This repository was archived by the owner on Nov 22, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 213
Expand file tree
/
Copy pathHkdf.java
More file actions
190 lines (170 loc) · 6.14 KB
/
Hkdf.java
File metadata and controls
190 lines (170 loc) · 6.14 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
/*
* Copyright (C) 2015 Square, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package keywhiz.hkdf;
import java.nio.ByteBuffer;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import static java.util.Objects.requireNonNull;
/**
* HMAC-based Extract-and-Expand Key Derivation Function (HKDF) from
* <a href="http://tools.ietf.org/html/rfc5869">RFC-5869</a>. HKDF is a standard means to generate
* a derived key of arbitrary length.
*
* <pre>{@code
* // Instantiate an Hkdf object with a hash function.
* Hkdf hkdf = new Hkdf(Hash.SHA256);
*
* // Using some protected input keying material (IKM), extract a pseudo-random key (PRK) with a
* // random salt. Remember to store the salt so the key can be derived again.
* SecretKey prk = hkdf.extract(Hkdf.randomSalt(), ikm);
*
* // Expand the prk with some information related to your data and the length of the output key.
* SecretKey derivedKey = hkdf.expand(prk, "id: 5".getBytes(StandardCharsets.UTF_8), 32);
* }</pre>
*
* HKDF is a generic means for generating derived keys. In some cases, you may want to use it in a
* different manner. Consult the RFC for security considerations, when to omit a salt, skipping the
* extraction step, etc.
*/
public class Hkdf {
private static Hash DEFAULT_HASH = Hash.SHA256;
private final Hash hash;
private final Provider provider;
private Hkdf(Hash hash, Provider provider) {
this.hash = hash;
this.provider = provider;
}
/**
* @return Hkdf constructed with default hash and derivation provider
*/
public static Hkdf usingDefaults() {
return new Hkdf(DEFAULT_HASH, null);
}
/**
* @param hash Supported hash function constant
* @return Hkdf constructed with a specific hash function
*/
public static Hkdf usingHash(Hash hash) {
return new Hkdf(requireNonNull(hash), null);
}
/**
* @param provider provider for key derivation, particularly useful when using HSMs
* @return Hkdf constructed with a specific JCE provider for key derivation
*/
public static Hkdf usingProvider(Provider provider) {
return new Hkdf(DEFAULT_HASH, requireNonNull(provider));
}
/**
* HKDF-Extract(salt, IKM) -> PRK
*
* @param salt optional salt value (a non-secret random value); if not provided, it is set to a string of HashLen zeros.
* @param ikm input keying material
* @return a pseudorandom key (of HashLen bytes)
*/
public SecretKey extract(SecretKey salt, byte[] ikm) {
requireNonNull(ikm, "ikm must not be null");
if (salt == null) {
salt = new SecretKeySpec(new byte[hash.getByteLength()], hash.getAlgorithm());
}
Mac mac = initMac(salt);
byte[] keyBytes = mac.doFinal(ikm);
return new SecretKeySpec(keyBytes, hash.getAlgorithm());
}
/**
* HKDF-Expand(PRK, info, L) -> OKM
*
* @param key a pseudorandom key of at least HashLen bytes (usually, the output from the extract step)
* @param info context and application specific information (can be empty)
* @param outputLength length of output keying material in bytes (<= 255*HashLen)
* @return output keying material
*/
public byte[] expand(SecretKey key, byte[] info, int outputLength) {
requireNonNull(key, "key must not be null");
if (outputLength < 1) {
throw new IllegalArgumentException("outputLength must be positive");
}
int hashLen = hash.getByteLength();
if (outputLength > 255 * hashLen) {
throw new IllegalArgumentException("outputLength must be less than or equal to 255*HashLen");
}
if (info == null) {
info = new byte[0];
}
/*
The output OKM is calculated as follows:
N = ceil(L/HashLen)
T = T(1) | T(2) | T(3) | ... | T(N)
OKM = first L bytes of T
where:
T(0) = empty string (zero length)
T(1) = HMAC-Hash(PRK, T(0) | info | 0x01)
T(2) = HMAC-Hash(PRK, T(1) | info | 0x02)
T(3) = HMAC-Hash(PRK, T(2) | info | 0x03)
...
*/
int n = (outputLength % hashLen == 0) ?
outputLength / hashLen :
(outputLength / hashLen) + 1;
byte[] hashRound = new byte[0];
ByteBuffer generatedBytes = ByteBuffer.allocate(Math.multiplyExact(n, hashLen));
Mac mac = initMac(key);
for (int roundNum = 1; roundNum <= n; roundNum++) {
mac.reset();
ByteBuffer t = ByteBuffer.allocate(hashRound.length + info.length + 1);
t.put(hashRound);
t.put(info);
t.put((byte)roundNum);
hashRound = mac.doFinal(t.array());
generatedBytes.put(hashRound);
}
byte[] result = new byte[outputLength];
generatedBytes.rewind();
generatedBytes.get(result, 0, outputLength);
return result;
}
/**
* Generates a random salt value to be used with {@link #extract(javax.crypto.SecretKey, byte[])}.
*
* @return randomly generated SecretKey to use for PRK extraction.
*/
public SecretKey randomSalt() {
SecureRandom random = new SecureRandom();
byte[] randBytes = new byte[hash.getByteLength()];
random.nextBytes(randBytes);
return new SecretKeySpec(randBytes, hash.getAlgorithm());
}
private Mac initMac(SecretKey key) {
Mac mac;
try {
if (provider != null) {
mac = Mac.getInstance(hash.getAlgorithm(), provider);
} else {
mac = Mac.getInstance(hash.getAlgorithm());
}
mac.init(key);
return mac;
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
} catch (InvalidKeyException e) {
throw new IllegalArgumentException(e);
}
}
}