RFC 8446: Implement HKDF functionality in TlsCrypto

peterdettman · peterdettman · commit cbba912e07e1 · 2019-04-25T18:30:07.000+07:00
diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/TlsCrypto.java b/tls/src/main/java/org/bouncycastle/tls/crypto/TlsCrypto.java
@@ -167,6 +167,16 @@ public interface TlsCrypto
      */
     TlsHash createHash(short hashAlgorithm);
 
+    /**
+     * Create a suitable HMAC using the hash algorithm identifier passed in.
+     * <p>
+     * See enumeration class {@link HashAlgorithm} for appropriate argument values.
+     * </p>
+     * @param hashAlgorithm the hash algorithm the HMAC should use.
+     * @return a {@link TlsHMAC}.
+     */
+    TlsHMAC createHMAC(short hashAlgorithm);
+
     /**
      * Create a suitable HMAC for the MAC algorithm identifier passed in.
      * <p>
@@ -212,4 +222,11 @@ public interface TlsCrypto
      * @return an initialized SRP6 verifier generator,
      */
     TlsSRP6VerifierGenerator createSRP6VerifierGenerator(TlsSRPConfig srpConfig);
+
+    /**
+     * Setup an initial "secret" for a chain of HKDF calls (RFC 5869), containing a string of HashLen zeroes.
+     * 
+     * @param hashAlgorithm the hash algorithm to instantiate HMAC with. See {@link HashAlgorithm} for values.
+     */
+    TlsSecret hkdfInit(short hashAlgorithm);
 }
diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/TlsCryptoUtils.java b/tls/src/main/java/org/bouncycastle/tls/crypto/TlsCryptoUtils.java
@@ -0,0 +1,26 @@
+package org.bouncycastle.tls.crypto;
+
+import java.io.IOException;
+
+import org.bouncycastle.tls.TlsUtils;
+import org.bouncycastle.util.Strings;
+
+public abstract class TlsCryptoUtils
+{
+    public static TlsSecret hkdfExpandLabel(TlsSecret secret, short hashAlgorithm, String label, byte[] context, int length)
+        throws IOException
+    {
+        byte[] expandedLabel = Strings.toByteArray("tls13 " + label);
+
+        byte[] hkdfLabel = new byte[2 + (1 + expandedLabel.length) + (1 + context.length)];
+
+        TlsUtils.checkUint16(length);
+        TlsUtils.writeUint16(length, hkdfLabel, 0);
+
+        TlsUtils.writeOpaque8(expandedLabel, hkdfLabel, 2);
+
+        TlsUtils.writeOpaque8(context, hkdfLabel, 2 + (1 + expandedLabel.length));
+
+        return secret.hkdfExpand(hashAlgorithm, hkdfLabel, length);
+    }
+}
diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/TlsMAC.java b/tls/src/main/java/org/bouncycastle/tls/crypto/TlsMAC.java
@@ -30,6 +30,14 @@ public interface TlsMAC
      */
     byte[] calculateMAC();
 
+    /**
+     * Write the calculated MAC to an output buffer.
+     *
+     * @param output output array to write the MAC to.
+     * @param outOff offset into the output array to write the MAC to.
+     */
+    void calculateMAC(byte[] output, int outOff);
+
     /**
      * Return the length of the MAC generated by this service.
      *
diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/TlsSecret.java b/tls/src/main/java/org/bouncycastle/tls/crypto/TlsSecret.java
@@ -3,6 +3,7 @@
 import java.io.IOException;
 
 import org.bouncycastle.tls.EncryptionAlgorithm;
+import org.bouncycastle.tls.HashAlgorithm;
 import org.bouncycastle.tls.MACAlgorithm;
 
 /**
@@ -56,4 +57,23 @@ public interface TlsSecret
      * @return the secret's internal data.
      */
     byte[] extract();
+
+    /**
+     * RFC 5869 HKDF-Expand function, with this secret's data as the pseudo-random key ('prk').
+     * 
+     * @param hashAlgorithm the hash algorithm to instantiate HMAC with. See {@link HashAlgorithm} for values.
+     * @param info optional context and application specific information (can be zero-length).
+     * @param length length of output keying material in octets.
+     * @return output keying material (of 'length' octets).
+     */
+    TlsSecret hkdfExpand(short hashAlgorithm, byte[] info, int length);
+
+    /**
+     * RFC 5869 HKDF-Extract function, with this secret's data as the 'salt'.
+     * 
+     * @param hashAlgorithm the hash algorithm to instantiate HMAC with. See {@link HashAlgorithm} for values.
+     * @param ikm input keying material.
+     * @return a pseudo-random key (of HashLen octets).
+     */
+    TlsSecret hkdfExtract(short hashAlgorithm, byte[] ikm);
 }
diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/AbstractTlsSecret.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/AbstractTlsSecret.java
@@ -4,7 +4,9 @@
 
