aesjcop.java

完整的加密算法程序源代码

/*
 * AesJcop - the AES encryption method developed for usage within Javacard 2.1.1
 *
 * The Aes cipher is originally designed by Joan Daemen and Vincent Rijmen, 1998.
 * homepage: http://www.esat.kuleuven.ac.be/~rijmen/rijndael/
 *
 * author of the changes: Franz Helmut Philip Kalchmair
 * email: bier444@yahoo.de
 * date: 10/03
 *
 * developed on Jcop Tools 2.2/IBM Zurich using the Javacards Jcop 21id and Jcop 31bio.
 * You can reach them on: http://www.zurich.ibm.com/jcop/news/news.html
 *
 * Issue:
 * This source is part of my diploma thesis (JKU Linz, Austria).
 *
 *
 * The Java code developed by the designers uses datatypes, which are not supported
 * by Javacard: Integer, multi-dimensional arrays, static variables, ...
 *
 * It was my job to convert the integers to shorts, the integer arrays to short arrays,
 * the multi-dimensional arrays to one dimensional arryas.
 * But this was not enough. A big problem is the little memory.
 * So it was my job to "recycle" variables.
 * Instead of the integer arryas T1,T2,T3,T4,T5,T6,T7,T8,U1,U2,U3,U4 i use the
 * byte arrays box and cox, which i converted to short arrays.
 * This and some other changes caused the success.
 *
 * Usage for testing the code within the Jcop Tools VM:
 *   Command                                             Comment
 *   /select 112233445566                                Select applet
 *   /send 0000010000                                    Init S und T Boxes for Encryption, Keylength 16
 *                                                       use key 000102030405060708090a0b0c0d0e0f
 *   /send 00020000#(000102030405060708090a0b0c0d0e0f)   Send Encrypt-Command with 16 bytes of data
 *                                                       Result --> 0A940BB5416EF045F1C39458C653EA5A
 *
 *   /send 0000040000                                    Init T-Boxes for Decryption
 *   /send 00040000#(0A940BB5416EF045F1C39458C653EA5A)   Decrypt 16 bytes
 *                                                       Result --> 000102030405060708090a0b0c0d0e0f
 *
 * If you have questions, please send me a mail.
 *
 */

package AesJcop;

import javacard.framework.*;

public class AesJcop extends javacard.framework.Applet
{
    // Constants, variables, and auxillary routines.
    private  byte[] rcon;

    // 3x4x2
    private  short[] shifts;

    // Key Routines & Variables
    private short ROUNDS;
    private short i, j, k, s, t, r;
    private short[] box, cox;

    // Key: 16 or 32 bytes
    private byte[] key0 = new byte[] { 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,
                                       0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 };
    private byte[] key;

    // Array to calculate key K for en/decryption
    private short[] K;

    // Key size in bytes.  Valid values are 16, 24, and 32.
    private short KEY_SIZE;

    // Block size in bytes.  Valid values are 16, 24, and 32.
    private short BLOCK_SIZE = 16;

    //private short BC = BLOCK_SIZE / 4;
    private short BC = 4;

    private byte[] S, Si;
    private short[] alog = new short[256];
    private short[] log = new short[256];


  public static void install(byte[] bArray, short bOffset, byte bLength){
    (new AesJcop()).register(bArray, (short)(bOffset + 1), bArray[bOffset]);
  }

  public void process(APDU apdu){
    byte[] buf = apdu.getBuffer();
    byte[] inText = new byte[16];
    short offset = (short)ISO7816.OFFSET_CDATA;

    if (selectingApplet()) {
      return;
    }

    if (buf[ISO7816.OFFSET_INS]==0x00)
    {
      if (buf[ISO7816.OFFSET_P1]<0x03)
      {
        if (buf[ISO7816.OFFSET_P2]==0x00) KEY_SIZE = 16;
        if (buf[ISO7816.OFFSET_P2]==0x01) KEY_SIZE = 32;
        key = new byte[KEY_SIZE];
        Util.arrayCopy( key0, (short)0, key, (short)0, (short)KEY_SIZE);
        initS();
      }
      if (buf[ISO7816.OFFSET_P1]==0x01 || buf[ISO7816.OFFSET_P1]==0x03)
      {
        initT((byte)0x01);
        setKey( key, (byte)0x01 );
      }
      if (buf[ISO7816.OFFSET_P1]==0x02 || buf[ISO7816.OFFSET_P1]==0x04)
      {
        initT((byte)0x02);
        setKey( key, (byte)0x02 );
        initT((byte)0x03);
      }
      return;
    }

    // 5 bytes Header + 16 bytes data + 1 byte End
    if (apdu.setIncomingAndReceive() != 16)
      ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);

    // Initializes S-Boxes only once !
    // Positive Usage of non existing Garbage Collection
    // This trick causes a much better performance.

