[PQ] Add experimental support for HPKE

.gitmodules

@@ -1,3 +1,4 @@
 [submodule "aws-lc"]
 	path = aws-lc
-	url = https://github.com/awslabs/aws-lc
+	url = https://github.com/aws/aws-lc
+	branch = experimental-pq-hybrid

CMakeLists.txt

@@ -261,6 +261,8 @@ add_library(
         csrc/env.cpp
         csrc/hkdf.cpp
         csrc/hmac.cpp
+        csrc/hpke_cipher.cpp
+        csrc/hpke_gen.cpp
         csrc/keyutils.cpp
         csrc/java_evp_keys.cpp
         csrc/libcrypto_rng.cpp

README.md

@@ -1,3 +1,9 @@
+# EXPERIMENTAL BRANCH
+
+This branch includes an experimental implementation of HPKE.
+
+---
+
 # Amazon Corretto Crypto Provider
 The Amazon Corretto Crypto Provider (ACCP) is a collection of high-performance cryptographic implementations exposed via the standard [JCA/JCE](https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html) interfaces.
 This means that it can be used as a drop in replacement for many different Java applications.
@@ -45,6 +51,7 @@ Cipher algorithms:
 * RSA/ECB/OAEPPadding
 * RSA/ECB/OAEPWithSHA-1AndMGF1Padding
 * RSA/ECB/OAEPWithSHA1AndMGF1Padding
+* HPKE
 
 Signature algorithms:
 * SHA1withRSA
@@ -68,6 +75,7 @@ Signature algorithms:
 KeyPairGenerator:
 * EC
 * RSA
+* HPKE
 
 KeyGenerator:
 * AES

build.gradle

@@ -16,9 +16,10 @@ group = 'software.amazon.cryptools'
 version = '2.4.1'
 ext.isFips = Boolean.getBoolean('FIPS')
 if (ext.isFips) {
-    ext.awsLcGitVersionId = 'AWS-LC-FIPS-2.0.13'
+    // TODO: replace with tags once stable
+    ext.awsLcGitVersionId = '72c276e9c709a2d9b94e41b06da6abf2b3805a4a'
 } else {
-    ext.awsLcGitVersionId = 'v1.30.1'
+    ext.awsLcGitVersionId = '72c276e9c709a2d9b94e41b06da6abf2b3805a4a'
 }
 
 // Check for user inputted git version ID.

csrc/auto_free.h

@@ -6,6 +6,7 @@
 #include "env.h"
 #include <openssl/ec.h>
 #include <openssl/evp.h>
+#include <openssl/hpke.h>
 #include <openssl/mem.h>
 #include <openssl/rsa.h>
 #include <openssl/x509.h>
@@ -103,6 +104,7 @@ OPENSSL_auto(BN_CTX);
 OPENSSL_auto(EVP_MD_CTX);
 OPENSSL_auto(EVP_PKEY);
 OPENSSL_auto(EVP_PKEY_CTX);
+OPENSSL_auto(EVP_HPKE_KEY);
 
 class OPENSSL_buffer_auto {
 private:

csrc/hpke_cipher.cpp

@@ -0,0 +1,173 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+#include "auto_free.h"
+#include "bn.h"
+#include "buffer.h"
+#include "env.h"
+#include "generated-headers.h"
+#include "keyutils.h"
+#include "util.h"
+#include <openssl/evp.h>
+#include <openssl/hpke.h>
+#include <openssl/nid.h>
+
+using namespace AmazonCorrettoCryptoProvider;
+
+/*
+ * Class:     com_amazon_corretto_crypto_provider_HpkeCipher
+ * Method:    hpkeWrap
+ * Signature: (JIIIIB[IIB[IB[I)I
+ */
+JNIEXPORT jint JNICALL Java_com_amazon_corretto_crypto_provider_HpkeCipher_hpkeCipher(JNIEnv* pEnv,
+    jclass,
+    jlong keyHandle,
+    jint javaCipherMode,
+    jint kemId,
+    jint kdfId,
+    jint aeadId,
+    jbyteArray input,
+    jint inputOffset,
+    jint inputLen,
+    jbyteArray aad,
+    jint aadLen,
+    jbyteArray output,
+    jint outputOffset)
+{
+    try {
+        raii_env env(pEnv);
+
+        if (!input) {
+            throw_java_ex(EX_NPE, "Empty input array");
+        }
+        if (!output) {
+            throw_java_ex(EX_NPE, "Empty output array");
+        }
+        if (inputLen < 0) {
+            throw_java_ex(EX_RUNTIME_CRYPTO, "Negative input length");
+        }
+        const size_t input_length = (size_t)inputLen;
+
+        const EVP_HPKE_KEY* key = reinterpret_cast<EVP_HPKE_KEY*>(keyHandle);
+        const EVP_HPKE_KEM* kem = EVP_HPKE_KEM_find_by_id(kemId);
+        const EVP_HPKE_KDF* kdf = EVP_HPKE_KDF_find_by_id(kdfId);
+        const EVP_HPKE_AEAD* aead = EVP_HPKE_AEAD_find_by_id(aeadId);
+        const size_t aead_overhead = EVP_AEAD_max_overhead(EVP_HPKE_AEAD_aead(aead));
+
+        if (kemId != EVP_HPKE_KEM_id(EVP_HPKE_KEY_kem(key))) {
+            throw_java_ex(EX_RUNTIME_CRYPTO, "KEM in the key does not match the param");
+        }
+
+        std::vector<uint8_t> info(0);
+        java_buffer aadBuf = java_buffer::from_array(env, aad, 0, aadLen);
+
+        size_t result = -1;
+
+        if ((javaCipherMode == 1 /* Encrypt */) || (javaCipherMode == 3 /* Wrap */)) {
+            // Serialize public key
+            std::vector<uint8_t> public_key_r(EVP_HPKE_KEM_public_key_len(kem));
+            size_t public_key_r_len;
+            CHECK_OPENSSL(EVP_HPKE_KEY_public_key(key, public_key_r.data(), &public_key_r_len, public_key_r.size()));
+
+            // The input is the plaintext message
+            java_buffer msgBuf = java_buffer::from_array(env, input, inputOffset, input_length);
+
+            // We write the enc and the ciphertext to the output buffer
+            const size_t encBufLen = EVP_HPKE_KEM_enc_len(kem);
+            const size_t ctBufLen = input_length + aead_overhead;
+            const size_t outBufLen = encBufLen + ctBufLen;
+            java_buffer encBuf = java_buffer::from_array(env, output, outputOffset, encBufLen);
+            java_buffer ctBuf = java_buffer::from_array(env, output, outputOffset + encBufLen, ctBufLen);
+            size_t enc_len = 0;
+            size_t ct_len = 0;
+
+            {
+                jni_borrow msg(env, msgBuf, "input msg");
+                jni_borrow aad(env, aadBuf, "aad");
+                jni_borrow enc(env, encBuf, "output enc");
+                jni_borrow ct(env, ctBuf, "output ciphertext");
+
+                CHECK_OPENSSL(EVP_HPKE_seal(enc.data(), &enc_len, enc.len(), ct.data(), &ct_len, ct.len(), kem, kdf,
+                    aead, public_key_r.data(), public_key_r_len, info.data(), info.size(), msg.data(), msg.len(),
+                    aad.data(), aad.len()));
+                if (enc_len != encBufLen) {
+                    throw_java_ex(EX_RUNTIME_CRYPTO, "Unexpected error, enc buffer length is wrong!");
+                }
+                if (ct_len != ctBufLen) {
+                    throw_java_ex(EX_RUNTIME_CRYPTO, "Unexpected error, ciphertext buffer length is wrong!");
+                }
+                result = outBufLen;
+            }
+        } else if ((javaCipherMode == 2 /* Decrypt */) || (javaCipherMode == 4 /* Unwrap */)) {
+            // The input is the enc and the ciphertext
+            const size_t encBufLen = EVP_HPKE_KEM_enc_len(kem);
+            if (input_length < (encBufLen + aead_overhead)) {
+                throw_java_ex(EX_RUNTIME_CRYPTO, "input too short to unwrap with HPKE");
+            }
+            const size_t ctBufLen = input_length - encBufLen;
+            java_buffer encBuf = java_buffer::from_array(env, input, inputOffset, encBufLen);
+            java_buffer ctBuf = java_buffer::from_array(env, input, inputOffset + encBufLen, ctBufLen);
+
+            // We write the plaintext message to the output buffer
+            java_buffer msgBuf = java_buffer::from_array(env, output, outputOffset);
+            size_t msg_len = 0;
+            {
+                jni_borrow enc(env, encBuf, "input enc");
+                jni_borrow ct(env, ctBuf, "input ciphertext");
+                jni_borrow aad(env, aadBuf, "aad");
+                jni_borrow msg(env, msgBuf, "output msg");
+
+                CHECK_OPENSSL(EVP_HPKE_open(msg.data(), &msg_len, msg.len(), key, kdf, aead, enc.data(), enc.len(),
+                    info.data(), info.size(), ct.data(), ct.len(), aad.data(), aad.len()))
+                result = msg_len;
+            }
+        } else {
+            throw_java_ex(EX_RUNTIME_CRYPTO, "Unsupported cipher mode");
+        }
+        return (jint)result;
+    } catch (java_ex& ex) {
+        ex.throw_to_java(pEnv);
+        return -1;
+    }
+}
+
+/*
+ * Class:     com_amazon_corretto_crypto_provider_HpkeCipher
+ * Method:    hpkeOutputSize
+ * Signature: (IIIII)I
+ */
+JNIEXPORT jint JNICALL Java_com_amazon_corretto_crypto_provider_HpkeCipher_hpkeOutputSize(
+    JNIEnv* pEnv, jclass, jint javaCipherMode, jint kemId, jint kdfId, jint aeadId, jint inputLen)
+{
+    const EVP_HPKE_KEM* kem = EVP_HPKE_KEM_find_by_id(kemId);
+    const EVP_HPKE_AEAD* aead = EVP_HPKE_AEAD_find_by_id(aeadId);
+    const size_t aead_overhead = EVP_AEAD_max_overhead(EVP_HPKE_AEAD_aead(aead));
+    const size_t enc_len = EVP_HPKE_KEM_enc_len(kem);
+
+    try {
+        raii_env env(pEnv);
+
+        if (inputLen < 0) {
+            throw_java_ex(EX_RUNTIME_CRYPTO, "negative input length");
+        }
+        const size_t input_length = (size_t)inputLen;
+
+        size_t ret = -1;
+
+        if ((javaCipherMode == 1 /* Encrypt */) || (javaCipherMode == 3 /* Wrap */)) {
+            // We write the enc and the ciphertext to the output buffer
+            ret = input_length + enc_len + aead_overhead;
+        } else if ((javaCipherMode == 2 /* Decrypt */) || (javaCipherMode == 4 /* Unwrap */)) {
+            // We write the plaintext to the output buffer
+            if (input_length < (enc_len + aead_overhead)) {
+                throw_java_ex(EX_RUNTIME_CRYPTO, "input too short to unwrap with HPKE");
+            }
+            ret = (input_length - enc_len - aead_overhead);
+        } else {
+            throw_java_ex(EX_RUNTIME_CRYPTO, "Unsupported cipher mode");
+        }
+        return (jint)ret;
+    } catch (java_ex& ex) {
+        ex.throw_to_java(pEnv);
+        return -1;
+    }
+}

