8338587: Internal XOF Methods for SHAKE128 and SHAKE256
Reviewed-by: valeriep, weijun
This commit is contained in:
parent
88cccc14db
commit
c54fc08aa3
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2020, 2023, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2020, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -25,7 +25,7 @@
|
||||
package sun.security.ec.ed;
|
||||
|
||||
import sun.security.ec.ParametersMap;
|
||||
import sun.security.provider.SHAKE256;
|
||||
import sun.security.provider.SHA3.SHAKE256;
|
||||
import sun.security.util.ObjectIdentifier;
|
||||
import sun.security.util.KnownOIDs;
|
||||
import sun.security.util.math.*;
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 1996, 2023, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 1996, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -38,7 +38,7 @@ import java.security.*;
|
||||
import java.util.function.Function;
|
||||
|
||||
import sun.security.jca.JCAUtil;
|
||||
import sun.security.provider.SHAKE256;
|
||||
import sun.security.provider.SHA3.SHAKE256;
|
||||
import sun.security.timestamp.*;
|
||||
import sun.security.util.*;
|
||||
import sun.security.x509.*;
|
||||
|
@ -32,7 +32,7 @@ import java.security.cert.*;
|
||||
import java.security.spec.PSSParameterSpec;
|
||||
import java.util.*;
|
||||
|
||||
import sun.security.provider.SHAKE256;
|
||||
import sun.security.provider.SHA3.SHAKE256;
|
||||
import sun.security.timestamp.TimestampToken;
|
||||
import sun.security.util.*;
|
||||
import sun.security.x509.AlgorithmId;
|
||||
|
@ -34,6 +34,8 @@ import java.util.Objects;
|
||||
|
||||
import jdk.internal.vm.annotation.IntrinsicCandidate;
|
||||
|
||||
import static java.lang.Math.min;
|
||||
|
||||
/**
|
||||
* This class implements the Secure Hash Algorithm SHA-3 developed by
|
||||
* the National Institute of Standards and Technology along with the
|
||||
@ -46,7 +48,7 @@ import jdk.internal.vm.annotation.IntrinsicCandidate;
|
||||
* @since 9
|
||||
* @author Valerie Peng
|
||||
*/
|
||||
abstract class SHA3 extends DigestBase {
|
||||
public abstract class SHA3 extends DigestBase {
|
||||
|
||||
private static final int WIDTH = 200; // in bytes, e.g. 1600 bits
|
||||
private static final int DM = 5; // dimension of state matrix
|
||||
@ -65,9 +67,24 @@ abstract class SHA3 extends DigestBase {
|
||||
0x8000000000008080L, 0x80000001L, 0x8000000080008008L,
|
||||
};
|
||||
|
||||
// The starting byte combining the 2 or 4-bit domain separator and
|
||||
// leading bits of the 10*1 padding, see Table 6 in B.2 of FIPS PUB 202
|
||||
// for examples
|
||||
private final byte suffix;
|
||||
|
||||
// the state matrix flattened into an array
|
||||
private long[] state = new long[DM*DM];
|
||||
|
||||
// The byte offset in the state where the next squeeze() will start.
|
||||
// -1 indicates that either we are in the absorbing phase (only
|
||||
// update() calls were made so far) in an extendable-output function (XOF)
|
||||
// or the class was initialized as a hash.
|
||||
// The first squeeze() call (after a possibly empty sequence of update()
|
||||
// calls) will set it to 0 at its start.
|
||||
// When a squeeze() call uses up all available bytes from this state
|
||||
// and so a new keccak() call is made, squeezeOffset is reset to 0.
|
||||
protected int squeezeOffset = -1;
|
||||
|
||||
static final VarHandle asLittleEndian
|
||||
= MethodHandles.byteArrayViewVarHandle(long[].class,
|
||||
ByteOrder.LITTLE_ENDIAN).withInvokeExactBehavior();
|
||||
@ -75,7 +92,7 @@ abstract class SHA3 extends DigestBase {
|
||||
/**
|
||||
* Creates a new SHA-3 object.
