Rework HPKE into JCA Provider model.

common/src/jni/main/cpp/conscrypt/jniutil.cc

@@ -254,6 +254,12 @@ int throwInvalidKeyException(JNIEnv* env, const char* message) {
     return conscrypt::jniutil::throwException(env, "java/security/InvalidKeyException", message);
 }
 
+int throwIllegalArgumentException(JNIEnv* env, const char* message) {
+    JNI_TRACE("throwIllegalArgumentException %s", message);
+    return conscrypt::jniutil::throwException(
+            env, "java/lang/IllegalArgumentException", message);
+}
+
 int throwIllegalBlockSizeException(JNIEnv* env, const char* message) {
     JNI_TRACE("throwIllegalBlockSizeException %s", message);
     return conscrypt::jniutil::throwException(
@@ -344,11 +350,16 @@ int throwForEvpError(JNIEnv* env, int reason, const char* message,
                      int (*defaultThrow)(JNIEnv*, const char*)) {
     switch (reason) {
         case EVP_R_MISSING_PARAMETERS:
+        case EVP_R_INVALID_PEER_KEY:
+        case EVP_R_DECODE_ERROR:
             return throwInvalidKeyException(env, message);
             break;
         case EVP_R_UNSUPPORTED_ALGORITHM:
             return throwNoSuchAlgorithmException(env, message);
             break;
+        case EVP_R_INVALID_BUFFER_SIZE:
+            return throwIllegalArgumentException(env, message);
+            break;
         default:
             return defaultThrow(env, message);
             break;

common/src/jni/main/cpp/conscrypt/native_crypto.cc

@@ -4007,11 +4007,12 @@ const EVP_HPKE_KEM* getHpkeKem(JNIEnv* env, jint kemValue) {
     }
 }
 
-static jobject NativeCrypto_EVP_HPKE_CTX_setup_recipient(JNIEnv* env, jclass, jint kemValue,
-                                                         jint kdfValue, jint aeadValue,
-                                                         jbyteArray privateKeyArray,
-                                                         jbyteArray encArray,
-                                                         jbyteArray infoArray) {
+static jobject NativeCrypto_EVP_HPKE_CTX_setup_base_mode_recipient(JNIEnv* env, jclass,
+                                                                   jint kemValue,jint kdfValue,
+                                                                   jint aeadValue,
+                                                                   jbyteArray privateKeyArray,
+                                                                   jbyteArray encArray,
+                                                                   jbyteArray infoArray) {
     CHECK_ERROR_QUEUE_ON_RETURN;
     JNI_TRACE("EVP_HPKE_CTX_setup_recipient(%d, %d, %d, %p, %p, %p)", kemValue, kdfValue, aeadValue,
               privateKeyArray, encArray, infoArray);
@@ -4082,10 +4083,11 @@ static jobject NativeCrypto_EVP_HPKE_CTX_setup_recipient(JNIEnv* env, jclass, ji
     return ctxObject.release();
 }
 
-static jobjectArray NativeCrypto_EVP_HPKE_CTX_setup_sender(JNIEnv* env, jclass, jint kemValue,
-                                                           jint kdfValue, jint aeadValue,
-                                                           jbyteArray publicKeyArray,
-                                                           jbyteArray infoArray) {
+static jobjectArray NativeCrypto_EVP_HPKE_CTX_setup_base_mode_sender(JNIEnv* env, jclass,
+                                                                     jint kemValue,jint kdfValue,
+                                                                     jint aeadValue,
+                                                                     jbyteArray publicKeyArray,
+                                                                     jbyteArray infoArray) {
     CHECK_ERROR_QUEUE_ON_RETURN;
     JNI_TRACE("EVP_HPKE_CTX_setup_sender(%d, %d, %d, %p, %p)", kemValue, kdfValue, aeadValue,
               publicKeyArray, infoArray);
@@ -4165,7 +4167,7 @@ static jobjectArray NativeCrypto_EVP_HPKE_CTX_setup_sender(JNIEnv* env, jclass,
     return result.release();
 }
 
