J. Duke | 319a3b9 | 2007-12-01 00:00:00 +0000 | [diff] [blame^] | 1 | /* |
| 2 | * Copyright 2002-2007 Sun Microsystems, Inc. All Rights Reserved. |
| 3 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| 4 | * |
| 5 | * This code is free software; you can redistribute it and/or modify it |
| 6 | * under the terms of the GNU General Public License version 2 only, as |
| 7 | * published by the Free Software Foundation. Sun designates this |
| 8 | * particular file as subject to the "Classpath" exception as provided |
| 9 | * by Sun in the LICENSE file that accompanied this code. |
| 10 | * |
| 11 | * This code is distributed in the hope that it will be useful, but WITHOUT |
| 12 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| 13 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| 14 | * version 2 for more details (a copy is included in the LICENSE file that |
| 15 | * accompanied this code). |
| 16 | * |
| 17 | * You should have received a copy of the GNU General Public License version |
| 18 | * 2 along with this work; if not, write to the Free Software Foundation, |
| 19 | * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| 20 | * |
| 21 | * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, |
| 22 | * CA 95054 USA or visit www.sun.com if you need additional information or |
| 23 | * have any questions. |
| 24 | */ |
| 25 | |
| 26 | /* $Id: Rijndael.java,v 1.6 2000/02/10 01:31:41 gelderen Exp $ |
| 27 | * |
| 28 | * Copyright (C) 1995-2000 The Cryptix Foundation Limited. |
| 29 | * All rights reserved. |
| 30 | * |
| 31 | * Use, modification, copying and distribution of this softwareas is subject |
| 32 | * the terms and conditions of the Cryptix General Licence. You should have |
| 33 | * received a copy of the Cryptix General Licence along with this library; |
| 34 | * if not, you can download a copy from http://www.cryptix.org/ . |
| 35 | */ |
| 36 | |
| 37 | package com.sun.crypto.provider; |
| 38 | |
| 39 | import java.security.InvalidKeyException; |
| 40 | |
| 41 | /** |
| 42 | * Rijndael --pronounced Reindaal-- is a symmetric cipher with a 128-bit |
| 43 | * block size and variable key-size (128-, 192- and 256-bit). |
| 44 | * <p> |
| 45 | * Rijndael was designed by <a href="mailto:rijmen@esat.kuleuven.ac.be">Vincent |
| 46 | * Rijmen</a> and <a href="mailto:Joan.Daemen@village.uunet.be">Joan Daemen</a>. |
| 47 | */ |
| 48 | final class AESCrypt extends SymmetricCipher implements AESConstants |
| 49 | { |
| 50 | private boolean ROUNDS_12 = false; |
| 51 | private boolean ROUNDS_14 = false; |
| 52 | |
| 53 | /** Session and Sub keys */ |
| 54 | private Object[] sessionK = null; |
| 55 | private int[] K = null; |
| 56 | |
| 57 | /** (ROUNDS-1) * 4 */ |
| 58 | private int limit = 0; |
| 59 | |
| 60 | AESCrypt() { |
| 61 | // empty |
| 62 | } |
| 63 | |
| 64 | /** |
| 65 | * Returns this cipher's block size. |
| 66 | * |
| 67 | * @return this cipher's block size |
| 68 | */ |
| 69 | int getBlockSize() { |
| 70 | return AES_BLOCK_SIZE; |
| 71 | } |
| 72 | |
| 73 | void init(boolean decrypting, String algorithm, byte[] key) |
| 74 | throws InvalidKeyException { |
| 75 | if (!algorithm.equalsIgnoreCase("AES") |
| 76 | && !algorithm.equalsIgnoreCase("Rijndael")) { |