csrc/hpke_gen.cpp

@@ -0,0 +1,36 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+#include "auto_free.h"
+#include "bn.h"
+#include "buffer.h"
+#include "env.h"
+#include "generated-headers.h"
+#include "keyutils.h"
+#include "util.h"
+#include <openssl/evp.h>
+#include <openssl/hpke.h>
+#include <openssl/nid.h>
+
+using namespace AmazonCorrettoCryptoProvider;
+
+/*
+ * Class:     com_amazon_corretto_crypto_provider_HpkeGen
+ * Method:    generateEvpHpkeKemKeyFromSpec
+ * Signature: (I)J
+ */
+JNIEXPORT jlong JNICALL Java_com_amazon_corretto_crypto_provider_HpkeGen_generateEvpHpkeKemKeyFromSpec(
+    JNIEnv* pEnv, jclass, jint hpke_kem_id)
+{
+    EVP_HPKE_KEY_auto key;
+    try {
+        raii_env env(pEnv);
+        key.set(EVP_HPKE_KEY_new());
+        const EVP_HPKE_KEM* kem = EVP_HPKE_KEM_find_by_id(hpke_kem_id);
+        CHECK_OPENSSL(kem != NULL);
+        CHECK_OPENSSL(EVP_HPKE_KEY_generate(key, kem));
+        return reinterpret_cast<jlong>(key.take());
+    } catch (java_ex& ex) {
+        ex.throw_to_java(pEnv);
+        return 0;
+    }
+}

csrc/keyutils.cpp

@@ -170,34 +170,13 @@ const EVP_MD* digestFromJstring(raii_env& env, jstring digestName)
 
