Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / libcore / 319a3b994703aac84df7bcde272adfcb3cdbbbf0 / . / jdk / src / share / classes / com / sun / crypto / provider / AESCrypt.java
blob: 94a2d28d583177b0d977ee94d7300f086a0092dd [file] [log] [blame]
J. Duke319a3b92007-12-01 00:00:00 +0000[diff] [blame^]1/*
2 * Copyright 2002-2007 Sun Microsystems, Inc. All Rights Reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Sun designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Sun in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
22 * CA 95054 USA or visit www.sun.com if you need additional information or
23 * have any questions.
24 */
25
26/* $Id: Rijndael.java,v 1.6 2000/02/10 01:31:41 gelderen Exp $
27 *
28 * Copyright (C) 1995-2000 The Cryptix Foundation Limited.
29 * All rights reserved.
30 *
31 * Use, modification, copying and distribution of this softwareas is subject
32 * the terms and conditions of the Cryptix General Licence. You should have
33 * received a copy of the Cryptix General Licence along with this library;
34 * if not, you can download a copy from http://www.cryptix.org/ .
35 */
36
37package com.sun.crypto.provider;
38
39import java.security.InvalidKeyException;
40
41/**
42 * Rijndael --pronounced Reindaal-- is a symmetric cipher with a 128-bit
43 * block size and variable key-size (128-, 192- and 256-bit).
44 * <p>
45 * Rijndael was designed by <a href="mailto:rijmen@esat.kuleuven.ac.be">Vincent
46 * Rijmen</a> and <a href="mailto:Joan.Daemen@village.uunet.be">Joan Daemen</a>.
47 */
48final class AESCrypt extends SymmetricCipher implements AESConstants
49{
50 private boolean ROUNDS_12 = false;
51 private boolean ROUNDS_14 = false;
52
53 /** Session and Sub keys */
54 private Object[] sessionK = null;
55 private int[] K = null;
56
57 /** (ROUNDS-1) * 4 */
58 private int limit = 0;
59
60 AESCrypt() {
61 // empty
62 }
63
64 /**
65 * Returns this cipher's block size.
66 *
67 * @return this cipher's block size
68 */
69 int getBlockSize() {
70 return AES_BLOCK_SIZE;
71 }
72
73 void init(boolean decrypting, String algorithm, byte[] key)
74 throws InvalidKeyException {
75 if (!algorithm.equalsIgnoreCase("AES")
76 && !algorithm.equalsIgnoreCase("Rijndael")) {
77 throw new InvalidKeyException
78 ("Wrong algorithm: AES or Rijndael required");
79 }
80 if (!isKeySizeValid(key.length)) {
81 throw new InvalidKeyException("Invalid AES key length: " +
82 key.length + " bytes");
83 }
84
85 // generate session key and reset sub key.
86 sessionK = makeKey(key);
87 setSubKey(decrypting);
88 }
89
90 private void setSubKey(boolean decrypting) {
91 int[][] Kd = (int[][]) sessionK[decrypting ? 1 : 0];
92 int rounds = Kd.length;
93 this.K = new int[rounds*4];
