├── .github ├── dependabot.yml ├── release.yml └── workflows │ ├── build.yml │ ├── codeql-analysis.yml │ ├── dependency-check.yml │ ├── publish-central.yml │ └── publish-github.yml ├── .gitignore ├── .mvn └── wrapper │ └── maven-wrapper.properties ├── CHANGELOG.md ├── LICENSE ├── README.md ├── mvnw ├── mvnw.cmd ├── pom.xml ├── src ├── main │ ├── java │ │ └── org │ │ │ └── cryptomator │ │ │ └── siv │ │ │ ├── CustomCtrComputer.java │ │ │ ├── JceAesBlockCipher.java │ │ │ ├── JceAesCtrComputer.java │ │ │ ├── SivMode.java │ │ │ ├── ThreadLocals.java │ │ │ ├── UnauthenticCiphertextException.java │ │ │ ├── org │ │ │ └── bouncycastle │ │ │ │ ├── crypto │ │ │ │ ├── Placeholder.java │ │ │ │ ├── macs │ │ │ │ │ └── Placeholder.java │ │ │ │ ├── modes │ │ │ │ │ └── Placeholder.java │ │ │ │ ├── paddings │ │ │ │ │ └── Placeholder.java │ │ │ │ └── params │ │ │ │ │ └── Placeholder.java │ │ │ │ └── util │ │ │ │ └── Placeholder.java │ │ │ └── package-info.java │ └── java9 │ │ ├── module-info.java │ │ └── org.cryptomator.siv │ │ └── ThreadLocals.java └── test │ ├── go │ └── siv-test-vectors.go │ ├── java │ └── org │ │ └── cryptomator │ │ └── siv │ │ ├── BenchmarkTest.java │ │ ├── CustomCtrComputerTest.java │ │ ├── EncryptionTestCase.java │ │ ├── JceAesBlockCipherTest.java │ │ ├── JceAesCtrComputerTest.java │ │ ├── SivModeBenchmark.java │ │ └── SivModeTest.java │ └── resources │ └── testcases.txt └── suppression.xml /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | - package-ecosystem: "maven" 4 | directory: "/" 5 | schedule: 6 | interval: "monthly" 7 | day: "monday" 8 | time: "06:00" 9 | timezone: "Etc/UTC" 10 | groups: 11 | java-test-dependencies: 12 | patterns: 13 | - "org.junit.jupiter:*" 14 | - "org.mockito:*" 15 | - "org.hamcrest:*" 16 | - "org.openjdk.jmh:*" 17 | - "com.google.guava:guava" 18 | maven-build-plugins: 19 | patterns: 20 | - "org.apache.maven.plugins:*" 21 | - "org.jacoco:jacoco-maven-plugin" 22 | - "org.codehaus.mojo:versions-maven-plugin" 23 | - "org.owasp:dependency-check-maven" 24 | - "org.sonatype.plugins:nexus-staging-maven-plugin" 25 | java-production-dependencies: 26 | patterns: 27 | - "*" 28 | exclude-patterns: 29 | - "org.junit.jupiter:*" 30 | - "org.mockito:*" 31 | - "org.hamcrest:*" 32 | - "org.openjdk.jmh:*" 33 | - "com.google.guava:guava" 34 | - "org.apache.maven.plugins:*" 35 | - "org.jacoco:jacoco-maven-plugin" 36 | - "org.codehaus.mojo:versions-maven-plugin" 37 | - "org.owasp:dependency-check-maven" 38 | - "org.sonatype.plugins:nexus-staging-maven-plugin" 39 | 40 | - package-ecosystem: "github-actions" 41 | directory: "/" # even for `.github/workflows` 42 | schedule: 43 | interval: "monthly" 44 | groups: 45 | github-actions: 46 | patterns: 47 | - "*" -------------------------------------------------------------------------------- /.github/release.yml: -------------------------------------------------------------------------------- 1 | # .github/release.yml 2 | # see https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes#configuring-automatically-generated-release-notes 3 | 4 | changelog: 5 | exclude: 6 | authors: 7 | - cryptobot 8 | - dependabot 9 | - github-actions 10 | categories: 11 | - title: What's New 🎉 12 | labels: 13 | - enhancement 14 | - title: Bugfixes 🐛 15 | labels: 16 | - bug 17 | - title: Other Changes 📎 18 | labels: 19 | - "*" 20 | exclude: 21 | labels: 22 | - bug 23 | - enhancement -------------------------------------------------------------------------------- /.github/workflows/build.yml: -------------------------------------------------------------------------------- 1 | name: Build 2 | on: 3 | push: 4 | pull_request_target: 5 | types: [labeled] 6 | jobs: 7 | build: 8 | name: Build and Test 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: actions/checkout@v4 12 | with: 13 | fetch-depth: 0 14 | - uses: actions/setup-java@v4 15 | with: 16 | java-version: 21 17 | distribution: 'zulu' 18 | cache: 'maven' 19 | - name: Cache SonarCloud packages 20 | uses: actions/cache@v4 21 | with: 22 | path: ~/.sonar/cache 23 | key: ${{ runner.os }}-sonar 24 | restore-keys: ${{ runner.os }}-sonar 25 | - name: Ensure to use tagged version 26 | if: startsWith(github.ref, 'refs/tags/') 27 | run: ./mvnw -B versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/} 28 | - name: Build and Test 29 | run: > 30 | ./mvnw -B verify 31 | jacoco:report 32 | org.sonarsource.scanner.maven:sonar-maven-plugin:sonar 33 | -Pcoverage 34 | -Dsonar.projectKey=cryptomator_siv-mode 35 | -Dsonar.organization=cryptomator 36 | -Dsonar.host.url=https://sonarcloud.io 37 | env: 38 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any 39 | SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} 40 | - uses: actions/upload-artifact@v4 41 | with: 42 | name: artifacts 43 | path: target/*.jar 44 | - name: Calculate Checksums 45 | id: checksums 46 | run: | 47 | { 48 | echo 'sha256<> $GITHUB_OUTPUT 52 | - name: Create Release 53 | if: startsWith(github.ref, 'refs/tags/') 54 | uses: softprops/action-gh-release@v2 55 | with: 56 | token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }} 57 | body: |- 58 | ### Maven Coordinates 59 | ```xml 60 | 61 | org.cryptomator 62 | siv-mode 63 | ${{ github.ref_name }} 64 | 65 | ``` 66 | 67 | ### Artifact Checksums 68 | ```txt 69 | ${{ steps.checksums.outputs.sha256 }} 70 | ``` 71 | 72 | See [README.md](https://github.com/cryptomator/siv-mode/#reproducible-builds) section regarding reproducing this build. 73 | generate_release_notes: true 74 | -------------------------------------------------------------------------------- /.github/workflows/codeql-analysis.yml: -------------------------------------------------------------------------------- 1 | 2 | name: "CodeQL" 3 | 4 | on: 5 | push: 6 | branches: [develop, main] 7 | pull_request: 8 | branches: [develop] 9 | schedule: 10 | - cron: '0 5 * * 0' 11 | 12 | jobs: 13 | analyse: 14 | name: Analyse 15 | runs-on: ubuntu-latest 16 | permissions: 17 | actions: read 18 | contents: read 19 | security-events: write 20 | steps: 21 | - name: Checkout repository 22 | uses: actions/checkout@v4 23 | with: 24 | fetch-depth: 2 25 | - name: Set up Java 26 | uses: actions/setup-java@v4 27 | with: 28 | java-version: 21 29 | distribution: 'zulu' 30 | cache: 'maven' 31 | - name: Initialize CodeQL 32 | uses: github/codeql-action/init@v3 33 | with: 34 | languages: java 35 | config: | 36 | queries: 37 | - uses: security-and-quality 38 | - name: Build 39 | run: ./mvnw -B install -DskipTests 40 | - name: Perform CodeQL Analysis 41 | uses: github/codeql-action/analyze@v3 42 | with: 43 | category: "/language:java" -------------------------------------------------------------------------------- /.github/workflows/dependency-check.yml: -------------------------------------------------------------------------------- 1 | name: OWASP Maven Dependency Check 2 | on: 3 | schedule: 4 | - cron: '0 7 * * 0' 5 | push: 6 | branches: 7 | - 'release/**' 8 | workflow_dispatch: 9 | 10 | 11 | jobs: 12 | check-dependencies: 13 | uses: skymatic/workflows/.github/workflows/run-dependency-check.yml@v1 14 | with: 15 | runner-os: 'ubuntu-latest' 16 | java-distribution: 'zulu' 17 | java-version: 21 18 | secrets: 19 | nvd-api-key: ${{ secrets.NVD_API_KEY }} 20 | slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} 21 | -------------------------------------------------------------------------------- /.github/workflows/publish-central.yml: -------------------------------------------------------------------------------- 1 | name: Publish to Maven Central 2 | on: 3 | release: 4 | types: [published] 5 | jobs: 6 | publish: 7 | runs-on: ubuntu-latest 8 | if: startsWith(github.ref, 'refs/tags/') # only allow publishing tagged versions 9 | steps: 10 | - uses: actions/checkout@v4 11 | - uses: actions/setup-java@v4 12 | with: 13 | java-version: 21 14 | distribution: 'zulu' 15 | cache: 'maven' 16 | server-id: central 17 | server-username: MAVEN_CENTRAL_USERNAME 18 | server-password: MAVEN_CENTRAL_PASSWORD 19 | - name: Verify project version = ${{ github.event.release.tag_name }} 20 | run: | 21 | PROJECT_VERSION=$(./mvnw help:evaluate "-Dexpression=project.version" -q -DforceStdout) 22 | test "$PROJECT_VERSION" = "${{ github.event.release.tag_name }}" 23 | - name: Deploy 24 | run: ./mvnw deploy -B -DskipTests -Psign,deploy-central --no-transfer-progress 25 | env: 26 | MAVEN_CENTRAL_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }} 27 | MAVEN_CENTRAL_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }} 28 | MAVEN_GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }} 29 | MAVEN_GPG_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} 30 | MAVEN_GPG_KEY_FINGERPRINT: ${{ vars.RELEASES_GPG_KEY_FINGERPRINT }} -------------------------------------------------------------------------------- /.github/workflows/publish-github.yml: -------------------------------------------------------------------------------- 1 | name: Publish to GitHub Packages 2 | on: 3 | release: 4 | types: [published] 5 | jobs: 6 | publish: 7 | runs-on: ubuntu-latest 8 | if: startsWith(github.ref, 'refs/tags/') # only allow publishing tagged versions 9 | steps: 10 | - uses: actions/checkout@v4 11 | - uses: actions/setup-java@v4 12 | with: 13 | java-version: 21 14 | distribution: 'zulu' 15 | cache: 'maven' 16 | - name: Verify project version = ${{ github.event.release.tag_name }} 17 | run: | 18 | PROJECT_VERSION=$(./mvnw help:evaluate "-Dexpression=project.version" -q -DforceStdout) 19 | test "$PROJECT_VERSION" = "${{ github.event.release.tag_name }}" 20 | - name: Deploy 21 | run: ./mvnw deploy -B -DskipTests -Psign,deploy-github --no-transfer-progress 22 | env: 23 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 24 | MAVEN_GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }} 25 | MAVEN_GPG_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} 26 | MAVEN_GPG_KEY_FINGERPRINT: ${{ vars.RELEASES_GPG_KEY_FINGERPRINT }} 27 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.class 2 | 3 | # Mobile Tools for Java (J2ME) 4 | .mtj.tmp/ 5 | 6 | # Package Files # 7 | *.jar 8 | *.war 9 | *.ear 10 | 11 | # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml 12 | hs_err_pid* 13 | /target/ 14 | .settings 15 | .classpath 16 | .project 17 | 18 | # IntelliJ Settings Files # 19 | .idea/ 20 | out/ 21 | .idea_modules/ 22 | *.iml 23 | *.iws 24 | -------------------------------------------------------------------------------- /.mvn/wrapper/maven-wrapper.properties: -------------------------------------------------------------------------------- 1 | # Licensed to the Apache Software Foundation (ASF) under one 2 | # or more contributor license agreements. See the NOTICE file 3 | # distributed with this work for additional information 4 | # regarding copyright ownership. The ASF licenses this file 5 | # to you under the Apache License, Version 2.0 (the 6 | # "License"); you may not use this file except in compliance 7 | # with the License. You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, 12 | # software distributed under the License is distributed on an 13 | # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 14 | # KIND, either express or implied. See the License for the 15 | # specific language governing permissions and limitations 16 | # under the License. 17 | wrapperVersion=3.3.2 18 | distributionType=only-script 19 | distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.9/apache-maven-3.9.9-bin.zip 20 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | 3 | All notable changes to this project will be documented in this file. 4 | 5 | The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), 6 | and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 7 | 8 | ## [Unreleased](https://github.com/cryptomator/siv-mode/compare/1.6.0...HEAD) 9 | 10 | ## [1.6.0](https://github.com/cryptomator/siv-mode/compare/1.5.2...1.6.0) 11 | 12 | ### Added 13 | 14 | - This CHANGELOG file 15 | - `encrypt(SecretKey key, byte[] plaintext, byte[]... associatedData)` and `decrypt(SecretKey key, byte[] ciphertext, byte[]... associatedData)` using a single 256, 384, or 512 bit key 16 | 17 | ### Changed 18 | 19 | - use `maven-gpg-plugin`'s bc-based signer 20 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2015-2017 Cryptomator 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Java RFC 5297 SIV Authenticated Encryption 2 | 3 | [![Build](https://github.com/cryptomator/siv-mode/workflows/Build/badge.svg)](https://github.com/cryptomator/siv-mode/actions?query=workflow%3ABuild) 4 | [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=cryptomator_siv-mode&metric=alert_status)](https://sonarcloud.io/dashboard?id=cryptomator_siv-mode) 5 | [![Coverage](https://sonarcloud.io/api/project_badges/measure?project=cryptomator_siv-mode&metric=coverage)](https://sonarcloud.io/dashboard?id=cryptomator_siv-mode) 6 | [![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=cryptomator_siv-mode&metric=vulnerabilities)](https://sonarcloud.io/dashboard?id=cryptomator_siv-mode) 7 | [![Maven Central](https://img.shields.io/maven-central/v/org.cryptomator/siv-mode.svg?maxAge=86400)](https://repo1.maven.org/maven2/org/cryptomator/siv-mode/) 8 | [![Javadocs](http://www.javadoc.io/badge/org.cryptomator/siv-mode.svg)](http://www.javadoc.io/doc/org.cryptomator/siv-mode) 9 | 10 | ## Features 11 | - No dependencies (required BouncyCastle classes are repackaged) 12 | - Passes official RFC 5297 test vectors 13 | - Constant time authentication 14 | - Defaults on AES, but supports any block cipher with a 128-bit block size. 15 | - Supports any key sizes that the block cipher supports (e.g. 128/192/256-bit keys for AES) 16 | - Thread-safe 17 | - [Fast](https://github.com/cryptomator/siv-mode/issues/15) 18 | - Requires JDK 8+ or Android API Level 24+ (since version 1.4.0) 19 | 20 | ## Audits 21 | - [Version 1.0.8 audit by Tim McLean](https://www.chosenplaintext.ca/publications/20161104-siv-mode-report.pdf) (Issues fixed with 1.1.0) 22 | - [Version 1.2.1 audit by Cure53](https://cryptomator.org/audits/2017-11-27%20crypto%20cure53.pdf) 23 | 24 | | Finding | Comment | 25 | |---|---| 26 | | 1u1-22-001 | The GPG key is used exclusively for the Maven repositories, is designed for signing only and is protected by a 30-character generated password (alphabet size: 96 chars). It is iterated and salted (SHA1 with 20971520 iterations). An offline attack is also very unattractive. Apart from that, this finding has no influence on the Tresor apps[1](#footnote-tresor-apps). This was not known to Cure53 at the time of reporting. | 27 | | 1u1-22-002 | As per contract of `BlockCipher#processBlock(byte[], int, byte[], int)`, `JceAesBlockCipher` is designed to encrypt or decrypt just **one single block** at a time. JCE doesn't allow us to retrieve the plain cipher without a mode, so we explicitly request `AES/ECB/NoPadding`. This is by design, because we want the plain cipher for a single 128 bit block without any mode. We're not actually using ECB mode. | 28 | 29 | ## Usage 30 | ```java 31 | private static final SivMode AES_SIV = new SivMode(); 32 | 33 | public void encrypt() { 34 | byte[] encrypted = AES_SIV.encrypt(ctrKey, macKey, "hello world".getBytes()); 35 | byte[] decrypted = AES_SIV.decrypt(ctrKey, macKey, encrypted); 36 | } 37 | 38 | public void encryptWithAssociatedData() { 39 | byte[] encrypted = AES_SIV.encrypt(ctrKey, macKey, "hello world".getBytes(), "associated".getBytes(), "data".getBytes()); 40 | byte[] decrypted = AES_SIV.decrypt(ctrKey, macKey, encrypted, "associated".getBytes(), "data".getBytes()); 41 | } 42 | ``` 43 | 44 | ## Maven integration 45 | 46 | ```xml 47 | 48 | 49 | org.cryptomator 50 | siv-mode 51 | 1.4.0 52 | 53 | 54 | ``` 55 | 56 | ## Java Module 57 | 58 | From version 1.3.2 onwards this library is an explicit module with the name `org.cryptomator.siv`. You can use it by adding the following line to your `module-info.java`. 59 | 60 | ```java 61 | requires org.cryptomator.siv; 62 | ``` 63 | 64 | Because BouncyCastle classes are shaded, this library only depends on `java.base`. 