-static jobjectArray NativeCrypto_EVP_HPKE_CTX_setup_sender_with_seed_for_testing(
+static jobjectArray NativeCrypto_EVP_HPKE_CTX_setup_base_mode_sender_with_seed_for_testing(
         JNIEnv* env, jclass, jint kemValue, jint kdfValue, jint aeadValue,
         jbyteArray publicKeyArray, jbyteArray infoArray, jbyteArray seedArray) {
     CHECK_ERROR_QUEUE_ON_RETURN;
@@ -11092,9 +11094,9 @@ static JNINativeMethod sNativeCryptoMethods[] = {
         CONSCRYPT_NATIVE_METHOD(EVP_HPKE_CTX_free, "(J)V"),
         CONSCRYPT_NATIVE_METHOD(EVP_HPKE_CTX_open, "(" REF_EVP_HPKE_CTX "[B[B)[B"),
         CONSCRYPT_NATIVE_METHOD(EVP_HPKE_CTX_seal, "(" REF_EVP_HPKE_CTX "[B[B)[B"),
-        CONSCRYPT_NATIVE_METHOD(EVP_HPKE_CTX_setup_recipient, "(III[B[B[B)Ljava/lang/Object;"),
-        CONSCRYPT_NATIVE_METHOD(EVP_HPKE_CTX_setup_sender, "(III[B[B)[Ljava/lang/Object;"),
-        CONSCRYPT_NATIVE_METHOD(EVP_HPKE_CTX_setup_sender_with_seed_for_testing,
+        CONSCRYPT_NATIVE_METHOD(EVP_HPKE_CTX_setup_base_mode_recipient, "(III[B[B[B)Ljava/lang/Object;"),
+        CONSCRYPT_NATIVE_METHOD(EVP_HPKE_CTX_setup_base_mode_sender, "(III[B[B)[Ljava/lang/Object;"),
+        CONSCRYPT_NATIVE_METHOD(EVP_HPKE_CTX_setup_base_mode_sender_with_seed_for_testing,
                                 "(III[B[B[B)[Ljava/lang/Object;"),
         CONSCRYPT_NATIVE_METHOD(HMAC_CTX_new, "()J"),
         CONSCRYPT_NATIVE_METHOD(HMAC_CTX_free, "(J)V"),

common/src/main/java/org/conscrypt/DuckTypedHpkeSpi.java

@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+package org.conscrypt;
+
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.security.GeneralSecurityException;
+import java.security.InvalidKeyException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * Duck typed implementation of {@link HpkeSpi}.
+ * <p>
+ * Will wrap any Object which implements all of the methods in HpkeSpi and delegate to them
+ * by reflection.
+ */
+@Internal
+public class DuckTypedHpkeSpi implements HpkeSpi {
+  private final Object delegate;
+  private final Map<String, Method> methods = new HashMap<>();
+
+  private DuckTypedHpkeSpi(Object delegate) throws NoSuchMethodException {
+    this.delegate = delegate;
+
+    Class<?> sourceClass = delegate.getClass();
+    for (Method targetMethod : HpkeSpi.class.getMethods()) {
+      if (targetMethod.isSynthetic()) {
+        continue;
+      }
+
+      Method sourceMethod =
+          sourceClass.getMethod(targetMethod.getName(), targetMethod.getParameterTypes());
+      // Check that the return types match too.
+      Class<?> sourceReturnType = sourceMethod.getReturnType();
+      Class<?> targetReturnType = targetMethod.getReturnType();
+      if (!targetReturnType.isAssignableFrom(sourceReturnType)) {
+        throw new NoSuchMethodException(sourceMethod + " return value (" + sourceReturnType
+            + ") incompatible with target return value (" + targetReturnType + ")");
+      }
+      methods.put(sourceMethod.getName(), sourceMethod);
+    }
+  }
+
+  public static DuckTypedHpkeSpi newInstance(Object delegate) {
+    try {
+      return new DuckTypedHpkeSpi(delegate);
+    } catch (Exception ignored) {
+      return null;
+    }
+  }
+
+  private Object invoke(String methodName, Object... args) {
+    Method method = methods.get(methodName);
+    if (method == null) {
+      throw new IllegalStateException("DuckTypedHpkSpi internal error");
+    }
+    try {
+      return method.invoke(delegate, args);
+    } catch (InvocationTargetException | IllegalAccessException e) {
+      throw new IllegalStateException("DuckTypedHpkSpi internal error", e);
+    }
+  }
+
+  // Visible for testing
+  public Object getDelegate() {
+    return delegate;
+  }
+
+  @Override
+  public void engineInitSender(
+          PublicKey recipientKey, byte[] info, PrivateKey senderKey, byte[] psk, byte[] psk_id)
+          throws InvalidKeyException {
+    invoke("engineInitSender", recipientKey, info, senderKey, psk, psk_id);
+  }
+
+  @Override
+  public void engineInitSenderForTesting(PublicKey recipientKey, byte[] info, PrivateKey senderKey,
+          byte[] psk, byte[] psk_id, byte[] sKe) throws InvalidKeyException {
+    invoke("engineInitSenderForTesting",
+            recipientKey, info, senderKey, psk, psk_id, sKe);
+  }
+
+  @Override
+  public void engineInitRecipient(byte[] encapsulated, PrivateKey key, byte[] info,
+          PublicKey senderKey, byte[] psk, byte[] psk_id) throws InvalidKeyException {
+    invoke("engineInitRecipient", encapsulated, key, info, senderKey, psk, psk_id);
+  }
+
+  @Override
+  public byte[] engineSeal(byte[] plaintext, byte[] aad) {
+    return (byte[]) invoke("engineSeal", plaintext, aad);
+  }
+
+  @Override
+  public byte[] engineExport(int length, byte[] exporterContext) {
+    return (byte[]) invoke("engineExport", length, exporterContext);
+  }
+
+  @Override
+  public byte[] engineOpen(byte[] ciphertext, byte[] aad) throws GeneralSecurityException {
+    return (byte[]) invoke("engineOpen", ciphertext, aad);
+  }
+
+  @Override
+  public byte[] getEncapsulated() {
+    return (byte[]) invoke("getEncapsulated");
+  }
+}