94 for(int i=0; i<rounds; i++) {
95 for(int j=0; j<4; j++) {
96 K[i*4 + j] = Kd[i][j];
97 }
98 }
99
100 if (decrypting) {
101 int j0 = K[K.length-4];
102 int j1 = K[K.length-3];
103 int j2 = K[K.length-2];
104 int j3 = K[K.length-1];
105
106 for (int i=this.K.length-1; i>3; i--) {
107 this.K[i] = this.K[i-4];
108 }
109 K[0] = j0;
110 K[1] = j1;
111 K[2] = j2;
112 K[3] = j3;
113 }
114
115 ROUNDS_12 = (rounds>=13);
116 ROUNDS_14 = (rounds==15);
117
118 rounds--;
119 limit=rounds*4;
120 }
121
122 private static int[]
123 alog = new int[256],
124 log = new int[256];
125
126 private static final byte[]
127 S = new byte[256],
128 Si = new byte[256];
129
130 private static final int[]
131 T1 = new int[256],
132 T2 = new int[256],
133 T3 = new int[256],
134 T4 = new int[256],
135 T5 = new int[256],
136 T6 = new int[256],
137 T7 = new int[256],
138 T8 = new int[256];
139
140 private static final int[]
141 U1 = new int[256],
142 U2 = new int[256],
143 U3 = new int[256],
144 U4 = new int[256];
145
146 private static final byte[] rcon = new byte[30];
147
148
149 // Static code - to intialise S-boxes and T-boxes
150 static
151 {
152 int ROOT = 0x11B;
153 int i, j = 0;
154
155 //
156 // produce log and alog tables, needed for multiplying in the
157 // field GF(2^m) (generator = 3)
158 //
159 alog[0] = 1;
160 for (i = 1; i < 256; i++)
161 {
162 j = (alog[i-1] << 1) ^ alog[i-1];
163 if ((j & 0x100) != 0) {
164 j ^= ROOT;
165 }
166 alog[i] = j;
167 }
168 for (i = 1; i < 255; i++) {
169 log[alog[i]] = i;
170 }
171 byte[][] A = new byte[][]
172 {
173 {1, 1, 1, 1, 1, 0, 0, 0},
174 {0, 1, 1, 1, 1, 1, 0, 0},
175 {0, 0, 1, 1, 1, 1, 1, 0},
176 {0, 0, 0, 1, 1, 1, 1, 1},
177 {1, 0, 0, 0, 1, 1, 1, 1},
178 {1, 1, 0, 0, 0, 1, 1, 1},
179 {1, 1, 1, 0, 0, 0, 1, 1},
180 {1, 1, 1, 1, 0, 0, 0, 1}
181 };
182 byte[] B = new byte[] { 0, 1, 1, 0, 0, 0, 1, 1};
183
184 //
185 // substitution box based on F^{-1}(x)
186 //
187 int t;
188 byte[][] box = new byte[256][8];
189 box[1][7] = 1;
190 for (i = 2; i < 256; i++) {
191 j = alog[255 - log[i]];
192 for (t = 0; t < 8; t++) {
193 box[i][t] = (byte)((j >>> (7 - t)) & 0x01);
194 }
195 }
196 //
197 // affine transform: box[i] <- B + A*box[i]
198 //
199 byte[][] cox = new byte[256][8];
200 for (i = 0; i < 256; i++) {
201 for (t = 0; t < 8; t++) {
202 cox[i][t] = B[t];
203 for (j = 0; j < 8; j++) {
204 cox[i][t] ^= A[t][j] * box[i][j];
205 }
206 }
207 }
208 //
209 // S-boxes and inverse S-boxes
210 //
211 for (i = 0; i < 256; i++) {
212 S[i] = (byte)(cox[i][0] << 7);
213 for (t = 1; t < 8; t++) {
214 S[i] ^= cox[i][t] << (7-t);
215 }
216 Si[S[i] & 0xFF] = (byte) i;
217 }
218 //
219 // T-boxes
220 //
221 byte[][] G = new byte[][] {
222 {2, 1, 1, 3},