65 | 66 | ## Reproducible Builds 67 | 68 | This is a Maven project that can be built using `mvn install`. However, if you want to build this reproducibly, please make sure: 69 | 70 | 1. Use the same build environment 71 | * The same [JDK as our CI builds](https://github.com/cryptomator/siv-mode/blob/develop/.github/workflows/build.yml#L15-L16) 72 | * Ideally the same same arch and OS (x86_64 Linux) 73 | * Same locale (en_US) and linebreaks (POSIX) 74 | 2. Use `./mvnw install` instead (or `./mvnw verify` or `./mvnw package -DskipTests`, depending on your intentions) 75 | 76 | ## License 77 | Distributed under the MIT X Consortium license. See the LICENSE file for more info. 78 | 79 | --- 80 | 81 | 1 The Cure53 pentesting was performed during the development of the apps for 1&1 Mail & Media GmbH. 82 | -------------------------------------------------------------------------------- /mvnw: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # ---------------------------------------------------------------------------- 3 | # Licensed to the Apache Software Foundation (ASF) under one 4 | # or more contributor license agreements. See the NOTICE file 5 | # distributed with this work for additional information 6 | # regarding copyright ownership. The ASF licenses this file 7 | # to you under the Apache License, Version 2.0 (the 8 | # "License"); you may not use this file except in compliance 9 | # with the License. You may obtain a copy of the License at 10 | # 11 | # http://www.apache.org/licenses/LICENSE-2.0 12 | # 13 | # Unless required by applicable law or agreed to in writing, 14 | # software distributed under the License is distributed on an 15 | # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 16 | # KIND, either express or implied. See the License for the 17 | # specific language governing permissions and limitations 18 | # under the License. 19 | # ---------------------------------------------------------------------------- 20 | 21 | # ---------------------------------------------------------------------------- 22 | # Apache Maven Wrapper startup batch script, version 3.3.2 23 | # 24 | # Optional ENV vars 25 | # ----------------- 26 | # JAVA_HOME - location of a JDK home dir, required when download maven via java source 27 | # MVNW_REPOURL - repo url base for downloading maven distribution 28 | # MVNW_USERNAME/MVNW_PASSWORD - user and password for downloading maven 29 | # MVNW_VERBOSE - true: enable verbose log; debug: trace the mvnw script; others: silence the output 30 | # ---------------------------------------------------------------------------- 31 | 32 | set -euf 33 | [ "${MVNW_VERBOSE-}" != debug ] || set -x 34 | 35 | # OS specific support. 36 | native_path() { printf %s\\n "$1"; } 37 | case "$(uname)" in 38 | CYGWIN* | MINGW*) 39 | [ -z "${JAVA_HOME-}" ] || JAVA_HOME="$(cygpath --unix "$JAVA_HOME")" 40 | native_path() { cygpath --path --windows "$1"; } 41 | ;; 42 | esac 43 | 44 | # set JAVACMD and JAVACCMD 45 | set_java_home() { 46 | # For Cygwin and MinGW, ensure paths are in Unix format before anything is touched 47 | if [ -n "${JAVA_HOME-}" ]; then 48 | if [ -x "$JAVA_HOME/jre/sh/java" ]; then 49 | # IBM's JDK on AIX uses strange locations for the executables 50 | JAVACMD="$JAVA_HOME/jre/sh/java" 51 | JAVACCMD="$JAVA_HOME/jre/sh/javac" 52 | else 53 | JAVACMD="$JAVA_HOME/bin/java" 54 | JAVACCMD="$JAVA_HOME/bin/javac" 55 | 56 | if [ ! -x "$JAVACMD" ] || [ ! -x "$JAVACCMD" ]; then 57 | echo "The JAVA_HOME environment variable is not defined correctly, so mvnw cannot run." >&2 58 | echo "JAVA_HOME is set to \"$JAVA_HOME\", but \"\$JAVA_HOME/bin/java\" or \"\$JAVA_HOME/bin/javac\" does not exist." >&2 59 | return 1 60 | fi 61 | fi 62 | else 63 | JAVACMD="$( 64 | 'set' +e 65 | 'unset' -f command 2>/dev/null 66 | 'command' -v java 67 | )" || : 68 | JAVACCMD="$( 69 | 'set' +e 70 | 'unset' -f command 2>/dev/null 71 | 'command' -v javac 72 | )" || : 73 | 74 | if [ ! -x "${JAVACMD-}" ] || [ ! -x "${JAVACCMD-}" ]; then 75 | echo "The java/javac command does not exist in PATH nor is JAVA_HOME set, so mvnw cannot run." >&2 76 | return 1 77 | fi 78 | fi 79 | } 80 | 81 | # hash string like Java String::hashCode 82 | hash_string() { 83 | str="${1:-}" h=0 84 | while [ -n "$str" ]; do 85 | char="${str%"${str#?}"}" 86 | h=$(((h * 31 + $(LC_CTYPE=C printf %d "'$char")) % 4294967296)) 87 | str="${str#?}" 88 | done 89 | printf %x\\n $h 90 | } 91 | 92 | verbose() { :; } 93 | [ "${MVNW_VERBOSE-}" != true ] || verbose() { printf %s\\n "${1-}"; } 94 | 95 | die() { 96 | printf %s\\n "$1" >&2 97 | exit 1 98 | } 99 | 100 | trim() { 101 | # MWRAPPER-139: 102 | # Trims trailing and leading whitespace, carriage returns, tabs, and linefeeds. 103 | # Needed for removing poorly interpreted newline sequences when running in more 104 | # exotic environments such as mingw bash on Windows. 105 | printf "%s" "${1}" | tr -d '[:space:]' 106 | } 107 | 108 | # parse distributionUrl and optional distributionSha256Sum, requires .mvn/wrapper/maven-wrapper.properties 109 | while IFS="=" read -r key value; do 110 | case "${key-}" in 111 | distributionUrl) distributionUrl=$(trim "${value-}") ;; 112 | distributionSha256Sum) distributionSha256Sum=$(trim "${value-}") ;; 113 | esac 114 | done <"${0%/*}/.mvn/wrapper/maven-wrapper.properties" 115 | [ -n "${distributionUrl-}" ] || die "cannot read distributionUrl property in ${0%/*}/.mvn/wrapper/maven-wrapper.properties" 116 | 117 | case "${distributionUrl##*/}" in 118 | maven-mvnd-*bin.*) 119 | MVN_CMD=mvnd.sh _MVNW_REPO_PATTERN=/maven/mvnd/ 120 | case "${PROCESSOR_ARCHITECTURE-}${PROCESSOR_ARCHITEW6432-}:$(uname -a)" in 121 | *AMD64:CYGWIN* | *AMD64:MINGW*) distributionPlatform=windows-amd64 ;; 122 | :Darwin*x86_64) distributionPlatform=darwin-amd64 ;; 123 | :Darwin*arm64) distributionPlatform=darwin-aarch64 ;; 124 | :Linux*x86_64*) distributionPlatform=linux-amd64 ;; 125 | *) 126 | echo "Cannot detect native platform for mvnd on $(uname)-$(uname -m), use pure java version" >&2 127 | distributionPlatform=linux-amd64 128 | ;; 129 | esac 130 | distributionUrl="${distributionUrl%-bin.*}-$distributionPlatform.zip" 131 | ;; 132 | maven-mvnd-*) MVN_CMD=mvnd.sh _MVNW_REPO_PATTERN=/maven/mvnd/ ;; 133 | *) MVN_CMD="mvn${0##*/mvnw}" _MVNW_REPO_PATTERN=/org/apache/maven/ ;; 134 | esac 135 | 136 | # apply MVNW_REPOURL and calculate MAVEN_HOME 137 | # maven home pattern: ~/.m2/wrapper/dists/{apache-maven-,maven-mvnd--}/ 138 | [ -z "${MVNW_REPOURL-}" ] || distributionUrl="$MVNW_REPOURL$_MVNW_REPO_PATTERN${distributionUrl#*"$_MVNW_REPO_PATTERN"}" 139 | distributionUrlName="${distributionUrl##*/}" 140 | distributionUrlNameMain="${distributionUrlName%.*}" 141 | distributionUrlNameMain="${distributionUrlNameMain%-bin}" 142 | MAVEN_USER_HOME="${MAVEN_USER_HOME:-${HOME}/.m2}" 143 | MAVEN_HOME="${MAVEN_USER_HOME}/wrapper/dists/${distributionUrlNameMain-}/$(hash_string "$distributionUrl")" 144 | 145 | exec_maven() { 146 | unset MVNW_VERBOSE MVNW_USERNAME MVNW_PASSWORD MVNW_REPOURL || : 147 | exec "$MAVEN_HOME/bin/$MVN_CMD" "$@" || die "cannot exec $MAVEN_HOME/bin/$MVN_CMD" 148 | } 149 | 150 | if [ -d "$MAVEN_HOME" ]; then 151 | verbose "found existing MAVEN_HOME at $MAVEN_HOME" 152 | exec_maven "$@" 153 | fi 154 | 155 | case "${distributionUrl-}" in 156 | *?-bin.zip | *?maven-mvnd-?*-?*.zip) ;; 157 | *) die "distributionUrl is not valid, must match *-bin.zip or maven-mvnd-*.zip, but found '${distributionUrl-}'" ;; 158 | esac 159 | 160 | # prepare tmp dir 161 | if TMP_DOWNLOAD_DIR="$(mktemp -d)" && [ -d "$TMP_DOWNLOAD_DIR" ]; then 162 | clean() { rm -rf -- "$TMP_DOWNLOAD_DIR"; } 163 | trap clean HUP INT TERM EXIT 164 | else 165 | die "cannot create temp dir" 166 | fi 167 | 168 | mkdir -p -- "${MAVEN_HOME%/*}" 169 | 170 | # Download and Install Apache Maven 171 | verbose "Couldn't find MAVEN_HOME, downloading and installing it ..." 172 | verbose "Downloading from: $distributionUrl" 173 | verbose "Downloading to: $TMP_DOWNLOAD_DIR/$distributionUrlName" 174 | 175 | # select .zip or .tar.gz 176 | if ! command -v unzip >/dev/null; then 177 | distributionUrl="${distributionUrl%.zip}.tar.gz" 178 | distributionUrlName="${distributionUrl##*/}" 179 | fi 180 | 181 | # verbose opt 182 | __MVNW_QUIET_WGET=--quiet __MVNW_QUIET_CURL=--silent __MVNW_QUIET_UNZIP=-q __MVNW_QUIET_TAR='' 183 | [ "${MVNW_VERBOSE-}" != true ] || __MVNW_QUIET_WGET='' __MVNW_QUIET_CURL='' __MVNW_QUIET_UNZIP='' __MVNW_QUIET_TAR=v 184 | 185 | # normalize http auth 186 | case "${MVNW_PASSWORD:+has-password}" in 187 | '') MVNW_USERNAME='' MVNW_PASSWORD='' ;; 188 | has-password) [ -n "${MVNW_USERNAME-}" ] || MVNW_USERNAME='' MVNW_PASSWORD='' ;; 189 | esac 190 | 191 | if [ -z "${MVNW_USERNAME-}" ] && command -v wget >/dev/null; then 192 | verbose "Found wget ... using wget" 193 | wget ${__MVNW_QUIET_WGET:+"$__MVNW_QUIET_WGET"} "$distributionUrl" -O "$TMP_DOWNLOAD_DIR/$distributionUrlName" || die "wget: Failed to fetch $distributionUrl" 194 | elif [ -z "${MVNW_USERNAME-}" ] && command -v curl >/dev/null; then 195 | verbose "Found curl ... using curl" 196 | curl ${__MVNW_QUIET_CURL:+"$__MVNW_QUIET_CURL"} -f -L -o "$TMP_DOWNLOAD_DIR/$distributionUrlName" "$distributionUrl" || die "curl: Failed to fetch $distributionUrl" 197 | elif set_java_home; then 198 | verbose "Falling back to use Java to download" 199 | javaSource="$TMP_DOWNLOAD_DIR/Downloader.java" 200 | targetZip="$TMP_DOWNLOAD_DIR/$distributionUrlName" 201 | cat >"$javaSource" <<-END 202 | public class Downloader extends java.net.Authenticator 203 | { 204 | protected java.net.PasswordAuthentication getPasswordAuthentication() 205 | { 206 | return new java.net.PasswordAuthentication( System.getenv( "MVNW_USERNAME" ), System.getenv( "MVNW_PASSWORD" ).toCharArray() ); 207 | } 208 | public static void main( String[] args ) throws Exception 209 | { 210 | setDefault( new Downloader() ); 211 | java.nio.file.Files.copy( java.net.URI.create( args[0] ).toURL().openStream(), java.nio.file.Paths.get( args[1] ).toAbsolutePath().normalize() ); 212 | } 213 | } 214 | END 215 | # For Cygwin/MinGW, switch paths to Windows format before running javac and java 216 | verbose " - Compiling Downloader.java ..." 217 | "$(native_path "$JAVACCMD")" "$(native_path "$javaSource")" || die "Failed to compile Downloader.java" 218 | verbose " - Running Downloader.java ..." 219 | "$(native_path "$JAVACMD")" -cp "$(native_path "$TMP_DOWNLOAD_DIR")" Downloader "$distributionUrl" "$(native_path "$targetZip")" 220 | fi 221 | 222 | # If specified, validate the SHA-256 sum of the Maven distribution zip file 223 | if [ -n "${distributionSha256Sum-}" ]; then 224 | distributionSha256Result=false 225 | if [ "$MVN_CMD" = mvnd.sh ]; then 226 | echo "Checksum validation is not supported for maven-mvnd." >&2 227 | echo "Please disable validation by removing 'distributionSha256Sum' from your maven-wrapper.properties." >&2 228 | exit 1 229 | elif command -v sha256sum >/dev/null; then 230 | if echo "$distributionSha256Sum $TMP_DOWNLOAD_DIR/$distributionUrlName" | sha256sum -c >/dev/null 2>&1; then 231 | distributionSha256Result=true 232 | fi 233 | elif command -v shasum >/dev/null; then 234 | if echo "$distributionSha256Sum $TMP_DOWNLOAD_DIR/$distributionUrlName" | shasum -a 256 -c >/dev/null 2>&1; then 235 | distributionSha256Result=true 236 | fi 237 | else 238 | echo "Checksum validation was requested but neither 'sha256sum' or 'shasum' are available." >&2 239 | echo "Please install either command, or disable validation by removing 'distributionSha256Sum' from your maven-wrapper.properties." >&2 240 | exit 1 241 | fi 242 | if [ $distributionSha256Result = false ]; then 243 | echo "Error: Failed to validate Maven distribution SHA-256, your Maven distribution might be compromised." >&2 244 | echo "If you updated your Maven version, you need to update the specified distributionSha256Sum property." >&2 245 | exit 1 246 | fi 247 | fi 248 | 249 | # unzip and move 250 | if command -v unzip >/dev/null; then 251 | unzip ${__MVNW_QUIET_UNZIP:+"$__MVNW_QUIET_UNZIP"} "$TMP_DOWNLOAD_DIR/$distributionUrlName" -d "$TMP_DOWNLOAD_DIR" || die "failed to unzip" 252 | else 253 | tar xzf${__MVNW_QUIET_TAR:+"$__MVNW_QUIET_TAR"} "$TMP_DOWNLOAD_DIR/$distributionUrlName" -C "$TMP_DOWNLOAD_DIR" || die "failed to untar" 254 | fi 255 | printf %s\\n "$distributionUrl" >"$TMP_DOWNLOAD_DIR/$distributionUrlNameMain/mvnw.url" 256 | mv -- "$TMP_DOWNLOAD_DIR/$distributionUrlNameMain" "$MAVEN_HOME" || [ -d "$MAVEN_HOME" ] || die "fail to move MAVEN_HOME" 257 | 258 | clean || : 259 | exec_maven "$@" 260 | -------------------------------------------------------------------------------- /mvnw.cmd: -------------------------------------------------------------------------------- 1 | <# : batch portion 2 | @REM ---------------------------------------------------------------------------- 3 | @REM Licensed to the Apache Software Foundation (ASF) under one 4 | @REM or more contributor license agreements. See the NOTICE file 5 | @REM distributed with this work for additional information 6 | @REM regarding copyright ownership. The ASF licenses this file 7 | @REM to you under the Apache License, Version 2.0 (the 8 | @REM "License"); you may not use this file except in compliance 9 | @REM with the License. You may obtain a copy of the License at 10 | @REM 11 | @REM http://www.apache.org/licenses/LICENSE-2.0 12 | @REM 13 | @REM Unless required by applicable law or agreed to in writing, 14 | @REM software distributed under the License is distributed on an 15 | @REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 16 | @REM KIND, either express or implied. See the License for the 17 | @REM specific language governing permissions and limitations 18 | @REM under the License. 19 | @REM ---------------------------------------------------------------------------- 20 | 21 | @REM ---------------------------------------------------------------------------- 22 | @REM Apache Maven Wrapper startup batch script, version 3.3.2 23 | @REM 24 | @REM Optional ENV vars 25 | @REM MVNW_REPOURL - repo url base for downloading maven distribution 26 | @REM MVNW_USERNAME/MVNW_PASSWORD - user and password for downloading maven 27 | @REM MVNW_VERBOSE - true: enable verbose log; others: silence the output 28 | @REM ---------------------------------------------------------------------------- 29 | 30 | @IF "%__MVNW_ARG0_NAME__%"=="" (SET __MVNW_ARG0_NAME__=%~nx0) 31 | @SET __MVNW_CMD__= 32 | @SET __MVNW_ERROR__= 33 | @SET __MVNW_PSMODULEP_SAVE=%PSModulePath% 34 | @SET PSModulePath= 35 | @FOR /F "usebackq tokens=1* delims==" %%A IN (`powershell -noprofile "& {$scriptDir='%~dp0'; $script='%__MVNW_ARG0_NAME__%'; icm -ScriptBlock ([Scriptblock]::Create((Get-Content -Raw '%~f0'))) -NoNewScope}"`) DO @( 36 | IF "%%A"=="MVN_CMD" (set __MVNW_CMD__=%%B) ELSE IF "%%B"=="" (echo %%A) ELSE (echo %%A=%%B) 37 | ) 38 | @SET PSModulePath=%__MVNW_PSMODULEP_SAVE% 39 | @SET __MVNW_PSMODULEP_SAVE= 40 | @SET __MVNW_ARG0_NAME__= 41 | @SET MVNW_USERNAME= 42 | @SET MVNW_PASSWORD= 43 | @IF NOT "%__MVNW_CMD__%"=="" (%__MVNW_CMD__% %*) 44 | @echo Cannot start maven from wrapper >&2 && exit /b 1 45 | @GOTO :EOF 46 | : end batch / begin powershell #> 47 | 48 | $ErrorActionPreference = "Stop" 49 | if ($env:MVNW_VERBOSE -eq "true") { 50 | $VerbosePreference = "Continue" 51 | } 52 | 53 | # calculate distributionUrl, requires .mvn/wrapper/maven-wrapper.properties 54 | $distributionUrl = (Get-Content -Raw "$scriptDir/.mvn/wrapper/maven-wrapper.properties" | ConvertFrom-StringData).distributionUrl 55 | if (!$distributionUrl) { 56 | Write-Error "cannot read distributionUrl property in $scriptDir/.mvn/wrapper/maven-wrapper.properties" 57 | } 58 | 59 | switch -wildcard -casesensitive ( $($distributionUrl -replace '^.*/','') ) { 60 | "maven-mvnd-*" { 61 | $USE_MVND = $true 62 | $distributionUrl = $distributionUrl -replace '-bin\.[^.]*$',"-windows-amd64.zip" 63 | $MVN_CMD = "mvnd.cmd" 64 | break 65 | } 66 | default { 67 | $USE_MVND = $false 68 | $MVN_CMD = $script -replace '^mvnw','mvn' 69 | break 70 | } 71 | } 72 | 73 | # apply MVNW_REPOURL and calculate MAVEN_HOME 74 | # maven home pattern: ~/.m2/wrapper/dists/{apache-maven-,maven-mvnd--}/ 75 | if ($env:MVNW_REPOURL) { 76 | $MVNW_REPO_PATTERN = if ($USE_MVND) { "/org/apache/maven/" } else { "/maven/mvnd/" } 77 | $distributionUrl = "$env:MVNW_REPOURL$MVNW_REPO_PATTERN$($distributionUrl -replace '^.*'+$MVNW_REPO_PATTERN,'')" 78 | } 79 | $distributionUrlName = $distributionUrl -replace '^.*/','' 80 | $distributionUrlNameMain = $distributionUrlName -replace '\.[^.]*$','' -replace '-bin$','' 81 | $MAVEN_HOME_PARENT = "$HOME/.m2/wrapper/dists/$distributionUrlNameMain" 82 | if ($env:MAVEN_USER_HOME) { 83 | $MAVEN_HOME_PARENT = "$env:MAVEN_USER_HOME/wrapper/dists/$distributionUrlNameMain" 84 | } 85 | $MAVEN_HOME_NAME = ([System.Security.Cryptography.MD5]::Create().ComputeHash([byte[]][char[]]$distributionUrl) | ForEach-Object {$_.ToString("x2")}) -join '' 86 | $MAVEN_HOME = "$MAVEN_HOME_PARENT/$MAVEN_HOME_NAME" 87 | 88 | if (Test-Path -Path "$MAVEN_HOME" -PathType Container) { 89 | Write-Verbose "found existing MAVEN_HOME at $MAVEN_HOME" 90 | Write-Output "MVN_CMD=$MAVEN_HOME/bin/$MVN_CMD" 91 | exit $? 92 | } 93 | 94 | if (! $distributionUrlNameMain -or ($distributionUrlName -eq $distributionUrlNameMain)) { 95 | Write-Error "distributionUrl is not valid, must end with *-bin.zip, but found $distributionUrl" 96 | } 97 | 98 | # prepare tmp dir 99 | $TMP_DOWNLOAD_DIR_HOLDER = New-TemporaryFile 100 | $TMP_DOWNLOAD_DIR = New-Item -Itemtype Directory -Path "$TMP_DOWNLOAD_DIR_HOLDER.dir" 101 | $TMP_DOWNLOAD_DIR_HOLDER.Delete() | Out-Null 102 | trap { 103 | if ($TMP_DOWNLOAD_DIR.Exists) { 104 | try { Remove-Item $TMP_DOWNLOAD_DIR -Recurse -Force | Out-Null } 105 | catch { Write-Warning "Cannot remove $TMP_DOWNLOAD_DIR" } 106 | } 107 | } 108 | 109 | New-Item -Itemtype Directory -Path "$MAVEN_HOME_PARENT" -Force | Out-Null 110 | 111 | # Download and Install Apache Maven 112 | Write-Verbose "Couldn't find MAVEN_HOME, downloading and installing it ..." 