|
||||
*/
|
||||
SHA3(String name, int digestLength, byte suffix, int c) {
|
||||
private SHA3(String name, int digestLength, byte suffix, int c) {
|
||||
super(name, digestLength, (WIDTH - c));
|
||||
this.suffix = suffix;
|
||||
}
|
||||
@ -103,54 +120,141 @@ abstract class SHA3 extends DigestBase {
|
||||
keccak();
|
||||
}
|
||||
|
||||
void finishAbsorb() {
|
||||
int numOfPadding =
|
||||
setPaddingBytes(suffix, buffer, (int)(bytesProcessed % blockSize));
|
||||
if (numOfPadding < 1) {
|
||||
throw new ProviderException("Incorrect pad size: " + numOfPadding);
|
||||
}
|
||||
implCompress(buffer, 0);
|
||||
}
|
||||
|
||||
/**
|
||||
* Return the digest. Subclasses do not need to reset() themselves,
|
||||
* DigestBase calls implReset() when necessary.
|
||||
*/
|
||||
void implDigest(byte[] out, int ofs) {
|
||||
// Moving this allocation to the block where it is used causes a little
|
||||
// performance drop, that is why it is here.
|
||||
byte[] byteState = new byte[8];
|
||||
int numOfPadding =
|
||||
setPaddingBytes(suffix, buffer, (int)(bytesProcessed % blockSize));
|
||||
if (numOfPadding < 1) {
|
||||
throw new ProviderException("Incorrect pad size: " + numOfPadding);
|
||||
if (engineGetDigestLength() == 0) {
|
||||
// This is an XOF, so the digest() call is illegal.
|
||||
throw new ProviderException("Calling digest() is not allowed in an XOF");
|
||||
}
|
||||
implCompress(buffer, 0);
|
||||
int availableBytes = blockSize; // i.e. buffer.length
|
||||
|
||||
finishAbsorb();
|
||||
|
||||
int availableBytes = blockSize;
|
||||
int numBytes = engineGetDigestLength();
|
||||
|
||||
while (numBytes > availableBytes) {
|
||||
for (int i = 0; i < availableBytes / 8 ; i++) {
|
||||
for (int i = 0; i < availableBytes / 8; i++) {
|
||||
asLittleEndian.set(out, ofs, state[i]);
|
||||
ofs += 8;
|
||||
}
|
||||
numBytes -= availableBytes;
|
||||
keccak();
|
||||
}
|
||||
int numLongs = (numBytes + 7) / 8;
|
||||
int numLongs = numBytes / 8;
|
||||
|
||||
for (int i = 0; i < numLongs - 1; i++) {
|
||||
for (int i = 0; i < numLongs; i++) {
|
||||
asLittleEndian.set(out, ofs, state[i]);
|
||||
ofs += 8;
|
||||
}
|
||||
if (numBytes == numLongs * 8) {
|
||||
asLittleEndian.set(out, ofs, state[numLongs - 1]);
|
||||
} else {
|
||||
asLittleEndian.set(byteState, 0, state[numLongs - 1]);
|
||||
System.arraycopy(byteState, 0,
|
||||
out, ofs, numBytes - (numLongs - 1) * 8);
|
||||
if (numBytes % 8 != 0) {
|
||||
asLittleEndian.set(byteState, 0, state[numLongs]);
|
||||
System.arraycopy(byteState, 0, out, ofs, numBytes % 8);
|
||||
}
|
||||
}
|
||||
|
||||
void implSqueeze(byte[] output, int offset, int numBytes) {
|
||||
// Moving this allocation to the block where it is used causes a little
|
||||
// performance drop, that is why it is here.
|
||||
byte[] byteState = new byte[8];
|
||||
if (engineGetDigestLength() != 0) {
|
||||
// This is not an XOF, so the squeeze() call is illegal.