223 {3, 2, 1, 1},
224 {1, 3, 2, 1},
225 {1, 1, 3, 2}
226 };
227 byte[][] AA = new byte[4][8];
228 for (i = 0; i < 4; i++) {
229 for (j = 0; j < 4; j++) AA[i][j] = G[i][j];
230 AA[i][i+4] = 1;
231 }
232 byte pivot, tmp;
233 byte[][] iG = new byte[4][4];
234 for (i = 0; i < 4; i++) {
235 pivot = AA[i][i];
236 if (pivot == 0) {
237 t = i + 1;
238 while ((AA[t][i] == 0) && (t < 4)) {
239 t++;
240 }
241 if (t == 4) {
242 throw new RuntimeException("G matrix is not invertible");
243 }
244 else {
245 for (j = 0; j < 8; j++) {
246 tmp = AA[i][j];
247 AA[i][j] = AA[t][j];
248 AA[t][j] = (byte) tmp;
249 }
250 pivot = AA[i][i];
251 }
252 }
253 for (j = 0; j < 8; j++) {
254 if (AA[i][j] != 0) {
255 AA[i][j] = (byte)
256 alog[(255 + log[AA[i][j] & 0xFF] - log[pivot & 0xFF]) % 255];
257 }
258 }
259 for (t = 0; t < 4; t++) {
260 if (i != t) {
261 for (j = i+1; j < 8; j++) {
262 AA[t][j] ^= mul(AA[i][j], AA[t][i]);
263 }
264 AA[t][i] = 0;
265 }
266 }
267 }
268 for (i = 0; i < 4; i++) {
269 for (j = 0; j < 4; j++) {
270 iG[i][j] = AA[i][j + 4];
271 }
272 }
273
274 int s;
275 for (t = 0; t < 256; t++) {
276 s = S[t];
277 T1[t] = mul4(s, G[0]);
278 T2[t] = mul4(s, G[1]);
279 T3[t] = mul4(s, G[2]);
280 T4[t] = mul4(s, G[3]);
281
282 s = Si[t];
283 T5[t] = mul4(s, iG[0]);
284 T6[t] = mul4(s, iG[1]);
285 T7[t] = mul4(s, iG[2]);
286 T8[t] = mul4(s, iG[3]);
287
288 U1[t] = mul4(t, iG[0]);
289 U2[t] = mul4(t, iG[1]);
290 U3[t] = mul4(t, iG[2]);
291 U4[t] = mul4(t, iG[3]);
292 }
293 //
294 // round constants
295 //
296 rcon[0] = 1;
297 int r = 1;
298 for (t = 1; t < 30; t++) {
299 r = mul(2, r);
300 rcon[t] = (byte) r;
301 }
302 log = null;
303 alog = null;
304 }
305
306 // multiply two elements of GF(2^m)
307 private static final int mul (int a, int b) {
308 return (a != 0 && b != 0) ?
309 alog[(log[a & 0xFF] + log[b & 0xFF]) % 255] :
310 0;
311 }
312
313 // convenience method used in generating Transposition boxes
314 private static final int mul4 (int a, byte[] b) {
315 if (a == 0) return 0;
316 a = log[a & 0xFF];
317 int a0 = (b[0] != 0) ? alog[(a + log[b[0] & 0xFF]) % 255] & 0xFF : 0;
318 int a1 = (b[1] != 0) ? alog[(a + log[b[1] & 0xFF]) % 255] & 0xFF : 0;
319 int a2 = (b[2] != 0) ? alog[(a + log[b[2] & 0xFF]) % 255] & 0xFF : 0;
320 int a3 = (b[3] != 0) ? alog[(a + log[b[3] & 0xFF]) % 255] & 0xFF : 0;
321 return a0 << 24 | a1 << 16 | a2 << 8 | a3;
322 }
323
324 // check if the specified length (in bytes) is a valid keysize for AES
325 static final boolean isKeySizeValid(int len) {
326 for (int i = 0; i < AES_KEYSIZES.length; i++) {
327 if (len == AES_KEYSIZES[i]) {
328 return true;
329 }
330 }
331 return false;
332 }
333
334 /**
335 * Encrypt exactly one block of plaintext.