113 | Write-Verbose "Downloading from: $distributionUrl" 114 | Write-Verbose "Downloading to: $TMP_DOWNLOAD_DIR/$distributionUrlName" 115 | 116 | $webclient = New-Object System.Net.WebClient 117 | if ($env:MVNW_USERNAME -and $env:MVNW_PASSWORD) { 118 | $webclient.Credentials = New-Object System.Net.NetworkCredential($env:MVNW_USERNAME, $env:MVNW_PASSWORD) 119 | } 120 | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 121 | $webclient.DownloadFile($distributionUrl, "$TMP_DOWNLOAD_DIR/$distributionUrlName") | Out-Null 122 | 123 | # If specified, validate the SHA-256 sum of the Maven distribution zip file 124 | $distributionSha256Sum = (Get-Content -Raw "$scriptDir/.mvn/wrapper/maven-wrapper.properties" | ConvertFrom-StringData).distributionSha256Sum 125 | if ($distributionSha256Sum) { 126 | if ($USE_MVND) { 127 | Write-Error "Checksum validation is not supported for maven-mvnd. `nPlease disable validation by removing 'distributionSha256Sum' from your maven-wrapper.properties." 128 | } 129 | Import-Module $PSHOME\Modules\Microsoft.PowerShell.Utility -Function Get-FileHash 130 | if ((Get-FileHash "$TMP_DOWNLOAD_DIR/$distributionUrlName" -Algorithm SHA256).Hash.ToLower() -ne $distributionSha256Sum) { 131 | Write-Error "Error: Failed to validate Maven distribution SHA-256, your Maven distribution might be compromised. If you updated your Maven version, you need to update the specified distributionSha256Sum property." 132 | } 133 | } 134 | 135 | # unzip and move 136 | Expand-Archive "$TMP_DOWNLOAD_DIR/$distributionUrlName" -DestinationPath "$TMP_DOWNLOAD_DIR" | Out-Null 137 | Rename-Item -Path "$TMP_DOWNLOAD_DIR/$distributionUrlNameMain" -NewName $MAVEN_HOME_NAME | Out-Null 138 | try { 139 | Move-Item -Path "$TMP_DOWNLOAD_DIR/$MAVEN_HOME_NAME" -Destination $MAVEN_HOME_PARENT | Out-Null 140 | } catch { 141 | if (! (Test-Path -Path "$MAVEN_HOME" -PathType Container)) { 142 | Write-Error "fail to move MAVEN_HOME" 143 | } 144 | } finally { 145 | try { Remove-Item $TMP_DOWNLOAD_DIR -Recurse -Force | Out-Null } 146 | catch { Write-Warning "Cannot remove $TMP_DOWNLOAD_DIR" } 147 | } 148 | 149 | Write-Output "MVN_CMD=$MAVEN_HOME/bin/$MVN_CMD" 150 | -------------------------------------------------------------------------------- /pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4.0.0 4 | org.cryptomator 5 | siv-mode 6 | 1.7.0-SNAPSHOT 7 | 8 | SIV Mode 9 | RFC 5297 SIV mode: deterministic authenticated encryption 10 | https://github.com/cryptomator/siv-mode 11 | 12 | 13 | scm:git:git@github.com:cryptomator/siv-mode.git 14 | scm:git:git@github.com:cryptomator/siv-mode.git 15 | git@github.com:cryptomator/siv-mode.git 16 | 17 | 18 | 19 | 20 | MIT License 21 | http://www.opensource.org/licenses/mit-license.php 22 | repo 23 | 24 | 25 | 26 | 27 | 28 | Sebastian Stenzel 29 | sebastian.stenzel@gmail.com 30 | +1 31 | cryptomator.org 32 | http://cryptomator.org 33 | 34 | 35 | 36 | 37 | UTF-8 38 | 2025-03-14T12:02:43Z 39 | 40 | 41 | 1.80 42 | 43 | 44 | 5.12.0 45 | 5.15.2 46 | 1.37 47 | 3.0 48 | 33.4.0-jre 49 | 50 | 51 | 12.1.0 52 | 53 | 54 | 55 | 56 | org.bouncycastle 57 | bcprov-jdk18on 58 | ${bouncycastle.version} 59 | 60 | true 61 | 62 | 63 | org.jetbrains 64 | annotations 65 | 26.0.2 66 | provided 67 | 68 | 69 | 70 | 71 | org.junit.jupiter 72 | junit-jupiter 73 | ${junit.version} 74 | test 75 | 76 | 77 | org.mockito 78 | mockito-core 79 | ${mockito.version} 80 | test 81 | 82 | 83 | org.hamcrest 84 | hamcrest 85 | ${hamcrest.version} 86 | test 87 | 88 | 89 | com.google.guava 90 | guava 91 | ${guava.version} 92 | test 93 | 94 | 95 | org.openjdk.jmh 96 | jmh-core 97 | ${jmh.version} 98 | test 99 | 100 | 101 | org.openjdk.jmh 102 | jmh-generator-annprocess 103 | ${jmh.version} 104 | test 105 | 106 | 107 | 108 | 109 | 110 | 111 | org.codehaus.mojo 112 | versions-maven-plugin 113 | 2.18.0 114 | 115 | 116 | org.apache.maven.plugins 117 | maven-enforcer-plugin 118 | 3.5.0 119 | 120 | 121 | enforce-java 122 | 123 | enforce 124 | 125 | 126 | 127 | 128 | 129 | You need at least JDK 18 to build this project. 130 | [18,) 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | maven-compiler-plugin 139 | 3.14.0 140 | 141 | 8 142 | UTF-8 143 | true 144 | 145 | 146 | 147 | java9 148 | compile 149 | 150 | compile 151 | 152 | 153 | 9 154 | 155 | ${project.basedir}/src/main/java9 156 | 157 | true 158 | 159 | 160 | 161 | 162 | 163 | org.apache.maven.plugins 164 | maven-surefire-plugin 165 | 3.5.2 166 | 167 | 168 | maven-jar-plugin 169 | 3.4.2 170 | 171 | 172 | 173 | true 174 | true 175 | 176 | 177 | 178 | 179 | 180 | maven-source-plugin 181 | 3.3.1 182 | 183 | 184 | attach-sources 185 | 186 | jar-no-fork 187 | 188 | 189 | 190 | 191 | 192 | maven-javadoc-plugin 193 | 3.11.2 194 | 195 | 196 | attach-javadocs 197 | 198 | jar 199 | 200 | 201 | 202 | 203 | 204 | 205 | -J-Duser.language=en 206 | -J-Duser.country=US 207 | 208 | 8 209 | 210 | 211 | 212 | maven-shade-plugin 213 | 3.6.0 214 | 215 | 216 | package 217 | 218 | shade 219 | 220 | 221 | true 222 | false 223 | false 224 | false 225 | 226 | 227 | org.bouncycastle:bcprov-jdk18on 228 | 229 | 230 | 231 | 232 | org.bouncycastle 233 | org.cryptomator.siv.org.bouncycastle 234 | 235 | 236 | 237 | 238 | org.bouncycastle:bcprov-jdk18on 239 | 240 | META-INF/** 241 | 242 | 243 | 244 | 245 | 246 | 247 | 248 | 249 | 250 | 251 | 252 | 253 | dependency-check 254 | 255 | 256 | 257 | org.owasp 258 | dependency-check-maven 259 | ${dependency-check.version} 260 | 261 | 24 262 | 0 263 | true 264 | true 265 | suppression.xml 266 | NVD_API_KEY 267 | 268 | 269 | 270 | 271 | check 272 | 273 | validate 274 | 275 | 276 | 277 | 278 | 279 | 280 | 281 | 282 | coverage 283 | 284 | 285 | 286 | org.jacoco 287 | jacoco-maven-plugin 288 | 0.8.12 289 | 290 | 291 | prepare-agent 292 | 293 | prepare-agent 294 | 295 | 296 | 297 | 298 | 299 | 300 | META-INF/** 301 | 302 | 303 | 304 | 305 | 306 | 307 | 308 | 309 | sign 310 | 311 | 312 | 313 | maven-gpg-plugin 314 | 3.2.7 315 | 316 | 317 | sign-artifacts 318 | verify 319 | 320 | sign 321 | 322 | 323 | bc 324 | 325 | 326 | 327 | 328 | 329 | 330 | 331 | 332 | 333 | deploy-central 334 | 335 | 336 | 337 | org.sonatype.central 338 | central-publishing-maven-plugin 339 | 0.7.0 340 | true 341 | 342 | central 343 | true 344 | 345 | 346 | 347 | 348 | 349 | 350 | 351 | deploy-github 352 | 353 | 354 | github 355 | GitHub Packages 356 | https://maven.pkg.github.com/cryptomator/siv-mode 357 | 358 | 359 | 360 | 361 | 362 | -------------------------------------------------------------------------------- /src/main/java/org/cryptomator/siv/CustomCtrComputer.java: -------------------------------------------------------------------------------- 1 | package org.cryptomator.siv; 2 | 3 | import org.bouncycastle.crypto.BlockCipher; 4 | import org.bouncycastle.crypto.CipherParameters; 5 | import org.bouncycastle.crypto.OutputLengthException; 6 | import org.bouncycastle.crypto.modes.CTRModeCipher; 7 | import org.bouncycastle.crypto.modes.SICBlockCipher; 8 | import org.bouncycastle.crypto.params.KeyParameter; 9 | import org.bouncycastle.crypto.params.ParametersWithIV; 10 | 11 | import java.util.function.Supplier; 12 | 13 | /** 14 | * Performs CTR Mode computations facilitating BouncyCastle's {@link SICBlockCipher}. 15 | */ 16 | class CustomCtrComputer implements SivMode.CtrComputer { 17 | 18 | private final Supplier blockCipherSupplier; 19 | 20 | public CustomCtrComputer(Supplier blockCipherSupplier) { 21 | this.blockCipherSupplier = blockCipherSupplier; 22 | } 23 | 24 | @Override 25 | public byte[] computeCtr(byte[] input, byte[] key, byte[] iv) { 26 | CTRModeCipher cipher = SICBlockCipher.newInstance(blockCipherSupplier.get()); 27 | CipherParameters params = new ParametersWithIV(new KeyParameter(key), iv); 28 | cipher.init(true, params); 29 | try { 30 | byte[] output = new byte[input.length]; 31 | cipher.processBytes(input, 0, input.length, output, 0); 32 | return output; 33 | } catch (OutputLengthException e) { 34 | throw new IllegalStateException("In CTR mode output length must be equal to input length", e); 35 | } 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /src/main/java/org/cryptomator/siv/JceAesBlockCipher.java: -------------------------------------------------------------------------------- 1 | package org.cryptomator.siv; 2 | /******************************************************************************* 3 | * Copyright (c) 2016 Sebastian Stenzel 4 | * This file is licensed under the terms of the MIT license. 5 | * See the LICENSE.txt file for more info. 6 | * 7 | * Contributors: 8 | * Sebastian Stenzel - initial API and implementation 9 | ******************************************************************************/ 10 | 11 | import java.security.InvalidKeyException; 12 | import java.security.Key; 13 | import java.security.NoSuchAlgorithmException; 14 | import java.security.Provider; 15 | 16 | import javax.crypto.Cipher; 17 | import javax.crypto.NoSuchPaddingException; 18 | import javax.crypto.ShortBufferException; 19 | import javax.crypto.spec.SecretKeySpec; 20 | 21 | import org.bouncycastle.crypto.BlockCipher; 22 | import org.bouncycastle.crypto.CipherParameters; 23 | import org.bouncycastle.crypto.DataLengthException; 24 | import org.bouncycastle.crypto.params.KeyParameter; 25 | 26 | /** 27 | * Adapter class between BouncyCastle's {@link BlockCipher} and JCE's {@link Cipher} API. 28 | * 29 | *

30 | * As per contract of {@link BlockCipher#processBlock(byte[], int, byte[], int)}, this class is designed to encrypt or decrypt just one single block at a time. 31 | * JCE doesn't allow us to retrieve the plain cipher without a mode, so we explicitly request {@value #SINGLE_BLOCK_PLAIN_AES_JCE_CIPHER_NAME}. 32 | * This is by design, because we want the plain cipher for a single 128 bit block without any mode. We're not actually using ECB mode. 33 | * 34 | *

35 | * This is a package-private class only used to encrypt the 128 bit counter during SIV mode. 36 | */ 37 | final class JceAesBlockCipher implements BlockCipher { 38 | 39 | private static final String ALG_NAME = "AES"; 40 | private static final String KEY_DESIGNATION = "AES"; 41 | private static final String SINGLE_BLOCK_PLAIN_AES_JCE_CIPHER_NAME = "AES/ECB/NoPadding"; 42 | 43 | private final Cipher cipher; 44 | private Key key; 45 | private int opmode; 46 | 47 | JceAesBlockCipher() { 48 | this(null); 49 | } 50 | 51 | JceAesBlockCipher(Provider provider) { 52 | try { 53 | if(provider != null) { 54 | this.cipher = Cipher.getInstance(SINGLE_BLOCK_PLAIN_AES_JCE_CIPHER_NAME, provider); 55 | } else { 56 | this.cipher = Cipher.getInstance(SINGLE_BLOCK_PLAIN_AES_JCE_CIPHER_NAME); // defaults to SunJCE 57 | } 58 | } catch (NoSuchAlgorithmException | NoSuchPaddingException e) { 59 | throw new IllegalStateException("Every implementation of the Java platform is required to support AES/ECB/NoPadding."); 60 | } 61 | } 62 | 63 | @Override 64 | public void init(boolean forEncryption, CipherParameters params) throws IllegalArgumentException { 65 | if (params instanceof KeyParameter) { 66 | init(forEncryption, (KeyParameter) params); 67 | } else { 68 | throw new IllegalArgumentException("Invalid or missing parameter of type KeyParameter."); 69 | } 70 | } 71 | 72 | private void init(boolean forEncryption, KeyParameter keyParam) throws IllegalArgumentException { 73 | this.key = new SecretKeySpec(keyParam.getKey(), KEY_DESIGNATION); 74 | this.opmode = forEncryption ? Cipher.ENCRYPT_MODE : Cipher.DECRYPT_MODE; 75 | try { 76 | cipher.init(opmode, key); 77 | } catch (InvalidKeyException e) { 78 | throw new IllegalArgumentException("Invalid key.", e); 79 | } 80 | } 81 | 82 | @Override 83 | public String getAlgorithmName() { 84 | return ALG_NAME; 85 | } 86 | 87 | @Override 88 | public int getBlockSize() { 89 | return cipher.getBlockSize(); 90 | } 91 | 92 | @Override 93 | public int processBlock(byte[] in, int inOff, byte[] out, int outOff) throws DataLengthException, IllegalStateException { 94 | if (in.length - inOff < getBlockSize()) { 95 | throw new DataLengthException("Insufficient data in 'in'."); 96 | } 97 | try { 98 | return cipher.update(in, inOff, getBlockSize(), out, outOff); 99 | } catch (ShortBufferException e) { 100 | throw new DataLengthException("Insufficient space in 'out'."); 101 | } 102 | } 103 | 104 | @Override 105 | public void reset() { 106 | if (key == null) { 107 | return; // no-op if init has not been called yet. 108 | } 109 | try { 110 | cipher.init(opmode, key); 111 | } catch (InvalidKeyException e) { 112 | throw new IllegalStateException("cipher.init(...) already invoked successfully earlier with same parameters."); 113 | } 114 | } 115 | 116 | } 117 | -------------------------------------------------------------------------------- /src/main/java/org/cryptomator/siv/JceAesCtrComputer.java: -------------------------------------------------------------------------------- 1 | package org.cryptomator.siv; 2 | 3 | import javax.crypto.BadPaddingException; 4 | import javax.crypto.Cipher; 5 | import javax.crypto.IllegalBlockSizeException; 6 | import javax.crypto.NoSuchPaddingException; 7 | import javax.crypto.spec.IvParameterSpec; 8 | import javax.crypto.spec.SecretKeySpec; 9 | import java.security.InvalidAlgorithmParameterException; 10 | import java.security.InvalidKeyException; 11 | import java.security.NoSuchAlgorithmException; 12 | import java.security.Provider; 13 | 14 | /** 15 | * Performs CTR Mode computations facilitating a cipher returned by JCE's Cipher.getInstance("AES/CTR/NoPadding"). 16 | */ 17 | final class JceAesCtrComputer implements SivMode.CtrComputer { 18 | 19 | private final ThreadLocal threadLocalCipher; 20 | 21 | public JceAesCtrComputer(final Provider jceSecurityProvider) { 22 | this.threadLocalCipher = ThreadLocals.withInitial(() -> { 23 | try { 24 | if (jceSecurityProvider == null) { 25 | return Cipher.getInstance("AES/CTR/NoPadding"); 26 | } else { 27 | return Cipher.getInstance("AES/CTR/NoPadding", jceSecurityProvider); 28 | } 29 | } catch (NoSuchAlgorithmException | NoSuchPaddingException e) { 30 | throw new IllegalStateException("AES/CTR/NoPadding not available on this platform.", e); 31 | } 32 | }); 33 | } 34 | 35 | @Override 36 | public byte[] computeCtr(byte[] input, byte[] key, final byte[] iv) { 37 | try { 38 | Cipher cipher = threadLocalCipher.get(); 39 | cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv)); 40 | return cipher.doFinal(input); 41 | } catch (InvalidKeyException | InvalidAlgorithmParameterException e) { 42 | throw new IllegalArgumentException("Key or IV invalid."); 43 | } catch (BadPaddingException e) { 44 | throw new IllegalStateException("Cipher doesn't require padding.", e); 45 | } catch (IllegalBlockSizeException e) { 46 | throw new IllegalStateException("Block size irrelevant for stream ciphers.", e); 47 | } 48 | } 49 | } 50 | -------------------------------------------------------------------------------- /src/main/java/org/cryptomator/siv/SivMode.java: -------------------------------------------------------------------------------- 1 | package org.cryptomator.siv; 2 | /******************************************************************************* 3 | * Copyright (c) 2015 Sebastian Stenzel 4 | * This file is licensed under the terms of the MIT license. 5 | * See the LICENSE.txt file for more info. 6 | * 7 | * Contributors: 8 | * Sebastian Stenzel - initial API and implementation 9 | ******************************************************************************/ 10 | 11 | import org.bouncycastle.crypto.BlockCipher; 12 | import org.bouncycastle.crypto.CipherParameters; 13 | import org.bouncycastle.crypto.Mac; 14 | import org.bouncycastle.crypto.macs.CMac; 15 | import org.bouncycastle.crypto.paddings.ISO7816d4Padding; 16 | import org.bouncycastle.crypto.params.KeyParameter; 17 | import org.jetbrains.annotations.VisibleForTesting; 18 | 19 | import javax.crypto.IllegalBlockSizeException; 20 | import javax.crypto.SecretKey; 21 | import java.security.Provider; 22 | import java.util.Arrays; 23 | 24 | /** 25 | * Implements the RFC 5297 SIV mode. 26 | */ 27 | public final class SivMode { 28 | 29 | private static final byte[] BYTES_ZERO = new byte[16]; 30 | private static final byte DOUBLING_CONST = (byte) 0x87; 31 | 32 | private final ThreadLocal threadLocalCipher; 33 | private final CtrComputer ctrComputer; 34 | 35 | /** 36 | * Creates an AES-SIV instance using JCE's cipher implementation, which should normally be the best choice.