|
||||
throw new ProviderException("Squeezing is only allowed in XOF mode.");
|
||||
}
|
||||
|
||||
if (squeezeOffset == -1) {
|
||||
finishAbsorb();
|
||||
squeezeOffset = 0;
|
||||
}
|
||||
|
||||
int availableBytes = blockSize - squeezeOffset;
|
||||
|
||||
while (numBytes > availableBytes) {
|
||||
int longOffset = squeezeOffset / 8;
|
||||
int bytesToCopy = 0;
|
||||
|
||||
if (longOffset * 8 < squeezeOffset) {
|
||||
asLittleEndian.set(byteState, 0, state[longOffset]);
|
||||
longOffset++;
|
||||
bytesToCopy = longOffset * 8 - squeezeOffset;
|
||||
System.arraycopy(byteState, 8 - bytesToCopy,
|
||||
output, offset, bytesToCopy);
|
||||
offset += bytesToCopy;
|
||||
}
|
||||
for (int i = longOffset; i < blockSize / 8; i++) {
|
||||
asLittleEndian.set(output, offset, state[i]);
|
||||
offset += 8;
|
||||
}
|
||||
keccak();
|
||||
squeezeOffset = 0;
|
||||
numBytes -= availableBytes;
|
||||
availableBytes = blockSize;
|
||||
}
|
||||
// now numBytes <= availableBytes
|
||||
int longOffset = squeezeOffset / 8;
|
||||
|
||||
if (longOffset * 8 < squeezeOffset) {
|
||||
asLittleEndian.set(byteState, 0, state[longOffset]);
|
||||
int bytesToCopy = min((longOffset + 1) * 8 - squeezeOffset, numBytes);
|
||||
System.arraycopy(byteState, squeezeOffset - 8 * longOffset,
|
||||
output, offset, bytesToCopy);
|
||||
longOffset++;
|
||||
numBytes -= bytesToCopy;
|
||||
offset += bytesToCopy;
|
||||
squeezeOffset += bytesToCopy;
|
||||
|
||||
if (numBytes == 0) return;
|
||||
}
|
||||
|
||||
int numLongs = numBytes / 8;
|
||||
|
||||
for (int i = longOffset; i < longOffset + numLongs; i++) {
|
||||
asLittleEndian.set(output, offset, state[i]);
|
||||
offset += 8;
|
||||
numBytes -= 8;
|
||||
squeezeOffset += 8;
|
||||
}
|
||||
|
||||
if (numBytes > 0) {
|
||||
asLittleEndian.set(byteState, 0, state[squeezeOffset / 8]);
|
||||
System.arraycopy(byteState, 0, output, offset, numBytes);
|
||||
squeezeOffset += numBytes;
|
||||
}
|
||||
}
|
||||
|
||||
byte[] implSqueeze(int numBytes) {
|
||||
byte[] result = new byte[numBytes];
|
||||
implSqueeze(result, 0, numBytes);
|
||||
return result;
|
||||
}
|
||||
|
||||
/**
|
||||
* Resets the internal state to start a new hash.
|
||||
*/
|
||||
void implReset() {
|
||||
Arrays.fill(state, 0L);
|
||||
squeezeOffset = -1;
|
||||
}
|
||||
|
||||
/**
|
||||
* Utility function for padding the specified data based on the
|
||||
* pad10*1 algorithm (section 5.1) and the 2-bit suffix "01" required
|
||||
* for SHA-3 hash (section 6.1).
|
||||
* pad10*1 algorithm (section 5.1) and the 2-bit suffix "01" or 4-bit
|
||||
* suffix "1111" required for SHA-3 hash functions (section 6.1) and
|
||||
* extendable-output functions (section 6.1) respectively.
|
||||
*/
|
||||
private static int setPaddingBytes(byte suffix, byte[] in, int len) {
|
||||
if (len != in.length) {
|
||||
@ -169,16 +273,20 @@ abstract class SHA3 extends DigestBase {
|
||||
* rate r = 1600 and capacity c.
|
||||
*/
|
||||
private void keccak() {
|
||||
keccak(state);
|
||||
}
|
||||
|
||||
public static void keccak(long[] stateArr) {
|
||||
long a0, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12;
|
||||
long a13, a14, a15, a16, a17, a18, a19, a20, a21, a22, a23, a24;
|
||||
// move data into local variables
|
||||
a0 = state[0]; a1 = state[1]; a2 = state[2]; a3 = state[3]; a4 = state[4];
|
||||
a5 = state[5]; a6 = state[6]; a7 = state[7]; a8 = state[8]; a9 = state[9];
|
||||
a10 = state[10]; a11 = state[11]; a12 = state[12]; a13 = state[13]; a14 = state[14];
|
||||
a15 = state[15]; a16 = state[16]; a17 = state[17]; a18 = state[18]; a19 = state[19];
|
||||
a20 = state[20]; a21 = state[21]; a22 = state[22]; a23 = state[23]; a24 = state[24];
|
||||
a0 = stateArr[0]; a1 = stateArr[1]; a2 = stateArr[2]; a3 = stateArr[3]; a4 = stateArr[4];
|
||||
a5 = stateArr[5]; a6 = stateArr[6]; a7 = stateArr[7]; a8 = stateArr[8]; a9 = stateArr[9];
|
||||
a10 = stateArr[10]; a11 = stateArr[11]; a12 = stateArr[12]; a13 = stateArr[13]; a14 = stateArr[14];
|
||||
a15 = stateArr[15]; a16 = stateArr[16]; a17 = stateArr[17]; a18 = stateArr[18]; a19 = stateArr[19];
|
||||
a20 = stateArr[20]; a21 = stateArr[21]; a22 = stateArr[22]; a23 = stateArr[23]; a24 = stateArr[24];
|
||||
|
||||
// process the lanes through step mappings
|
||||
// process the stateArr through step mappings
|
||||
for (int ir = 0; ir < NR; ir++) {
|
||||
// Step mapping Theta as defined in section 3.2.1.
