/* WolfCrypt.java
*
* Copyright (C) 2006-2026 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
package com.wolfssl.wolfcrypt;
import java.nio.charset.StandardCharsets;
/**
* Main wrapper for the native WolfCrypt implementation
*/
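public class WolfCrypt extends WolfObject {

    /** wolfCrypt SUCCESS code */
    public static final int SUCCESS = 0;
    /** wolfCrypt FAILURE code */
    public static final int FAILURE = -1;

    /** wolfSSL SUCCESS code */
    public static final int WOLFSSL_SUCCESS = 1;

    /** Size of 128 bits in bytes */
    public static final int SIZE_OF_128_BITS = 16;
    /** Size of 160 bits in bytes */
    public static final int SIZE_OF_160_BITS = 20;
    /** Size of 192 bits in bytes */
    public static final int SIZE_OF_192_BITS = 24;
    /** Size of 256 bits in bytes */
    public static final int SIZE_OF_256_BITS = 32;
    /** Size of 384 bits in bytes */
    public static final int SIZE_OF_384_BITS = 48;
    /** Size of 512 bits in bytes */
    public static final int SIZE_OF_512_BITS = 64;
    /** Size of 1024 bits in bytes */
    public static final int SIZE_OF_1024_BITS = 128;
    /** Size of 2048 bits in bytes */
    public static final int SIZE_OF_2048_BITS = 256;

    /*
     * Native wolfCrypt hash types, from wolfssl/wolfcrypt/types.h
     * wc_HashType enum.
     *
     * Each value is read once from the native library when this class is
     * initialized. The fields are final so that no other code in the JVM
     * can reassign an algorithm identifier after initialization.
     */

    /** wolfSSL hash type: None */
    public static final int WC_HASH_TYPE_NONE =
        WolfCrypt.getWC_HASH_TYPE_NONE();
    /** wolfSSL hash type: MD2 */
    public static final int WC_HASH_TYPE_MD2 =
        WolfCrypt.getWC_HASH_TYPE_MD2();
    /** wolfSSL hash type: MD4 */
    public static final int WC_HASH_TYPE_MD4 =
        WolfCrypt.getWC_HASH_TYPE_MD4();
    /** wolfSSL hash type: MD5 */
    public static final int WC_HASH_TYPE_MD5 =
        WolfCrypt.getWC_HASH_TYPE_MD5();
    /** wolfSSL hash type: SHA-1 */
    public static final int WC_HASH_TYPE_SHA =
        WolfCrypt.getWC_HASH_TYPE_SHA();
    /** wolfSSL hash type: SHA-224 */
    public static final int WC_HASH_TYPE_SHA224 =
        WolfCrypt.getWC_HASH_TYPE_SHA224();
    /** wolfSSL hash type: SHA-256 */
    public static final int WC_HASH_TYPE_SHA256 =
        WolfCrypt.getWC_HASH_TYPE_SHA256();
    /** wolfSSL hash type: SHA-384 */
    public static final int WC_HASH_TYPE_SHA384 =
        WolfCrypt.getWC_HASH_TYPE_SHA384();
    /** wolfSSL hash type: SHA-512 */
    public static final int WC_HASH_TYPE_SHA512 =
        WolfCrypt.getWC_HASH_TYPE_SHA512();
    /** wolfSSL hash type: MD5-SHA */
    public static final int WC_HASH_TYPE_MD5_SHA =
        WolfCrypt.getWC_HASH_TYPE_MD5_SHA();
    /** wolfSSL hash type: SHA3-224 */
    public static final int WC_HASH_TYPE_SHA3_224 =
        WolfCrypt.getWC_HASH_TYPE_SHA3_224();
    /** wolfSSL hash type: SHA3-256 */
    public static final int WC_HASH_TYPE_SHA3_256 =
        WolfCrypt.getWC_HASH_TYPE_SHA3_256();
    /** wolfSSL hash type: SHA3-384 */
    public static final int WC_HASH_TYPE_SHA3_384 =
        WolfCrypt.getWC_HASH_TYPE_SHA3_384();
    /** wolfSSL hash type: SHA3-512 */
    public static final int WC_HASH_TYPE_SHA3_512 =
        WolfCrypt.getWC_HASH_TYPE_SHA3_512();

    /* Native JNI function bindings */
    private static native int getWC_HASH_TYPE_NONE();
    private static native int getWC_HASH_TYPE_MD2();
    private static native int getWC_HASH_TYPE_MD4();
    private static native int getWC_HASH_TYPE_MD5();
    private static native int getWC_HASH_TYPE_SHA();
    private static native int getWC_HASH_TYPE_SHA224();
    private static native int getWC_HASH_TYPE_SHA256();
    private static native int getWC_HASH_TYPE_SHA384();
    private static native int getWC_HASH_TYPE_SHA512();
    private static native int getWC_HASH_TYPE_MD5_SHA();
    private static native int getWC_HASH_TYPE_SHA3_224();
    private static native int getWC_HASH_TYPE_SHA3_256();
    private static native int getWC_HASH_TYPE_SHA3_384();
    private static native int getWC_HASH_TYPE_SHA3_512();
    private static native byte[] wcBase16Encode(byte[] input);
    private static native byte[] wcBase16Decode(byte[] input);
    private static native byte[] wcKeyPemToDer(byte[] pem, String password);
    private static native byte[] wcCertPemToDer(byte[] pem);
    private static native byte[] wcPubKeyPemToDer(byte[] pem);
    private static native void nativeSetIOTimeout(int timeoutSec);

    /*
     * Public mappings of some SSL/TLS level enums/defines.
     *
     * These select file formats and certificate revocation behavior, so
     * they are final: a reassigned value would silently change what every
     * later caller in the JVM passes down to native wolfSSL.
     */

    /** wolfSSL file type: PEM */
    public static final int SSL_FILETYPE_PEM = 1;

    /** wolfSSL file type: ASN.1/DER */
    public static final int SSL_FILETYPE_ASN1 = 2;

    /**
     * CRL option, will perform CRL checking on each certificate in the
     * chain. Checking only leaf certificate is the default behavior.
     */
    public static final int WOLFSSL_CRL_CHECKALL = 1;

    /**
     * CRL option, will enable CRL checking on leaf certificate.
     */
    public static final int WOLFSSL_CRL_CHECK = 2;

    /**
     * OCSP option, will use override URL for OCSP requests.
     * Must match native WOLFSSL_OCSP_URL_OVERRIDE value in ssl.h.
     */
    public static final int WOLFSSL_OCSP_URL_OVERRIDE = 1;

    /**
     * OCSP option, will not send nonce in OCSP requests.
     * Must match native WOLFSSL_OCSP_NO_NONCE value in ssl.h.
     */
    public static final int WOLFSSL_OCSP_NO_NONCE = 2;

    /**
     * OCSP option, will perform OCSP checking on each certificate in the
     * chain. Checking only leaf certificate is the default behavior.
     * Must match native WOLFSSL_OCSP_CHECKALL value in ssl.h.
     */
    public static final int WOLFSSL_OCSP_CHECKALL = 4;

    /**
     * Tests if CRL (HAVE_CRL) has been enabled in native wolfCrypt.
     *
     * @return true if enabled, otherwise false if not compiled in
     */
    public static native boolean CrlEnabled();

    /**
     * Tests if OCSP (HAVE_OCSP) has been enabled in native wolfCrypt.
     *
     * @return true if enabled, otherwise false if not compiled in
     */
    public static native boolean OcspEnabled();

    /**
     * Tests if Base16 (WOLFSSL_BASE16) has been enabled in native wolfCrypt.
     *
     * @return true if enabled, otherwise false if not compiled in
     */
    public static native boolean Base16Enabled();

    /**
     * Tests if I/O timeout (HAVE_IO_TIMEOUT) has been enabled in wolfSSL.
     *
     * @return true if enabled, otherwise false if not compiled in
     */
    public static native boolean IoTimeoutEnabled();

    /** Maximum allowed I/O timeout value in seconds (1 hour) */
    private static final int MAX_IO_TIMEOUT_SEC = 3600;

    /**
     * Set the I/O timeout used by native wolfSSL for HTTP-based operations
     * including OCSP lookups and CRL fetching.
     *
     * Wraps native wolfIO_SetTimeout(). Requires native wolfSSL to be
     * compiled with HAVE_IO_TIMEOUT.
     *
     * This sets a global (library-wide) timeout value in native
     * wolfSSL. All threads and certificate validations in the same
     * JVM share this single timeout setting.
     *
     * Because a value of 0 disables the timeout, revocation lookups made
     * with that setting are not bounded by this wrapper; applications
     * that fetch CRLs or OCSP responses from remote hosts will usually
     * want a non-zero value.
     *
     * @param timeoutSec timeout value in seconds, 0 to 3600 inclusive.
     *        A value of 0 disables the timeout (default behavior).
     *
     * @throws WolfCryptException if HAVE_IO_TIMEOUT is not compiled
     *         into native wolfSSL
     * @throws IllegalArgumentException if timeoutSec is negative or
     *         exceeds 3600 seconds
     */
    public static void setIOTimeout(int timeoutSec) {

        /* Range is validated here, before the value reaches native code */
        if (timeoutSec < 0) {
            throw new IllegalArgumentException(
                "Timeout value must not be negative");
        }

        if (timeoutSec > MAX_IO_TIMEOUT_SEC) {
            throw new IllegalArgumentException(
                "Timeout value must not exceed " +
                MAX_IO_TIMEOUT_SEC + " seconds");
        }

        nativeSetIOTimeout(timeoutSec);
    }

    /**
     * Constant time byte array comparison.
     *
     * If arrays are of different lengths, return false right away. Apart
     * from length check, this matches native wolfSSL ConstantCompare()
     * logic in misc.c.
     *
     * The early return means a length mismatch is observable through
     * timing; only the contents of equal-length inputs are compared
     * without a data-dependent branch. Use it for fixed-size values such
     * as MACs and digests.
     *
     * @param a first byte array for comparison
     * @param b second byte array for comparison
     *
     * @return true if equal, otherwise false
     *
     * @throws NullPointerException if either array is null
     */
    public static boolean ConstantCompare(byte[] a, byte[] b) {

        int compareSum = 0;

        if (a.length != b.length) {
            return false;
        }

        /* Accumulate every difference; never exit the loop early, so the
         * running time does not depend on where the first mismatch is */
        for (int i = 0; i < a.length; i++) {
            compareSum |= a[i] ^ b[i];
        }

        return (compareSum == 0);
    }

    /**
     * Convert byte array to hexadecimal string representation.
     *
     * Wraps native Base16_Encode() function. Output uses uppercase hex
     * characters (0-9, A-F), which matches native wolfSSL behavior.
     *
     * @param data byte array to encode as hex string
     *
     * @return hexadecimal string representation of input bytes
     *
     * @throws WolfCryptException if encoding fails, input is null,
     *         or native Base16 support is not compiled in
     */
    public static String toHexString(byte[] data) throws WolfCryptException {

        byte[] hexBytes = null;

        if (data == null) {
            throw new WolfCryptException("Input data is null");
        }

        /* Empty input is handled in Java and never reaches native code */
        if (data.length == 0) {
            return "";
        }

        hexBytes = wcBase16Encode(data);
        if (hexBytes == null) {
            throw new WolfCryptException("Base16 encoding failed");
        }

        return new String(hexBytes, StandardCharsets.US_ASCII);
    }

    /**
     * Convert hexadecimal string to byte array.
     *
     * Wraps native Base16_Decode() function. Accepts both uppercase (A-F)
     * and lowercase (a-f) hex characters.
     *
     * @param hexStr hexadecimal string to decode
     *
     * @return decoded byte array
     *
     * @throws WolfCryptException if decoding fails, input is null,
     *         input has odd length, contains invalid hex characters, or
     *         native Base16 support is not compiled in
     */
    public static byte[] hexStringToByteArray(String hexStr)
        throws WolfCryptException {

        byte[] decoded = null;

        if (hexStr == null) {
            throw new WolfCryptException("Input hex string is null");
        }

        /* Empty input is handled in Java and never reaches native code */
        if (hexStr.length() == 0) {
            return new byte[0];
        }

        if (hexStr.length() % 2 != 0) {
            throw new WolfCryptException(
                "Hex string must have even length");
        }

        decoded = wcBase16Decode(
            hexStr.getBytes(StandardCharsets.US_ASCII));

        /* Same guard as toHexString(): a null result from the native
         * call is reported as a failure instead of being handed to the
         * caller, who is promised a byte array or an exception */
        if (decoded == null) {
            throw new WolfCryptException("Base16 decoding failed");
        }

        return decoded;
    }

    /**
     * Convert private key from PEM to DER format.
     *
     * Wraps native wc_KeyPemToDer() function.
     *
     * The password is taken as a String, which cannot be cleared by the
     * caller and stays on the Java heap until garbage collected. The
     * returned array holds the DER-encoded private key; callers should
     * overwrite it (for example with java.util.Arrays.fill()) once it is
     * no longer needed.
     *
     * @param pem PEM-encoded private key as byte array
     * @param password password for encrypted PEM, or null if unencrypted
     *
     * @return DER-encoded private key as byte array
     *
     * @throws WolfCryptException if conversion fails, native operation
     *         encounters an error, or native ASN/PEM support is not
     *         compiled in (NO_ASN or WOLFSSL_NO_PEM defined)
     */
    public static byte[] keyPemToDer(byte[] pem, String password)
        throws WolfCryptException {

        if (pem == null || pem.length == 0) {
            throw new WolfCryptException("PEM input is null or empty");
        }

        return wcKeyPemToDer(pem, password);
    }

    /**
     * Convert X.509 certificate from PEM to DER format.
     *
     * Wraps native wc_CertPemToDer() function.
     *
     * @param pem PEM-encoded certificate as byte array
     *
     * @return DER-encoded certificate as byte array
     *
     * @throws WolfCryptException if conversion fails, native operation
     *         encounters an error, or native ASN/PEM support is not
     *         compiled in (NO_ASN or WOLFSSL_NO_PEM defined)
     */
    public static byte[] certPemToDer(byte[] pem) throws WolfCryptException {

        if (pem == null || pem.length == 0) {
            throw new WolfCryptException("PEM input is null or empty");
        }

        return wcCertPemToDer(pem);
    }

    /**
     * Convert public key from PEM to DER format.
     *
     * Wraps native wc_PubKeyPemToDer() function.
     *
     * @param pem PEM-encoded public key as byte array
     *
     * @return DER-encoded public key as byte array
     *
     * @throws WolfCryptException if conversion fails, native operation
     *         encounters an error, or native ASN/PEM support is not
     *         compiled in (NO_ASN or WOLFSSL_NO_PEM defined)
     */
    public static byte[] pubKeyPemToDer(byte[] pem) throws WolfCryptException {

        if (pem == null || pem.length == 0) {
            throw new WolfCryptException("PEM input is null or empty");
        }

        return wcPubKeyPemToDer(pem);
    }

    /* Static-only utility class, not meant to be instantiated */
    private WolfCrypt() {
    }
}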