| 77 | throw new InvalidKeyException |
| 78 | ("Wrong algorithm: AES or Rijndael required"); |
| 79 | } |
| 80 | if (!isKeySizeValid(key.length)) { |
| 81 | throw new InvalidKeyException("Invalid AES key length: " + |
| 82 | key.length + " bytes"); |
| 83 | } |
| 84 | |
| 85 | // generate session key and reset sub key. |
| 86 | sessionK = makeKey(key); |
| 87 | setSubKey(decrypting); |
| 88 | } |
| 89 | |
| 90 | private void setSubKey(boolean decrypting) { |
| 91 | int[][] Kd = (int[][]) sessionK[decrypting ? 1 : 0]; |
| 92 | int rounds = Kd.length; |
| 93 | this.K = new int[rounds*4]; |
| 94 | for(int i=0; i<rounds; i++) { |
| 95 | for(int j=0; j<4; j++) { |
| 96 | K[i*4 + j] = Kd[i][j]; |
| 97 | } |
| 98 | } |
| 99 | |
| 100 | if (decrypting) { |
| 101 | int j0 = K[K.length-4]; |
| 102 | int j1 = K[K.length-3]; |
| 103 | int j2 = K[K.length-2]; |
| 104 | int j3 = K[K.length-1]; |
| 105 | |
| 106 | for (int i=this.K.length-1; i>3; i--) { |
| 107 | this.K[i] = this.K[i-4]; |
| 108 | } |
| 109 | K[0] = j0; |
| 110 | K[1] = j1; |
| 111 | K[2] = j2; |
| 112 | K[3] = j3; |
| 113 | } |
| 114 | |
| 115 | ROUNDS_12 = (rounds>=13); |
| 116 | ROUNDS_14 = (rounds==15); |
| 117 | |
| 118 | rounds--; |
| 119 | limit=rounds*4; |
| 120 | } |
| 121 | |
| 122 | private static int[] |
| 123 | alog = new int[256], |
| 124 | log = new int[256]; |
| 125 | |
| 126 | private static final byte[] |
| 127 | S = new byte[256], |
| 128 | Si = new byte[256]; |
| 129 | |
| 130 | private static final int[] |
| 131 | T1 = new int[256], |
| 132 | T2 = new int[256], |
| 133 | T3 = new int[256], |
| 134 | T4 = new int[256], |
| 135 | T5 = new int[256], |
| 136 | T6 = new int[256], |
| 137 | T7 = new int[256], |
| 138 | T8 = new int[256]; |
| 139 | |
| 140 | private static final int[] |
| 141 | U1 = new int[256], |
| 142 | U2 = new int[256], |
| 143 | U3 = new int[256], |
| 144 | U4 = new int[256]; |
| 145 | |
| 146 | private static final byte[] rcon = new byte[30]; |
| 147 | |
| 148 | |
| 149 | // Static code - to intialise S-boxes and T-boxes |
| 150 | static |
| 151 | { |
| 152 | int ROOT = 0x11B; |
| 153 | int i, j = 0; |
| 154 | |
| 155 | // |
| 156 | // produce log and alog tables, needed for multiplying in the |
| 157 | // field GF(2^m) (generator = 3) |
| 158 | // |
| 159 | alog[0] = 1; |
| 160 | for (i = 1; i < 256; i++) |
| 161 | { |
| 162 | j = (alog[i-1] << 1) ^ alog[i-1]; |
| 163 | if ((j & 0x100) != 0) { |
| 164 | j ^= ROOT; |
| 165 | } |
| 166 | alog[i] = j; |
| 167 | } |
| 168 | for (i = 1; i < 255; i++) { |
| 169 | log[alog[i]] = i; |
| 170 | } |
| 171 | byte[][] A = new byte[][] |
| 172 | { |
| 173 | {1, 1, 1, 1, 1, 0, 0, 0}, |
| 174 | {0, 1, 1, 1, 1, 1, 0, 0}, |
| 175 | {0, 0, 1, 1, 1, 1, 1, 0}, |
| 176 | {0, 0, 0, 1, 1, 1, 1, 1}, |
| 177 | {1, 0, 0, 0, 1, 1, 1, 1}, |
| 178 | {1, 1, 0, 0, 0, 1, 1, 1}, |
| 179 | {1, 1, 1, 0, 0, 0, 1, 1}, |
| 180 | {1, 1, 1, 1, 0, 0, 0, 1} |
| 181 | }; |
| 182 | byte[] B = new byte[] { 0, 1, 1, 0, 0, 0, 1, 1}; |
| 183 | |
| 184 | // |
| 185 | // substitution box based on F^{-1}(x) |
| 186 | // |
| 187 | int t; |
| 188 | byte[][] box = new byte[256][8]; |
| 189 | box[1][7] = 1; |
| 190 | for (i = 2; i < 256; i++) { |
| 191 | j = alog[255 - log[i]]; |