37 | *

38 | * For embedded systems, you might want to consider using {@link #SivMode(BlockCipherFactory)} with BouncyCastle's {@code AESLightEngine} instead. 39 | * 40 | * @see #SivMode(BlockCipherFactory) 41 | */ 42 | public SivMode() { 43 | this((Provider) null); 44 | } 45 | 46 | /** 47 | * Creates an AES-SIV instance using a custom JCE's security provider
48 | *

49 | * For embedded systems, you might want to consider using {@link #SivMode(BlockCipherFactory)} with BouncyCastle's {@code AESLightEngine} instead. 50 | * 51 | * @param jceSecurityProvider to use to create the internal {@link javax.crypto.Cipher} instance 52 | * @see #SivMode(BlockCipherFactory) 53 | */ 54 | public SivMode(final Provider jceSecurityProvider) { 55 | this(ThreadLocals.withInitial(() -> new JceAesBlockCipher(jceSecurityProvider)), new JceAesCtrComputer(jceSecurityProvider)); 56 | } 57 | 58 | /** 59 | * Creates an instance using a specific Blockcipher.get(). If you want to use AES, just use the default constructor. 60 | * 61 | * @param cipherFactory A factory method creating a Blockcipher.get(). Must use a block size of 128 bits (16 bytes). 62 | */ 63 | public SivMode(final BlockCipherFactory cipherFactory) { 64 | this(ThreadLocals.withInitial(cipherFactory::create)); 65 | } 66 | 67 | private SivMode(final ThreadLocal threadLocalCipher) { 68 | this(threadLocalCipher, new CustomCtrComputer(threadLocalCipher::get)); 69 | } 70 | 71 | private SivMode(final ThreadLocal threadLocalCipher, final CtrComputer ctrComputer) { 72 | // Try using cipherFactory to check that the block size is valid. 73 | // We assume here that the block size will not vary across calls to .create(). 74 | if (threadLocalCipher.get().getBlockSize() != 16) { 75 | throw new IllegalArgumentException("cipherFactory must create BlockCipher objects with a 16-byte block size"); 76 | } 77 | 78 | this.threadLocalCipher = threadLocalCipher; 79 | this.ctrComputer = ctrComputer; 80 | } 81 | 82 | /** 83 | * Creates {@link BlockCipher}s. 84 | */ 85 | @FunctionalInterface 86 | public interface BlockCipherFactory { 87 | /** 88 | * Creates a new {@link BlockCipher}. 89 | * 90 | * @return New {@link BlockCipher} instance 91 | */ 92 | BlockCipher create(); 93 | } 94 | 95 | /** 96 | * Performs CTR computations. 97 | */ 98 | @FunctionalInterface 99 | interface CtrComputer { 100 | byte[] computeCtr(byte[] input, byte[] key, final byte[] iv); 101 | } 102 | 103 | /** 104 | * Convenience method using a single 256, 384, or 512 bits key. This is just a wrapper for {@link #encrypt(byte[], byte[], byte[], byte[]...)}. 105 | * @param key Combined key, which is split in half. 106 | * @param plaintext Your plaintext, which shall be encrypted. 107 | * @param associatedData Optional associated data, which gets authenticated but not encrypted. 108 | * @return IV + Ciphertext as a concatenated byte array. 109 | */ 110 | public byte[] encrypt(SecretKey key, byte[] plaintext, byte[]... associatedData) { 111 | try { 112 | return deriveSubkeysAndThen(this::encrypt, key, plaintext, associatedData); 113 | } catch (UnauthenticCiphertextException | IllegalBlockSizeException e) { 114 | throw new IllegalStateException("Exceptions only expected during decryption", e); 115 | } 116 | } 117 | 118 | /** 119 | * Convenience method, if you are using the javax.crypto API. This is just a wrapper for {@link #encrypt(byte[], byte[], byte[], byte[]...)}. 120 | * 121 | * @param ctrKey SIV mode requires two separate keys. You can use one long key, which is split in half. See RFC 5297 Section 2.2 122 | * @param macKey SIV mode requires two separate keys. You can use one long key, which is split in half. See RFC 5297 Section 2.2 123 | * @param plaintext Your plaintext, which shall be encrypted. 124 | * @param associatedData Optional associated data, which gets authenticated but not encrypted. 125 | * @return IV + Ciphertext as a concatenated byte array. 126 | * @throws IllegalArgumentException if keys are invalid or {@link SecretKey#getEncoded()} is not supported. 127 | */ 128 | public byte[] encrypt(SecretKey ctrKey, SecretKey macKey, byte[] plaintext, byte[]... associatedData) { 129 | try { 130 | return getEncodedAndThen(this::encrypt, ctrKey, macKey, plaintext, associatedData); 131 | } catch (UnauthenticCiphertextException | IllegalBlockSizeException e) { 132 | throw new IllegalStateException("Exceptions only expected during decryption", e); 133 | } 134 | } 135 | 136 | /** 137 | * Encrypts plaintext using SIV mode. A block cipher defined by the constructor is being used.
138 | * 139 | * @param ctrKey SIV mode requires two separate keys. You can use one long key, which is split in half. See RFC 5297 Section 2.2 140 | * @param macKey SIV mode requires two separate keys. You can use one long key, which is split in half. See RFC 5297 Section 2.2 141 | * @param plaintext Your plaintext, which shall be encrypted. 142 | * @param associatedData Optional associated data, which gets authenticated but not encrypted. 143 | * @return IV + Ciphertext as a concatenated byte array. 144 | * @throws IllegalArgumentException if the either of the two keys is of invalid length for the used {@link BlockCipher}. 145 | */ 146 | public byte[] encrypt(byte[] ctrKey, byte[] macKey, byte[] plaintext, byte[]... associatedData) { 147 | // Check if plaintext length will cause overflows 148 | if (plaintext.length > (Integer.MAX_VALUE - 16)) { 149 | throw new IllegalArgumentException("Plaintext is too long"); 150 | } 151 | 152 | final byte[] iv = s2v(macKey, plaintext, associatedData); 153 | final byte[] ciphertext = computeCtr(plaintext, ctrKey, iv); 154 | 155 | // concat IV + ciphertext: 156 | final byte[] result = new byte[iv.length + ciphertext.length]; 157 | System.arraycopy(iv, 0, result, 0, iv.length); 158 | System.arraycopy(ciphertext, 0, result, iv.length, ciphertext.length); 159 | return result; 160 | } 161 | 162 | /** 163 | * Convenience method using a single 256, 384, or 512 bits key. This is just a wrapper for {@link #decrypt(byte[], byte[], byte[], byte[]...)}. 164 | * @param key Combined key, which is split in half. 165 | * @param ciphertext Your cipehrtext, which shall be decrypted. 166 | * @param associatedData Optional associated data, which gets authenticated but not encrypted. 167 | * @return Plaintext byte array. 168 | * @throws IllegalArgumentException If keys are invalid. 169 | * @throws UnauthenticCiphertextException If the authentication failed, e.g. because ciphertext and/or associatedData are corrupted. 170 | * @throws IllegalBlockSizeException If the provided ciphertext is of invalid length. 171 | */ 172 | public byte[] decrypt(SecretKey key, byte[] ciphertext, byte[]... associatedData) throws UnauthenticCiphertextException, IllegalBlockSizeException { 173 | return deriveSubkeysAndThen(this::decrypt, key, ciphertext, associatedData); 174 | } 175 | 176 | /** 177 | * Convenience method, if you are using the javax.crypto API. This is just a wrapper for {@link #decrypt(byte[], byte[], byte[], byte[]...)}. 178 | * 179 | * @param ctrKey SIV mode requires two separate keys. You can use one long key, which is split in half. See RFC 5297 Section 2.2 180 | * @param macKey SIV mode requires two separate keys. You can use one long key, which is split in half. See RFC 5297 Section 2.2 181 | * @param ciphertext Your cipehrtext, which shall be decrypted. 182 | * @param associatedData Optional associated data, which needs to be authenticated during decryption. 183 | * @return Plaintext byte array. 184 | * @throws IllegalArgumentException If keys are invalid or {@link SecretKey#getEncoded()} is not supported. 185 | * @throws UnauthenticCiphertextException If the authentication failed, e.g. because ciphertext and/or associatedData are corrupted. 186 | * @throws IllegalBlockSizeException If the provided ciphertext is of invalid length. 187 | */ 188 | public byte[] decrypt(SecretKey ctrKey, SecretKey macKey, byte[] ciphertext, byte[]... associatedData) throws UnauthenticCiphertextException, IllegalBlockSizeException { 189 | return getEncodedAndThen(this::decrypt, ctrKey, macKey, ciphertext, associatedData); 190 | } 191 | 192 | /** 193 | * Decrypts ciphertext using SIV mode. A block cipher defined by the constructor is being used.
194 | * 195 | * @param ctrKey SIV mode requires two separate keys. You can use one long key, which is split in half. See RFC 5297 Section 2.2 196 | * @param macKey SIV mode requires two separate keys. You can use one long key, which is split in half. See RFC 5297 Section 2.2 197 | * @param ciphertext Your ciphertext, which shall be encrypted. 198 | * @param associatedData Optional associated data, which needs to be authenticated during decryption. 199 | * @return Plaintext byte array. 200 | * @throws IllegalArgumentException If the either of the two keys is of invalid length for the used {@link BlockCipher}. 201 | * @throws UnauthenticCiphertextException If the authentication failed, e.g. because ciphertext and/or associatedData are corrupted. 202 | * @throws IllegalBlockSizeException If the provided ciphertext is of invalid length. 203 | */ 204 | public byte[] decrypt(byte[] ctrKey, byte[] macKey, byte[] ciphertext, byte[]... associatedData) throws UnauthenticCiphertextException, IllegalBlockSizeException { 205 | if (ciphertext.length < 16) { 206 | throw new IllegalBlockSizeException("Input length must be greater than or equal 16."); 207 | } 208 | 209 | final byte[] iv = Arrays.copyOf(ciphertext, 16); 210 | final byte[] actualCiphertext = Arrays.copyOfRange(ciphertext, 16, ciphertext.length); 211 | final byte[] plaintext = computeCtr(actualCiphertext, ctrKey, iv); 212 | final byte[] control = s2v(macKey, plaintext, associatedData); 213 | 214 | // time-constant comparison (taken from MessageDigest.isEqual in JDK8) 215 | assert iv.length == control.length; 216 | int diff = 0; 217 | for (int i = 0; i < iv.length; i++) { 218 | diff |= iv[i] ^ control[i]; 219 | } 220 | 221 | if (diff == 0) { 222 | return plaintext; 223 | } else { 224 | throw new UnauthenticCiphertextException("authentication in SIV decryption failed"); 225 | } 226 | } 227 | 228 | 229 | /** 230 | * Either {@link #encrypt(byte[], byte[], byte[], byte[]...)} or {@link #decrypt(byte[], byte[], byte[], byte[]...)}. 231 | */ 232 | @FunctionalInterface 233 | private interface EncryptOrDecrypt { 234 | byte[] compute(byte[] ctrKey, byte[] macKey, byte[] ciphertext, byte[]... associatedData) throws UnauthenticCiphertextException, IllegalBlockSizeException; 235 | } 236 | 237 | /** 238 | * Splits the key into two subkeys and then encrypts or decrypts the data. 239 | * @param encryptOrDecrypt Either {@link #encrypt(byte[], byte[], byte[], byte[]...)} or {@link #decrypt(byte[], byte[], byte[], byte[]...)} 240 | * @param key The combined key, with the leftmost half being the S2V key and the rightmost half being the CTR key 241 | * @param data The to-be-encrypted plaintext or the to-be-decrypted ciphertext 242 | * @param associatedData Optional associated data 243 | * @return result of the encryptOrDecrypt function 244 | * @throws UnauthenticCiphertextException If the authentication failed, e.g. because ciphertext and/or associatedData are corrupted (only during decryption). 245 | * @throws IllegalBlockSizeException If the provided ciphertext is of invalid length (only during decryption). 246 | */ 247 | private byte[] deriveSubkeysAndThen(EncryptOrDecrypt encryptOrDecrypt, SecretKey key, byte[] data, byte[]... associatedData) throws UnauthenticCiphertextException, IllegalBlockSizeException { 248 | final byte[] keyBytes = key.getEncoded(); 249 | if (keyBytes.length != 64 && keyBytes.length != 48 && keyBytes.length != 32) { 250 | throw new IllegalArgumentException("Key length must be 256, 384, or 512 bits."); 251 | } 252 | final int subkeyLen = keyBytes.length / 2; 253 | assert subkeyLen == 32 || subkeyLen == 24 || subkeyLen == 16; 254 | final byte[] macKey = new byte[subkeyLen]; 255 | final byte[] ctrKey = new byte[subkeyLen]; 256 | try { 257 | System.arraycopy(keyBytes, 0, macKey, 0, macKey.length); // K1 = leftmost(K, len(K)/2); 258 | System.arraycopy(keyBytes, macKey.length, ctrKey, 0, ctrKey.length); // K2 = rightmost(K, len(K)/2); 259 | return encryptOrDecrypt.compute(ctrKey, macKey, data, associatedData); 260 | } finally { 261 | Arrays.fill(macKey, (byte) 0); 262 | Arrays.fill(ctrKey, (byte) 0); 263 | Arrays.fill(keyBytes, (byte) 0); 264 | } 265 | } 266 | 267 | /** 268 | * Encrypts or decrypts data using the given keys. 269 | * @param encryptOrDecrypt Either {@link #encrypt(byte[], byte[], byte[], byte[]...)} or {@link #decrypt(byte[], byte[], byte[], byte[]...)} 270 | * @param ctrKey The part of the key used for the CTR computation 271 | * @param macKey The part of the key used for the S2V computation 272 | * @param data The to-be-encrypted plaintext or the to-be-decrypted ciphertext 273 | * @param associatedData Optional associated data 274 | * @return result of the encryptOrDecrypt function 275 | * @throws UnauthenticCiphertextException If the authentication failed, e.g. because ciphertext and/or associatedData are corrupted (only during decryption). 276 | * @throws IllegalBlockSizeException If the provided ciphertext is of invalid length (only during decryption). 277 | */ 278 | private byte[] getEncodedAndThen(EncryptOrDecrypt encryptOrDecrypt, SecretKey ctrKey, SecretKey macKey, byte[] data, byte[]... associatedData) throws UnauthenticCiphertextException, IllegalBlockSizeException { 279 | final byte[] ctrKeyBytes = ctrKey.getEncoded(); 280 | final byte[] macKeyBytes = macKey.getEncoded(); 281 | if (ctrKeyBytes == null || macKeyBytes == null) { 282 | throw new IllegalArgumentException("Can't get bytes of given key."); 283 | } 284 | try { 285 | return encryptOrDecrypt.compute(ctrKeyBytes, macKeyBytes, data, associatedData); 286 | } finally { 287 | Arrays.fill(ctrKeyBytes, (byte) 0); 288 | Arrays.fill(macKeyBytes, (byte) 0); 289 | } 290 | } 291 | 292 | @VisibleForTesting 293 | byte[] computeCtr(byte[] input, byte[] key, final byte[] iv) { 294 | // clear out the 31st and 63rd (rightmost) bit: 295 | final byte[] adjustedIv = Arrays.copyOf(iv, 16); 296 | adjustedIv[8] = (byte) (adjustedIv[8] & 0x7F); 297 | adjustedIv[12] = (byte) (adjustedIv[12] & 0x7F); 298 | 299 | return ctrComputer.computeCtr(input, key, adjustedIv); 300 | } 301 | 302 | @VisibleForTesting 303 | byte[] s2v(byte[] macKey, byte[] plaintext, byte[]... associatedData) throws IllegalArgumentException { 304 | // Maximum permitted AD length is the block size in bits - 2 305 | if (associatedData.length > 126) { 306 | // SIV mode cannot be used safely with this many AD fields 307 | throw new IllegalArgumentException("too many Associated Data fields"); 308 | } 309 | 310 | final CipherParameters params = new KeyParameter(macKey); 311 | final CMac mac = new CMac(threadLocalCipher.get()); 312 | mac.init(params); 313 | 314 | // RFC 5297 defines a n == 0 case here. Where n is the length of the input vector: 315 | // S1 = associatedData1, S2 = associatedData2, ... Sn = plaintext 316 | // Since this method is invoked only by encrypt/decrypt, we always have a plaintext. 317 | // Thus n > 0 318 | 319 | byte[] d = mac(mac, BYTES_ZERO); 320 | 321 | for (byte[] s : associatedData) { 322 | d = xor(dbl(d), mac(mac, s)); 323 | } 324 | 325 | final byte[] t; 326 | if (plaintext.length >= 16) { 327 | t = xorend(plaintext, d); 328 | } else { 329 | t = xor(dbl(d), pad(plaintext)); 330 | } 331 | 332 | return mac(mac, t); 333 | } 334 | 335 | private static byte[] mac(Mac mac, byte[] in) { 336 | byte[] result = new byte[mac.getMacSize()]; 337 | mac.update(in, 0, in.length); 338 | mac.doFinal(result, 0); 339 | return result; 340 | } 341 | 342 | // First bit 1, following bits 0. 343 | private static byte[] pad(byte[] in) { 344 | final byte[] result = Arrays.copyOf(in, 16); 345 | new ISO7816d4Padding().addPadding(result, in.length); 346 | return result; 347 | } 348 | 349 | // Code taken from {@link org.bouncycastle.crypto.macs.CMac} 350 | @VisibleForTesting 351 | static int shiftLeft(byte[] block, byte[] output) { 352 | int i = block.length; 353 | int bit = 0; 354 | while (--i >= 0) { 355 | int b = block[i] & 0xff; 356 | output[i] = (byte) ((b << 1) | bit); 357 | bit = (b >>> 7) & 1; 358 | } 359 | return bit; 360 | } 361 | 362 | // Code taken from {@link org.bouncycastle.crypto.macs.CMac} 363 | @VisibleForTesting 364 | static byte[] dbl(byte[] in) { 365 | byte[] ret = new byte[in.length]; 366 | int carry = shiftLeft(in, ret); 367 | int xor = 0xff & DOUBLING_CONST; 368 | 369 | /* 370 | * NOTE: This construction is an attempt at a constant-time implementation. 