 import org.bouncycastle.tls.crypto.TlsCertificate;
 import org.bouncycastle.tls.crypto.TlsCipher;
+import org.bouncycastle.tls.crypto.TlsCrypto;
 import org.bouncycastle.tls.crypto.TlsCryptoParameters;
+import org.bouncycastle.tls.crypto.TlsHMAC;
 import org.bouncycastle.tls.crypto.TlsSecret;
 import org.bouncycastle.util.Arrays;
 
@@ -26,6 +28,8 @@ protected AbstractTlsSecret(byte[] data)
         this.data = data;
     }
 
+    protected abstract TlsSecret adoptLocalSecret(byte[] data);
+
     protected void checkAlive()
     {
         if (data == null)
@@ -68,6 +72,60 @@ public synchronized byte[] extract()
         return result;
     }
 
+    public synchronized TlsSecret hkdfExpand(short hashAlgorithm, byte[] info, int length)
+    {
+        checkAlive();
+
+        byte[] prk = data;
+
+        TlsCrypto crypto = getCrypto();
+        TlsHMAC hmac = crypto.createHMAC(hashAlgorithm);
+
+        hmac.setKey(prk, 0, prk.length);
+
+        byte[] okm = new byte[length];
+
+        int hashLen = hmac.getMacLength();
+        byte[] t = new byte[hashLen];
+        byte counter = 0x00;
+
+        int pos = 0;
+        while (pos < length)
+        {
+            if (counter != 0x00)
+            {
+                hmac.update(t, 0, t.length);
+            }
+            hmac.update(info, 0, info.length);
+            hmac.update(new byte[]{ ++counter }, 0, 1);
+
+            hmac.calculateMAC(t, 0);
+
+            int copyLength = Math.min(hashLen, length - pos);
+            System.arraycopy(t, 0, okm, pos, copyLength);
+            pos += copyLength;
+        }
+
+        return adoptLocalSecret(okm);
+    }
+
+    public synchronized TlsSecret hkdfExtract(short hashAlgorithm, byte[] ikm)
+    {
+        checkAlive();
+
+        byte[] salt = data;
+
+        TlsCrypto crypto = getCrypto();
+        TlsHMAC hmac = crypto.createHMAC(hashAlgorithm);
+
+        hmac.setKey(salt, 0, salt.length);
+        hmac.update(ikm, 0, ikm.length);
+
+        byte[] prk = hmac.calculateMAC();
+
+        return adoptLocalSecret(prk);
+    }
+
     synchronized byte[] copyData()
     {
         return Arrays.clone(data);
diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/bc/BcTlsCrypto.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/bc/BcTlsCrypto.java
@@ -597,9 +597,14 @@ protected BlockCipher createSEEDBlockCipher()
         return new CBCBlockCipher(new SEEDEngine());
     }
 
+    public TlsHMAC createHMAC(short hashAlgorithm)
+    {
+        return new HMacOperator(createDigest(hashAlgorithm));
+    }
+
     public TlsHMAC createHMAC(int macAlgorithm)
     {
-        return new HMacOperator(createDigest(TlsUtils.getHashAlgorithmForHMACAlgorithm(macAlgorithm)));
+        return createHMAC(TlsUtils.getHashAlgorithmForHMACAlgorithm(macAlgorithm));
     }
 
     public TlsSRP6Client createSRP6Client(TlsSRPConfig srpConfig)
@@ -676,6 +681,11 @@ public BigInteger generateVerifier(byte[] salt, byte[] identity, byte[] password
         };
     }
 
+    public TlsSecret hkdfInit(short hashAlgorithm)
+    {
+        return adoptLocalSecret(new byte[HashAlgorithm.getOutputSize(hashAlgorithm)]);
+    }
+
     private class BlockOperator
         implements TlsBlockCipherImpl
     {
@@ -792,6 +802,11 @@ public byte[] calculateMAC()
             return rv;
         }
 