|
||||
long c0 = a0^a5^a10^a15^a20;
|
||||
@ -280,11 +388,11 @@ abstract class SHA3 extends DigestBase {
|
||||
a0 ^= RC_CONSTANTS[ir];
|
||||
}
|
||||
|
||||
state[0] = a0; state[1] = a1; state[2] = a2; state[3] = a3; state[4] = a4;
|
||||
state[5] = a5; state[6] = a6; state[7] = a7; state[8] = a8; state[9] = a9;
|
||||
state[10] = a10; state[11] = a11; state[12] = a12; state[13] = a13; state[14] = a14;
|
||||
state[15] = a15; state[16] = a16; state[17] = a17; state[18] = a18; state[19] = a19;
|
||||
state[20] = a20; state[21] = a21; state[22] = a22; state[23] = a23; state[24] = a24;
|
||||
stateArr[0] = a0; stateArr[1] = a1; stateArr[2] = a2; stateArr[3] = a3; stateArr[4] = a4;
|
||||
stateArr[5] = a5; stateArr[6] = a6; stateArr[7] = a7; stateArr[8] = a8; stateArr[9] = a9;
|
||||
stateArr[10] = a10; stateArr[11] = a11; stateArr[12] = a12; stateArr[13] = a13; stateArr[14] = a14;
|
||||
stateArr[15] = a15; stateArr[16] = a16; stateArr[17] = a17; stateArr[18] = a18; stateArr[19] = a19;
|
||||
stateArr[20] = a20; stateArr[21] = a21; stateArr[22] = a22; stateArr[23] = a23; stateArr[24] = a24;
|
||||
}
|
||||
|
||||
public Object clone() throws CloneNotSupportedException {
|
||||
@ -328,4 +436,85 @@ abstract class SHA3 extends DigestBase {
|
||||
super("SHA3-512", 64, (byte)0x06, 128);
|
||||
}
|
||||
}
|
||||
|
||||
public abstract static class SHA3XOF extends SHA3 {
|
||||
public SHA3XOF(String name, int digestLength, byte offset, int c) {
|
||||
super(name, digestLength, offset, c);
|
||||
}
|
||||
public void update(byte in) {
|
||||
if (squeezeOffset != -1) {
|
||||
throw new ProviderException("update() after squeeze() is not allowed.");
|
||||
}
|
||||
engineUpdate(in);
|
||||
}
|
||||
public void update(byte[] in, int off, int len) {
|
||||
if (squeezeOffset != -1) {
|
||||
throw new ProviderException("update() after squeeze() is not allowed.");
|
||||
}
|
||||
engineUpdate(in, off, len);
|
||||
}
|
||||
|
||||
public void update(byte[] in) {
|
||||
if (squeezeOffset != -1) {
|
||||
throw new ProviderException("update() after squeeze() is not allowed.");
|
||||
}
|
||||
engineUpdate(in, 0, in.length);
|
||||
}
|
||||
|
||||
public byte[] digest() {
|
||||
return engineDigest();
|
||||
}
|
||||
|
||||
public void squeeze(byte[] output, int offset, int numBytes) {
|
||||
implSqueeze(output, offset, numBytes);
|
||||
}
|
||||
public byte[] squeeze(int numBytes) {
|
||||
return implSqueeze(numBytes);
|
||||
}
|
||||
|
||||
public void reset() {
|
||||
engineReset();
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* The SHAKE128 extendable output function.