336 */
337 void encryptBlock(byte[] in, int inOffset,
338 byte[] out, int outOffset)
339 {
340 int keyOffset = 0;
341 int t0 = ((in[inOffset++] ) << 24 |
342 (in[inOffset++] & 0xFF) << 16 |
343 (in[inOffset++] & 0xFF) << 8 |
344 (in[inOffset++] & 0xFF) ) ^ K[keyOffset++];
345 int t1 = ((in[inOffset++] ) << 24 |
346 (in[inOffset++] & 0xFF) << 16 |
347 (in[inOffset++] & 0xFF) << 8 |
348 (in[inOffset++] & 0xFF) ) ^ K[keyOffset++];
349 int t2 = ((in[inOffset++] ) << 24 |
350 (in[inOffset++] & 0xFF) << 16 |
351 (in[inOffset++] & 0xFF) << 8 |
352 (in[inOffset++] & 0xFF) ) ^ K[keyOffset++];
353 int t3 = ((in[inOffset++] ) << 24 |
354 (in[inOffset++] & 0xFF) << 16 |
355 (in[inOffset++] & 0xFF) << 8 |
356 (in[inOffset++] & 0xFF) ) ^ K[keyOffset++];
357
358 // apply round transforms
359 while( keyOffset < limit )
360 {
361 int a0, a1, a2;
362 a0 = T1[(t0 >>> 24) ] ^
363 T2[(t1 >>> 16) & 0xFF] ^
364 T3[(t2 >>> 8) & 0xFF] ^
365 T4[(t3 ) & 0xFF] ^ K[keyOffset++];
366 a1 = T1[(t1 >>> 24) ] ^
367 T2[(t2 >>> 16) & 0xFF] ^
368 T3[(t3 >>> 8) & 0xFF] ^
369 T4[(t0 ) & 0xFF] ^ K[keyOffset++];
370 a2 = T1[(t2 >>> 24) ] ^
371 T2[(t3 >>> 16) & 0xFF] ^
372 T3[(t0 >>> 8) & 0xFF] ^
373 T4[(t1 ) & 0xFF] ^ K[keyOffset++];
374 t3 = T1[(t3 >>> 24) ] ^
375 T2[(t0 >>> 16) & 0xFF] ^
376 T3[(t1 >>> 8) & 0xFF] ^
377 T4[(t2 ) & 0xFF] ^ K[keyOffset++];
378 t0 = a0; t1 = a1; t2 = a2;
379 }
380
381 // last round is special
382 int tt = K[keyOffset++];
383 out[outOffset++] = (byte)(S[(t0 >>> 24) ] ^ (tt >>> 24));
384 out[outOffset++] = (byte)(S[(t1 >>> 16) & 0xFF] ^ (tt >>> 16));
385 out[outOffset++] = (byte)(S[(t2 >>> 8) & 0xFF] ^ (tt >>> 8));
386 out[outOffset++] = (byte)(S[(t3 ) & 0xFF] ^ (tt ));
387 tt = K[keyOffset++];
388 out[outOffset++] = (byte)(S[(t1 >>> 24) ] ^ (tt >>> 24));
389 out[outOffset++] = (byte)(S[(t2 >>> 16) & 0xFF] ^ (tt >>> 16));
390 out[outOffset++] = (byte)(S[(t3 >>> 8) & 0xFF] ^ (tt >>> 8));
391 out[outOffset++] = (byte)(S[(t0 ) & 0xFF] ^ (tt ));
392 tt = K[keyOffset++];
393 out[outOffset++] = (byte)(S[(t2 >>> 24) ] ^ (tt >>> 24));
394 out[outOffset++] = (byte)(S[(t3 >>> 16) & 0xFF] ^ (tt >>> 16));
395 out[outOffset++] = (byte)(S[(t0 >>> 8) & 0xFF] ^ (tt >>> 8));
396 out[outOffset++] = (byte)(S[(t1 ) & 0xFF] ^ (tt ));
397 tt = K[keyOffset++];
398 out[outOffset++] = (byte)(S[(t3 >>> 24) ] ^ (tt >>> 24));
399 out[outOffset++] = (byte)(S[(t0 >>> 16) & 0xFF] ^ (tt >>> 16));
400 out[outOffset++] = (byte)(S[(t1 >>> 8) & 0xFF] ^ (tt >>> 8));
401 out[outOffset ] = (byte)(S[(t2 ) & 0xFF] ^ (tt ));
402 }
403
404
405 /**
406 * Decrypt exactly one block of plaintext.
