Code Review Request for 7030966, Support AEAD CipherSuites (JSSE part of JEP 115)
Xuelei Fan
xuelei.fan at oracle.com
Sun Jan 20 02:31:30 UTC 2013
webrev: http://cr.openjdk.java.net./~xuelei/7030966/webrev.03/
A significant update of CipherBox.java.
We are not able to know whether a cipher for a particular key size is
available or not until the cipher is successfully initialized. For
example, we can get instance for "AES/GCM/NoPadding". But we don't known
whether the instance can work with AES-128 or AES-256 or not unless we
the Cipher.init() is called.
In the past, when a CipherBox is constructed, the cipher is always
initialized. However, for AEAD ciphers, we cannot initialized the cipher
in the constructor. We need an additional method to tell whether a
CipherBox is available or not for AEAD ciphers. The
CipherSuite.BulkCipher.isAvailable() will use this method to test the
availability of a cipher suites.
Thanks,
Xuelei
-------------- next part --------------
/*
* Is this cipher available?
*
* This method can only be called by CipherSuite.BulkCipher.isAvailable()
* to test the availability of a cipher suites. Please DON'T use it in
* other places, otherwise, the behavior may be unexpected because we may
* initialize AEAD cipher improperly in the method.
*/
Boolean isAvailable() {
// We won't know whether a cipher for a particular key size is
// available until the cipher is successfully initialized.
//
// We do not initialize AEAD cipher in the constructor. Need to
// initialize the cipher to ensure that the AEAD mode for a
// particular key size is supported.
if (cipherType == AEAD_CIPHER) {
try {
Authenticator authenticator =
new Authenticator(protocolVersion);
byte[] nonce = authenticator.sequenceNumber();
byte[] iv = Arrays.copyOf(fixedIv,
fixedIv.length + nonce.length);
System.arraycopy(nonce, 0, iv, fixedIv.length, nonce.length);
GCMParameterSpec spec = new GCMParameterSpec(tagSize * 8, iv);
cipher.init(mode, key, spec, random);
} catch (Exception e) {
return Boolean.FALSE;
}
} // Otherwise, we have initialized the cipher in the constructor.
return Boolean.TRUE;
}
More information about the security-dev
mailing list