| 192 | for (t = 0; t < 8; t++) { |
| 193 | box[i][t] = (byte)((j >>> (7 - t)) & 0x01); |
| 194 | } |
| 195 | } |
| 196 | // |
| 197 | // affine transform: box[i] <- B + A*box[i] |
| 198 | // |
| 199 | byte[][] cox = new byte[256][8]; |
| 200 | for (i = 0; i < 256; i++) { |
| 201 | for (t = 0; t < 8; t++) { |
| 202 | cox[i][t] = B[t]; |
| 203 | for (j = 0; j < 8; j++) { |
| 204 | cox[i][t] ^= A[t][j] * box[i][j]; |
| 205 | } |
| 206 | } |
| 207 | } |
| 208 | // |
| 209 | // S-boxes and inverse S-boxes |
| 210 | // |
| 211 | for (i = 0; i < 256; i++) { |
| 212 | S[i] = (byte)(cox[i][0] << 7); |
| 213 | for (t = 1; t < 8; t++) { |
| 214 | S[i] ^= cox[i][t] << (7-t); |
| 215 | } |
| 216 | Si[S[i] & 0xFF] = (byte) i; |
| 217 | } |
| 218 | // |
| 219 | // T-boxes |
| 220 | // |
| 221 | byte[][] G = new byte[][] { |
| 222 | {2, 1, 1, 3}, |
| 223 | {3, 2, 1, 1}, |
| 224 | {1, 3, 2, 1}, |
| 225 | {1, 1, 3, 2} |
| 226 | }; |
| 227 | byte[][] AA = new byte[4][8]; |
| 228 | for (i = 0; i < 4; i++) { |
| 229 | for (j = 0; j < 4; j++) AA[i][j] = G[i][j]; |
| 230 | AA[i][i+4] = 1; |
| 231 | } |
| 232 | byte pivot, tmp; |
| 233 | byte[][] iG = new byte[4][4]; |
| 234 | for (i = 0; i < 4; i++) { |
| 235 | pivot = AA[i][i]; |
| 236 | if (pivot == 0) { |
| 237 | t = i + 1; |
| 238 | while ((AA[t][i] == 0) && (t < 4)) { |
| 239 | t++; |
| 240 | } |
| 241 | if (t == 4) { |
| 242 | throw new RuntimeException("G matrix is not invertible"); |
| 243 | } |
| 244 | else { |
| 245 | for (j = 0; j < 8; j++) { |
| 246 | tmp = AA[i][j]; |
| 247 | AA[i][j] = AA[t][j]; |
| 248 | AA[t][j] = (byte) tmp; |
| 249 | } |
| 250 | pivot = AA[i][i]; |
| 251 | } |
| 252 | } |
| 253 | for (j = 0; j < 8; j++) { |
| 254 | if (AA[i][j] != 0) { |
| 255 | AA[i][j] = (byte) |
| 256 | alog[(255 + log[AA[i][j] & 0xFF] - log[pivot & 0xFF]) % 255]; |
| 257 | } |
| 258 | } |
| 259 | for (t = 0; t < 4; t++) { |
| 260 | if (i != t) { |
| 261 | for (j = i+1; j < 8; j++) { |
| 262 | AA[t][j] ^= mul(AA[i][j], AA[t][i]); |
| 263 | } |
| 264 | AA[t][i] = 0; |
| 265 | } |
| 266 | } |
| 267 | } |
| 268 | for (i = 0; i < 4; i++) { |
| 269 | for (j = 0; j < 4; j++) { |
| 270 | iG[i][j] = AA[i][j + 4]; |
| 271 | } |
| 272 | } |
| 273 | |
| 274 | int s; |
| 275 | for (t = 0; t < 256; t++) { |
| 276 | s = S[t]; |
| 277 | T1[t] = mul4(s, G[0]); |
| 278 | T2[t] = mul4(s, G[1]); |
| 279 | T3[t] = mul4(s, G[2]); |
| 280 | T4[t] = mul4(s, G[3]); |
| 281 | |
| 282 | s = Si[t]; |
| 283 | T5[t] = mul4(s, iG[0]); |
| 284 | T6[t] = mul4(s, iG[1]); |
| 285 | T7[t] = mul4(s, iG[2]); |
| 286 | T8[t] = mul4(s, iG[3]); |
| 287 | |
| 288 | U1[t] = mul4(t, iG[0]); |
| 289 | U2[t] = mul4(t, iG[1]); |
| 290 | U3[t] = mul4(t, iG[2]); |
| 291 | U4[t] = mul4(t, iG[3]); |
| 292 | } |
| 293 | // |
| 294 | // round constants |
| 295 | // |
| 296 | rcon[0] = 1; |
| 297 | int r = 1; |
| 298 | for (t = 1; t < 30; t++) { |
| 299 | r = mul(2, r); |
| 300 | rcon[t] = (byte) r; |
| 301 | } |
| 302 | log = null; |
| 303 | alog = null; |
| 304 | } |
| 305 | |
| 306 | // multiply two elements of GF(2^m) |
| 307 | private static final int mul (int a, int b) { |
| 308 | return (a != 0 && b != 0) ? |
| 309 | alog[(log[a & 0xFF] + log[b & 0xFF]) % 255] : |
| 310 | 0; |
| 311 | } |
| 312 | |