407 */
408 void decryptBlock(byte[] in, int inOffset,
409 byte[] out, int outOffset)
410 {
411 int keyOffset = 4;
412 int t0 = ((in[inOffset++] ) << 24 |
413 (in[inOffset++] & 0xFF) << 16 |
414 (in[inOffset++] & 0xFF) << 8 |
415 (in[inOffset++] & 0xFF) ) ^ K[keyOffset++];
416 int t1 = ((in[inOffset++] ) << 24 |
417 (in[inOffset++] & 0xFF) << 16 |
418 (in[inOffset++] & 0xFF) << 8 |
419 (in[inOffset++] & 0xFF) ) ^ K[keyOffset++];
420 int t2 = ((in[inOffset++] ) << 24 |
421 (in[inOffset++] & 0xFF) << 16 |
422 (in[inOffset++] & 0xFF) << 8 |
423 (in[inOffset++] & 0xFF) ) ^ K[keyOffset++];
424 int t3 = ((in[inOffset++] ) << 24 |
425 (in[inOffset++] & 0xFF) << 16 |
426 (in[inOffset++] & 0xFF) << 8 |
427 (in[inOffset ] & 0xFF) ) ^ K[keyOffset++];
428
429 int a0, a1, a2;
430 if(ROUNDS_12)
431 {
432 a0 = T5[(t0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^
433 T7[(t2>>> 8)&0xFF] ^ T8[(t1 )&0xFF] ^ K[keyOffset++];
434 a1 = T5[(t1>>>24) ] ^ T6[(t0>>>16)&0xFF] ^
435 T7[(t3>>> 8)&0xFF] ^ T8[(t2 )&0xFF] ^ K[keyOffset++];
436 a2 = T5[(t2>>>24) ] ^ T6[(t1>>>16)&0xFF] ^
437 T7[(t0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++];
438 t3 = T5[(t3>>>24) ] ^ T6[(t2>>>16)&0xFF] ^
439 T7[(t1>>> 8)&0xFF] ^ T8[(t0 )&0xFF] ^ K[keyOffset++];
440 t0 = T5[(a0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^
441 T7[(a2>>> 8)&0xFF] ^ T8[(a1 )&0xFF] ^ K[keyOffset++];
442 t1 = T5[(a1>>>24) ] ^ T6[(a0>>>16)&0xFF] ^
443 T7[(t3>>> 8)&0xFF] ^ T8[(a2 )&0xFF] ^ K[keyOffset++];
444 t2 = T5[(a2>>>24) ] ^ T6[(a1>>>16)&0xFF] ^
445 T7[(a0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++];
446 t3 = T5[(t3>>>24) ] ^ T6[(a2>>>16)&0xFF] ^
447 T7[(a1>>> 8)&0xFF] ^ T8[(a0 )&0xFF] ^ K[keyOffset++];
448
449 if(ROUNDS_14)
450 {
451 a0 = T5[(t0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^
452 T7[(t2>>> 8)&0xFF] ^ T8[(t1 )&0xFF] ^ K[keyOffset++];
453 a1 = T5[(t1>>>24) ] ^ T6[(t0>>>16)&0xFF] ^
454 T7[(t3>>> 8)&0xFF] ^ T8[(t2 )&0xFF] ^ K[keyOffset++];
455 a2 = T5[(t2>>>24) ] ^ T6[(t1>>>16)&0xFF] ^
456 T7[(t0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++];
457 t3 = T5[(t3>>>24) ] ^ T6[(t2>>>16)&0xFF] ^
458 T7[(t1>>> 8)&0xFF] ^ T8[(t0 )&0xFF] ^ K[keyOffset++];
459 t0 = T5[(a0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^
460 T7[(a2>>> 8)&0xFF] ^ T8[(a1 )&0xFF] ^ K[keyOffset++];
461 t1 = T5[(a1>>>24) ] ^ T6[(a0>>>16)&0xFF] ^
462 T7[(t3>>> 8)&0xFF] ^ T8[(a2 )&0xFF] ^ K[keyOffset++];
463 t2 = T5[(a2>>>24) ] ^ T6[(a1>>>16)&0xFF] ^
464 T7[(a0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++];
465 t3 = T5[(t3>>>24) ] ^ T6[(a2>>>16)&0xFF] ^
466 T7[(a1>>> 8)&0xFF] ^ T8[(a0 )&0xFF] ^ K[keyOffset++];
