corretto · amirhosv · Oct 24, 2024 · Aug 14, 2024 · Aug 15, 2024 · Aug 17, 2024
@@ -1,3 +1,4 @@
 [submodule "aws-lc"]
 	path = aws-lc
-	url = https://github.com/awslabs/aws-lc
+	url = https://github.com/sgmenda-aws/aws-lc
+	branch = experimental-pq-hybrid-with-hpke
@@ -261,6 +261,8 @@ add_library(
         csrc/env.cpp
         csrc/hkdf.cpp
         csrc/hmac.cpp
+        csrc/hpke_cipher.cpp
+        csrc/hpke_gen.cpp
         csrc/keyutils.cpp
         csrc/java_evp_keys.cpp
         csrc/libcrypto_rng.cpp

@@ -1,3 +1,9 @@
+# EXPERIMENTAL BRANCH
+
+This branch includes an experimental implementation of HPKE.
+
+---
+
 # Amazon Corretto Crypto Provider
 The Amazon Corretto Crypto Provider (ACCP) is a collection of high-performance cryptographic implementations exposed via the standard [JCA/JCE](https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html) interfaces.
 This means that it can be used as a drop in replacement for many different Java applications.

@@ -12,6 +12,8 @@ plugins {
     id "io.github.gradle-nexus.publish-plugin" version "1.1.0"
 }
 
+ext.experimentalPqHybrid = true
+
 group = 'software.amazon.cryptools'
 version = '2.4.1'
 ext.isFips = Boolean.getBoolean('FIPS')
@@ -192,7 +194,7 @@ task buildAwsLc {
             }
         }
 
-        if (!isLegacyBuild) {
+        if (!isLegacyBuild && !experimentalPqHybrid) {
             exec {
                 workingDir awslcSrcPath
                 commandLine "git", "fetch", "--tags"

@@ -6,6 +6,7 @@
 #include "env.h"
 #include <openssl/ec.h>
 #include <openssl/evp.h>
+#include <openssl/hpke.h>
 #include <openssl/mem.h>
 #include <openssl/rsa.h>
 #include <openssl/x509.h>
@@ -103,6 +104,7 @@ OPENSSL_auto(BN_CTX);
 OPENSSL_auto(EVP_MD_CTX);
 OPENSSL_auto(EVP_PKEY);
 OPENSSL_auto(EVP_PKEY_CTX);
+OPENSSL_auto(EVP_HPKE_KEY);
 
 class OPENSSL_buffer_auto {
 private:

@@ -0,0 +1,158 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+#include "auto_free.h"
+#include "bn.h"
+#include "buffer.h"
+#include "env.h"
+#include "generated-headers.h"
+#include "keyutils.h"
+#include "util.h"
+#include <openssl/evp.h>
+#include <openssl/hpke.h>
+#include <openssl/nid.h>
+
+using namespace AmazonCorrettoCryptoProvider;
+
+/*
+ * Class:     com_amazon_corretto_crypto_provider_HpkeCipher
+ * Method:    hpkeWrap
+ * Signature: (J[BIIII[BI)I
+ */
+JNIEXPORT jint JNICALL Java_com_amazon_corretto_crypto_provider_HpkeCipher_hpkeCipher(JNIEnv* pEnv,
+    jclass,
+    jlong keyHandle,
+    jint javaCipherMode,
+    jint kemId,
+    jint kdfId,
+    jint aeadId,
+    jbyteArray input,
+    jint inputOffset,
+    jint inputLen,
+    jbyteArray output,
+    jint outputOffset)
+{
+    try {
+        raii_env env(pEnv);
+
+        if (!input) {
+            throw_java_ex(EX_NPE, "Empty input array");
+        }
+        if (!output) {
+            throw_java_ex(EX_NPE, "Empty output array");
+        }
+
+        const EVP_HPKE_KEY* key = reinterpret_cast<EVP_HPKE_KEY*>(keyHandle);
+        const auto kem = EVP_HPKE_KEM_find_by_id(kemId);
+        const auto kdf = EVP_HPKE_KDF_find_by_id(kdfId);
+        const auto aead = EVP_HPKE_AEAD_find_by_id(aeadId);
+        const auto aead_overhead = EVP_AEAD_max_overhead(EVP_HPKE_AEAD_aead(aead));
+
+        if (kemId != EVP_HPKE_KEM_id(EVP_HPKE_KEY_kem(key))) {
+            throw_java_ex(EX_RUNTIME_CRYPTO, "KEM in the key does not match the param");
+        }
+
+        // FIXME: support setting these values
+        std::vector<uint8_t> info(0);
+        std::vector<uint8_t> ad(0);
+
+        size_t result = -1;
+
+        if (javaCipherMode == 3 /* Wrap */) {
+            // Serialize public key
+            std::vector<uint8_t> public_key_r(EVP_HPKE_KEM_public_key_len(kem));
+            size_t public_key_r_len;
+            CHECK_OPENSSL(EVP_HPKE_KEY_public_key(key, public_key_r.data(), &public_key_r_len, public_key_r.size()));
+
+            // The input is the plaintext message
+            java_buffer msgBuf = java_buffer::from_array(env, input, inputOffset, inputLen);
+
+            // We write the enc and the ciphertext to the output buffer
+            const auto encBufLen = EVP_HPKE_KEM_enc_len(kem);
+            const auto ctBufLen = inputLen + aead_overhead;
+            const auto outBufLen = encBufLen + ctBufLen;
+            java_buffer encBuf = java_buffer::from_array(env, output, outputOffset, encBufLen);
+            java_buffer ctBuf = java_buffer::from_array(env, output, outputOffset + encBufLen, ctBufLen);
+            size_t enc_len = 0;
+            size_t ct_len = 0;
+
+            {
+                jni_borrow msg(env, msgBuf, "input msg");
+                jni_borrow enc(env, encBuf, "output enc");
+                jni_borrow ct(env, ctBuf, "output ciphertext");
+
+                CHECK_OPENSSL(EVP_HPKE_seal(enc.data(), &enc_len, enc.len(), ct.data(), &ct_len, ct.len(), kem, kdf,
+                    aead, public_key_r.data(), public_key_r_len, info.data(), info.size(), msg.data(), msg.len(),
+                    ad.data(), ad.size()));
+                if (enc_len != encBufLen) {
+                    throw_java_ex(EX_RUNTIME_CRYPTO, "Unexpected error, enc buffer length is wrong!");
+                }
+                if (ct_len != ctBufLen) {
+                    throw_java_ex(EX_RUNTIME_CRYPTO, "Unexpected error, ciphertext buffer length is wrong!");
+                }
+                result = outBufLen;
+            }
+        } else if (javaCipherMode == 4 /* Unwrap */) {
+            // The input the enc and the ciphertext
+            const auto encBufLen = EVP_HPKE_KEM_enc_len(kem);
+            if (inputLen < (encBufLen + aead_overhead)) {
+                throw_java_ex(EX_RUNTIME_CRYPTO, "input too short to unwrap with HPKE");
+            }
+            const auto ctBufLen = inputLen - encBufLen;
+            java_buffer encBuf = java_buffer::from_array(env, input, inputOffset, encBufLen);
+            java_buffer ctBuf = java_buffer::from_array(env, input, inputOffset + encBufLen, ctBufLen);
+
+            // We write the plaintext message to the output buffer
+            java_buffer msgBuf = java_buffer::from_array(env, output, outputOffset);
+            size_t msg_len = 0;
+            {
+                jni_borrow msg(env, msgBuf, "output msg");
+                jni_borrow enc(env, encBuf, "input enc");
+                jni_borrow ct(env, ctBuf, "input ciphertext");
+
+                CHECK_OPENSSL(EVP_HPKE_open(msg.data(), &msg_len, msg.len(), key, kdf, aead, enc.data(), enc.len(),
+                    info.data(), info.size(), ct.data(), ct.len(), ad.data(), ad.size()))
+                result = msg_len;
+            }
+        } else {
+            throw_java_ex(EX_RUNTIME_CRYPTO, "Unsupported cipher mode");
+        }
+        return (jint)result;
+    } catch (java_ex& ex) {
+        ex.throw_to_java(pEnv);
+        return -1;
+    }
+}
+
+/*
+ * Class:     com_amazon_corretto_crypto_provider_HpkeCipher
+ * Method:    hpkeOutputSize
+ * Signature: (IIIII)I
+ */
+JNIEXPORT jint JNICALL Java_com_amazon_corretto_crypto_provider_HpkeCipher_hpkeOutputSize(
+    JNIEnv* pEnv, jclass, jint javaCipherMode, jint kemId, jint kdfId, jint aeadId, jint inputLen)
+{
+    const auto kem = EVP_HPKE_KEM_find_by_id(kemId);
+    const auto aead = EVP_HPKE_AEAD_find_by_id(aeadId);
+    const auto aead_overhead = EVP_AEAD_max_overhead(EVP_HPKE_AEAD_aead(aead));
+    const auto enc_len = EVP_HPKE_KEM_enc_len(kem);
+
+    try {
+        raii_env env(pEnv);
+
+        if (javaCipherMode == 3 /* Wrap */) {
+            // We write the enc and the ciphertext to the output buffer
+            return (inputLen + enc_len + aead_overhead);
+        } else if (javaCipherMode == 4 /* Unwrap */) {
+            // We write the plaintext to the output buffer
+            if (inputLen < (enc_len + aead_overhead)) {
+                throw_java_ex(EX_RUNTIME_CRYPTO, "input too short to unwrap with HPKE");
+            }
+            return (inputLen - enc_len - aead_overhead);
+        } else {
+            throw_java_ex(EX_RUNTIME_CRYPTO, "Unsupported cipher mode");
+        }
+    } catch (java_ex& ex) {
+        ex.throw_to_java(pEnv);
+        return -1;
+    }
+}
@@ -0,0 +1,36 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+#include "auto_free.h"
+#include "bn.h"
+#include "buffer.h"
+#include "env.h"
+#include "generated-headers.h"
+#include "keyutils.h"
+#include "util.h"
+#include <openssl/evp.h>
+#include <openssl/hpke.h>
+#include <openssl/nid.h>
+
+using namespace AmazonCorrettoCryptoProvider;
+
+/*
+ * Class:     com_amazon_corretto_crypto_provider_HpkeGen
+ * Method:    generateEvpHpkeKemKeyFromSpec
+ * Signature: (I)J
+ */
+JNIEXPORT jlong JNICALL Java_com_amazon_corretto_crypto_provider_HpkeGen_generateEvpHpkeKemKeyFromSpec(
+    JNIEnv* pEnv, jclass, jint hpke_kem_id)
+{
+    EVP_HPKE_KEY_auto key;
+    try {
+        raii_env env(pEnv);
+        key.set(EVP_HPKE_KEY_new());
+        const EVP_HPKE_KEM* kem = EVP_HPKE_KEM_find_by_id(hpke_kem_id);
+        CHECK_OPENSSL(kem != NULL);
+        CHECK_OPENSSL(EVP_HPKE_KEY_generate(key, kem));
+        return reinterpret_cast<jlong>(key.take());
+    } catch (java_ex& ex) {
+        ex.throw_to_java(pEnv);
+        return 0;
+    }
+}
@@ -152,6 +152,12 @@ private void buildServiceMap() {
     }
 