| 313 | // convenience method used in generating Transposition boxes |
| 314 | private static final int mul4 (int a, byte[] b) { |
| 315 | if (a == 0) return 0; |
| 316 | a = log[a & 0xFF]; |
| 317 | int a0 = (b[0] != 0) ? alog[(a + log[b[0] & 0xFF]) % 255] & 0xFF : 0; |
| 318 | int a1 = (b[1] != 0) ? alog[(a + log[b[1] & 0xFF]) % 255] & 0xFF : 0; |
| 319 | int a2 = (b[2] != 0) ? alog[(a + log[b[2] & 0xFF]) % 255] & 0xFF : 0; |
| 320 | int a3 = (b[3] != 0) ? alog[(a + log[b[3] & 0xFF]) % 255] & 0xFF : 0; |
| 321 | return a0 << 24 | a1 << 16 | a2 << 8 | a3; |
| 322 | } |
| 323 | |
| 324 | // check if the specified length (in bytes) is a valid keysize for AES |
| 325 | static final boolean isKeySizeValid(int len) { |
| 326 | for (int i = 0; i < AES_KEYSIZES.length; i++) { |
| 327 | if (len == AES_KEYSIZES[i]) { |
| 328 | return true; |
| 329 | } |
| 330 | } |
| 331 | return false; |
| 332 | } |
| 333 | |
| 334 | /** |
| 335 | * Encrypt exactly one block of plaintext. |
| 336 | */ |
| 337 | void encryptBlock(byte[] in, int inOffset, |
| 338 | byte[] out, int outOffset) |
| 339 | { |
| 340 | int keyOffset = 0; |
| 341 | int t0 = ((in[inOffset++] ) << 24 | |
| 342 | (in[inOffset++] & 0xFF) << 16 | |
| 343 | (in[inOffset++] & 0xFF) << 8 | |
| 344 | (in[inOffset++] & 0xFF) ) ^ K[keyOffset++]; |
| 345 | int t1 = ((in[inOffset++] ) << 24 | |
| 346 | (in[inOffset++] & 0xFF) << 16 | |
| 347 | (in[inOffset++] & 0xFF) << 8 | |
| 348 | (in[inOffset++] & 0xFF) ) ^ K[keyOffset++]; |
| 349 | int t2 = ((in[inOffset++] ) << 24 | |
| 350 | (in[inOffset++] & 0xFF) << 16 | |
| 351 | (in[inOffset++] & 0xFF) << 8 | |
| 352 | (in[inOffset++] & 0xFF) ) ^ K[keyOffset++]; |
| 353 | int t3 = ((in[inOffset++] ) << 24 | |
| 354 | (in[inOffset++] & 0xFF) << 16 | |
| 355 | (in[inOffset++] & 0xFF) << 8 | |
| 356 | (in[inOffset++] & 0xFF) ) ^ K[keyOffset++]; |
| 357 | |
| 358 | // apply round transforms |
| 359 | while( keyOffset < limit ) |
| 360 | { |
| 361 | int a0, a1, a2; |
| 362 | a0 = T1[(t0 >>> 24) ] ^ |
| 363 | T2[(t1 >>> 16) & 0xFF] ^ |
| 364 | T3[(t2 >>> 8) & 0xFF] ^ |
| 365 | T4[(t3 ) & 0xFF] ^ K[keyOffset++]; |
| 366 | a1 = T1[(t1 >>> 24) ] ^ |
| 367 | T2[(t2 >>> 16) & 0xFF] ^ |
| 368 | T3[(t3 >>> 8) & 0xFF] ^ |
| 369 | T4[(t0 ) & 0xFF] ^ K[keyOffset++]; |
| 370 | a2 = T1[(t2 >>> 24) ] ^ |
| 371 | T2[(t3 >>> 16) & 0xFF] ^ |
| 372 | T3[(t0 >>> 8) & 0xFF] ^ |
| 373 | T4[(t1 ) & 0xFF] ^ K[keyOffset++]; |
| 374 | t3 = T1[(t3 >>> 24) ] ^ |
| 375 | T2[(t0 >>> 16) & 0xFF] ^ |
| 376 | T3[(t1 >>> 8) & 0xFF] ^ |
| 377 | T4[(t2 ) & 0xFF] ^ K[keyOffset++]; |
| 378 | t0 = a0; t1 = a1; t2 = a2; |
| 379 | } |
| 380 | |
| 381 | // last round is special |
| 382 | int tt = K[keyOffset++]; |
| 383 | out[outOffset++] = (byte)(S[(t0 >>> 24) ] ^ (tt >>> 24)); |
| 384 | out[outOffset++] = (byte)(S[(t1 >>> 16) & 0xFF] ^ (tt >>> 16)); |
| 385 | out[outOffset++] = (byte)(S[(t2 >>> 8) & 0xFF] ^ (tt >>> 8)); |
| 386 | out[outOffset++] = (byte)(S[(t3 ) & 0xFF] ^ (tt )); |
| 387 | tt = K[keyOffset++]; |
| 388 | out[outOffset++] = (byte)(S[(t1 >>> 24) ] ^ (tt >>> 24)); |
| 389 | out[outOffset++] = (byte)(S[(t2 >>> 16) & 0xFF] ^ (tt >>> 16)); |
| 390 | out[outOffset++] = (byte)(S[(t3 >>> 8) & 0xFF] ^ (tt >>> 8)); |
| 391 | out[outOffset++] = (byte)(S[(t0 ) & 0xFF] ^ (tt )); |