467 }
468 }
469 a0 = T5[(t0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^
470 T7[(t2>>> 8)&0xFF] ^ T8[(t1 )&0xFF] ^ K[keyOffset++];
471 a1 = T5[(t1>>>24) ] ^ T6[(t0>>>16)&0xFF] ^
472 T7[(t3>>> 8)&0xFF] ^ T8[(t2 )&0xFF] ^ K[keyOffset++];
473 a2 = T5[(t2>>>24) ] ^ T6[(t1>>>16)&0xFF] ^
474 T7[(t0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++];
475 t3 = T5[(t3>>>24) ] ^ T6[(t2>>>16)&0xFF] ^
476 T7[(t1>>> 8)&0xFF] ^ T8[(t0 )&0xFF] ^ K[keyOffset++];
477 t0 = T5[(a0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^
478 T7[(a2>>> 8)&0xFF] ^ T8[(a1 )&0xFF] ^ K[keyOffset++];
479 t1 = T5[(a1>>>24) ] ^ T6[(a0>>>16)&0xFF] ^
480 T7[(t3>>> 8)&0xFF] ^ T8[(a2 )&0xFF] ^ K[keyOffset++];
481 t2 = T5[(a2>>>24) ] ^ T6[(a1>>>16)&0xFF] ^
482 T7[(a0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++];
483 t3 = T5[(t3>>>24) ] ^ T6[(a2>>>16)&0xFF] ^
484 T7[(a1>>> 8)&0xFF] ^ T8[(a0 )&0xFF] ^ K[keyOffset++];
485 a0 = T5[(t0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^
486 T7[(t2>>> 8)&0xFF] ^ T8[(t1 )&0xFF] ^ K[keyOffset++];
487 a1 = T5[(t1>>>24) ] ^ T6[(t0>>>16)&0xFF] ^
488 T7[(t3>>> 8)&0xFF] ^ T8[(t2 )&0xFF] ^ K[keyOffset++];
489 a2 = T5[(t2>>>24) ] ^ T6[(t1>>>16)&0xFF] ^
490 T7[(t0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++];
491 t3 = T5[(t3>>>24) ] ^ T6[(t2>>>16)&0xFF] ^
492 T7[(t1>>> 8)&0xFF] ^ T8[(t0 )&0xFF] ^ K[keyOffset++];
493 t0 = T5[(a0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^
494 T7[(a2>>> 8)&0xFF] ^ T8[(a1 )&0xFF] ^ K[keyOffset++];
495 t1 = T5[(a1>>>24) ] ^ T6[(a0>>>16)&0xFF] ^
496 T7[(t3>>> 8)&0xFF] ^ T8[(a2 )&0xFF] ^ K[keyOffset++];
497 t2 = T5[(a2>>>24) ] ^ T6[(a1>>>16)&0xFF] ^
498 T7[(a0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++];
499 t3 = T5[(t3>>>24) ] ^ T6[(a2>>>16)&0xFF] ^
500 T7[(a1>>> 8)&0xFF] ^ T8[(a0 )&0xFF] ^ K[keyOffset++];
501 a0 = T5[(t0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^
502 T7[(t2>>> 8)&0xFF] ^ T8[(t1 )&0xFF] ^ K[keyOffset++];
503 a1 = T5[(t1>>>24) ] ^ T6[(t0>>>16)&0xFF] ^
504 T7[(t3>>> 8)&0xFF] ^ T8[(t2 )&0xFF] ^ K[keyOffset++];
505 a2 = T5[(t2>>>24) ] ^ T6[(t1>>>16)&0xFF] ^
506 T7[(t0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++];
507 t3 = T5[(t3>>>24) ] ^ T6[(t2>>>16)&0xFF] ^
508 T7[(t1>>> 8)&0xFF] ^ T8[(t0 )&0xFF] ^ K[keyOffset++];
509 t0 = T5[(a0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^
510 T7[(a2>>> 8)&0xFF] ^ T8[(a1 )&0xFF] ^ K[keyOffset++];
511 t1 = T5[(a1>>>24) ] ^ T6[(a0>>>16)&0xFF] ^
512 T7[(t3>>> 8)&0xFF] ^ T8[(a2 )&0xFF] ^ K[keyOffset++];
513 t2 = T5[(a2>>>24) ] ^ T6[(a1>>>16)&0xFF] ^
514 T7[(a0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++];