371 | */ 372 | int mask = (-carry) & 0xff; 373 | ret[in.length - 1] ^= xor & mask; 374 | 375 | return ret; 376 | } 377 | 378 | @VisibleForTesting 379 | static byte[] xor(byte[] in1, byte[] in2) { 380 | assert in1.length <= in2.length : "Length of first input must be <= length of second input."; 381 | final byte[] result = new byte[in1.length]; 382 | for (int i = 0; i < result.length; i++) { 383 | result[i] = (byte) (in1[i] ^ in2[i]); 384 | } 385 | return result; 386 | } 387 | 388 | @VisibleForTesting 389 | static byte[] xorend(byte[] in1, byte[] in2) { 390 | assert in1.length >= in2.length : "Length of first input must be >= length of second input."; 391 | final byte[] result = Arrays.copyOf(in1, in1.length); 392 | final int diff = in1.length - in2.length; 393 | for (int i = 0; i < in2.length; i++) { 394 | result[i + diff] = (byte) (result[i + diff] ^ in2[i]); 395 | } 396 | return result; 397 | } 398 | 399 | } 400 | -------------------------------------------------------------------------------- /src/main/java/org/cryptomator/siv/ThreadLocals.java: -------------------------------------------------------------------------------- 1 | package org.cryptomator.siv; 2 | 3 | import java.util.function.Supplier; 4 | 5 | /** 6 | * Shim for Android 7.x 7 | * @see Issue 17 8 | */ 9 | class ThreadLocals { 10 | 11 | private ThreadLocals() { 12 | } 13 | 14 | static ThreadLocal withInitial(Supplier supplier) { 15 | // ThreadLocal.withInitial is unavailable on Android 7.x 16 | return new ThreadLocal() { 17 | @Override 18 | protected S initialValue() { 19 | return supplier.get(); 20 | } 21 | }; 22 | } 23 | 24 | } 25 | -------------------------------------------------------------------------------- /src/main/java/org/cryptomator/siv/UnauthenticCiphertextException.java: -------------------------------------------------------------------------------- 1 | package org.cryptomator.siv; 2 | 3 | import javax.crypto.BadPaddingException; 4 | 5 | /** 6 | * Drop-in replacement for {@link javax.crypto.AEADBadTagException}, which is not available on some older Android systems. 7 | */ 8 | public class UnauthenticCiphertextException extends BadPaddingException { 9 | 10 | /** 11 | * Constructs a UnauthenticCiphertextException with the specified 12 | * detail message. 13 | * 14 | * @param message the detail message. 15 | */ 16 | public UnauthenticCiphertextException(String message) { 17 | super(message); 18 | } 19 | 20 | } 21 | -------------------------------------------------------------------------------- /src/main/java/org/cryptomator/siv/org/bouncycastle/crypto/Placeholder.java: -------------------------------------------------------------------------------- 1 | package org.cryptomator.siv.org.bouncycastle.crypto; 2 | 3 | /** 4 | * module-info will be evaluated before maven-shade-plugin, so we need this placeholder 5 | * to avoid complaints about this package being empty. 6 | */ 7 | interface Placeholder { 8 | } 9 | -------------------------------------------------------------------------------- /src/main/java/org/cryptomator/siv/org/bouncycastle/crypto/macs/Placeholder.java: -------------------------------------------------------------------------------- 1 | package org.cryptomator.siv.org.bouncycastle.crypto.macs; 2 | 3 | /** 4 | * module-info will be evaluated before maven-shade-plugin, so we need this placeholder 5 | * to avoid complaints about this package being empty. 6 | */ 7 | interface Placeholder { 8 | } 9 | -------------------------------------------------------------------------------- /src/main/java/org/cryptomator/siv/org/bouncycastle/crypto/modes/Placeholder.java: -------------------------------------------------------------------------------- 1 | package org.cryptomator.siv.org.bouncycastle.crypto.modes; 2 | 3 | /** 4 | * module-info will be evaluated before maven-shade-plugin, so we need this placeholder 5 | * to avoid complaints about this package being empty. 6 | */ 7 | interface Placeholder { 8 | } 9 | -------------------------------------------------------------------------------- /src/main/java/org/cryptomator/siv/org/bouncycastle/crypto/paddings/Placeholder.java: -------------------------------------------------------------------------------- 1 | package org.cryptomator.siv.org.bouncycastle.crypto.paddings; 2 | 3 | /** 4 | * module-info will be evaluated before maven-shade-plugin, so we need this placeholder 5 | * to avoid complaints about this package being empty. 6 | */ 7 | interface Placeholder { 8 | } 9 | -------------------------------------------------------------------------------- /src/main/java/org/cryptomator/siv/org/bouncycastle/crypto/params/Placeholder.java: -------------------------------------------------------------------------------- 1 | package org.cryptomator.siv.org.bouncycastle.crypto.params; 2 | 3 | /** 4 | * module-info will be evaluated before maven-shade-plugin, so we need this placeholder 5 | * to avoid complaints about this package being empty. 6 | */ 7 | interface Placeholder { 8 | } 9 | -------------------------------------------------------------------------------- /src/main/java/org/cryptomator/siv/org/bouncycastle/util/Placeholder.java: -------------------------------------------------------------------------------- 1 | package org.cryptomator.siv.org.bouncycastle.util; 2 | 3 | /** 4 | * module-info will be evaluated before maven-shade-plugin, so we need this placeholder 5 | * to avoid complaints about this package being empty. 6 | */ 7 | interface Placeholder { 8 | } 9 | -------------------------------------------------------------------------------- /src/main/java/org/cryptomator/siv/package-info.java: -------------------------------------------------------------------------------- 1 | /** 2 | * Java implementation of RFC 5297 SIV Authenticated Encryption. 3 | *

4 | * Use an instance of the {@link org.cryptomator.siv.SivMode} class to 5 | * {@link org.cryptomator.siv.SivMode#encrypt(javax.crypto.SecretKey, javax.crypto.SecretKey, byte[], byte[]...) encrypt} or 6 | * {@link org.cryptomator.siv.SivMode#decrypt(javax.crypto.SecretKey, javax.crypto.SecretKey, byte[], byte[]...) decrypt} data. 7 | */ 8 | package org.cryptomator.siv; -------------------------------------------------------------------------------- /src/main/java9/module-info.java: -------------------------------------------------------------------------------- 1 | module org.cryptomator.siv { 2 | requires static org.bouncycastle.provider; 3 | requires static org.jetbrains.annotations; 4 | 5 | exports org.cryptomator.siv; 6 | exports org.cryptomator.siv.org.bouncycastle.crypto; 7 | exports org.cryptomator.siv.org.bouncycastle.crypto.macs; 8 | exports org.cryptomator.siv.org.bouncycastle.crypto.modes; 9 | exports org.cryptomator.siv.org.bouncycastle.crypto.paddings; 10 | exports org.cryptomator.siv.org.bouncycastle.crypto.params; 11 | exports org.cryptomator.siv.org.bouncycastle.util; 12 | } -------------------------------------------------------------------------------- /src/main/java9/org.cryptomator.siv/ThreadLocals.java: -------------------------------------------------------------------------------- 1 | package org.cryptomator.siv; 2 | 3 | import java.util.function.Supplier; 4 | 5 | class ThreadLocals { 6 | 7 | private ThreadLocals() { 8 | } 9 | 10 | static ThreadLocal withInitial(Supplier supplier) { 11 | return ThreadLocal.withInitial(supplier); 12 | } 13 | 14 | } 15 | -------------------------------------------------------------------------------- /src/test/go/siv-test-vectors.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import "crypto/rand" 4 | import "fmt" 5 | import "encoding/hex" 6 | import "math/big" 7 | import "os" 8 | 9 | import "github.com/jacobsa/crypto/siv" 10 | 11 | func main() { 12 | printTestCases() 13 | } 14 | 15 | // Generate a variety of test cases based on a Go implementation of AES-SIV. 16 | // Output these test cases to STDOUT in a simple text format so that 17 | // implementations in other languages can use them for functional testing. 18 | func printTestCases() { 19 | keyLengths := []int{ 20 | 32, 48, 64, 21 | } 22 | plaintextLengths := []int{ 23 | 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 24 | 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 25 | 32, 41, 58, 67,127,128,129,500, 26 | } 27 | adLengths := []int{ 28 | 0, 1, 2, 3, 4, 8, 36, 63, 126, 29 | } 30 | 31 | // Try to generate all possible edge case combinations 32 | for _, keyLength := range keyLengths { 33 | for _, isKeyZeros := range []bool{false, true} { 34 | for _, plaintextLength := range plaintextLengths { 35 | for _, isPlaintextZeros := range []bool{false, true} { 36 | for _, adLength := range adLengths { 37 | for _, areAdElemsEmpty := range []bool{false, true} { 38 | key := make([]byte, keyLength) 39 | if !isKeyZeros { 40 | // Set key to random bytes 41 | rand.Read(key) 42 | } 43 | 44 | plaintext := make([]byte, plaintextLength) 45 | if !isPlaintextZeros { 46 | // Set plaintext to random bytes 47 | rand.Read(plaintext) 48 | } 49 | 50 | ad := make([][]byte, adLength) 51 | for adIdx := range ad { 52 | if areAdElemsEmpty { 53 | ad[adIdx] = make([]byte, 0) 54 | } else { 55 | randomLen, err := rand.Int(rand.Reader, big.NewInt(128)) 56 | if err != nil { 57 | fmt.Println("rand.Int failed") 58 | os.Exit(7) 59 | } 60 | ad[adIdx] = make([]byte, randomLen.Int64() + 1) 61 | } 62 | 63 | // Fill with random bytes 64 | rand.Read(ad[adIdx]) 65 | } 66 | 67 | printTestCase(key, plaintext, ad) 68 | } 69 | } 70 | } 71 | } 72 | } 73 | } 74 | } 75 | 76 | // Print a single test case to STDOUT. 77 | func printTestCase(key []byte, plaintext []byte, associatedData [][]byte) { 78 | // CTR mode encryption key 79 | fmt.Printf("%s;", hex.EncodeToString(key[len(key)/2:])) 80 | 81 | // MAC (authentication) key 82 | fmt.Printf("%s;", hex.EncodeToString(key[:len(key)/2])) 83 | 84 | // Plaintext 85 | fmt.Printf("%s;", hex.EncodeToString(plaintext)) 86 | 87 | // Additional associated data 88 | fmt.Printf("%v;", len(associatedData)) 89 | for _, adElem := range associatedData { 90 | fmt.Printf("%s;", hex.EncodeToString(adElem)) 91 | } 92 | 93 | // Ciphertext 94 | ciphertext, err := siv.Encrypt(nil, key, plaintext, associatedData) 95 | if err != nil { 96 | fmt.Println("encrypt failed: ", err) 97 | os.Exit(7) 98 | } 99 | fmt.Println(hex.EncodeToString(ciphertext)); 100 | } 101 | -------------------------------------------------------------------------------- /src/test/java/org/cryptomator/siv/BenchmarkTest.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * Copyright (c) 2016 Sebastian Stenzel 3 | * This file is licensed under the terms of the MIT license. 4 | * See the LICENSE.txt file for more info. 5 | * 6 | * Contributors: 7 | * Sebastian Stenzel - initial API and implementation 8 | ******************************************************************************/ 9 | package org.cryptomator.siv; 10 | 11 | import org.junit.jupiter.api.Test; 12 | import org.junit.jupiter.api.condition.EnabledOnJre; 13 | import org.openjdk.jmh.runner.Runner; 14 | import org.openjdk.jmh.runner.RunnerException; 15 | import org.openjdk.jmh.runner.options.Options; 16 | import org.openjdk.jmh.runner.options.OptionsBuilder; 17 | 18 | public class BenchmarkTest { 19 | 20 | @Test 21 | public void runBenchmarks() throws RunnerException { 22 | // Taken from http://stackoverflow.com/a/30486197/4014509: 23 | Options opt = new OptionsBuilder() 24 | // Specify which benchmarks to run 25 | .include(getClass().getPackage().getName() + ".*Benchmark.*") 26 | // Set the following options as needed 27 | .threads(2).forks(2) // 28 | .shouldFailOnError(true).shouldDoGC(true) 29 | // .jvmArgs("-XX:+UnlockDiagnosticVMOptions", "-XX:+PrintInlining") 30 | // .addProfiler(WinPerfAsmProfiler.class) 31 | .build(); 32 | new Runner(opt).run(); 33 | } 34 | 35 | } 36 | -------------------------------------------------------------------------------- /src/test/java/org/cryptomator/siv/CustomCtrComputerTest.java: -------------------------------------------------------------------------------- 1 | package org.cryptomator.siv; 2 | 3 | import org.bouncycastle.crypto.BlockCipher; 4 | import org.bouncycastle.crypto.engines.AESLightEngine; 5 | import org.junit.jupiter.api.Assertions; 6 | import org.junit.jupiter.api.Test; 7 | 8 | public class CustomCtrComputerTest { 9 | 10 | private BlockCipher supplyBlockCipher() { 11 | return new AESLightEngine(); 12 | } 13 | 14 | // CTR-AES https://tools.ietf.org/html/rfc5297#appendix-A.1 15 | @Test 16 | public void testComputeCtr1() { 17 | byte[] ctrKey = {(byte) 0xf0, (byte) 0xf1, (byte) 0xf2, (byte) 0xf3, // 18 | (byte) 0xf4, (byte) 0xf5, (byte) 0xf6, (byte) 0xf7, // 19 | (byte) 0xf8, (byte) 0xf9, (byte) 0xfa, (byte) 0xfb, // 20 | (byte) 0xfc, (byte) 0xfd, (byte) 0xfe, (byte) 0xff}; 21 | 22 | byte[] ctr = {(byte) 0x85, (byte) 0x63, (byte) 0x2d, (byte) 0x07, // 23 | (byte) 0xc6, (byte) 0xe8, (byte) 0xf3, (byte) 0x7f, // 24 | (byte) 0x15, (byte) 0x0a, (byte) 0xcd, (byte) 0x32, // 25 | (byte) 0x0a, (byte) 0x2e, (byte) 0xcc, (byte) 0x93}; 26 | 27 | byte[] expected = {(byte) 0x51, (byte) 0xe2, (byte) 0x18, (byte) 0xd2, // 28 | (byte) 0xc5, (byte) 0xa2, (byte) 0xab, (byte) 0x8c, // 29 | (byte) 0x43, (byte) 0x45, (byte) 0xc4, (byte) 0xa6, // 30 | (byte) 0x23, (byte) 0xb2, (byte) 0xf0, (byte) 0x8f}; 31 | 32 | byte[] result = new CustomCtrComputer(this::supplyBlockCipher).computeCtr(new byte[16], ctrKey, ctr); 33 | Assertions.assertArrayEquals(expected, result); 34 | } 35 | 36 | // CTR-AES https://tools.ietf.org/html/rfc5297#appendix-A.2 37 | @Test 38 | public void testComputeCtr2() { 39 | final byte[] ctrKey = {(byte) 0x40, (byte) 0x41, (byte) 0x42, (byte) 0x43, // 40 | (byte) 0x44, (byte) 0x45, (byte) 0x46, (byte) 0x47, // 41 | (byte) 0x48, (byte) 0x49, (byte) 0x4a, (byte) 0x4b, // 42 | (byte) 0x4c, (byte) 0x4d, (byte) 0x4e, (byte) 0x4f}; 43 | 44 | final byte[] ctr = {(byte) 0x7b, (byte) 0xdb, (byte) 0x6e, (byte) 0x3b, // 45 | (byte) 0x43, (byte) 0x26, (byte) 0x67, (byte) 0xeb, // 46 | (byte) 0x06, (byte) 0xf4, (byte) 0xd1, (byte) 0x4b, // 47 | (byte) 0x7f, (byte) 0x2f, (byte) 0xbd, (byte) 0x0f}; 48 | 49 | final byte[] expected = {(byte) 0xbf, (byte) 0xf8, (byte) 0x66, (byte) 0x5c, // 50 | (byte) 0xfd, (byte) 0xd7, (byte) 0x33, (byte) 0x63, // 51 | (byte) 0x55, (byte) 0x0f, (byte) 0x74, (byte) 0x00, // 52 | (byte) 0xe8, (byte) 0xf9, (byte) 0xd3, (byte) 0x76, // 53 | (byte) 0xb2, (byte) 0xc9, (byte) 0x08, (byte) 0x8e, // 54 | (byte) 0x71, (byte) 0x3b, (byte) 0x86, (byte) 0x17, // 55 | (byte) 0xd8, (byte) 0x83, (byte) 0x92, (byte) 0x26, // 56 | (byte) 0xd9, (byte) 0xf8, (byte) 0x81, (byte) 0x59, // 57 | (byte) 0x9e, (byte) 0x44, (byte) 0xd8, (byte) 0x27, // 58 | (byte) 0x23, (byte) 0x49, (byte) 0x49, (byte) 0xbc, // 59 | (byte) 0x1b, (byte) 0x12, (byte) 0x34, (byte) 0x8e, // 60 | (byte) 0xbc, (byte) 0x19, (byte) 0x5e, (byte) 0xc7}; 61 | 62 | byte[] result = new CustomCtrComputer(this::supplyBlockCipher).computeCtr(new byte[48], ctrKey, ctr); 63 | Assertions.assertArrayEquals(expected, result); 64 | } 65 | 66 | } 67 | -------------------------------------------------------------------------------- /src/test/java/org/cryptomator/siv/EncryptionTestCase.java: -------------------------------------------------------------------------------- 1 | package org.cryptomator.siv; 2 | 3 | import com.google.common.base.Splitter; 4 | import com.google.common.io.BaseEncoding; 5 | 6 | import java.io.BufferedReader; 7 | import java.io.IOException; 8 | import java.io.InputStreamReader; 9 | import java.nio.charset.StandardCharsets; 10 | import java.util.ArrayList; 11 | import java.util.Arrays; 12 | import java.util.List; 13 | import java.util.Optional; 14 | 15 | public class EncryptionTestCase { 16 | 17 | private static int TESTCASE_CTR = 0; 18 | 19 | private final int testCaseNumber; 20 | private final byte[] ctrKey; 21 | private