
Example 6 with CipherParameters

use of org.bouncycastle.crypto.CipherParameters in project oxAuth by GluuFederation.

the class JweDecrypterImpl method decryptEncryptionKey.

/**
 * Recovers the content master key from the base64url-encoded JWE encrypted key.
 *
 * <p>For {@code RSA_OAEP} and {@code RSA1_5} the key is decrypted with a JCA {@code Cipher}, using
 * {@code rsaPrivateKey} (rebuilt through the "BC" {@code KeyFactory}) when it is set and
 * {@code privateKey} otherwise. For {@code A128KW} and {@code A256KW} the key is unwrapped with
 * Bouncy Castle's {@code AESWrapEngine} under {@code sharedSymmetricKey}.
 *
 * @param encodedEncryptedKey base64url text of the encrypted key; must not be null
 * @return the decrypted (or unwrapped) key bytes
 * @throws InvalidJweException if the algorithm, the input or the required key is missing, the
 *         algorithm is not supported, or the underlying cryptographic operation fails
 */
@Override
public byte[] decryptEncryptionKey(String encodedEncryptedKey) throws InvalidJweException {
    final KeyEncryptionAlgorithm algorithm = getKeyEncryptionAlgorithm();
    if (algorithm == null) {
        throw new InvalidJweException("The key encryption algorithm is null");
    }
    if (encodedEncryptedKey == null) {
        throw new InvalidJweException("The encoded encryption key is null");
    }
    try {
        if (algorithm == KeyEncryptionAlgorithm.RSA_OAEP || algorithm == KeyEncryptionAlgorithm.RSA1_5) {
            if (rsaPrivateKey == null && privateKey == null) {
                throw new InvalidJweException("The RSA private key is null");
            }
            // The Cipher comes from the default JCA provider; only the KeyFactory below is pinned to "BC".
            Cipher rsaCipher = Cipher.getInstance(algorithm.getAlgorithm());
            if (rsaPrivateKey == null) {
                rsaCipher.init(Cipher.DECRYPT_MODE, privateKey);
            } else {
                // Rebuild a JCA private key from the project's own modulus / private-exponent holder.
                RSAPrivateKeySpec keySpec = new RSAPrivateKeySpec(rsaPrivateKey.getModulus(), rsaPrivateKey.getPrivateExponent());
                KeyFactory rsaKeyFactory = KeyFactory.getInstance(algorithm.getFamily(), "BC");
                java.security.interfaces.RSAPrivateKey jcaKey = (java.security.interfaces.RSAPrivateKey) rsaKeyFactory.generatePrivate(keySpec);
                rsaCipher.init(Cipher.DECRYPT_MODE, jcaKey);
            }
            // NOTE(review): with RSA1_5 a padding failure leaves this method as an InvalidJweException
            // wrapping BadPaddingException. If callers report that differently from later failures,
            // the recipient can act as a decryption oracle; RFC 7516 section 11.5 recommends
            // substituting a random CEK and continuing. Confirm how callers surface this error.
            return rsaCipher.doFinal(Base64Util.base64urldecode(encodedEncryptedKey));
        }
        if (algorithm == KeyEncryptionAlgorithm.A128KW || algorithm == KeyEncryptionAlgorithm.A256KW) {
            if (sharedSymmetricKey == null) {
                throw new InvalidJweException("The shared symmetric key is null");
            }
            if (sharedSymmetricKey.length != 16) {
                // NOTE(review): any key that is not exactly 16 bytes is replaced, in the field itself,
                // by the first 16 bytes of its SHA-1 digest. A256KW therefore also runs with a
                // 128-bit KEK, and the peer that wrapped the key must derive it the same way.
                byte[] sha1OfKey = MessageDigest.getInstance("SHA-1").digest(sharedSymmetricKey);
                sharedSymmetricKey = Arrays.copyOf(sha1OfKey, 16);
            }
            byte[] wrappedKey = Base64Util.base64urldecode(encodedEncryptedKey);
            SecretKeySpec kek = new SecretKeySpec(sharedSymmetricKey, "AES");
            CipherParameters kekParameters = new KeyParameter(kek.getEncoded());
            AESWrapEngine unwrapper = new AESWrapEngine();
            // false selects unwrapping.
            unwrapper.init(false, kekParameters);
            return unwrapper.unwrap(wrappedKey, 0, wrappedKey.length);
        }
        throw new InvalidJweException("The key encryption algorithm is not supported");
    } catch (NoSuchPaddingException e) {
        throw new InvalidJweException(e);
    } catch (NoSuchAlgorithmException e) {
        throw new InvalidJweException(e);
    } catch (IllegalBlockSizeException e) {
        throw new InvalidJweException(e);
    } catch (BadPaddingException e) {
        throw new InvalidJweException(e);
    } catch (NoSuchProviderException e) {
        throw new InvalidJweException(e);
    } catch (InvalidKeyException e) {
        throw new InvalidJweException(e);
    } catch (InvalidKeySpecException e) {
        throw new InvalidJweException(e);
    } catch (InvalidCipherTextException e) {
        throw new InvalidJweException(e);
    }
}
Also used : InvalidCipherTextException(org.bouncycastle.crypto.InvalidCipherTextException) KeyParameter(org.bouncycastle.crypto.params.KeyParameter) CipherParameters(org.bouncycastle.crypto.CipherParameters) java.security(java.security) RSAPrivateKeySpec(java.security.spec.RSAPrivateKeySpec) SecretKeySpec(javax.crypto.spec.SecretKeySpec) AESWrapEngine(org.bouncycastle.crypto.engines.AESWrapEngine) BlockCipher(org.bouncycastle.crypto.BlockCipher) GCMBlockCipher(org.bouncycastle.crypto.modes.GCMBlockCipher) InvalidKeySpecException(java.security.spec.InvalidKeySpecException) RSAPrivateKey(org.xdi.oxauth.model.crypto.signature.RSAPrivateKey) InvalidJweException(org.xdi.oxauth.model.exception.InvalidJweException)

Example 7 with CipherParameters

use of org.bouncycastle.crypto.CipherParameters in project oxAuth by GluuFederation.

the class JweDecrypterImpl method decryptCipherText.

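/**
 * Decrypts the JWE ciphertext and returns the plaintext as a UTF-8 string.
 *
 * <p>For {@code A128GCM} / {@code A256GCM} the ciphertext and tag are processed together by
 * Bouncy Castle's {@code GCMBlockCipher}; a tag mismatch makes {@code doFinal} fail, so no
 * plaintext is returned. For {@code A128CBC_PLUS_HS256} / {@code A256CBC_PLUS_HS512} the
 * integrity value is verified <em>before</em> the ciphertext is decrypted, and it is compared in
 * constant time, so that padding errors of unauthenticated input are never reached.
 *
 * @param encodedCipherText base64url text of the ciphertext
 * @param contentMasterKey the content master key; must not be null
 * @param initializationVector the IV / nonce; must not be null
 * @param authenticationTag the GCM tag or the HMAC integrity value; must not be null
 * @param additionalAuthenticatedData the authenticated-only data; must not be null
 * @return the decrypted plaintext
 * @throws InvalidJweException if an argument is missing, the algorithm is not supported, the
 *         authentication tag does not verify, or the underlying cryptographic operation fails
 */
@Override
public String decryptCipherText(String encodedCipherText, byte[] contentMasterKey, byte[] initializationVector, byte[] authenticationTag, byte[] additionalAuthenticatedData) throws InvalidJweException {
    if (getBlockEncryptionAlgorithm() == null) {
        throw new InvalidJweException("The block encryption algorithm is null");
    }
    if (contentMasterKey == null) {
        throw new InvalidJweException("The content master key (CMK) is null");
    }
    if (initializationVector == null) {
        throw new InvalidJweException("The initialization vector is null");
    }
    if (authenticationTag == null) {
        throw new InvalidJweException("The authentication tag is null");
    }
    if (additionalAuthenticatedData == null) {
        throw new InvalidJweException("The additional authentication data is null");
    }
    try {
        if (getBlockEncryptionAlgorithm() == BlockEncryptionAlgorithm.A128GCM || getBlockEncryptionAlgorithm() == BlockEncryptionAlgorithm.A256GCM) {
            final int MAC_SIZE_BITS = 128;
            byte[] cipherText = Base64Util.base64urldecode(encodedCipherText);
            KeyParameter key = new KeyParameter(contentMasterKey);
            CipherParameters aeadParameters = new AEADParameters(key, MAC_SIZE_BITS, initializationVector, additionalAuthenticatedData);
            // GCMBlockCipher.init keys the underlying engine itself, so the AES engine is not
            // initialised separately here.
            BlockCipher blockCipher = new AESEngine();
            GCMBlockCipher aGCMBlockCipher = new GCMBlockCipher(blockCipher);
            aGCMBlockCipher.init(false, aeadParameters);
            // In decrypt mode the engine expects the tag appended to the ciphertext.
            byte[] input = new byte[cipherText.length + authenticationTag.length];
            System.arraycopy(cipherText, 0, input, 0, cipherText.length);
            System.arraycopy(authenticationTag, 0, input, cipherText.length, authenticationTag.length);
            int len = aGCMBlockCipher.getOutputSize(input.length);
            byte[] out = new byte[len];
            int outOff = aGCMBlockCipher.processBytes(input, 0, input.length, out, 0);
            // doFinal verifies the tag and throws InvalidCipherTextException on mismatch.
            aGCMBlockCipher.doFinal(out, outOff);
            return new String(out, Charset.forName(Util.UTF8_STRING_ENCODING));
        } else if (getBlockEncryptionAlgorithm() == BlockEncryptionAlgorithm.A128CBC_PLUS_HS256 || getBlockEncryptionAlgorithm() == BlockEncryptionAlgorithm.A256CBC_PLUS_HS512) {
            // Integrity check first: the MAC covers the additional authenticated data, a "." and
            // the encoded ciphertext. Decrypting before this check would let padding failures of
            // forged ciphertexts be told apart from MAC failures.
            // NOTE(review): the IV is only authenticated if the caller includes it in
            // additionalAuthenticatedData - confirm against the caller.
            String securedInputValue = new String(additionalAuthenticatedData, Charset.forName(Util.UTF8_STRING_ENCODING)) + "." + encodedCipherText;
            byte[] cik = KeyDerivationFunction.generateCik(contentMasterKey, getBlockEncryptionAlgorithm());
            SecretKey secretKey = new SecretKeySpec(cik, getBlockEncryptionAlgorithm().getIntegrityValueAlgorithm());
            Mac mac = Mac.getInstance(getBlockEncryptionAlgorithm().getIntegrityValueAlgorithm());
            mac.init(secretKey);
            byte[] integrityValue = mac.doFinal(securedInputValue.getBytes(Util.UTF8_STRING_ENCODING));
            // Constant-time comparison: Arrays.equals returns at the first differing byte.
            if (!java.security.MessageDigest.isEqual(integrityValue, authenticationTag)) {
                throw new InvalidJweException("The authentication tag is not valid");
            }
            // Only authenticated ciphertext is decrypted.
            byte[] cipherText = Base64Util.base64urldecode(encodedCipherText);
            byte[] cek = KeyDerivationFunction.generateCek(contentMasterKey, getBlockEncryptionAlgorithm());
            Cipher cipher = Cipher.getInstance(getBlockEncryptionAlgorithm().getAlgorithm());
            IvParameterSpec ivParameter = new IvParameterSpec(initializationVector);
            cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(cek, "AES"), ivParameter);
            byte[] decodedPlainTextBytes = cipher.doFinal(cipherText);
            return new String(decodedPlainTextBytes, Charset.forName(Util.UTF8_STRING_ENCODING));
        } else {
            throw new InvalidJweException("The block encryption algorithm is not supported");
        }
    } catch (InvalidCipherTextException e) {
        throw new InvalidJweException(e);
    } catch (NoSuchPaddingException e) {
        throw new InvalidJweException(e);
    } catch (BadPaddingException e) {
        throw new InvalidJweException(e);
    } catch (InvalidAlgorithmParameterException e) {
        throw new InvalidJweException(e);
    } catch (NoSuchAlgorithmException e) {
        throw new InvalidJweException(e);
    } catch (IllegalBlockSizeException e) {
        throw new InvalidJweException(e);
    } catch (UnsupportedEncodingException e) {
        throw new InvalidJweException(e);
    } catch (NoSuchProviderException e) {
        throw new InvalidJweException(e);
    } catch (InvalidKeyException e) {
        throw new InvalidJweException(e);
    } catch (InvalidParameterException e) {
        throw new InvalidJweException(e);
    }
}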
Also used : InvalidCipherTextException(org.bouncycastle.crypto.InvalidCipherTextException) KeyParameter(org.bouncycastle.crypto.params.KeyParameter) InvalidParameterException(org.xdi.oxauth.model.exception.InvalidParameterException) SecretKeySpec(javax.crypto.spec.SecretKeySpec) InvalidJweException(org.xdi.oxauth.model.exception.InvalidJweException) AESEngine(org.bouncycastle.crypto.engines.AESEngine) BlockCipher(org.bouncycastle.crypto.BlockCipher) GCMBlockCipher(org.bouncycastle.crypto.modes.GCMBlockCipher) UnsupportedEncodingException(java.io.UnsupportedEncodingException) CipherParameters(org.bouncycastle.crypto.CipherParameters) AEADParameters(org.bouncycastle.crypto.params.AEADParameters) IvParameterSpec(javax.crypto.spec.IvParameterSpec) BlockCipher(org.bouncycastle.crypto.BlockCipher) GCMBlockCipher(org.bouncycastle.crypto.modes.GCMBlockCipher) GCMBlockCipher(org.bouncycastle.crypto.modes.GCMBlockCipher)

Example 8 with CipherParameters

use of org.bouncycastle.crypto.CipherParameters in project oxAuth by GluuFederation.

the class JweEncrypterImpl method generateEncryptedKey.

/**
 * Protects the content master key for transport and returns it base64url-encoded.
 *
 * <p>For {@code RSA_OAEP} and {@code RSA1_5} the key is encrypted under {@code publicKey} with a
 * {@code Cipher} from the "BC" provider. For {@code A128KW} and {@code A256KW} it is wrapped with
 * Bouncy Castle's {@code AESWrapEngine} under {@code sharedSymmetricKey}.
 *
 * @param contentMasterKey the key to protect; must not be null
 * @return base64url text of the encrypted (or wrapped) key
 * @throws InvalidJweException if the algorithm, the input or the required key is missing, the
 *         algorithm is not supported, or the underlying cryptographic operation fails
 */
@Override
public String generateEncryptedKey(byte[] contentMasterKey) throws InvalidJweException {
    final KeyEncryptionAlgorithm algorithm = getKeyEncryptionAlgorithm();
    if (algorithm == null) {
        throw new InvalidJweException("The key encryption algorithm is null");
    }
    if (contentMasterKey == null) {
        throw new InvalidJweException("The content master key (CMK) is null");
    }
    try {
        if (algorithm == KeyEncryptionAlgorithm.RSA_OAEP || algorithm == KeyEncryptionAlgorithm.RSA1_5) {
            if (publicKey == null) {
                throw new InvalidJweException("The RSA public key is null");
            }
            // The transformation string comes from the algorithm enum; the provider is pinned to "BC".
            Cipher rsaCipher = Cipher.getInstance(algorithm.getAlgorithm(), "BC");
            rsaCipher.init(Cipher.ENCRYPT_MODE, publicKey);
            byte[] rsaProtectedKey = rsaCipher.doFinal(contentMasterKey);
            return Base64Util.base64urlencode(rsaProtectedKey);
        }
        if (algorithm == KeyEncryptionAlgorithm.A128KW || algorithm == KeyEncryptionAlgorithm.A256KW) {
            if (sharedSymmetricKey == null) {
                throw new InvalidJweException("The shared symmetric key is null");
            }
            if (sharedSymmetricKey.length != 16) {
                // NOTE(review): any key that is not exactly 16 bytes is replaced, in the field itself,
                // by the first 16 bytes of its SHA-1 digest. A256KW therefore also runs with a
                // 128-bit KEK, and the recipient must derive its key the same way to unwrap.
                byte[] sha1OfKey = MessageDigest.getInstance("SHA-1").digest(sharedSymmetricKey);
                sharedSymmetricKey = Arrays.copyOf(sha1OfKey, 16);
            }
            SecretKeySpec kek = new SecretKeySpec(sharedSymmetricKey, "AES");
            CipherParameters kekParameters = new KeyParameter(kek.getEncoded());
            AESWrapEngine wrapper = new AESWrapEngine();
            // true selects wrapping.
            wrapper.init(true, kekParameters);
            byte[] aesWrappedKey = wrapper.wrap(contentMasterKey, 0, contentMasterKey.length);
            return Base64Util.base64urlencode(aesWrappedKey);
        }
        throw new InvalidJweException("The key encryption algorithm is not supported");
    } catch (NoSuchPaddingException e) {
        throw new InvalidJweException(e);
    } catch (NoSuchAlgorithmException e) {
        throw new InvalidJweException(e);
    } catch (IllegalBlockSizeException e) {
        throw new InvalidJweException(e);
    } catch (BadPaddingException e) {
        throw new InvalidJweException(e);
    } catch (InvalidKeyException e) {
        throw new InvalidJweException(e);
    } catch (NoSuchProviderException e) {
        throw new InvalidJweException(e);
    }
}
Also used : KeyParameter(org.bouncycastle.crypto.params.KeyParameter) CipherParameters(org.bouncycastle.crypto.CipherParameters) SecretKeySpec(javax.crypto.spec.SecretKeySpec) AESWrapEngine(org.bouncycastle.crypto.engines.AESWrapEngine) BlockCipher(org.bouncycastle.crypto.BlockCipher) GCMBlockCipher(org.bouncycastle.crypto.modes.GCMBlockCipher) InvalidJweException(org.xdi.oxauth.model.exception.InvalidJweException)

Example 9 with CipherParameters

use of org.bouncycastle.crypto.CipherParameters in project robovm by robovm.

the class DSASigner method engineInitVerify.

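/**
 * Prepares the signer for verification with the given public key.
 *
 * <p>A key that already implements {@code DSAKey} is converted directly. Any other key is
 * re-parsed from its encoded form as a {@code SubjectPublicKeyInfo} and wrapped in a
 * {@code BCDSAPublicKey} first. The digest is reset and the signer initialised for verification
 * only once usable parameters are available.
 *
 * @param publicKey the key to verify with
 * @throws InvalidKeyException if the key is not a DSA key and cannot be re-parsed as one (this
 *         includes a null key or a key without an encoding); the underlying failure is kept
 *         as the cause
 */
protected void engineInitVerify(PublicKey publicKey) throws InvalidKeyException {
    CipherParameters param;
    if (publicKey instanceof DSAKey) {
        param = DSAUtil.generatePublicKeyParameter(publicKey);
    } else {
        try {
            // Fall back to the encoded form for keys supplied by another provider.
            byte[] bytes = publicKey.getEncoded();
            publicKey = new BCDSAPublicKey(SubjectPublicKeyInfo.getInstance(bytes));
            if (publicKey instanceof DSAKey) {
                param = DSAUtil.generatePublicKeyParameter(publicKey);
            } else {
                throw new InvalidKeyException("can't recognise key type in DSA based signer");
            }
        } catch (Exception e) {
            // Same message as before; the cause is chained so the parsing failure is not lost.
            throw new InvalidKeyException("can't recognise key type in DSA based signer", e);
        }
    }
    digest.reset();
    // false selects verification.
    signer.init(false, param);
}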
Also used : CipherParameters(org.bouncycastle.crypto.CipherParameters) DSAKey(java.security.interfaces.DSAKey) InvalidKeyException(java.security.InvalidKeyException) SignatureException(java.security.SignatureException) IOException(java.io.IOException) InvalidKeyException(java.security.InvalidKeyException)

Example 10 with CipherParameters

use of org.bouncycastle.crypto.CipherParameters in project robovm by robovm.

the class CipherSpi method engineInit.

/**
 * Initialises the RSA cipher for the requested mode, key and optional OAEP parameters.
 *
 * <p>Only a null {@code params} or an {@code OAEPParameterSpec} is accepted. With OAEP parameters
 * the mask generation function must be MGF1 with {@code MGF1ParameterSpec} parameters, and both
 * digests must be known to {@code DigestFactory}; the cipher is then replaced by an
 * {@code OAEPEncoding} around an {@code RSABlindedEngine}. Unless the cipher is a bare
 * {@code RSABlindedEngine}, the key parameters are paired with a source of randomness.
 *
 * @param opmode one of the {@code Cipher} mode constants
 * @param key an {@code RSAPublicKey} or {@code RSAPrivateKey}
 * @param params null, or an {@code OAEPParameterSpec}
 * @param random randomness to use; a new {@code SecureRandom} is created when null
 * @throws InvalidKeyException if the key type is not RSA or conflicts with the configured
 *         public-only / private-only restriction
 * @throws InvalidAlgorithmParameterException if the OAEP parameters are not supported
 * @throws IllegalArgumentException if {@code params} is of any other type
 * @throws InvalidParameterException if {@code opmode} is not a known mode
 */
protected void engineInit(int opmode, Key key, AlgorithmParameterSpec params, SecureRandom random) throws InvalidKeyException, InvalidAlgorithmParameterException {
    // Anything other than "no parameters" or OAEP parameters is rejected up front.
    if (params != null && !(params instanceof OAEPParameterSpec)) {
        throw new IllegalArgumentException("unknown parameter type.");
    }

    CipherParameters param;
    if (key instanceof RSAPublicKey) {
        if (privateKeyOnly && opmode == Cipher.ENCRYPT_MODE) {
            throw new InvalidKeyException("mode 1 requires RSAPrivateKey");
        }
        param = RSAUtil.generatePublicKeyParameter((RSAPublicKey) key);
    } else if (key instanceof RSAPrivateKey) {
        if (publicKeyOnly && opmode == Cipher.ENCRYPT_MODE) {
            throw new InvalidKeyException("mode 2 requires RSAPublicKey");
        }
        param = RSAUtil.generatePrivateKeyParameter((RSAPrivateKey) key);
    } else {
        throw new InvalidKeyException("unknown key type passed to RSA");
    }

    if (params != null) {
        OAEPParameterSpec spec = (OAEPParameterSpec) params;
        // Recorded before validation, exactly as the checks below expect.
        paramSpec = params;

        String mgfName = spec.getMGFAlgorithm();
        boolean mgfIsMgf1 = mgfName.equalsIgnoreCase("MGF1") || mgfName.equals(PKCSObjectIdentifiers.id_mgf1.getId());
        if (!mgfIsMgf1) {
            throw new InvalidAlgorithmParameterException("unknown mask generation function specified");
        }
        AlgorithmParameterSpec mgfParameters = spec.getMGFParameters();
        if (!(mgfParameters instanceof MGF1ParameterSpec)) {
            throw new InvalidAlgorithmParameterException("unkown MGF parameters");
        }

        Digest digest = DigestFactory.getDigest(spec.getDigestAlgorithm());
        if (digest == null) {
            throw new InvalidAlgorithmParameterException("no match on digest algorithm: " + spec.getDigestAlgorithm());
        }
        MGF1ParameterSpec mgfParams = (MGF1ParameterSpec) mgfParameters;
        Digest mgfDigest = DigestFactory.getDigest(mgfParams.getDigestAlgorithm());
        if (mgfDigest == null) {
            throw new InvalidAlgorithmParameterException("no match on MGF digest algorithm: " + mgfParams.getDigestAlgorithm());
        }

        // NOTE(review): the PSource is cast without a type check, so a PSource that is not
        // PSpecified would fail with ClassCastException rather than
        // InvalidAlgorithmParameterException.
        byte[] encodingParams = ((PSource.PSpecified) spec.getPSource()).getValue();
        cipher = new OAEPEncoding(new RSABlindedEngine(), digest, mgfDigest, encodingParams);
    }

    // Every cipher except the bare blinded engine receives randomness with its key parameters.
    if (!(cipher instanceof RSABlindedEngine)) {
        SecureRandom randomSource = (random != null) ? random : new SecureRandom();
        param = new ParametersWithRandom(param, randomSource);
    }

    bOut.reset();

    final boolean forEncryption;
    switch (opmode) {
        case Cipher.ENCRYPT_MODE:
        case Cipher.WRAP_MODE:
            forEncryption = true;
            break;
        case Cipher.DECRYPT_MODE:
        case Cipher.UNWRAP_MODE:
            forEncryption = false;
            break;
        default:
            throw new InvalidParameterException("unknown opmode " + opmode + " passed to RSA");
    }
    cipher.init(forEncryption, param);
}
Also used : InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException) Digest(org.bouncycastle.crypto.Digest) ParametersWithRandom(org.bouncycastle.crypto.params.ParametersWithRandom) SecureRandom(java.security.SecureRandom) InvalidKeyException(java.security.InvalidKeyException) OAEPParameterSpec(javax.crypto.spec.OAEPParameterSpec) CipherParameters(org.bouncycastle.crypto.CipherParameters) InvalidParameterException(java.security.InvalidParameterException) RSAPublicKey(java.security.interfaces.RSAPublicKey) RSABlindedEngine(org.bouncycastle.crypto.engines.RSABlindedEngine) OAEPEncoding(org.bouncycastle.crypto.encodings.OAEPEncoding) RSAPrivateKey(java.security.interfaces.RSAPrivateKey) MGF1ParameterSpec(java.security.spec.MGF1ParameterSpec)

Aggregations

CipherParameters (org.bouncycastle.crypto.CipherParameters)60 KeyParameter (org.bouncycastle.crypto.params.KeyParameter)35 ParametersWithIV (org.bouncycastle.crypto.params.ParametersWithIV)24 InvalidKeyException (java.security.InvalidKeyException)21 AESEngine (org.bouncycastle.crypto.engines.AESEngine)16 InvalidAlgorithmParameterException (java.security.InvalidAlgorithmParameterException)14 IvParameterSpec (javax.crypto.spec.IvParameterSpec)14 InvalidCipherTextException (org.bouncycastle.crypto.InvalidCipherTextException)14 PBEParameterSpec (javax.crypto.spec.PBEParameterSpec)12 ParametersWithRandom (org.bouncycastle.crypto.params.ParametersWithRandom)12 SecureRandom (java.security.SecureRandom)11 PaddedBufferedBlockCipher (org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher)11 CBCBlockCipher (org.bouncycastle.crypto.modes.CBCBlockCipher)9 BlockCipher (org.bouncycastle.crypto.BlockCipher)8 SecretKey (javax.crypto.SecretKey)7 BufferedBlockCipher (org.bouncycastle.crypto.BufferedBlockCipher)7 PBEParametersGenerator (org.bouncycastle.crypto.PBEParametersGenerator)7 GCMBlockCipher (org.bouncycastle.crypto.modes.GCMBlockCipher)7 IOException (java.io.IOException)5 UnsupportedEncodingException (java.io.UnsupportedEncodingException)5