+        public void calculateMAC(byte[] output, int outOff)
+        {
+            hmac.doFinal(output, outOff);
+        }
+
         public int getInternalBlockSize()
         {
             return ((ExtendedDigest)hmac.getUnderlyingDigest()).getByteLength();
diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/bc/BcTlsSecret.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/bc/BcTlsSecret.java
@@ -40,6 +40,11 @@ public synchronized TlsSecret deriveUsingPRF(int prfAlgorithm, String label, byt
         return crypto.adoptLocalSecret(result);
     }
 
+    protected TlsSecret adoptLocalSecret(byte[] data)
+    {
+        return crypto.adoptLocalSecret(data);
+    }
+
     protected AbstractTlsCrypto getCrypto()
     {
         return crypto;
diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JcaTlsCrypto.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JcaTlsCrypto.java
@@ -216,6 +216,13 @@ protected TlsCipher createCipher(TlsCryptoParameters cryptoParams, int encryptio
         }
     }
 
+    public TlsHMAC createHMAC(short hashAlgorithm)
+    {
+        String digestName = getDigestName(hashAlgorithm).replaceAll("-", "");
+        String hmacName = "Hmac" + digestName;
+        return createHMAC(hmacName);
+    }
+
     public TlsHMAC createHMAC(int macAlgorithm)
     {
         switch (macAlgorithm)
@@ -619,6 +626,11 @@ public byte[] encrypt(byte[] input, int inOff, int length)
         };
     }
 
+    public TlsSecret hkdfInit(short hashAlgorithm)
+    {
+        return adoptLocalSecret(new byte[HashAlgorithm.getOutputSize(hashAlgorithm)]);
+    }
+
     /**
      * If you want to create your own versions of the AEAD ciphers required, override this method.
      *
diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JceTlsHMAC.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JceTlsHMAC.java
@@ -4,6 +4,7 @@
 import java.util.Hashtable;
 
 import javax.crypto.Mac;
+import javax.crypto.ShortBufferException;
 import javax.crypto.spec.SecretKeySpec;
 
 import org.bouncycastle.tls.crypto.TlsHMAC;
@@ -87,6 +88,18 @@ public byte[] calculateMAC()
         return hmac.doFinal();
     }
 
+    public void calculateMAC(byte[] output, int outOff)
+    {
+        try
+        {
+            hmac.doFinal(output, outOff);
+        }
+        catch (ShortBufferException e)
+        {
+            throw new IllegalArgumentException(e.getMessage());
+        }
+    }
+
     public int getInternalBlockSize()
     {
         return internalBlockSize.intValue();
diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JceTlsMAC.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JceTlsMAC.java
diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JceTlsSecret.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JceTlsSecret.java
@@ -48,6 +48,11 @@ public synchronized TlsSecret deriveUsingPRF(int prfAlgorithm, String label, byt
         }
     }
 
+    protected TlsSecret adoptLocalSecret(byte[] data)
+    {
+        return crypto.adoptLocalSecret(data);
+    }
+
     protected AbstractTlsCrypto getCrypto()
     {
         return crypto;
diff --git a/tls/src/test/java/org/bouncycastle/tls/crypto/test/BcTlsCryptoTest.java b/tls/src/test/java/org/bouncycastle/tls/crypto/test/BcTlsCryptoTest.java
@@ -0,0 +1,14 @@
+package org.bouncycastle.tls.crypto.test;
+
+import java.security.SecureRandom;
+
+import org.bouncycastle.tls.crypto.impl.bc.BcTlsCrypto;
+
+public class BcTlsCryptoTest
+    extends TlsCryptoTest
+{
+    public BcTlsCryptoTest()
+    {
+        super(new BcTlsCrypto(new SecureRandom()));
+    }
+}
diff --git a/tls/src/test/java/org/bouncycastle/tls/crypto/test/JcaTlsCryptoTest.java b/tls/src/test/java/org/bouncycastle/tls/crypto/test/JcaTlsCryptoTest.java
@@ -0,0 +1,15 @@
+package org.bouncycastle.tls.crypto.test;
+
+import java.security.SecureRandom;
+
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCryptoProvider;
+
+public class JcaTlsCryptoTest
+    extends TlsCryptoTest
+{
+    public JcaTlsCryptoTest()
+    {
+        super(new JcaTlsCryptoProvider().setProvider(new BouncyCastleProvider()).create(new SecureRandom()));
+    }
+}
diff --git a/tls/src/test/java/org/bouncycastle/tls/crypto/test/TlsCryptoTest.java b/tls/src/test/java/org/bouncycastle/tls/crypto/test/TlsCryptoTest.java