| 392 | tt = K[keyOffset++]; |
| 393 | out[outOffset++] = (byte)(S[(t2 >>> 24) ] ^ (tt >>> 24)); |
| 394 | out[outOffset++] = (byte)(S[(t3 >>> 16) & 0xFF] ^ (tt >>> 16)); |
| 395 | out[outOffset++] = (byte)(S[(t0 >>> 8) & 0xFF] ^ (tt >>> 8)); |
| 396 | out[outOffset++] = (byte)(S[(t1 ) & 0xFF] ^ (tt )); |
| 397 | tt = K[keyOffset++]; |
| 398 | out[outOffset++] = (byte)(S[(t3 >>> 24) ] ^ (tt >>> 24)); |
| 399 | out[outOffset++] = (byte)(S[(t0 >>> 16) & 0xFF] ^ (tt >>> 16)); |
| 400 | out[outOffset++] = (byte)(S[(t1 >>> 8) & 0xFF] ^ (tt >>> 8)); |
| 401 | out[outOffset ] = (byte)(S[(t2 ) & 0xFF] ^ (tt )); |
| 402 | } |
| 403 | |
| 404 | |
| 405 | /** |
| 406 | * Decrypt exactly one block of plaintext. |
| 407 | */ |
| 408 | void decryptBlock(byte[] in, int inOffset, |
| 409 | byte[] out, int outOffset) |
| 410 | { |
| 411 | int keyOffset = 4; |
| 412 | int t0 = ((in[inOffset++] ) << 24 | |
| 413 | (in[inOffset++] & 0xFF) << 16 | |
| 414 | (in[inOffset++] & 0xFF) << 8 | |
| 415 | (in[inOffset++] & 0xFF) ) ^ K[keyOffset++]; |
| 416 | int t1 = ((in[inOffset++] ) << 24 | |
| 417 | (in[inOffset++] & 0xFF) << 16 | |
| 418 | (in[inOffset++] & 0xFF) << 8 | |
| 419 | (in[inOffset++] & 0xFF) ) ^ K[keyOffset++]; |
| 420 | int t2 = ((in[inOffset++] ) << 24 | |
| 421 | (in[inOffset++] & 0xFF) << 16 | |
| 422 | (in[inOffset++] & 0xFF) << 8 | |
| 423 | (in[inOffset++] & 0xFF) ) ^ K[keyOffset++]; |
| 424 | int t3 = ((in[inOffset++] ) << 24 | |
| 425 | (in[inOffset++] & 0xFF) << 16 | |
| 426 | (in[inOffset++] & 0xFF) << 8 | |
| 427 | (in[inOffset ] & 0xFF) ) ^ K[keyOffset++]; |
| 428 | |
| 429 | int a0, a1, a2; |
| 430 | if(ROUNDS_12) |
| 431 | { |
| 432 | a0 = T5[(t0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^ |
| 433 | T7[(t2>>> 8)&0xFF] ^ T8[(t1 )&0xFF] ^ K[keyOffset++]; |
| 434 | a1 = T5[(t1>>>24) ] ^ T6[(t0>>>16)&0xFF] ^ |
| 435 | T7[(t3>>> 8)&0xFF] ^ T8[(t2 )&0xFF] ^ K[keyOffset++]; |
| 436 | a2 = T5[(t2>>>24) ] ^ T6[(t1>>>16)&0xFF] ^ |
| 437 | T7[(t0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++]; |
| 438 | t3 = T5[(t3>>>24) ] ^ T6[(t2>>>16)&0xFF] ^ |
| 439 | T7[(t1>>> 8)&0xFF] ^ T8[(t0 )&0xFF] ^ K[keyOffset++]; |
| 440 | t0 = T5[(a0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^ |
| 441 | T7[(a2>>> 8)&0xFF] ^ T8[(a1 )&0xFF] ^ K[keyOffset++]; |
| 442 | t1 = T5[(a1>>>24) ] ^ T6[(a0>>>16)&0xFF] ^ |
| 443 | T7[(t3>>> 8)&0xFF] ^ T8[(a2 )&0xFF] ^ K[keyOffset++]; |
| 444 | t2 = T5[(a2>>>24) ] ^ T6[(a1>>>16)&0xFF] ^ |
| 445 | T7[(a0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++]; |
| 446 | t3 = T5[(t3>>>24) ] ^ T6[(a2>>>16)&0xFF] ^ |
| 447 | T7[(a1>>> 8)&0xFF] ^ T8[(a0 )&0xFF] ^ K[keyOffset++]; |
| 448 | |
| 449 | if(ROUNDS_14) |
| 450 | { |
| 451 | a0 = T5[(t0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^ |
| 452 | T7[(t2>>> 8)&0xFF] ^ T8[(t1 )&0xFF] ^ K[keyOffset++]; |
| 453 | a1 = T5[(t1>>>24) ] ^ T6[(t0>>>16)&0xFF] ^ |
| 454 | T7[(t3>>> 8)&0xFF] ^ T8[(t2 )&0xFF] ^ K[keyOffset++]; |
| 455 | a2 = T5[(t2>>>24) ] ^ T6[(t1>>>16)&0xFF] ^ |
| 456 | T7[(t0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++]; |
| 457 | t3 = T5[(t3>>>24) ] ^ T6[(t2>>>16)&0xFF] ^ |
| 458 | T7[(t1>>> 8)&0xFF] ^ T8[(t0 )&0xFF] ^ K[keyOffset++]; |