final byte[] macKey; 22 | private final byte[] plaintext; 23 | private final byte[][] additionalData; 24 | private final byte[] ciphertext; 25 | 26 | public EncryptionTestCase(int testCaseNumber, byte[] ctrKey, byte[] macKey, byte[] plaintext, byte[][] additionalData, byte[] ciphertext) { 27 | this.testCaseNumber = testCaseNumber; 28 | this.ctrKey = ctrKey; 29 | this.macKey = macKey; 30 | this.plaintext = plaintext; 31 | this.additionalData = additionalData; 32 | this.ciphertext = ciphertext; 33 | } 34 | 35 | public static EncryptionTestCase fromLine(String line) { 36 | List fields = Splitter.on(';').splitToList(line); 37 | byte[] ctrKey = BaseEncoding.base16().decode(fields.get(0).toUpperCase()); 38 | byte[] macKey = BaseEncoding.base16().decode(fields.get(1).toUpperCase()); 39 | byte[] plaintext = BaseEncoding.base16().decode(fields.get(2).toUpperCase()); 40 | int adCount = Integer.parseInt(fields.get(3)); 41 | byte[][] ad = new byte[adCount][]; 42 | for (int adIdx = 0; adIdx < adCount; adIdx++) { 43 | ad[adIdx] = BaseEncoding.base16().decode(fields.get(4+adIdx).toUpperCase()); 44 | } 45 | byte[] ciphertext = BaseEncoding.base16().decode(fields.get(4+adCount).toUpperCase()); 46 | return new EncryptionTestCase(TESTCASE_CTR++, ctrKey, macKey, plaintext, ad, ciphertext); 47 | } 48 | 49 | public int getTestCaseNumber() { 50 | return testCaseNumber; 51 | } 52 | 53 | public byte[] getCtrKey() { 54 | return Arrays.copyOf(ctrKey, ctrKey.length); 55 | } 56 | 57 | public byte[] getMacKey() { 58 | return Arrays.copyOf(macKey, macKey.length); 59 | } 60 | 61 | public byte[] getPlaintext() { 62 | return Arrays.copyOf(plaintext, plaintext.length); 63 | } 64 | 65 | public byte[][] getAssociatedData() { 66 | final byte[][] result = new byte[additionalData.length][]; 67 | 68 | for (int i = 0; i < additionalData.length; i++) { 69 | result[i] = Arrays.copyOf(additionalData[i], additionalData[i].length); 70 | } 71 | 72 | return result; 73 | } 74 | 75 | public byte[] getCiphertext() { 76 | return Arrays.copyOf(ciphertext, ciphertext.length); 77 | } 78 | } 79 | -------------------------------------------------------------------------------- /src/test/java/org/cryptomator/siv/JceAesBlockCipherTest.java: -------------------------------------------------------------------------------- 1 | package org.cryptomator.siv; 2 | /******************************************************************************* 3 | * Copyright (c) 2016 Sebastian Stenzel 4 | * This file is licensed under the terms of the MIT license. 5 | * See the LICENSE.txt file for more info. 6 | * 7 | * Contributors: 8 | * Sebastian Stenzel - initial API and implementation 9 | ******************************************************************************/ 10 | 11 | import org.bouncycastle.crypto.CipherParameters; 12 | import org.bouncycastle.crypto.DataLengthException; 13 | import org.bouncycastle.crypto.params.AsymmetricKeyParameter; 14 | import org.bouncycastle.crypto.params.KeyParameter; 15 | import org.hamcrest.CoreMatchers; 16 | import org.hamcrest.MatcherAssert; 17 | import org.junit.jupiter.api.Assertions; 18 | import org.junit.jupiter.api.Test; 19 | 20 | import java.security.Provider; 21 | import java.security.Security; 22 | 23 | public class JceAesBlockCipherTest { 24 | 25 | @Test 26 | public void testInitWithNullParam() { 27 | JceAesBlockCipher cipher = new JceAesBlockCipher(); 28 | CipherParameters params = null; 29 | IllegalArgumentException e = Assertions.assertThrows(IllegalArgumentException.class, () -> { 30 | cipher.init(true, params); 31 | }); 32 | MatcherAssert.assertThat(e.getMessage(), CoreMatchers.containsString("missing parameter of type KeyParameter")); 33 | } 34 | 35 | @Test 36 | public void testInitWithMissingKey() { 37 | JceAesBlockCipher cipher = new JceAesBlockCipher(); 38 | CipherParameters params = new AsymmetricKeyParameter(true); 39 | IllegalArgumentException e = Assertions.assertThrows(IllegalArgumentException.class, () -> { 40 | cipher.init(true, params); 41 | }); 42 | MatcherAssert.assertThat(e.getMessage(), CoreMatchers.containsString("missing parameter of type KeyParameter")); 43 | } 44 | 45 | @Test 46 | public void testInitWithInvalidKey() { 47 | JceAesBlockCipher cipher = new JceAesBlockCipher(); 48 | CipherParameters params = new KeyParameter(new byte[7]); 49 | IllegalArgumentException e = Assertions.assertThrows(IllegalArgumentException.class, () -> { 50 | cipher.init(true, params); 51 | }); 52 | MatcherAssert.assertThat(e.getMessage(), CoreMatchers.containsString("Invalid key")); 53 | } 54 | 55 | @Test 56 | public void testInitForEncryption() { 57 | JceAesBlockCipher cipher = new JceAesBlockCipher(); 58 | CipherParameters params = new KeyParameter(new byte[16]); 59 | Assertions.assertDoesNotThrow(() -> { 60 | cipher.init(true, params); 61 | }); 62 | } 63 | 64 | @Test 65 | public void testInitForEncryptionWithProvider() { 66 | JceAesBlockCipher cipher = new JceAesBlockCipher(getSunJceProvider()); 67 | CipherParameters params = new KeyParameter(new byte[16]); 68 | Assertions.assertDoesNotThrow(() -> { 69 | cipher.init(true, params); 70 | }); 71 | } 72 | 73 | @Test 74 | public void testInitForDecryption() { 75 | JceAesBlockCipher cipher = new JceAesBlockCipher(); 76 | CipherParameters params = new KeyParameter(new byte[16]); 77 | Assertions.assertDoesNotThrow(() -> { 78 | cipher.init(false, params); 79 | }); 80 | } 81 | 82 | @Test 83 | public void testInitForDecryptionWithProvider() { 84 | JceAesBlockCipher cipher = new JceAesBlockCipher(getSunJceProvider()); 85 | CipherParameters params = new KeyParameter(new byte[16]); 86 | Assertions.assertDoesNotThrow(() -> { 87 | cipher.init(false, params); 88 | }); 89 | } 90 | 91 | private Provider getSunJceProvider() { 92 | Provider provider = Security.getProvider("SunJCE"); 93 | Assertions.assertNotNull(provider); 94 | return provider; 95 | } 96 | 97 | @Test 98 | public void testGetAlgorithmName() { 99 | JceAesBlockCipher cipher = new JceAesBlockCipher(); 100 | Assertions.assertEquals("AES", cipher.getAlgorithmName()); 101 | } 102 | 103 | @Test 104 | public void testGetBlockSize() { 105 | JceAesBlockCipher cipher = new JceAesBlockCipher(); 106 | Assertions.assertEquals(16, cipher.getBlockSize()); 107 | } 108 | 109 | @Test 110 | public void testProcessBlockWithUninitializedCipher() { 111 | JceAesBlockCipher cipher = new JceAesBlockCipher(); 112 | Assertions.assertThrows(IllegalStateException.class, () -> { 113 | cipher.processBlock(new byte[16], 0, new byte[16], 0); 114 | }); 115 | } 116 | 117 | @Test 118 | public void testProcessBlockWithInsufficientInput() { 119 | JceAesBlockCipher cipher = new JceAesBlockCipher(); 120 | cipher.init(true, new KeyParameter(new byte[16])); 121 | DataLengthException e = Assertions.assertThrows(DataLengthException.class, () -> { 122 | cipher.processBlock(new byte[16], 1, new byte[16], 0); 123 | }); 124 | MatcherAssert.assertThat(e.getMessage(), CoreMatchers.containsString("Insufficient data in 'in'")); 125 | } 126 | 127 | @Test 128 | public void testProcessBlockWithInsufficientOutput() { 129 | JceAesBlockCipher cipher = new JceAesBlockCipher(); 130 | cipher.init(true, new KeyParameter(new byte[16])); 131 | DataLengthException e = Assertions.assertThrows(DataLengthException.class, () -> { 132 | cipher.processBlock(new byte[16], 0, new byte[16], 1); 133 | }); 134 | MatcherAssert.assertThat(e.getMessage(), CoreMatchers.containsString("Insufficient space in 'out'")); 135 | } 136 | 137 | @Test 138 | public void testProcessBlock() { 139 | testProcessBlock(new JceAesBlockCipher()); 140 | } 141 | 142 | @Test 143 | public void testProcessBlockWithProvider() { 144 | testProcessBlock(new JceAesBlockCipher(getSunJceProvider())); 145 | } 146 | 147 | private void testProcessBlock(JceAesBlockCipher cipher) { 148 | cipher.init(true, new KeyParameter(new byte[16])); 149 | byte[] ciphertext = new byte[16]; 150 | int encrypted = cipher.processBlock(new byte[20], 0, ciphertext, 0); 151 | Assertions.assertEquals(16, encrypted); 152 | 153 | cipher.init(false, new KeyParameter(new byte[16])); 154 | byte[] cleartext = new byte[16]; 155 | int decrypted = cipher.processBlock(ciphertext, 0, cleartext, 0); 156 | Assertions.assertEquals(16, decrypted); 157 | Assertions.assertArrayEquals(new byte[16], cleartext); 158 | } 159 | 160 | @Test 161 | public void testResetBeforeInitDoesNotThrowExceptions() { 162 | JceAesBlockCipher cipher = new JceAesBlockCipher(); 163 | Assertions.assertDoesNotThrow(cipher::reset); 164 | } 165 | 166 | @Test 167 | public void testResetAfterInitDoesNotThrowExceptions() { 168 | JceAesBlockCipher cipher = new JceAesBlockCipher(); 169 | cipher.init(true, new KeyParameter(new byte[16])); 170 | Assertions.assertDoesNotThrow(cipher::reset); 171 | } 172 | 173 | } 174 | -------------------------------------------------------------------------------- /src/test/java/org/cryptomator/siv/JceAesCtrComputerTest.java: -------------------------------------------------------------------------------- 1 | package org.cryptomator.siv; 2 | 3 | import org.junit.jupiter.api.Assertions; 4 | import org.junit.jupiter.api.Test; 5 | 6 | public class JceAesCtrComputerTest { 7 | 8 | // CTR-AES https://tools.ietf.org/html/rfc5297#appendix-A.1 9 | @Test 10 | public void testComputeCtr1() { 11 | byte[] ctrKey = {(byte) 0xf0, (byte) 0xf1, (byte) 0xf2, (byte) 0xf3, // 12 | (byte) 0xf4, (byte) 0xf5, (byte) 0xf6, (byte) 0xf7, // 13 | (byte) 0xf8, (byte) 0xf9, (byte) 0xfa, (byte) 0xfb, // 14 | (byte) 0xfc, (byte) 0xfd, (byte) 0xfe, (byte) 0xff}; 15 | 16 | byte[] ctr = {(byte) 0x85, (byte) 0x63, (byte) 0x2d, (byte) 0x07, // 17 | (byte) 0xc6, (byte) 0xe8, (byte) 0xf3, (byte) 0x7f, // 18 | (byte) 0x15, (byte) 0x0a, (byte) 0xcd, (byte) 0x32, // 19 | (byte) 0x0a, (byte) 0x2e, (byte) 0xcc, (byte) 0x93}; 20 | 21 | byte[] expected = {(byte) 0x51, (byte) 0xe2, (byte) 0x18, (byte) 0xd2, // 22 | (byte) 0xc5, (byte) 0xa2, (byte) 0xab, (byte) 0x8c, // 23 | (byte) 0x43, (byte) 0x45, (byte) 0xc4, (byte) 0xa6, // 24 | (byte) 0x23, (byte) 0xb2, (byte) 0xf0, (byte) 0x8f}; 25 | 26 | byte[] result = new JceAesCtrComputer(null).computeCtr(new byte[16], ctrKey, ctr); 27 | Assertions.assertArrayEquals(expected, result); 28 | } 29 | 30 | // CTR-AES https://tools.ietf.org/html/rfc5297#appendix-A.2 31 | @Test 32 | public void testComputeCtr2() { 33 | final byte[] ctrKey = {(byte) 0x40, (byte) 0x41, (byte) 0x42, (byte) 0x43, // 34 | (byte) 0x44, (byte) 0x45, (byte) 0x46, (byte) 0x47, // 35 | (byte) 0x48, (byte) 0x49, (byte) 0x4a, (byte) 0x4b, // 36 | (byte) 0x4c, (byte) 0x4d, (byte) 0x4e, (byte) 0x4f}; 37 | 38 | final byte[] ctr = {(byte) 0x7b, (byte) 0xdb, (byte) 0x6e, (byte) 0x3b, // 39 | (byte) 0x43, (byte) 0x26, (byte) 0x67, (byte) 0xeb, // 40 | (byte) 0x06, (byte) 0xf4, (byte) 0xd1, (byte) 0x4b, // 41 | (byte) 0x7f, (byte) 0x2f, (byte) 0xbd, (byte) 0x0f}; 42 | 43 | final byte[] expected = {(byte) 0xbf, (byte) 0xf8, (byte) 0x66, (byte) 0x5c, // 44 | (byte) 0xfd, (byte) 0xd7, (byte) 0x33, (byte) 0x63, // 45 | (byte) 0x55, (byte) 0x0f, (byte) 0x74, (byte) 0x00, // 46 | (byte) 0xe8, (byte) 0xf9, (byte) 0xd3, (byte) 0x76, // 47 | (byte) 0xb2, (byte) 0xc9, (byte) 0x08, (byte) 0x8e, // 48 | (byte) 0x71, (byte) 0x3b, (byte) 0x86, (byte) 0x17, // 49 | (byte) 0xd8, (byte) 0x83, (byte) 0x92, (byte) 0x26, // 50 | (byte) 0xd9, (byte) 0xf8, (byte) 0x81, (byte) 0x59, // 51 | (byte) 0x9e, (byte) 0x44, (byte) 0xd8, (byte) 0x27, // 52 | (byte) 0x23, (byte) 0x49, (byte) 0x49, (byte) 0xbc, // 53 | (byte) 0x1b, (byte) 0x12, (byte) 0x34, (byte) 0x8e, // 54 | (byte) 0xbc, (byte) 0x19, (byte) 0x5e, (byte) 0xc7}; 55 | 56 | byte[] result = new JceAesCtrComputer(null).computeCtr(new byte[48], ctrKey, ctr); 57 | Assertions.assertArrayEquals(expected, result); 58 | } 59 | 60 | } 61 | -------------------------------------------------------------------------------- /src/test/java/org/cryptomator/siv/SivModeBenchmark.java: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * Copyright (c) 2016 Sebastian Stenzel 3 | * This file is licensed under the terms of the MIT license. 4 | * See the LICENSE.txt file for more info. 5 | * 6 | * Contributors: 7 | * Sebastian Stenzel - initial API and implementation 8 | ******************************************************************************/ 9 | package org.cryptomator.siv; 10 | 11 | import org.bouncycastle.crypto.BlockCipher; 12 | import org.bouncycastle.crypto.engines.AESFastEngine; 13 | import org.bouncycastle.crypto.engines.AESLightEngine; 14 | import org.cryptomator.siv.SivMode.BlockCipherFactory; 15 | import org.junit.jupiter.api.Assertions; 16 | import org.openjdk.jmh.annotations.Benchmark; 17 | import org.openjdk.jmh.annotations.BenchmarkMode; 18 | import org.openjdk.jmh.annotations.Level; 19 | import org.openjdk.jmh.annotations.Measurement; 20 | import org.openjdk.jmh.annotations.Mode; 21 | import org.openjdk.jmh.annotations.OutputTimeUnit; 22 | import org.openjdk.jmh.annotations.Scope; 23 | import org.openjdk.jmh.annotations.Setup; 24 | import org.openjdk.jmh.annotations.State; 25 | import org.openjdk.jmh.annotations.Warmup; 26 | import org.openjdk.jmh.infra.Blackhole; 27 | 28 | import javax.crypto.IllegalBlockSizeException; 29 | import java.util.Arrays; 30 | import java.util.concurrent.TimeUnit; 31 | 32 | /** 33 | * Needs to be compiled via maven as the JMH annotation processor needs to do stuff... 34 | */ 35 | @SuppressWarnings("deprecation") 36 | @State(Scope.Thread) 37 | @Warmup(iterations = 3, time = 300, timeUnit = TimeUnit.MILLISECONDS) 38 | @Measurement(iterations = 2, time = 500, timeUnit = TimeUnit.MILLISECONDS) 39 | @BenchmarkMode(value = {Mode.AverageTime}) 40 | @OutputTimeUnit(TimeUnit.MICROSECONDS) 41 | public class SivModeBenchmark { 42 | 43 | private int run; 44 | private final byte[] encKey = new byte[16]; 45 | private final byte[] macKey = new byte[16]; 46 | private final byte[] cleartextData = new byte[1000]; 47 | private final byte[] associatedData = new byte[100]; 48 | 49 | private final SivMode jceSivMode = new SivMode(); 50 | private final SivMode bcFastSivMode = new SivMode(new BlockCipherFactory() { 51 | 52 | @Override 53 | public BlockCipher create() { 54 | return new AESFastEngine(); 55 | } 56 | 57 | }); 58 | private final SivMode bcLightSivMode = new SivMode(new BlockCipherFactory() { 59 | 60 | @Override 61 | public BlockCipher create() { 62 | return new AESLightEngine(); 63 | } 64 | 65 | }); 66 | 67 | @Setup(Level.Trial) 68 | public void shuffleData() { 69 | run++; 70 | Arrays.fill(encKey, (byte) (run & 0xFF)); 71 | Arrays.fill(macKey, (byte) (run & 0xFF)); 72 | Arrays.fill(cleartextData, (byte) (run & 0xFF)); 73 | Arrays.fill(associatedData, (byte) (run & 0xFF)); 74 | } 75 | 76 | @Benchmark 77 | public void benchmarkJce(Blackhole bh) throws UnauthenticCiphertextException, IllegalBlockSizeException { 78 | byte[] encrypted = jceSivMode.encrypt(encKey, macKey, cleartextData, associatedData); 79 | byte[] decrypted = jceSivMode.decrypt(encKey, macKey, encrypted, associatedData); 80 | Assertions.assertArrayEquals(cleartextData, decrypted); 81 | bh.consume(encrypted); 82 | bh.consume(decrypted); 83 | } 84 | 85 | @Benchmark 86 | public void benchmarkBcFast(Blackhole bh) throws UnauthenticCiphertextException, IllegalBlockSizeException { 87 | byte[] encrypted = bcFastSivMode.encrypt(encKey, macKey, cleartextData, associatedData); 88 | byte[] decrypted = bcFastSivMode.decrypt(encKey, macKey, encrypted, associatedData); 89 | Assertions.assertArrayEquals(cleartextData, decrypted); 90 | bh.consume(encrypted); 91 | bh.consume(decrypted); 92 | } 93 | 94 | @Benchmark 95 | public void benchmarkBcLight(Blackhole bh) throws UnauthenticCiphertextException, IllegalBlockSizeException { 96 | byte[] encrypted = bcLightSivMode.encrypt(encKey, macKey, cleartextData, associatedData); 97 | byte[] decrypted = bcLightSivMode.decrypt(encKey, macKey, encrypted, associatedData); 98 | Assertions.assertArrayEquals(cleartextData, decrypted); 99 | bh.consume(encrypted); 100 | bh.consume(decrypted); 101 | } 102 | 103 | } 104 | -------------------------------------------------------------------------------- /src/test/java/org/cryptomator/siv/SivModeTest.java: -------------------------------------------------------------------------------- 1 | package org.cryptomator.siv; 2 | /******************************************************************************* 3 | * Copyright (c) 2015 Sebastian Stenzel 4 | * This file is licensed under the terms of the MIT license. 