 RSA* new_private_RSA_key_with_no_e(BIGNUM const* n, BIGNUM const* d)
 {
-#ifdef FIPS_BUILD
-    // AWS-LC-FIPS doesn't have RSA_new_private_key_no_e method yet.
-    // The following implementation has been copied from AWS-LC:
-    // https://github.com/aws/aws-lc/blob/v1.30.1/crypto/fipsmodule/rsa/rsa.c#L147
-    RSA_auto rsa = RSA_auto::from(RSA_new());
-    if (rsa.get() == nullptr) {
-        throw_openssl("RSA_new failed");
-    }
-
-    // RSA struct is not opaque in FIPS mode.
-    rsa->flags |= RSA_FLAG_NO_BLINDING;
-
-    bn_dup_into(&rsa->n, n);
-    bn_dup_into(&rsa->d, d);
-
-    return rsa.take();
-
-#else
-
     RSA* result = RSA_new_private_key_no_e(n, d);
 
     if (result == nullptr) {
         throw_openssl("RSA_new_private_key_no_e failed.");
     }
 
     return result;
-
-#endif
 }
 
 }

src/com/amazon/corretto/crypto/provider/AmazonCorrettoCryptoProvider.java

@@ -152,6 +152,12 @@ private void buildServiceMap() {
     }
 
     addSignatures();
+    addHPKE();
+  }
+
+  private void addHPKE() {
+    addService("KeyPairGenerator", "HPKE", "HpkeGen");
+    addService("Cipher", "HPKE", "HpkeCipher");
   }
 
   private void addSignatures() {

src/com/amazon/corretto/crypto/provider/EvpHpkeKey.java

@@ -0,0 +1,18 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+package com.amazon.corretto.crypto.provider;
+
+class EvpHpkeKey extends EvpKey {
+  private static final long serialVersionUID = 1;
+
+  final HpkeParameterSpec spec;
+
+  EvpHpkeKey(final InternalKey key, final boolean isPublicKey, HpkeParameterSpec spec) {
+    super(key, EvpKeyType.HPKE, isPublicKey);
+    this.spec = spec;
+  }
+
+  public HpkeParameterSpec getSpec() {
+    return spec;
+  }
+}

src/com/amazon/corretto/crypto/provider/EvpHpkePrivateKey.java

@@ -0,0 +1,29 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+package com.amazon.corretto.crypto.provider;
+
+import com.amazon.corretto.crypto.provider.EvpKey.CanDerivePublicKey;
+import java.security.PrivateKey;
+
+public class EvpHpkePrivateKey extends EvpHpkeKey
+    implements PrivateKey, CanDerivePublicKey<EvpHpkePublicKey> {
+  private static final long serialVersionUID = 1;
+
+  EvpHpkePrivateKey(InternalKey key, HpkeParameterSpec spec) {
+    super(key, false, spec);
+  }
+
+  EvpHpkePrivateKey(final long ptr, HpkeParameterSpec spec) {
+    this(new InternalKey(ptr), spec);
+  }
+
+  @Override
+  public EvpHpkePublicKey getPublicKey() {
+    // Once our internal key could be elsewhere, we can no longer safely release it when done
+    ephemeral = false;
+    sharedKey = true;
+    final EvpHpkePublicKey result = new EvpHpkePublicKey(internalKey, spec);
+    result.sharedKey = true;
+    return result;
+  }
+}

src/com/amazon/corretto/crypto/provider/EvpHpkePublicKey.java

@@ -0,0 +1,13 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+package com.amazon.corretto.crypto.provider;
+
+import java.security.PublicKey;
+
+public class EvpHpkePublicKey extends EvpHpkeKey implements PublicKey {
+  private static final long serialVersionUID = 1;
+
+  EvpHpkePublicKey(InternalKey key, HpkeParameterSpec spec) {
+    super(key, true, spec);
+  }
+}