| 459 | t0 = T5[(a0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^ |
| 460 | T7[(a2>>> 8)&0xFF] ^ T8[(a1 )&0xFF] ^ K[keyOffset++]; |
| 461 | t1 = T5[(a1>>>24) ] ^ T6[(a0>>>16)&0xFF] ^ |
| 462 | T7[(t3>>> 8)&0xFF] ^ T8[(a2 )&0xFF] ^ K[keyOffset++]; |
| 463 | t2 = T5[(a2>>>24) ] ^ T6[(a1>>>16)&0xFF] ^ |
| 464 | T7[(a0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++]; |
| 465 | t3 = T5[(t3>>>24) ] ^ T6[(a2>>>16)&0xFF] ^ |
| 466 | T7[(a1>>> 8)&0xFF] ^ T8[(a0 )&0xFF] ^ K[keyOffset++]; |
| 467 | } |
| 468 | } |
| 469 | a0 = T5[(t0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^ |
| 470 | T7[(t2>>> 8)&0xFF] ^ T8[(t1 )&0xFF] ^ K[keyOffset++]; |
| 471 | a1 = T5[(t1>>>24) ] ^ T6[(t0>>>16)&0xFF] ^ |
| 472 | T7[(t3>>> 8)&0xFF] ^ T8[(t2 )&0xFF] ^ K[keyOffset++]; |
| 473 | a2 = T5[(t2>>>24) ] ^ T6[(t1>>>16)&0xFF] ^ |
| 474 | T7[(t0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++]; |
| 475 | t3 = T5[(t3>>>24) ] ^ T6[(t2>>>16)&0xFF] ^ |
| 476 | T7[(t1>>> 8)&0xFF] ^ T8[(t0 )&0xFF] ^ K[keyOffset++]; |
| 477 | t0 = T5[(a0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^ |
| 478 | T7[(a2>>> 8)&0xFF] ^ T8[(a1 )&0xFF] ^ K[keyOffset++]; |
| 479 | t1 = T5[(a1>>>24) ] ^ T6[(a0>>>16)&0xFF] ^ |
| 480 | T7[(t3>>> 8)&0xFF] ^ T8[(a2 )&0xFF] ^ K[keyOffset++]; |
| 481 | t2 = T5[(a2>>>24) ] ^ T6[(a1>>>16)&0xFF] ^ |
| 482 | T7[(a0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++]; |
| 483 | t3 = T5[(t3>>>24) ] ^ T6[(a2>>>16)&0xFF] ^ |
| 484 | T7[(a1>>> 8)&0xFF] ^ T8[(a0 )&0xFF] ^ K[keyOffset++]; |
| 485 | a0 = T5[(t0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^ |
| 486 | T7[(t2>>> 8)&0xFF] ^ T8[(t1 )&0xFF] ^ K[keyOffset++]; |
| 487 | a1 = T5[(t1>>>24) ] ^ T6[(t0>>>16)&0xFF] ^ |
| 488 | T7[(t3>>> 8)&0xFF] ^ T8[(t2 )&0xFF] ^ K[keyOffset++]; |
| 489 | a2 = T5[(t2>>>24) ] ^ T6[(t1>>>16)&0xFF] ^ |
| 490 | T7[(t0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++]; |
| 491 | t3 = T5[(t3>>>24) ] ^ T6[(t2>>>16)&0xFF] ^ |
| 492 | T7[(t1>>> 8)&0xFF] ^ T8[(t0 )&0xFF] ^ K[keyOffset++]; |
| 493 | t0 = T5[(a0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^ |
| 494 | T7[(a2>>> 8)&0xFF] ^ T8[(a1 )&0xFF] ^ K[keyOffset++]; |
| 495 | t1 = T5[(a1>>>24) ] ^ T6[(a0>>>16)&0xFF] ^ |
| 496 | T7[(t3>>> 8)&0xFF] ^ T8[(a2 )&0xFF] ^ K[keyOffset++]; |
| 497 | t2 = T5[(a2>>>24) ] ^ T6[(a1>>>16)&0xFF] ^ |
| 498 | T7[(a0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++]; |
| 499 | t3 = T5[(t3>>>24) ] ^ T6[(a2>>>16)&0xFF] ^ |
| 500 | T7[(a1>>> 8)&0xFF] ^ T8[(a0 )&0xFF] ^ K[keyOffset++]; |
| 501 | a0 = T5[(t0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^ |
| 502 | T7[(t2>>> 8)&0xFF] ^ T8[(t1 )&0xFF] ^ K[keyOffset++]; |
| 503 | a1 = T5[(t1>>>24) ] ^ T6[(t0>>>16)&0xFF] ^ |
| 504 | T7[(t3>>> 8)&0xFF] ^ T8[(t2 )&0xFF] ^ K[keyOffset++]; |
| 505 | a2 = T5[(t2>>>24) ] ^ T6[(t1>>>16)&0xFF] ^ |
| 506 | T7[(t0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++]; |
| 507 | t3 = T5[(t3>>>24) ] ^ T6[(t2>>>16)&0xFF] ^ |
| 508 | T7[(t1>>> 8)&0xFF] ^ T8[(t0 )&0xFF] ^ K[keyOffset++]; |
| 509 | t0 = T5[(a0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^ |
| 510 | T7[(a2>>> 8)&0xFF] ^ T8[(a1 )&0xFF] ^ K[keyOffset++]; |
| 511 | t1 = T5[(a1>>>24) ] ^ T6[(a0>>>16)&0xFF] ^ |
| 512 | T7[(t3>>> 8)&0xFF] ^ T8[(a2 )&0xFF] ^ K[keyOffset++]; |