5 | * See the LICENSE.txt file for more info. 6 | * 7 | * Contributors: 8 | * Sebastian Stenzel - initial API and implementation 9 | ******************************************************************************/ 10 | 11 | import org.bouncycastle.crypto.engines.AESLightEngine; 12 | import org.bouncycastle.crypto.engines.DESEngine; 13 | import org.cryptomator.siv.SivMode.BlockCipherFactory; 14 | import org.hamcrest.CoreMatchers; 15 | import org.hamcrest.MatcherAssert; 16 | import org.junit.jupiter.api.Assertions; 17 | import org.junit.jupiter.api.DynamicContainer; 18 | import org.junit.jupiter.api.DynamicTest; 19 | import org.junit.jupiter.api.Test; 20 | import org.junit.jupiter.api.TestFactory; 21 | import org.junit.jupiter.params.ParameterizedTest; 22 | import org.junit.jupiter.params.provider.ValueSource; 23 | import org.mockito.Mockito; 24 | 25 | import javax.crypto.IllegalBlockSizeException; 26 | import javax.crypto.SecretKey; 27 | import javax.crypto.spec.SecretKeySpec; 28 | import java.io.BufferedReader; 29 | import java.io.IOException; 30 | import java.io.InputStream; 31 | import java.io.InputStreamReader; 32 | import java.io.Reader; 33 | import java.io.UncheckedIOException; 34 | import java.nio.charset.StandardCharsets; 35 | import java.security.Provider; 36 | import java.security.Security; 37 | import java.util.Arrays; 38 | import java.util.stream.Stream; 39 | 40 | /** 41 | * Official RFC 5297 test vector taken from https://tools.ietf.org/html/rfc5297#appendix-A.1 and https://tools.ietf.org/html/rfc5297#appendix-A.2 42 | */ 43 | public class SivModeTest { 44 | 45 | @Test 46 | public void testEncryptWithInvalidKey1() { 47 | SecretKey key1 = Mockito.mock(SecretKey.class); 48 | Mockito.when(key1.getEncoded()).thenReturn(null); 49 | SecretKey key2 = Mockito.mock(SecretKey.class); 50 | Mockito.when(key2.getEncoded()).thenReturn(new byte[16]); 51 | 52 | SivMode sivMode = new SivMode(); 53 | Assertions.assertThrows(IllegalArgumentException.class, () -> { 54 | sivMode.encrypt(key1, key2, new byte[10]); 55 | }); 56 | } 57 | 58 | @Test 59 | public void testEncryptWithInvalidKey2() { 60 | SecretKey key1 = Mockito.mock(SecretKey.class); 61 | Mockito.when(key1.getEncoded()).thenReturn(new byte[16]); 62 | SecretKey key2 = Mockito.mock(SecretKey.class); 63 | Mockito.when(key2.getEncoded()).thenReturn(null); 64 | 65 | SivMode sivMode = new SivMode(); 66 | Assertions.assertThrows(IllegalArgumentException.class, () -> { 67 | sivMode.encrypt(key1, key2, new byte[10]); 68 | }); 69 | } 70 | 71 | @Test 72 | public void testEncryptWithInvalidKey3() { 73 | SecretKey key = Mockito.mock(SecretKey.class); 74 | Mockito.when(key.getEncoded()).thenReturn(new byte[13]); 75 | 76 | SivMode sivMode = new SivMode(); 77 | Assertions.assertThrows(IllegalArgumentException.class, () -> { 78 | sivMode.encrypt(key, new byte[10]); 79 | }); 80 | } 81 | 82 | @Test 83 | public void testInvalidCipher1() { 84 | BlockCipherFactory factory = () -> null; 85 | 86 | Assertions.assertThrows(NullPointerException.class, () -> { 87 | new SivMode(factory); 88 | }); 89 | } 90 | 91 | @Test 92 | public void testInvalidCipher2() { 93 | BlockCipherFactory factory = DESEngine::new; // wrong block size 94 | 95 | IllegalArgumentException e = Assertions.assertThrows(IllegalArgumentException.class, () -> { 96 | new SivMode(factory); 97 | }); 98 | MatcherAssert.assertThat(e.getMessage(), CoreMatchers.containsString("cipherFactory must create BlockCipher objects with a 16-byte block size")); 99 | } 100 | 101 | @Test 102 | public void testDecryptWithInvalidKey1() { 103 | SecretKey key1 = Mockito.mock(SecretKey.class); 104 | Mockito.when(key1.getEncoded()).thenReturn(null); 105 | SecretKey key2 = Mockito.mock(SecretKey.class); 106 | Mockito.when(key2.getEncoded()).thenReturn(new byte[16]); 107 | 108 | SivMode sivMode = new SivMode(); 109 | Assertions.assertThrows(IllegalArgumentException.class, () -> { 110 | sivMode.decrypt(key1, key2, new byte[16]); 111 | }); 112 | } 113 | 114 | @Test 115 | public void testDecryptWithInvalidKey2() { 116 | SecretKey key1 = Mockito.mock(SecretKey.class); 117 | Mockito.when(key1.getEncoded()).thenReturn(new byte[16]); 118 | SecretKey key2 = Mockito.mock(SecretKey.class); 119 | Mockito.when(key2.getEncoded()).thenReturn(null); 120 | 121 | SivMode sivMode = new SivMode(); 122 | Assertions.assertThrows(IllegalArgumentException.class, () -> { 123 | sivMode.decrypt(key1, key2, new byte[10]); 124 | }); 125 | } 126 | 127 | @Test 128 | public void testDecryptWithInvalidKey3() { 129 | SecretKey key = Mockito.mock(SecretKey.class); 130 | Mockito.when(key.getEncoded()).thenReturn(new byte[13]); 131 | 132 | SivMode sivMode = new SivMode(); 133 | Assertions.assertThrows(IllegalArgumentException.class, () -> { 134 | sivMode.decrypt(key, new byte[10]); 135 | }); 136 | } 137 | 138 | @Test 139 | public void testDecryptWithInvalidBlockSize() { 140 | final byte[] dummyKey = new byte[16]; 141 | final SecretKey ctrKey = new SecretKeySpec(dummyKey, "AES"); 142 | final SecretKey macKey = new SecretKeySpec(dummyKey, "AES"); 143 | 144 | SivMode sivMode = new SivMode(); 145 | Assertions.assertThrows(IllegalBlockSizeException.class, () -> { 146 | sivMode.decrypt(ctrKey, macKey, new byte[10]); 147 | }); 148 | } 149 | 150 | @Test 151 | public void testEncryptAssociatedDataLimit() { 152 | final byte[] ctrKey = new byte[16]; 153 | final byte[] macKey = new byte[16]; 154 | final byte[] plaintext = new byte[30]; 155 | 156 | SivMode sivMode = new SivMode(); 157 | Assertions.assertThrows(IllegalArgumentException.class, () -> { 158 | sivMode.encrypt(ctrKey, macKey, plaintext, new byte[127][0]); 159 | }); 160 | } 161 | 162 | @Test 163 | public void testDecryptAssociatedDataLimit() { 164 | final byte[] ctrKey = new byte[16]; 165 | final byte[] macKey = new byte[16]; 166 | final byte[] plaintext = new byte[80]; 167 | 168 | SivMode sivMode = new SivMode(); 169 | Assertions.assertThrows(IllegalArgumentException.class, () -> { 170 | sivMode.decrypt(ctrKey, macKey, plaintext, new byte[127][0]); 171 | }); 172 | } 173 | 174 | // CTR-AES https://tools.ietf.org/html/rfc5297#appendix-A.1 175 | @Test 176 | public void testComputeCtr1() { 177 | final byte[] ctrKey = {(byte) 0xf0, (byte) 0xf1, (byte) 0xf2, (byte) 0xf3, // 178 | (byte) 0xf4, (byte) 0xf5, (byte) 0xf6, (byte) 0xf7, // 179 | (byte) 0xf8, (byte) 0xf9, (byte) 0xfa, (byte) 0xfb, // 180 | (byte) 0xfc, (byte) 0xfd, (byte) 0xfe, (byte) 0xff}; 181 | 182 | final byte[] ctr = {(byte) 0x85, (byte) 0x63, (byte) 0x2d, (byte) 0x07, // 183 | (byte) 0xc6, (byte) 0xe8, (byte) 0xf3, (byte) 0x7f, // 184 | (byte) 0x15, (byte) 0x0a, (byte) 0xcd, (byte) 0x32, // 185 | (byte) 0x0a, (byte) 0x2e, (byte) 0xcc, (byte) 0x93}; 186 | 187 | final byte[] expected = {(byte) 0x51, (byte) 0xe2, (byte) 0x18, (byte) 0xd2, // 188 | (byte) 0xc5, (byte) 0xa2, (byte) 0xab, (byte) 0x8c, // 189 | (byte) 0x43, (byte) 0x45, (byte) 0xc4, (byte) 0xa6, // 190 | (byte) 0x23, (byte) 0xb2, (byte) 0xf0, (byte) 0x8f}; 191 | 192 | final byte[] result = new SivMode().computeCtr(new byte[16], ctrKey, ctr); 193 | Assertions.assertArrayEquals(expected, result); 194 | 195 | final byte[] sunJceResult = new SivMode(getSunJceProvider()).computeCtr(new byte[16], ctrKey, ctr); 196 | Assertions.assertArrayEquals(expected, sunJceResult); 197 | 198 | final byte[] bcResult = new SivMode(AESLightEngine::new).computeCtr(new byte[16], ctrKey, ctr); 199 | Assertions.assertArrayEquals(expected, bcResult); 200 | } 201 | 202 | // CTR-AES https://tools.ietf.org/html/rfc5297#appendix-A.2 203 | @Test 204 | public void testComputeCtr2() { 205 | final byte[] ctrKey = {(byte) 0x40, (byte) 0x41, (byte) 0x42, (byte) 0x43, // 206 | (byte) 0x44, (byte) 0x45, (byte) 0x46, (byte) 0x47, // 207 | (byte) 0x48, (byte) 0x49, (byte) 0x4a, (byte) 0x4b, // 208 | (byte) 0x4c, (byte) 0x4d, (byte) 0x4e, (byte) 0x4f}; 209 | 210 | final byte[] ctr = {(byte) 0x7b, (byte) 0xdb, (byte) 0x6e, (byte) 0x3b, // 211 | (byte) 0x43, (byte) 0x26, (byte) 0x67, (byte) 0xeb, // 212 | (byte) 0x06, (byte) 0xf4, (byte) 0xd1, (byte) 0x4b, // 213 | (byte) 0x7f, (byte) 0x2f, (byte) 0xbd, (byte) 0x0f}; 214 | 215 | final byte[] expected = {(byte) 0xbf, (byte) 0xf8, (byte) 0x66, (byte) 0x5c, // 216 | (byte) 0xfd, (byte) 0xd7, (byte) 0x33, (byte) 0x63, // 217 | (byte) 0x55, (byte) 0x0f, (byte) 0x74, (byte) 0x00, // 218 | (byte) 0xe8, (byte) 0xf9, (byte) 0xd3, (byte) 0x76, // 219 | (byte) 0xb2, (byte) 0xc9, (byte) 0x08, (byte) 0x8e, // 220 | (byte) 0x71, (byte) 0x3b, (byte) 0x86, (byte) 0x17, // 221 | (byte) 0xd8, (byte) 0x83, (byte) 0x92, (byte) 0x26, // 222 | (byte) 0xd9, (byte) 0xf8, (byte) 0x81, (byte) 0x59, // 223 | (byte) 0x9e, (byte) 0x44, (byte) 0xd8, (byte) 0x27, // 224 | (byte) 0x23, (byte) 0x49, (byte) 0x49, (byte) 0xbc, // 225 | (byte) 0x1b, (byte) 0x12, (byte) 0x34, (byte) 0x8e, // 226 | (byte) 0xbc, (byte) 0x19, (byte) 0x5e, (byte) 0xc7}; 227 | 228 | final byte[] result = new SivMode().computeCtr(new byte[48], ctrKey, ctr); 229 | Assertions.assertArrayEquals(expected, result); 230 | } 231 | 232 | @Test 233 | public void testS2v() { 234 | final byte[] macKey = {(byte) 0xff, (byte) 0xfe, (byte) 0xfd, (byte) 0xfc, // 235 | (byte) 0xfb, (byte) 0xfa, (byte) 0xf9, (byte) 0xf8, // 236 | (byte) 0xf7, (byte) 0xf6, (byte) 0xf5, (byte) 0xf4, // 237 | (byte) 0xf3, (byte) 0xf2, (byte) 0xf1, (byte) 0xf0}; 238 | 239 | final byte[] ad = {(byte) 0x10, (byte) 0x11, (byte) 0x12, (byte) 0x13, // 240 | (byte) 0x14, (byte) 0x15, (byte) 0x16, (byte) 0x17, // 241 | (byte) 0x18, (byte) 0x19, (byte) 0x1a, (byte) 0x1b, // 242 | (byte) 0x1c, (byte) 0x1d, (byte) 0x1e, (byte) 0x1f, // 243 | (byte) 0x20, (byte) 0x21, (byte) 0x22, (byte) 0x23, // 244 | (byte) 0x24, (byte) 0x25, (byte) 0x26, (byte) 0x27}; 245 | 246 | final byte[] plaintext = {(byte) 0x11, (byte) 0x22, (byte) 0x33, (byte) 0x44, // 247 | (byte) 0x55, (byte) 0x66, (byte) 0x77, (byte) 0x88, // 248 | (byte) 0x99, (byte) 0xaa, (byte) 0xbb, (byte) 0xcc, // 249 | (byte) 0xdd, (byte) 0xee}; 250 | 251 | final byte[] expected = {(byte) 0x85, (byte) 0x63, (byte) 0x2d, (byte) 0x07, // 252 | (byte) 0xc6, (byte) 0xe8, (byte) 0xf3, (byte) 0x7f, // 253 | (byte) 0x95, (byte) 0x0a, (byte) 0xcd, (byte) 0x32, // 254 | (byte) 0x0a, (byte) 0x2e, (byte) 0xcc, (byte) 0x93}; 255 | 256 | final byte[] result = new SivMode().s2v(macKey, plaintext, ad); 257 | Assertions.assertArrayEquals(expected, result); 258 | 259 | final byte[] resultProvider = new SivMode(getSunJceProvider()).s2v(macKey, plaintext, ad); 260 | Assertions.assertArrayEquals(expected, resultProvider); 261 | } 262 | 263 | @Test 264 | public void testSivEncrypt() { 265 | final byte[] macKey = {(byte) 0xff, (byte) 0xfe, (byte) 0xfd, (byte) 0xfc, // 266 | (byte) 0xfb, (byte) 0xfa, (byte) 0xf9, (byte) 0xf8, // 267 | (byte) 0xf7, (byte) 0xf6, (byte) 0xf5, (byte) 0xf4, // 268 | (byte) 0xf3, (byte) 0xf2, (byte) 0xf1, (byte) 0xf0}; 269 | 270 | final byte[] aesKey = {(byte) 0xf0, (byte) 0xf1, (byte) 0xf2, (byte) 0xf3, // 271 | (byte) 0xf4, (byte) 0xf5, (byte) 0xf6, (byte) 0xf7, // 272 | (byte) 0xf8, (byte) 0xf9, (byte) 0xfa, (byte) 0xfb, // 273 | (byte) 0xfc, (byte) 0xfd, (byte) 0xfe, (byte) 0xff}; 274 | 275 | final byte[] ad = {(byte) 0x10, (byte) 0x11, (byte) 0x12, (byte) 0x13, // 276 | (byte) 0x14, (byte) 0x15, (byte) 0x16, (byte) 0x17, // 277 | (byte) 0x18, (byte) 0x19, (byte) 0x1a, (byte) 0x1b, // 278 | (byte) 0x1c, (byte) 0x1d, (byte) 0x1e, (byte) 0x1f, // 279 | (byte) 0x20, (byte) 0x21, (byte) 0x22, (byte) 0x23, // 280 | (byte) 0x24, (byte) 0x25, (byte) 0x26, (byte) 0x27}; 281 | 282 | final byte[] plaintext = {(byte) 0x11, (byte) 0x22, (byte) 0x33, (byte) 0x44, // 283 | (byte) 0x55, (byte) 0x66, (byte) 0x77, (byte) 0x88, // 284 | (byte) 0x99, (byte) 0xaa, (byte) 0xbb, (byte) 0xcc, // 285 | (byte) 0xdd, (byte) 0xee}; 286 | 287 | final byte[] expected = {(byte) 0x85, (byte) 0x63, (byte) 0x2d, (byte) 0x07, // 288 | (byte) 0xc6, (byte) 0xe8, (byte) 0xf3, (byte) 0x7f, // 289 | (byte) 0x95, (byte) 0x0a, (byte) 0xcd, (byte) 0x32, // 290 | (byte) 0x0a, (byte) 0x2e, (byte) 0xcc, (byte) 0x93, // 291 | (byte) 0x40, (byte) 0xc0, (byte) 0x2b, (byte) 0x96, // 292 | (byte) 0x90, (byte) 0xc4, (byte) 0xdc, (byte) 0x04, // 293 | (byte) 0xda, (byte) 0xef, (byte) 0x7f, (byte) 0x6a, // 294 | (byte) 0xfe, (byte) 0x5c}; 295 | 296 | final byte[] result = new SivMode().encrypt(aesKey, macKey, plaintext, ad); 297 | Assertions.assertArrayEquals(expected, result); 298 | } 299 | 300 | @Test 301 | public void testSivDecrypt() throws UnauthenticCiphertextException, IllegalBlockSizeException { 302 | final byte[] macKey = {(byte) 0xff, (byte) 0xfe, (byte) 0xfd, (byte) 0xfc, // 303 | (byte) 0xfb, (byte) 0xfa, (byte) 0xf9, (byte) 0xf8, // 304 | (byte) 0xf7, (byte) 0xf6, (byte) 0xf5, (byte) 0xf4, // 305 | (byte) 0xf3, (byte) 0xf2, (byte) 0xf1, (byte) 0xf0}; 306 | 307 | final byte[] aesKey = {(byte) 0xf0, (byte) 0xf1, (byte) 0xf2, (byte) 0xf3, // 308 | (byte) 0xf4, (byte) 0xf5, (byte) 0xf6, (byte) 0xf7, // 309 | (byte) 0xf8, (byte) 0xf9, (byte) 0xfa, (byte) 0xfb, // 310 | (byte) 0xfc, (byte) 0xfd, (byte) 0xfe, (byte) 0xff}; 311 | 312 | final byte[] ad = {(byte) 0x10, (byte) 0x11, (byte) 0x12, (byte) 0x13, // 313 | (byte) 0x14, (byte) 0x15, (byte) 0x16, (byte) 0x17, // 314 | (byte) 0x18, (byte) 0x19, (byte) 0x1a, (byte) 0x1b, // 315 | (byte) 0x1c, (byte) 0x1d, (byte) 0x1e, (byte) 0x1f, // 316 | (byte) 0x20, (byte) 0x21, (byte) 0x22, (byte) 0x23, // 317 | (byte) 0x24, (byte) 0x25, (byte) 0x26, (byte) 0x27}; 318 | 319 | final byte[] ciphertext = {(byte) 0x85, (byte) 0x63, (byte) 0x2d, (byte) 0x07, // 320 | (byte) 0xc6, (byte) 0xe8, (byte) 0xf3, (byte) 0x7f, // 321 | (byte) 0x95, (byte) 0x0a, (byte) 0xcd, (byte) 0x32, // 322 | (byte) 0x0a, (byte) 0x2e, (byte) 0xcc, (byte) 0x93, // 323 | (byte) 0x40, (byte) 0xc0, (byte) 0x2b, (byte) 0x96, // 324 | (byte) 0x90, (byte) 0xc4, (byte) 0xdc, (byte) 0x04, // 325 | (byte) 0xda, (byte) 0xef, (byte) 0x7f, (byte) 0x6a, // 326 | (byte) 0xfe, (byte) 0x5c}; 327 | 328 | final byte[] expected = {(byte) 0x11, (byte) 0x22, (byte) 0x33, (byte) 0x44, // 329 | (byte) 0x55, (byte) 0x66, (byte) 0x77, (byte) 0x88, // 330 | (byte) 0x99, (byte) 0xaa, (byte) 0xbb, (byte) 0xcc, // 331 | (byte) 0xdd, (byte) 0xee}; 332 | 333 | final byte[] result = new SivMode().decrypt(aesKey, macKey, ciphertext, ad); 334 | Assertions.assertArrayEquals(expected, result); 335 | } 336 | 337 | @Test 338 | public void testSivDecryptWithInvalidKey() { 339 | final byte[] macKey = {(byte) 0xff, (byte) 0xfe, (byte) 0xfd, (byte) 0xfc, // 340 | (byte) 0xfb, (byte) 0xfa, (byte) 0xf9, (byte) 0xf8, // 341 | (byte) 0xf7, (byte) 0xf6, (byte) 0xf5, (byte) 0xf4, // 342 | (byte) 0xf3, (byte) 0xf2, (byte) 0xf1, (byte) 0xf0}; 343 | 344 | final byte[] aesKey = {(byte) 0xf0, (byte) 0xf1, (byte) 0xf2, (byte) 0xf3, // 345 | (byte) 0xf4, (byte) 0xf5, (byte) 0xf6, (byte) 0xf7, // 346 | (byte) 0xf8, (byte) 0xf9, (byte) 0xfa, (byte) 0xfb, // 347 | (byte) 0xfc, (byte) 0xfd, (byte) 0xfe, (byte) 0x00}; 348 | 349 | final byte[] ad = {(byte) 0x10, (byte) 0x11, (byte) 0x12, (byte) 0x13, // 350 | (byte) 0x14, (byte) 0x15, (byte) 0x16, (byte) 0x17, // 351 | (byte) 0x18, (byte) 0x19, (byte) 0x1a, (byte) 0x1b, // 352 | (byte) 0x1c, (byte) 0x1d, (byte) 0x1e, (byte) 0x1f, // 353 | (byte) 0x20, (byte) 0x21, (byte) 0x22, (byte) 0x23, // 354 | (byte) 0x24, (byte) 0x25, (byte) 0x26, (byte) 0x27}; 355 | 356 | final byte[] ciphertext = {(byte) 0x85, (byte) 0x63, (byte) 0x2d, (byte) 0x07, // 357 | (byte) 0xc6, (byte) 0xe8, (byte) 0xf3, (byte) 0x7f, // 358 | (byte) 0x95, (byte) 0x0a, (byte) 0xcd, (byte) 0x32, // 359 | (byte) 0x0a, (byte) 0x2e, (byte) 0xcc, (byte) 0x93, // 360 | (byte) 0x40, (byte) 0xc0, (byte) 0x2b, (byte) 0x96, // 361 | (byte) 0x90, (byte) 0xc4, (byte) 0xdc, (byte) 0x04, // 362 | (byte) 0xda, (byte) 0xef, (byte) 0x7f, (byte) 0x6a, // 363 | (byte) 0xfe, (byte) 0x5c}; 364 | 365 | SivMode sivMode = new SivMode(); 366 | Assertions.assertThrows(UnauthenticCiphertextException.class, () -> { 367 | sivMode.decrypt(aesKey, macKey, ciphertext, ad); 368 | }); 