Original file line number	Diff line number	Diff line change
`@@ -597,9 +597,14 @@ protected BlockCipher createSEEDBlockCipher()`
`597`	`597`	`return new CBCBlockCipher(new SEEDEngine());`
`598`	`598`	`}`
`599`	`599`
	`600`	`+ public TlsHMAC createHMAC(short hashAlgorithm)`
	`601`	`+ {`
	`602`	`+ return new HMacOperator(createDigest(hashAlgorithm));`
	`603`	`+ }`
	`604`	`+`
`600`	`605`	`public TlsHMAC createHMAC(int macAlgorithm)`
`601`	`606`	`{`
`602`		`- return new HMacOperator(createDigest(TlsUtils.getHashAlgorithmForHMACAlgorithm(macAlgorithm)));`
	`607`	`+ return createHMAC(TlsUtils.getHashAlgorithmForHMACAlgorithm(macAlgorithm));`
`603`	`608`	`}`
`604`	`609`
`605`	`610`	`public TlsSRP6Client createSRP6Client(TlsSRPConfig srpConfig)`
`@@ -676,6 +681,11 @@ public BigInteger generateVerifier(byte[] salt, byte[] identity, byte[] password`
`676`	`681`	`};`
`677`	`682`	`}`
`678`	`683`
	`684`	`+ public TlsSecret hkdfInit(short hashAlgorithm)`
	`685`	`+ {`
	`686`	`+ return adoptLocalSecret(new byte[HashAlgorithm.getOutputSize(hashAlgorithm)]);`
	`687`	`+ }`
	`688`	`+`
`679`	`689`	`private class BlockOperator`
`680`	`690`	`implements TlsBlockCipherImpl`
`681`	`691`	`{`
`@@ -792,6 +802,11 @@ public byte[] calculateMAC()`
`792`	`802`	`return rv;`
`793`	`803`	`}`
`794`	`804`
	`805`	`+ public void calculateMAC(byte[] output, int outOff)`
	`806`	`+ {`
	`807`	`+ hmac.doFinal(output, outOff);`
	`808`	`+ }`
	`809`	`+`
`795`	`810`	`public int getInternalBlockSize()`
`796`	`811`	`{`
`797`	`812`	`return ((ExtendedDigest)hmac.getUnderlyingDigest()).getByteLength();`
Original file line number	Diff line number	Diff line change
`@@ -40,6 +40,11 @@ public synchronized TlsSecret deriveUsingPRF(int prfAlgorithm, String label, byt`
`40`	`40`	`return crypto.adoptLocalSecret(result);`
`41`	`41`	`}`
`42`	`42`
	`43`	`+ protected TlsSecret adoptLocalSecret(byte[] data)`
	`44`	`+ {`
	`45`	`+ return crypto.adoptLocalSecret(data);`
	`46`	`+ }`
	`47`	`+`
`43`	`48`	`protected AbstractTlsCrypto getCrypto()`
`44`	`49`	`{`
`45`	`50`	`return crypto;`
Original file line number	Diff line number	Diff line change
`@@ -216,6 +216,13 @@ protected TlsCipher createCipher(TlsCryptoParameters cryptoParams, int encryptio`
`216`	`216`	`}`
`217`	`217`	`}`
`218`	`218`
	`219`	`+ public TlsHMAC createHMAC(short hashAlgorithm)`
	`220`	`+ {`
	`221`	`+ String digestName = getDigestName(hashAlgorithm).replaceAll("-", "");`
	`222`	`+ String hmacName = "Hmac" + digestName;`
	`223`	`+ return createHMAC(hmacName);`
	`224`	`+ }`
	`225`	`+`
`219`	`226`	`public TlsHMAC createHMAC(int macAlgorithm)`
`220`	`227`	`{`
`221`	`228`	`switch (macAlgorithm)`
`@@ -619,6 +626,11 @@ public byte[] encrypt(byte[] input, int inOff, int length)`
`619`	`626`	`};`
`620`	`627`	`}`
`621`	`628`
	`629`	`+ public TlsSecret hkdfInit(short hashAlgorithm)`
	`630`	`+ {`
	`631`	`+ return adoptLocalSecret(new byte[HashAlgorithm.getOutputSize(hashAlgorithm)]);`
	`632`	`+ }`
	`633`	`+`
`622`	`634`	`/**`
`623`	`635`	`* If you want to create your own versions of the AEAD ciphers required, override this method.`
`624`	`636`	`*`