| 513 | t2 = T5[(a2>>>24) ] ^ T6[(a1>>>16)&0xFF] ^ |
| 514 | T7[(a0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++]; |
| 515 | t3 = T5[(t3>>>24) ] ^ T6[(a2>>>16)&0xFF] ^ |
| 516 | T7[(a1>>> 8)&0xFF] ^ T8[(a0 )&0xFF] ^ K[keyOffset++]; |
| 517 | a0 = T5[(t0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^ |
| 518 | T7[(t2>>> 8)&0xFF] ^ T8[(t1 )&0xFF] ^ K[keyOffset++]; |
| 519 | a1 = T5[(t1>>>24) ] ^ T6[(t0>>>16)&0xFF] ^ |
| 520 | T7[(t3>>> 8)&0xFF] ^ T8[(t2 )&0xFF] ^ K[keyOffset++]; |
| 521 | a2 = T5[(t2>>>24) ] ^ T6[(t1>>>16)&0xFF] ^ |
| 522 | T7[(t0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++]; |
| 523 | t3 = T5[(t3>>>24) ] ^ T6[(t2>>>16)&0xFF] ^ |
| 524 | T7[(t1>>> 8)&0xFF] ^ T8[(t0 )&0xFF] ^ K[keyOffset++]; |
| 525 | t0 = T5[(a0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^ |
| 526 | T7[(a2>>> 8)&0xFF] ^ T8[(a1 )&0xFF] ^ K[keyOffset++]; |
| 527 | t1 = T5[(a1>>>24) ] ^ T6[(a0>>>16)&0xFF] ^ |
| 528 | T7[(t3>>> 8)&0xFF] ^ T8[(a2 )&0xFF] ^ K[keyOffset++]; |
| 529 | t2 = T5[(a2>>>24) ] ^ T6[(a1>>>16)&0xFF] ^ |
| 530 | T7[(a0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++]; |
| 531 | t3 = T5[(t3>>>24) ] ^ T6[(a2>>>16)&0xFF] ^ |
| 532 | T7[(a1>>> 8)&0xFF] ^ T8[(a0 )&0xFF] ^ K[keyOffset++]; |
| 533 | a0 = T5[(t0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^ |
| 534 | T7[(t2>>> 8)&0xFF] ^ T8[(t1 )&0xFF] ^ K[keyOffset++]; |
| 535 | a1 = T5[(t1>>>24) ] ^ T6[(t0>>>16)&0xFF] ^ |
| 536 | T7[(t3>>> 8)&0xFF] ^ T8[(t2 )&0xFF] ^ K[keyOffset++]; |
| 537 | a2 = T5[(t2>>>24) ] ^ T6[(t1>>>16)&0xFF] ^ |
| 538 | T7[(t0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++]; |
| 539 | t3 = T5[(t3>>>24) ] ^ T6[(t2>>>16)&0xFF] ^ |
| 540 | T7[(t1>>> 8)&0xFF] ^ T8[(t0 )&0xFF] ^ K[keyOffset++]; |
| 541 | |
| 542 | t1 = K[0]; |
| 543 | out[outOffset++] = (byte)(Si[(a0 >>> 24) ] ^ (t1 >>> 24)); |
| 544 | out[outOffset++] = (byte)(Si[(t3 >>> 16) & 0xFF] ^ (t1 >>> 16)); |
| 545 | out[outOffset++] = (byte)(Si[(a2 >>> 8) & 0xFF] ^ (t1 >>> 8)); |
| 546 | out[outOffset++] = (byte)(Si[(a1 ) & 0xFF] ^ (t1 )); |
| 547 | t1 = K[1]; |
| 548 | out[outOffset++] = (byte)(Si[(a1 >>> 24) ] ^ (t1 >>> 24)); |
| 549 | out[outOffset++] = (byte)(Si[(a0 >>> 16) & 0xFF] ^ (t1 >>> 16)); |
| 550 | out[outOffset++] = (byte)(Si[(t3 >>> 8) & 0xFF] ^ (t1 >>> 8)); |
| 551 | out[outOffset++] = (byte)(Si[(a2 ) & 0xFF] ^ (t1 )); |
| 552 | t1 = K[2]; |
| 553 | out[outOffset++] = (byte)(Si[(a2 >>> 24) ] ^ (t1 >>> 24)); |
| 554 | out[outOffset++] = (byte)(Si[(a1 >>> 16) & 0xFF] ^ (t1 >>> 16)); |
| 555 | out[outOffset++] = (byte)(Si[(a0 >>> 8) & 0xFF] ^ (t1 >>> 8)); |
| 556 | out[outOffset++] = (byte)(Si[(t3 ) & 0xFF] ^ (t1 )); |
| 557 | t1 = K[3]; |
| 558 | out[outOffset++] = (byte)(Si[(t3 >>> 24) ] ^ (t1 >>> 24)); |
| 559 | out[outOffset++] = (byte)(Si[(a2 >>> 16) & 0xFF] ^ (t1 >>> 16)); |
| 560 | out[outOffset++] = (byte)(Si[(a1 >>> 8) & 0xFF] ^ (t1 >>> 8)); |
| 561 | out[outOffset ] = (byte)(Si[(a0 ) & 0xFF] ^ (t1 )); |
| 562 | } |
| 563 | |
| 564 | |
| 565 | /** |
| 566 | * Expand a user-supplied key material into a session key. |
| 567 | * |
| 568 | * @param key The 128/192/256-bit user-key to use. |
| 569 | * @exception InvalidKeyException If the key is invalid. |