     addSignatures();
+    addHPKE();
+  }
+
+  private void addHPKE() {
+    addService("KeyPairGenerator", "HPKE", "HpkeGen");
+    addService("Cipher", "HPKE", "HpkeCipher");
   }
 
   private void addSignatures() {

@@ -0,0 +1,18 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+package com.amazon.corretto.crypto.provider;
+
+class EvpHpkeKey extends EvpKey {
+  private static final long serialVersionUID = 1;
+
+  final HpkeParameterSpec spec;
+
+  EvpHpkeKey(final InternalKey key, final boolean isPublicKey, HpkeParameterSpec spec) {
+    super(key, EvpKeyType.HPKE, isPublicKey);
+    this.spec = spec;
+  }
+
+  public HpkeParameterSpec getSpec() {
+    return spec;
+  }
+}
@@ -0,0 +1,29 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+package com.amazon.corretto.crypto.provider;
+
+import com.amazon.corretto.crypto.provider.EvpKey.CanDerivePublicKey;
+import java.security.PrivateKey;
+
+public class EvpHpkePrivateKey extends EvpHpkeKey
+    implements PrivateKey, CanDerivePublicKey<EvpHpkePublicKey> {
+  private static final long serialVersionUID = 1;
+
+  EvpHpkePrivateKey(InternalKey key, HpkeParameterSpec spec) {
+    super(key, false, spec);
+  }
+
+  EvpHpkePrivateKey(final long ptr, HpkeParameterSpec spec) {
+    this(new InternalKey(ptr), spec);
+  }
+
+  @Override
+  public EvpHpkePublicKey getPublicKey() {
+    // Once our internal key could be elsewhere, we can no longer safely release it when done
+    ephemeral = false;
+    sharedKey = true;
+    final EvpHpkePublicKey result = new EvpHpkePublicKey(internalKey, spec);
+    result.sharedKey = true;
+    return result;
+  }
+}
@@ -0,0 +1,13 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+package com.amazon.corretto.crypto.provider;
+
+import java.security.PublicKey;
+
+public class EvpHpkePublicKey extends EvpHpkeKey implements PublicKey {
+  private static final long serialVersionUID = 1;
+
+  EvpHpkePublicKey(InternalKey key, HpkeParameterSpec spec) {
+    super(key, true, spec);
+  }
+}
@@ -17,7 +17,8 @@
 /** Corresponds to native constants in OpenSSL which represent keytypes. */
 enum EvpKeyType {
   RSA("RSA", 6, RSAPublicKey.class, RSAPrivateKey.class),
-  EC("EC", 408, ECPublicKey.class, ECPrivateKey.class);
+  EC("EC", 408, ECPublicKey.class, ECPrivateKey.class),
+  HPKE("HPKE", 991, EvpHpkePublicKey.class, EvpHpkePrivateKey.class);
 
   final String jceName;
   final int nativeValue;