|
||||
*/
|
||||
public static final class SHAKE128 extends SHA3XOF {
|
||||
// d is the required number of output bytes.
|
||||
// If this constructor is used with d > 0, the squeezing methods
|
||||
// will throw a ProviderException.
|
||||
public SHAKE128(int d) {
|
||||
super("SHAKE128", d, (byte) 0x1F, 32);
|
||||
}
|
||||
|
||||
// If this constructor is used to get an instance of the class, then,
|
||||
// after the last update, one can get the generated bytes using the
|
||||
// squeezing methods.
|
||||
// Calling digest method will throw a ProviderException.
|
||||
public SHAKE128() {
|
||||
super("SHAKE128", 0, (byte) 0x1F, 32);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* The SHAKE256 extendable output function.
|
||||
*/
|
||||
public static final class SHAKE256 extends SHA3XOF {
|
||||
// d is the required number of output bytes.
|
||||
// If this constructor is used with d > 0, the squeezing methods will
|
||||
// throw a ProviderException.
|
||||
public SHAKE256(int d) {
|
||||
super("SHAKE256", d, (byte) 0x1F, 64);
|
||||
}
|
||||
|
||||
// If this constructor is used to get an instance of the class, then,
|
||||
// after the last update, one can get the generated bytes using the
|
||||
// squeezing methods.
|
||||
// Calling a digest method will throw a ProviderException.
|
||||
public SHAKE256() {
|
||||
super("SHAKE256", 0, (byte) 0x1F, 64);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
@ -1,49 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License version 2 only, as
|
||||
* published by the Free Software Foundation. Oracle designates this
|
||||
* particular file as subject to the "Classpath" exception as provided
|
||||
* by Oracle in the LICENSE file that accompanied this code.
|
||||
*
|
||||
* This code is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* version 2 for more details (a copy is included in the LICENSE file that
|
||||
* accompanied this code).
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License version
|
||||
* 2 along with this work; if not, write to the Free Software Foundation,
|
||||
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
*
|
||||
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
||||
* or visit www.oracle.com if you need additional information or have any
|
||||
* questions.
|
||||
*/
|
||||
package sun.security.provider;
|
||||
|
||||
/*
|
||||
* The SHAKE128 extendable output function.
|
||||
*/
|
||||
public final class SHAKE128 extends SHA3 {
|
||||
public SHAKE128(int d) {
|
||||
super("SHAKE128", d, (byte) 0x1F, 32);
|
||||
}
|
||||
|
||||
public void update(byte in) {
|
||||
engineUpdate(in);
|
||||
}
|
||||
public void update(byte[] in, int off, int len) {
|
||||
engineUpdate(in, off, len);
|
||||
}
|
||||
|
||||
public byte[] digest() {
|
||||
return engineDigest();
|
||||
}
|
||||
|
||||
public void reset() {
|
||||
engineReset();
|
||||
}
|
||||
}
|
@ -1,49 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2020, 2021, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License version 2 only, as
|
||||
* published by the Free Software Foundation. Oracle designates this
|
||||
* particular file as subject to the "Classpath" exception as provided
|
||||
* by Oracle in the LICENSE file that accompanied this code.
|
||||
*
|
||||
* This code is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* version 2 for more details (a copy is included in the LICENSE file that
|
||||
* accompanied this code).
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License version
|
||||
* 2 along with this work; if not, write to the Free Software Foundation,
|
||||
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
*
|
||||
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
||||
* or visit www.oracle.com if you need additional information or have any
|
||||
* questions.
|
||||
*/
|
||||
package sun.security.provider;
|
||||
|
||||
/*
|
||||
* The SHAKE256 extendable output function.