369 | } 370 | 371 | @Test 372 | public void testSivDecryptWithInvalidCiphertext() { 373 | final byte[] macKey = {(byte) 0xff, (byte) 0xfe, (byte) 0xfd, (byte) 0xfc, // 374 | (byte) 0xfb, (byte) 0xfa, (byte) 0xf9, (byte) 0xf8, // 375 | (byte) 0xf7, (byte) 0xf6, (byte) 0xf5, (byte) 0xf4, // 376 | (byte) 0xf3, (byte) 0xf2, (byte) 0xf1, (byte) 0xf0}; 377 | 378 | final byte[] aesKey = {(byte) 0xf0, (byte) 0xf1, (byte) 0xf2, (byte) 0xf3, // 379 | (byte) 0xf4, (byte) 0xf5, (byte) 0xf6, (byte) 0xf7, // 380 | (byte) 0xf8, (byte) 0xf9, (byte) 0xfa, (byte) 0xfb, // 381 | (byte) 0xfc, (byte) 0xfd, (byte) 0xfe, (byte) 0x00}; 382 | 383 | final byte[] ciphertext = {(byte) 0x85, (byte) 0x63, (byte) 0x2d, (byte) 0x07, // 384 | (byte) 0xc6, (byte) 0xe8, (byte) 0xf3, (byte) 0x7f, // 385 | (byte) 0x95, (byte) 0x0a, (byte) 0xcd, (byte) 0x32, // 386 | (byte) 0x0a, (byte) 0x2e, (byte) 0xcc}; 387 | 388 | SivMode sivMode = new SivMode(); 389 | Assertions.assertThrows(IllegalBlockSizeException.class, () -> { 390 | sivMode.decrypt(aesKey, macKey, ciphertext); 391 | }); 392 | } 393 | 394 | /** 395 | * https://tools.ietf.org/html/rfc5297#appendix-A.2 396 | */ 397 | @Test 398 | public void testNonceBasedAuthenticatedEncryption() { 399 | final byte[] macKey = {(byte) 0x7f, (byte) 0x7e, (byte) 0x7d, (byte) 0x7c, // 400 | (byte) 0x7b, (byte) 0x7a, (byte) 0x79, (byte) 0x78, // 401 | (byte) 0x77, (byte) 0x76, (byte) 0x75, (byte) 0x74, // 402 | (byte) 0x73, (byte) 0x72, (byte) 0x71, (byte) 0x70}; 403 | 404 | final byte[] aesKey = {(byte) 0x40, (byte) 0x41, (byte) 0x42, (byte) 0x43, // 405 | (byte) 0x44, (byte) 0x45, (byte) 0x46, (byte) 0x47, // 406 | (byte) 0x48, (byte) 0x49, (byte) 0x4a, (byte) 0x4b, // 407 | (byte) 0x4c, (byte) 0x4d, (byte) 0x4e, (byte) 0x4f}; 408 | 409 | final byte[] ad1 = {(byte) 0x00, (byte) 0x11, (byte) 0x22, (byte) 0x33, // 410 | (byte) 0x44, (byte) 0x55, (byte) 0x66, (byte) 0x77, // 411 | (byte) 0x88, (byte) 0x99, (byte) 0xaa, (byte) 0xbb, // 412 | (byte) 0xcc, (byte) 0xdd, (byte) 0xee, (byte) 0xff, // 413 | (byte) 0xde, (byte) 0xad, (byte) 0xda, (byte) 0xda, // 414 | (byte) 0xde, (byte) 0xad, (byte) 0xda, (byte) 0xda, // 415 | (byte) 0xff, (byte) 0xee, (byte) 0xdd, (byte) 0xcc, // 416 | (byte) 0xbb, (byte) 0xaa, (byte) 0x99, (byte) 0x88, // 417 | (byte) 0x77, (byte) 0x66, (byte) 0x55, (byte) 0x44, // 418 | (byte) 0x33, (byte) 0x22, (byte) 0x11, (byte) 0x00}; 419 | 420 | final byte[] ad2 = {(byte) 0x10, (byte) 0x20, (byte) 0x30, (byte) 0x40, // 421 | (byte) 0x50, (byte) 0x60, (byte) 0x70, (byte) 0x80, // 422 | (byte) 0x90, (byte) 0xa0}; 423 | 424 | final byte[] nonce = {(byte) 0x09, (byte) 0xf9, (byte) 0x11, (byte) 0x02, // 425 | (byte) 0x9d, (byte) 0x74, (byte) 0xe3, (byte) 0x5b, // 426 | (byte) 0xd8, (byte) 0x41, (byte) 0x56, (byte) 0xc5, // 427 | (byte) 0x63, (byte) 0x56, (byte) 0x88, (byte) 0xc0}; 428 | 429 | final byte[] plaintext = {(byte) 0x74, (byte) 0x68, (byte) 0x69, (byte) 0x73, // 430 | (byte) 0x20, (byte) 0x69, (byte) 0x73, (byte) 0x20, // 431 | (byte) 0x73, (byte) 0x6f, (byte) 0x6d, (byte) 0x65, // 432 | (byte) 0x20, (byte) 0x70, (byte) 0x6c, (byte) 0x61, // 433 | (byte) 0x69, (byte) 0x6e, (byte) 0x74, (byte) 0x65, // 434 | (byte) 0x78, (byte) 0x74, (byte) 0x20, (byte) 0x74, // 435 | (byte) 0x6f, (byte) 0x20, (byte) 0x65, (byte) 0x6e, // 436 | (byte) 0x63, (byte) 0x72, (byte) 0x79, (byte) 0x70, // 437 | (byte) 0x74, (byte) 0x20, (byte) 0x75, (byte) 0x73, // 438 | (byte) 0x69, (byte) 0x6e, (byte) 0x67, (byte) 0x20, // 439 | (byte) 0x53, (byte) 0x49, (byte) 0x56, (byte) 0x2d, // 440 | (byte) 0x41, (byte) 0x45, (byte) 0x53}; 441 | 442 | final byte[] result = new SivMode().encrypt(aesKey, macKey, plaintext, ad1, ad2, nonce); 443 | 444 | final byte[] expected = {(byte) 0x7b, (byte) 0xdb, (byte) 0x6e, (byte) 0x3b, // 445 | (byte) 0x43, (byte) 0x26, (byte) 0x67, (byte) 0xeb, // 446 | (byte) 0x06, (byte) 0xf4, (byte) 0xd1, (byte) 0x4b, // 447 | (byte) 0xff, (byte) 0x2f, (byte) 0xbd, (byte) 0x0f, // 448 | (byte) 0xcb, (byte) 0x90, (byte) 0x0f, (byte) 0x2f, // 449 | (byte) 0xdd, (byte) 0xbe, (byte) 0x40, (byte) 0x43, // 450 | (byte) 0x26, (byte) 0x60, (byte) 0x19, (byte) 0x65, // 451 | (byte) 0xc8, (byte) 0x89, (byte) 0xbf, (byte) 0x17, // 452 | (byte) 0xdb, (byte) 0xa7, (byte) 0x7c, (byte) 0xeb, // 453 | (byte) 0x09, (byte) 0x4f, (byte) 0xa6, (byte) 0x63, // 454 | (byte) 0xb7, (byte) 0xa3, (byte) 0xf7, (byte) 0x48, // 455 | (byte) 0xba, (byte) 0x8a, (byte) 0xf8, (byte) 0x29, // 456 | (byte) 0xea, (byte) 0x64, (byte) 0xad, (byte) 0x54, // 457 | (byte) 0x4a, (byte) 0x27, (byte) 0x2e, (byte) 0x9c, // 458 | (byte) 0x48, (byte) 0x5b, (byte) 0x62, (byte) 0xa3, // 459 | (byte) 0xfd, (byte) 0x5c, (byte) 0x0d}; 460 | 461 | Assertions.assertArrayEquals(expected, result); 462 | } 463 | 464 | @ParameterizedTest 465 | @ValueSource(ints = {16, 24, 32}) 466 | public void testEncryptionAndDecryptionUsingJavaxCryptoApi(int keylen) throws UnauthenticCiphertextException, IllegalBlockSizeException { 467 | final byte[] dummyKey = new byte[keylen]; 468 | final SecretKey ctrKey = new SecretKeySpec(dummyKey, "AES"); 469 | final SecretKey macKey = new SecretKeySpec(dummyKey, "AES"); 470 | final SivMode sivMode = new SivMode(); 471 | final byte[] cleartext = "hello world".getBytes(); 472 | final byte[] ciphertext = sivMode.encrypt(ctrKey, macKey, cleartext); 473 | final byte[] decrypted = sivMode.decrypt(ctrKey, macKey, ciphertext); 474 | Assertions.assertArrayEquals(cleartext, decrypted); 475 | } 476 | 477 | @ParameterizedTest 478 | @ValueSource(ints = {32, 48, 64}) 479 | public void testEncryptionAndDecryptionUsingSingleJavaxCryptoApi(int keylen) throws UnauthenticCiphertextException, IllegalBlockSizeException { 480 | final byte[] dummyKey = new byte[keylen]; 481 | final SecretKey key = new SecretKeySpec(dummyKey, "AES"); 482 | final SivMode sivMode = new SivMode(); 483 | final byte[] cleartext = "hello world".getBytes(); 484 | final byte[] ciphertext = sivMode.encrypt(key, cleartext); 485 | final byte[] decrypted = sivMode.decrypt(key, ciphertext); 486 | Assertions.assertArrayEquals(cleartext, decrypted); 487 | } 488 | 489 | @Test 490 | public void testShiftLeft() { 491 | final byte[] output = new byte[4]; 492 | 493 | SivMode.shiftLeft(new byte[] {(byte) 0x77, (byte) 0x3A, (byte) 0x87, (byte) 0x22}, output); 494 | Assertions.assertArrayEquals(new byte[] {(byte) 0xEE, (byte) 0x75, (byte) 0x0E, (byte) 0x44}, output); 495 | 496 | SivMode.shiftLeft(new byte[] {(byte) 0x56, (byte) 0x12, (byte) 0x34, (byte) 0x99}, output); 497 | Assertions.assertArrayEquals(new byte[] {(byte) 0xAC, (byte) 0x24, (byte) 0x69, (byte) 0x32}, output); 498 | 499 | SivMode.shiftLeft(new byte[] {(byte) 0xCF, (byte) 0xAB, (byte) 0xBA, (byte) 0x78}, output); 500 | Assertions.assertArrayEquals(new byte[] {(byte) 0x9F, (byte) 0x57, (byte) 0x74, (byte) 0xF0}, output); 501 | 502 | SivMode.shiftLeft(new byte[] {(byte) 0x89, (byte) 0x65, (byte) 0x43, (byte) 0x21}, output); 503 | Assertions.assertArrayEquals(new byte[] {(byte) 0x12, (byte) 0xCA, (byte) 0x86, (byte) 0x42}, output); 504 | } 505 | 506 | @Test 507 | public void testDouble() { 508 | Assertions.assertArrayEquals( 509 | new byte[] {(byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, 510 | (byte) 0x00, (byte) 0x00,}, 511 | SivMode.dbl(new byte[] {(byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, 512 | (byte) 0x00, (byte) 0x00, (byte) 0x00,})); 513 | 514 | Assertions.assertArrayEquals( 515 | new byte[] {(byte) 0x22, (byte) 0x44, (byte) 0x66, (byte) 0x88, (byte) 0xAA, (byte) 0xCC, (byte) 0xEF, (byte) 0x10, (byte) 0x22, (byte) 0x44, (byte) 0x66, (byte) 0x88, (byte) 0x22, (byte) 0x44, 516 | (byte) 0x22, (byte) 0x44,}, 517 | SivMode.dbl(new byte[] {(byte) 0x11, (byte) 0x22, (byte) 0x33, (byte) 0x44, (byte) 0x55, (byte) 0x66, (byte) 0x77, (byte) 0x88, (byte) 0x11, (byte) 0x22, (byte) 0x33, (byte) 0x44, (byte) 0x11, 518 | (byte) 0x22, (byte) 0x11, (byte) 0x22,})); 519 | 520 | Assertions.assertArrayEquals( 521 | new byte[] {(byte) 0x10, (byte) 0x88, (byte) 0x44, (byte) 0x23, (byte) 0x32, (byte) 0xEE, (byte) 0xAA, (byte) 0x66, (byte) 0x22, (byte) 0x66, (byte) 0xAA, (byte) 0xEE, (byte) 0x22, (byte) 0x44, 522 | (byte) 0x89, (byte) 0x97,}, 523 | SivMode.dbl(new byte[] {(byte) 0x88, (byte) 0x44, (byte) 0x22, (byte) 0x11, (byte) 0x99, (byte) 0x77, (byte) 0x55, (byte) 0x33, (byte) 0x11, (byte) 0x33, (byte) 0x55, (byte) 0x77, (byte) 0x11, 524 | (byte) 0x22, (byte) 0x44, (byte) 0x88,})); 525 | 526 | Assertions.assertArrayEquals( 527 | new byte[] {(byte) 0xF5, (byte) 0x79, (byte) 0xF5, (byte) 0x78, (byte) 0x02, (byte) 0x46, (byte) 0x02, (byte) 0x46, (byte) 0xAD, (byte) 0xB8, (byte) 0x24, (byte) 0x68, (byte) 0xAD, (byte) 0xB8, 528 | (byte) 0x24, (byte) 0xEF,}, 529 | SivMode.dbl(new byte[] {(byte) 0xFA, (byte) 0xBC, (byte) 0xFA, (byte) 0xBC, (byte) 0x01, (byte) 0x23, (byte) 0x01, (byte) 0x23, (byte) 0x56, (byte) 0xDC, (byte) 0x12, (byte) 0x34, (byte) 0x56, 530 | (byte) 0xDC, (byte) 0x12, (byte) 0x34,})); 531 | } 532 | 533 | @Test 534 | public void testXor() { 535 | Assertions.assertArrayEquals(new byte[] {}, SivMode.xor(new byte[0], new byte[0])); 536 | Assertions.assertArrayEquals(new byte[3], SivMode.xor(new byte[3], new byte[3])); 537 | Assertions.assertArrayEquals(new byte[] {(byte) 0x01, (byte) 0x02, (byte) 0x03}, SivMode.xor(new byte[] {(byte) 0xFF, (byte) 0x55, (byte) 0x81}, new byte[] {(byte) 0xFE, (byte) 0x57, (byte) 0x82})); 538 | Assertions.assertArrayEquals(new byte[] {(byte) 0x01, (byte) 0x02, (byte) 0x03}, SivMode.xor(new byte[] {(byte) 0xFF, (byte) 0x55, (byte) 0x81}, new byte[] {(byte) 0xFE, (byte) 0x57, (byte) 0x82})); 539 | Assertions.assertArrayEquals(new byte[] {(byte) 0xAB, (byte) 0x87, (byte) 0x34}, SivMode.xor(new byte[] {(byte) 0xB9, (byte) 0xB3, (byte) 0x62}, new byte[] {(byte) 0x12, (byte) 0x34, (byte) 0x56, (byte) 0x78})); 540 | } 541 | 542 | @Test 543 | public void testXorend() { 544 | Assertions.assertArrayEquals(new byte[] {}, SivMode.xorend(new byte[0], new byte[0])); 545 | Assertions.assertArrayEquals(new byte[3], SivMode.xorend(new byte[3], new byte[3])); 546 | Assertions.assertArrayEquals(new byte[] {(byte) 0x01, (byte) 0x02, (byte) 0x03}, SivMode.xorend(new byte[] {(byte) 0xFF, (byte) 0x55, (byte) 0x81}, new byte[] {(byte) 0xFE, (byte) 0x57, (byte) 0x82})); 547 | Assertions.assertArrayEquals(new byte[] {(byte) 0x01, (byte) 0x02, (byte) 0x03}, SivMode.xorend(new byte[] {(byte) 0xFF, (byte) 0x55, (byte) 0x81}, new byte[] {(byte) 0xFE, (byte) 0x57, (byte) 0x82})); 548 | Assertions.assertArrayEquals(new byte[] {(byte) 0xB8, (byte) 0xA9, (byte) 0xAB, (byte) 0x87, (byte) 0x34}, 549 | SivMode.xorend(new byte[] {(byte) 0xB8, (byte) 0xA9, (byte) 0xB9, (byte) 0xB3, (byte) 0x62}, new byte[] {(byte) 0x12, (byte) 0x34, (byte) 0x56})); 550 | Assertions.assertArrayEquals(new byte[] {(byte) 0x23, (byte) 0x80, (byte) 0x32, (byte) 0xEF, (byte) 0xDE, (byte) 0xCD, (byte) 0xAB, (byte) 0x87, (byte) 0x34}, 551 | SivMode.xorend(new byte[] {(byte) 0x23, (byte) 0x80, (byte) 0x32, (byte) 0xEF, (byte) 0xDE, (byte) 0xCD, (byte) 0xB9, (byte) 0xB3, (byte) 0x62,}, new byte[] {(byte) 0x12, (byte) 0x34, (byte) 0x56})); 552 | } 553 | 554 | @TestFactory 555 | public Stream testGeneratedTestCases() { 556 | InputStream in = EncryptionTestCase.class.getResourceAsStream("/testcases.txt"); 557 | Reader reader = new InputStreamReader(in, StandardCharsets.US_ASCII); 558 | BufferedReader bufferedReader = new BufferedReader(reader); 559 | Stream lines = bufferedReader.lines().onClose(() -> { 560 | try { 561 | bufferedReader.close(); 562 | } catch (IOException e) { 563 | throw new UncheckedIOException(e); 564 | } 565 | }); 566 | SivMode sivMode = new SivMode(); 567 | return lines.map(EncryptionTestCase::fromLine).map(testCase -> { 568 | int testIdx = testCase.getTestCaseNumber(); 569 | return DynamicContainer.dynamicContainer("test case " + testIdx, Arrays.asList( 570 | DynamicTest.dynamicTest("decrypt", () -> { 571 | byte[] actualPlaintext = sivMode.decrypt(testCase.getCtrKey(), testCase.getMacKey(), testCase.getCiphertext(), testCase.getAssociatedData()); 572 | Assertions.assertArrayEquals(testCase.getPlaintext(), actualPlaintext); 573 | }), 574 | DynamicTest.dynamicTest("encrypt", () -> { 575 | byte[] actualCiphertext = sivMode.encrypt(testCase.getCtrKey(), testCase.getMacKey(), testCase.getPlaintext(), testCase.getAssociatedData()); 576 | Assertions.assertArrayEquals(testCase.getCiphertext(), actualCiphertext); 577 | }), 578 | DynamicTest.dynamicTest("decrypt fails due to tampered MAC", () -> { 579 | byte[] macKey = testCase.getMacKey(); 580 | 581 | // Pick some arbitrary key byte to tamper with 582 | int tamperedByteIndex = testIdx % macKey.length; 583 | 584 | // Flip a single bit 585 | macKey[tamperedByteIndex] ^= 0x10; 586 | 587 | Assertions.assertThrows(UnauthenticCiphertextException.class, () -> { 588 | sivMode.decrypt(testCase.getCtrKey(), macKey, testCase.getCiphertext(), testCase.getAssociatedData()); 589 | }); 590 | }), 591 | DynamicTest.dynamicTest("decrypt fails due to tampered ciphertext", () -> { 592 | byte[] ciphertext = testCase.getCiphertext(); 593 | 594 | // Pick some arbitrary key byte to tamper with 595 | int tamperedByteIndex = testIdx % ciphertext.length; 596 | 597 | // Flip a single bit 598 | ciphertext[tamperedByteIndex] ^= 0x10; 599 | 600 | Assertions.assertThrows(UnauthenticCiphertextException.class, () -> { 601 | sivMode.decrypt(testCase.getCtrKey(), testCase.getMacKey(), ciphertext, testCase.getAssociatedData()); 602 | }); 603 | }), 604 | DynamicTest.dynamicTest("decrypt fails due to tampered associated data", () -> { 605 | byte[][] ad = testCase.getAssociatedData(); 606 | 607 | // Try flipping bits in the associated data elements 608 | for (int adIdx = 0; adIdx < ad.length; adIdx++) { 609 | // Skip if this ad element is empty 610 | if (ad[adIdx].length == 0) { 611 | continue; 612 | } 613 | 614 | // Pick some arbitrary byte to tamper with 615 | int tamperedByteIndex = testIdx % ad[adIdx].length; 616 | 617 | // Flip a single bit 618 | ad[adIdx][tamperedByteIndex] ^= 0x04; 619 | 620 | Assertions.assertThrows(UnauthenticCiphertextException.class, () -> { 621 | sivMode.decrypt(testCase.getCtrKey(), testCase.getMacKey(), testCase.getCiphertext(), ad); 622 | }); 623 | 624 | // Restore ad to original value 625 | ad[adIdx][tamperedByteIndex] ^= 0x04; 626 | } 627 | }), 628 | DynamicTest.dynamicTest("decrypt fails due to prepended associated data", () -> { 629 | // Skip if there is no more room for additional AD 630 | if (testCase.getAssociatedData().length > 125) { 631 | return; 632 | } 633 | 634 | byte[][] ad = testCase.getAssociatedData(); 635 | byte[][] prependedAd = new byte[ad.length + 1][]; 636 | prependedAd[0] = new byte[testIdx % 16]; 637 | System.arraycopy(ad, 0, prependedAd, 1, ad.length); 638 | 639 | Assertions.assertThrows(UnauthenticCiphertextException.class, () -> { 640 | sivMode.decrypt(testCase.getCtrKey(), testCase.getMacKey(), testCase.getCiphertext(), prependedAd); 641 | }); 642 | }), 643 | DynamicTest.dynamicTest("decrypt fails due to appended associated data", () -> { 644 | // Skip if there is no more room for additional AD 645 | if (testCase.getAssociatedData().length > 125) { 646 | return; 647 | } 648 | 649 | byte[][] ad = testCase.getAssociatedData(); 650 | byte[][] appendedAd = new byte[ad.length + 1][]; 651 | appendedAd[ad.length] = new byte[testIdx % 16]; 652 | System.arraycopy(ad, 0, appendedAd, 0, ad.length); 653 | 654 | Assertions.assertThrows(UnauthenticCiphertextException.class, () -> { 655 | sivMode.decrypt(testCase.getCtrKey(), testCase.getMacKey(), testCase.getCiphertext(), appendedAd); 656 | }); 657 | }) 658 | )); 659 | }); 660 | } 661 | 662 | private Provider getSunJceProvider() { 663 | Provider provider = Security.getProvider("SunJCE"); 664 | Assertions.assertNotNull(provider); 665 | return provider; 666 | } 667 | } 668 | -------------------------------------------------------------------------------- /suppression.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 8 | org\.bouncycastle:bcprov-jdk15on:.* 9 | CVE-2023-33201 10 | 11 | 12 | 16 | ^pkg:maven/org\.bouncycastle/bcprov\-jdk15on@.*$ 17 | CVE-2023-33202 18 | 19 | 20 | --------------------------------------------------------------------------------