515 t3 = T5[(t3>>>24) ] ^ T6[(a2>>>16)&0xFF] ^
516 T7[(a1>>> 8)&0xFF] ^ T8[(a0 )&0xFF] ^ K[keyOffset++];
517 a0 = T5[(t0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^
518 T7[(t2>>> 8)&0xFF] ^ T8[(t1 )&0xFF] ^ K[keyOffset++];
519 a1 = T5[(t1>>>24) ] ^ T6[(t0>>>16)&0xFF] ^
520 T7[(t3>>> 8)&0xFF] ^ T8[(t2 )&0xFF] ^ K[keyOffset++];
521 a2 = T5[(t2>>>24) ] ^ T6[(t1>>>16)&0xFF] ^
522 T7[(t0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++];
523 t3 = T5[(t3>>>24) ] ^ T6[(t2>>>16)&0xFF] ^
524 T7[(t1>>> 8)&0xFF] ^ T8[(t0 )&0xFF] ^ K[keyOffset++];
525 t0 = T5[(a0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^
526 T7[(a2>>> 8)&0xFF] ^ T8[(a1 )&0xFF] ^ K[keyOffset++];
527 t1 = T5[(a1>>>24) ] ^ T6[(a0>>>16)&0xFF] ^
528 T7[(t3>>> 8)&0xFF] ^ T8[(a2 )&0xFF] ^ K[keyOffset++];
529 t2 = T5[(a2>>>24) ] ^ T6[(a1>>>16)&0xFF] ^
530 T7[(a0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++];
531 t3 = T5[(t3>>>24) ] ^ T6[(a2>>>16)&0xFF] ^
532 T7[(a1>>> 8)&0xFF] ^ T8[(a0 )&0xFF] ^ K[keyOffset++];
533 a0 = T5[(t0>>>24) ] ^ T6[(t3>>>16)&0xFF] ^
534 T7[(t2>>> 8)&0xFF] ^ T8[(t1 )&0xFF] ^ K[keyOffset++];
535 a1 = T5[(t1>>>24) ] ^ T6[(t0>>>16)&0xFF] ^
536 T7[(t3>>> 8)&0xFF] ^ T8[(t2 )&0xFF] ^ K[keyOffset++];
537 a2 = T5[(t2>>>24) ] ^ T6[(t1>>>16)&0xFF] ^
538 T7[(t0>>> 8)&0xFF] ^ T8[(t3 )&0xFF] ^ K[keyOffset++];
539 t3 = T5[(t3>>>24) ] ^ T6[(t2>>>16)&0xFF] ^
540 T7[(t1>>> 8)&0xFF] ^ T8[(t0 )&0xFF] ^ K[keyOffset++];
541
542 t1 = K[0];
543 out[outOffset++] = (byte)(Si[(a0 >>> 24) ] ^ (t1 >>> 24));
544 out[outOffset++] = (byte)(Si[(t3 >>> 16) & 0xFF] ^ (t1 >>> 16));
545 out[outOffset++] = (byte)(Si[(a2 >>> 8) & 0xFF] ^ (t1 >>> 8));
546 out[outOffset++] = (byte)(Si[(a1 ) & 0xFF] ^ (t1 ));
547 t1 = K[1];
548 out[outOffset++] = (byte)(Si[(a1 >>> 24) ] ^ (t1 >>> 24));
549 out[outOffset++] = (byte)(Si[(a0 >>> 16) & 0xFF] ^ (t1 >>> 16));
550 out[outOffset++] = (byte)(Si[(t3 >>> 8) & 0xFF] ^ (t1 >>> 8));
551 out[outOffset++] = (byte)(Si[(a2 ) & 0xFF] ^ (t1 ));
552 t1 = K[2];
553 out[outOffset++] = (byte)(Si[(a2 >>> 24) ] ^ (t1 >>> 24));
554 out[outOffset++] = (byte)(Si[(a1 >>> 16) & 0xFF] ^ (t1 >>> 16));
555 out[outOffset++] = (byte)(Si[(a0 >>> 8) & 0xFF] ^ (t1 >>> 8));
556 out[outOffset++] = (byte)(Si[(t3 ) & 0xFF] ^ (t1 ));
557 t1 = K[3];
558 out[outOffset++] = (byte)(Si[(t3 >>> 24) ] ^ (t1 >>> 24));
559 out[outOffset++] = (byte)(Si[(a2 >>> 16) & 0xFF] ^ (t1 >>> 16));
560 out[outOffset++] = (byte)(Si[(a1 >>> 8) & 0xFF] ^ (t1 >>> 8));
561 out[outOffset ] = (byte)(Si[(a0 ) & 0xFF] ^ (t1 ));
562 }
563
564
565 /**
566 * Expand a user-supplied key material into a session key.