|
||||
*/
|
||||
public final class SHAKE256 extends SHA3 {
|
||||
public SHAKE256(int d) {
|
||||
super("SHAKE256", d, (byte) 0x1F, 64);
|
||||
}
|
||||
|
||||
public void update(byte in) {
|
||||
engineUpdate(in);
|
||||
}
|
||||
public void update(byte[] in, int off, int len) {
|
||||
engineUpdate(in, off, len);
|
||||
}
|
||||
|
||||
public byte[] digest() {
|
||||
return engineDigest();
|
||||
}
|
||||
|
||||
public void reset() {
|
||||
engineReset();
|
||||
}
|
||||
}
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2020, 2023, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2020, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -40,7 +40,7 @@ import java.security.spec.*;
|
||||
import java.util.Arrays;
|
||||
import java.util.HexFormat;
|
||||
|
||||
import sun.security.provider.SHAKE256;
|
||||
import sun.security.provider.SHA3.SHAKE256;
|
||||
|
||||
public class TestEdOps {
|
||||
|
||||
|
@ -0,0 +1,90 @@
|
||||
/*
|
||||
* Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License version 2 only, as
|
||||
* published by the Free Software Foundation.
|
||||
*
|
||||
* This code is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* version 2 for more details (a copy is included in the LICENSE file that
|
||||
* accompanied this code).
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License version
|
||||
* 2 along with this work; if not, write to the Free Software Foundation,
|
||||
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
*
|
||||
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
||||
* or visit www.oracle.com if you need additional information or have any
|
||||
* questions.
|
||||
*/
|
||||
|
||||
/*
|
||||
* @test
|
||||
* @bug 8338587
|
||||
* @summary Ensure squeeze and digest always have the same output
|
||||
* @library /test/lib
|
||||
* @modules java.base/sun.security.provider
|
||||
*/
|
||||
|
||||
import jdk.test.lib.Asserts;
|
||||
import jdk.test.lib.security.SeededSecureRandom;
|
||||
import sun.security.provider.SHA3;
|
||||
|
||||
import java.io.ByteArrayOutputStream;
|
||||
import java.util.Arrays;
|
||||
|
||||
public class SHAKEsqueeze {
|
||||
public static void main(String[] args) throws Exception {
|
||||
var r = SeededSecureRandom.one();
|
||||
var atlast = 0;
|
||||
// Random test on SHAKE
|
||||
for (var i = 0; i < 1_000_000; i++) {
|
||||
var s = new SHA3.SHAKE256(0);
|
||||
var in = new ByteArrayOutputStream();
|
||||
while (r.nextBoolean()) {
|
||||
var b = r.nBytes(r.nextInt(200));
|
||||
if (b.length > 0 && r.nextBoolean()) {
|
||||
// Test update(b)
|
||||
s.update(b[0]);
|
||||
in.write(b[0]);
|
||||
} else if (r.nextBoolean()) {
|
||||
// Test update(byte[])
|
||||
s.update(b);
|
||||
in.write(b);
|
||||
} else {
|
||||
// Test update(byte[], offset, len)
|
||||
var prepend = r.nextInt(100);
|
||||
var append = r.nextInt(100);
|
||||
var bb = new byte[prepend + b.length + append];
|
||||
r.nextBytes(bb);
|
||||
System.arraycopy(b, 0, bb, prepend, b.length);
|
||||
s.update(bb, prepend, b.length);
|
||||
in.write(b);
|
||||
}
|
||||
}
|
||||
|
||||
// Squeeze for multiple times
|
||||
var out = new ByteArrayOutputStream();
|
||||
do {
|
||||
var n = r.nextInt(200);
|
||||
out.write(s.squeeze(n));
|
||||
} while (out.size() == 0 || r.nextBoolean());
|
||||
var b1 = out.toByteArray();
|
||||
|
||||
// Digest for one time
|
||||
var s2 = new SHA3.SHAKE256(b1.length);
|
||||
s2.update(in.toByteArray());
|
||||
var b2 = s2.digest();
|
||||
|
||||
atlast = Arrays.hashCode(b2) * 17 + atlast;
|
||||
Asserts.assertEqualsByteArray(b1, b2);
|
||||
}
|
||||
// Just to provide a visual clue to show that the same
|
||||
// SeededSecureRandom seed results in same final result
|
||||
// so that the test can be exactly reproduced.
|
||||
System.out.println("Final hash: " + atlast);
|
||||
}
|
||||
}
|
@ -65,4 +65,10 @@ public class SeededSecureRandom extends SecureRandom {
|
||||
rnd.nextBytes(out);
|
||||
return out;
|
||||
}
|
||||
|
||||
public byte[] nBytes(int n) {
|
||||
var out = new byte[n];
|
||||
nextBytes(out);
|
||||
return out;
|
||||
}
|
||||
}
|
||||
|
Loading…
x
Reference in New Issue
Block a user