvalidKeyException("The wrapped key is not padded " + "correctly"); } catch (IllegalBlockSizeException eBlockSize) { throw new InvalidKeyException("The wrapped key does not have " + "the correct length"); } return ConstructKeys.constructKey(encodedKey, wrappedKeyAlgorithm, wrappedKeyType); }
Continues a multi-part update of the Additional Authentication Data (AAD), using a subset of the provided buffer.

Calls to this method provide AAD to the cipher when operating in modes such as AEAD (GCM/CCM). If this cipher is operating in either GCM or CCM mode, all AAD must be supplied before beginning operations on the ciphertext (via the update and doFinal methods).

Params:
  • src – the buffer containing the AAD
  • offset – the offset in src where the AAD input starts
  • len – the number of AAD bytes
Throws:
  • IllegalStateException – if this cipher is in a wrong state (e.g., has not been initialized), does not accept AAD, or if operating in either GCM or CCM mode and one of the update methods has already been called for the active encryption/decryption operation
  • UnsupportedOperationException – if this method has not been overridden by an implementation
Since:1.8
/** * Continues a multi-part update of the Additional Authentication * Data (AAD), using a subset of the provided buffer. * <p> * Calls to this method provide AAD to the cipher when operating in * modes such as AEAD (GCM/CCM). If this cipher is operating in * either GCM or CCM mode, all AAD must be supplied before beginning * operations on the ciphertext (via the {@code update} and {@code * doFinal} methods). * * @param src the buffer containing the AAD * @param offset the offset in {@code src} where the AAD input starts * @param len the number of AAD bytes * * @throws IllegalStateException if this cipher is in a wrong state * (e.g., has not been initialized), does not accept AAD, or if * operating in either GCM or CCM mode and one of the {@code update} * methods has already been called for the active * encryption/decryption operation * @throws UnsupportedOperationException if this method * has not been overridden by an implementation * * @since 1.8 */
void updateAAD(byte[] src, int offset, int len) { checkReinit(); cipher.updateAAD(src, offset, len); } }