common/src/main/java/org/conscrypt/HpkeContext.java

@@ -0,0 +1,119 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+package org.conscrypt;
+
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Provider;
+import java.security.Security;
+
+/**
+ * Hybrid Public Key Encryption (HPKE) sender APIs.
+ *
+ * @see <a href="https://www.rfc-editor.org/rfc/rfc9180.html#hpke-export">HPKE RFC 9180</a>
+ * <p>
+ * Base class for HPKE sender and recipient contexts.
+ * <p>
+ * This is the client API for HPKE usage, all operations are delegated to an implementation
+ * class implementing {@link HpkeSpi} which is located using the JCA {@link Provider}
+ * mechanism.
+ * <p>
+ * The implementation maintains the context for an HPKE exchange, including the key schedule
+ * to use for seal and open operations.
+ *
+ * Secret key material based on the context may also be generated and exported as per RFC 9180.
+ */
+public abstract class HpkeContext {
+  protected final HpkeSpi spi;
+
+  protected HpkeContext(HpkeSpi spi) {
+    this.spi = spi;
+  }
+
+  /**
+   * Exports secret key material from this HpkeContext as described in RFC 9180.
+   *
+   * @param length  expected output length
+   * @param context optional context string, may be null or empty
+   * @return exported value
+   * @throws IllegalArgumentException if the length is not valid for the KDF in use
+   * @throws IllegalStateException if this HpkeContext has not been initialised
+   *
+   */
+  public byte[] export(int length, byte[] context) {
+    return spi.engineExport(length, context);
+  }
+
+  /**
+   * Returns the {@link HpkeSpi} being used by this HpkeContext.
+   *
+   * @return the SPI
+   */
+  public HpkeSpi getSpi() {
+    return spi;
+  }
+
+  protected static HpkeSpi findSpi(String algorithm) throws NoSuchAlgorithmException {
+    if (algorithm == null) {
+      // Same behaviour as Cipher.getInstance
+      throw new NoSuchAlgorithmException("null algorithm");
+    }
+    return findSpi(algorithm, findFirstProvider(algorithm));
+  }
+
+  private static Provider findFirstProvider(String algorithm) throws NoSuchAlgorithmException {
+    for (Provider p : Security.getProviders()) {
+      Provider.Service service = p.getService("ConscryptHpke", algorithm);
+      if (service != null) {
+        return service.getProvider();
+      }
+    }
+    throw new NoSuchAlgorithmException("No Provider found for: " + algorithm);
+  }
+
+  protected static HpkeSpi findSpi(String algorithm, String providerName) throws
+      NoSuchAlgorithmException, IllegalArgumentException, NoSuchProviderException {
+    if (providerName == null || providerName.isEmpty()) {
+      // Same behaviour as Cipher.getInstance
+      throw new IllegalArgumentException("Invalid provider name");
+    }
+    Provider provider = Security.getProvider(providerName);
+    if (provider == null) {
+      throw new NoSuchProviderException("Unknown Provider: " + providerName);
+    }
+    return findSpi(algorithm, provider);
+  }
+
+  protected static HpkeSpi findSpi(String algorithm, Provider provider) throws
+      NoSuchAlgorithmException, IllegalArgumentException {
+    if (provider == null) {
+      throw new IllegalArgumentException("null Provider");
+    }
+    Provider.Service service = provider.getService("ConscryptHpke", algorithm);
+    if (service == null) {
+      throw new NoSuchAlgorithmException("Unknown algorithm");
+    }
+    Object instance = service.newInstance(null);
+    HpkeSpi spi = (instance instanceof HpkeSpi) ? (HpkeSpi) instance
+            : DuckTypedHpkeSpi.newInstance(instance);
+    if (spi != null) {
+      return spi;
+    }
+    throw new IllegalStateException(
+        String.format("Provider %s is providing incorrect instances", provider.getName()));
+  }
+}