| 570 | */ |
| 571 | private static Object[] makeKey(byte[] k) throws InvalidKeyException { |
| 572 | if (k == null) { |
| 573 | throw new InvalidKeyException("Empty key"); |
| 574 | } |
| 575 | if (!isKeySizeValid(k.length)) { |
| 576 | throw new InvalidKeyException("Invalid AES key length: " + |
| 577 | k.length + " bytes"); |
| 578 | } |
| 579 | int ROUNDS = getRounds(k.length); |
| 580 | int ROUND_KEY_COUNT = (ROUNDS + 1) * 4; |
| 581 | |
| 582 | int BC = 4; |
| 583 | int[][] Ke = new int[ROUNDS + 1][4]; // encryption round keys |
| 584 | int[][] Kd = new int[ROUNDS + 1][4]; // decryption round keys |
| 585 | |
| 586 | int KC = k.length/4; // keylen in 32-bit elements |
| 587 | |
| 588 | int[] tk = new int[KC]; |
| 589 | int i, j; |
| 590 | |
| 591 | // copy user material bytes into temporary ints |
| 592 | for (i = 0, j = 0; i < KC; i++, j+=4) { |
| 593 | tk[i] = (k[j] ) << 24 | |
| 594 | (k[j+1] & 0xFF) << 16 | |
| 595 | (k[j+2] & 0xFF) << 8 | |
| 596 | (k[j+3] & 0xFF); |
| 597 | } |
| 598 | |
| 599 | // copy values into round key arrays |
| 600 | int t = 0; |
| 601 | for (j = 0; (j < KC) && (t < ROUND_KEY_COUNT); j++, t++) { |
| 602 | Ke[t / 4][t % 4] = tk[j]; |
| 603 | Kd[ROUNDS - (t / 4)][t % 4] = tk[j]; |
| 604 | } |
| 605 | int tt, rconpointer = 0; |
| 606 | while (t < ROUND_KEY_COUNT) { |
| 607 | // extrapolate using phi (the round key evolution function) |
| 608 | tt = tk[KC - 1]; |
| 609 | tk[0] ^= (S[(tt >>> 16) & 0xFF] ) << 24 ^ |
| 610 | (S[(tt >>> 8) & 0xFF] & 0xFF) << 16 ^ |
| 611 | (S[(tt ) & 0xFF] & 0xFF) << 8 ^ |
| 612 | (S[(tt >>> 24) ] & 0xFF) ^ |
| 613 | (rcon[rconpointer++] ) << 24; |
| 614 | if (KC != 8) |
| 615 | for (i = 1, j = 0; i < KC; i++, j++) tk[i] ^= tk[j]; |
| 616 | else { |
| 617 | for (i = 1, j = 0; i < KC / 2; i++, j++) tk[i] ^= tk[j]; |
| 618 | tt = tk[KC / 2 - 1]; |
| 619 | tk[KC / 2] ^= (S[(tt ) & 0xFF] & 0xFF) ^ |
| 620 | (S[(tt >>> 8) & 0xFF] & 0xFF) << 8 ^ |
| 621 | (S[(tt >>> 16) & 0xFF] & 0xFF) << 16 ^ |
| 622 | (S[(tt >>> 24) ] ) << 24; |
| 623 | for (j = KC / 2, i = j + 1; i < KC; i++, j++) tk[i] ^= tk[j]; |
| 624 | } |
| 625 | // copy values into round key arrays |
| 626 | for (j = 0; (j < KC) && (t < ROUND_KEY_COUNT); j++, t++) { |
| 627 | Ke[t / 4][t % 4] = tk[j]; |
| 628 | Kd[ROUNDS - (t / 4)][t % 4] = tk[j]; |
| 629 | } |
| 630 | } |
| 631 | for (int r = 1; r < ROUNDS; r++) { |
| 632 | // inverse MixColumn where needed |
| 633 | for (j = 0; j < BC; j++) { |
| 634 | tt = Kd[r][j]; |
| 635 | Kd[r][j] = U1[(tt >>> 24) & 0xFF] ^ |
| 636 | U2[(tt >>> 16) & 0xFF] ^ |
| 637 | U3[(tt >>> 8) & 0xFF] ^ |
| 638 | U4[ tt & 0xFF]; |
| 639 | } |
| 640 | } |
| 641 | // assemble the encryption (Ke) and decryption (Kd) round keys into |
| 642 | // one sessionKey object |
| 643 | Object[] result = new Object[] {Ke, Kd}; |
| 644 | return result; |
| 645 | } |
| 646 | |
| 647 | |
| 648 | /** |
| 649 | * Return The number of rounds for a given Rijndael keysize. |
| 650 | * |
| 651 | * @param keySize The size of the user key material in bytes. |
| 652 | * MUST be one of (16, 24, 32). |
| 653 | * @return The number of rounds. |
| 654 | */ |
| 655 | private static int getRounds(int keySize) { |
| 656 | return (keySize >> 2) + 6; |
| 657 | } |
| 658 | } |