567 *
568 * @param key The 128/192/256-bit user-key to use.
569 * @exception InvalidKeyException If the key is invalid.
570 */
571 private static Object[] makeKey(byte[] k) throws InvalidKeyException {
572 if (k == null) {
573 throw new InvalidKeyException("Empty key");
574 }
575 if (!isKeySizeValid(k.length)) {
576 throw new InvalidKeyException("Invalid AES key length: " +
577 k.length + " bytes");
578 }
579 int ROUNDS = getRounds(k.length);
580 int ROUND_KEY_COUNT = (ROUNDS + 1) * 4;
581
582 int BC = 4;
583 int[][] Ke = new int[ROUNDS + 1][4]; // encryption round keys
584 int[][] Kd = new int[ROUNDS + 1][4]; // decryption round keys
585
586 int KC = k.length/4; // keylen in 32-bit elements
587
588 int[] tk = new int[KC];
589 int i, j;
590
591 // copy user material bytes into temporary ints
592 for (i = 0, j = 0; i < KC; i++, j+=4) {
593 tk[i] = (k[j] ) << 24 |
594 (k[j+1] & 0xFF) << 16 |
595 (k[j+2] & 0xFF) << 8 |
596 (k[j+3] & 0xFF);
597 }
598
599 // copy values into round key arrays
600 int t = 0;
601 for (j = 0; (j < KC) && (t < ROUND_KEY_COUNT); j++, t++) {
602 Ke[t / 4][t % 4] = tk[j];
603 Kd[ROUNDS - (t / 4)][t % 4] = tk[j];
604 }
605 int tt, rconpointer = 0;
606 while (t < ROUND_KEY_COUNT) {
607 // extrapolate using phi (the round key evolution function)
608 tt = tk[KC - 1];
609 tk[0] ^= (S[(tt >>> 16) & 0xFF] ) << 24 ^
610 (S[(tt >>> 8) & 0xFF] & 0xFF) << 16 ^
611 (S[(tt ) & 0xFF] & 0xFF) << 8 ^
612 (S[(tt >>> 24) ] & 0xFF) ^
613 (rcon[rconpointer++] ) << 24;
614 if (KC != 8)
615 for (i = 1, j = 0; i < KC; i++, j++) tk[i] ^= tk[j];
616 else {
617 for (i = 1, j = 0; i < KC / 2; i++, j++) tk[i] ^= tk[j];
618 tt = tk[KC / 2 - 1];
619 tk[KC / 2] ^= (S[(tt ) & 0xFF] & 0xFF) ^
620 (S[(tt >>> 8) & 0xFF] & 0xFF) << 8 ^
621 (S[(tt >>> 16) & 0xFF] & 0xFF) << 16 ^
622 (S[(tt >>> 24) ] ) << 24;
623 for (j = KC / 2, i = j + 1; i < KC; i++, j++) tk[i] ^= tk[j];
624 }
625 // copy values into round key arrays
626 for (j = 0; (j < KC) && (t < ROUND_KEY_COUNT); j++, t++) {
627 Ke[t / 4][t % 4] = tk[j];
628 Kd[ROUNDS - (t / 4)][t % 4] = tk[j];
629 }
630 }
631 for (int r = 1; r < ROUNDS; r++) {
632 // inverse MixColumn where needed
633 for (j = 0; j < BC; j++) {
634 tt = Kd[r][j];
635 Kd[r][j] = U1[(tt >>> 24) & 0xFF] ^
636 U2[(tt >>> 16) & 0xFF] ^
637 U3[(tt >>> 8) & 0xFF] ^
638 U4[ tt & 0xFF];
639 }
640 }
641 // assemble the encryption (Ke) and decryption (Kd) round keys into
642 // one sessionKey object
643 Object[] result = new Object[] {Ke, Kd};
644 return result;
645 }
646
647
648 /**
649 * Return The number of rounds for a given Rijndael keysize.
650 *
651 * @param keySize The size of the user key material in bytes.
652 * MUST be one of (16, 24, 32).
653 * @return The number of rounds.
654 */
655 private static int getRounds(int keySize) {
656 return (keySize >> 2) + 6;
657 }
658}