    Util.arrayCopy( buf, offset, inText, (short)0, (short)16);

    switch(buf[ISO7816.OFFSET_INS]&0xff){
      case (byte)0x02:
        encrypt(inText, (short)0, buf, (short)0);
        apdu.setOutgoingAndSend((short)0, (short)16);
        return;
      case (byte)0x04:
        decrypt(inText, (short)0, buf, (short)0);
        apdu.setOutgoingAndSend((short)0, (short)16);
        return;
      default:
        ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
    }
  }



  /// Multiply two elements of GF(2^m).
  private short mul( short a, short b )
  {
    return ( a != 0 && b != 0 ) ?
        (short)(alog[( log[a & 0xFF] + log[b & 0xFF] ) % 255]) : (short)0;
  }

  private short mul4( short a, byte b0, byte b1 )
  {
    if ( a == 0 )
      return 0;
    a = log[a & 0xFF];
    i = ( b0 != 0 ) ?
        (short)(alog[( a + log[b0 & 0xFF] ) % 255] & 0xFF) : 0;
    j = ( b1 != 0 ) ?
        (short)(alog[( a + log[b1 & 0xFF] ) % 255] & 0xFF) : 0;
    return (short)(i << 8 | j);
  }


  //  initializer - to intialise S-boxes and T-boxes
  private void initS()
  {
    // Produce log and alog tables, needed for multiplying in the
    // field GF(2^m) (generator = 3).
    alog[0] = 1;
    j = 0;
    for ( i = 1; i < 256; ++i )
    {
      j = (short)(( alog[i - 1] << 1 ) ^ alog[i - 1]);
      if ( ( j & 0x100 ) != 0 )
        j ^= 0x11B;
      alog[i] = j;
    }
    for ( i = 1; i < 255; ++i ) log[alog[i]] = i;

    byte[] A, B;
    byte pivot;

    // 8x8
    A = new byte[] {
        1, 1, 1, 1, 1, 0, 0, 0,
        0, 1, 1, 1, 1, 1, 0, 0,
        0, 0, 1, 1, 1, 1, 1, 0,
        0, 0, 0, 1, 1, 1, 1, 1,
        1, 0, 0, 0, 1, 1, 1, 1,
        1, 1, 0, 0, 0, 1, 1, 1,
        1, 1, 1, 0, 0, 0, 1, 1,
        1, 1, 1, 1, 0, 0, 0, 1
    };

    B = new byte[] { 0, 1, 1, 0, 0, 0, 1, 1 };

    // Substitution box based on F^{-1}(x).
    box = new short[1024];
    cox = new short[1024];
    box[7] = (short)(1<<8 | 0);
    for ( i = 2; i < 256; ++i )
    {
      j = (short)(alog[255 - log[i]]);
      for ( t = 0; t < 4; ++t )
        box[i*4+t] = (short)( ( ( j >>> ( 7 - (2*t+1) ) ) & 0x01 ) << 8 | ( ( j >>> ( 7 - 2*t ) ) & 0x01 ) );
    }
    // Affine transform:  box[i] <- B + A*box[i].
    for ( i = 0; i < 256; ++i )
      for ( t = 0; t < 4; ++t )
      {
        r = (short)(2*t);
        s = (short)(4*i);
        byte b0 = B[r];
        byte b1 = B[r+1];
        for ( j = 0; j < 4; ++j ) {
          b0 ^= A[r*8+2*j] * (box[s+j]&0xff) ^ A[r*8+2*j+1] * (box[s+j]>>8);
          b1 ^= A[(r+1)*8+2*j] * (box[s+j]&0xff) ^ A[(r+1)*8+2*j+1] * (box[s+j]>>8);
        }
        cox[s+t] = (short)(b1<<8 | b0);
      }
    // S-boxes and inverse S-boxes.
    S = new byte[256];
    Si = new byte[256];
    for ( i = 0; i < 256; ++i )
    {
      r = (short)(i*4);
      S[i] = (byte) ( (cox[r+0]&0xff) << 7 );
      for ( t = 1; t < 8; ++t ) {
        S[i] ^= ( (t%2==1)?(cox[r + (t>>1)]>>(1+t)) : (cox[r + (t>>1)]&0xff) << (7 - t) );
      }
      Si[S[i] & 0xFF] = (byte) i;
    }


/*
    I had the idea to write the ready calculated values of the S- and Si-Boxes
    into the source code. It's a special thing of the javacards, that this code
    does not work then.
    So i left the above code, which calculates the S- and Si-Boxes.

    S = new byte[] {
      99,124,119,123,-14,107,111,-59,48,1,103,43,-2,-41,-85,118,
      -54,-126,-55,125,-6,89,71,-16,-83,-44,-94,-81,-100,-92,114,-64,
      -73,-3,-109,38,54,63,-9,-52,52,-91,-27,-15,113,-40,49,21,
      4,-57,35,-61,24,-106,5,-102,7,18,-128,-30,-21,39,-78,117,
      9,-125,44,26,27,110,90,-96,82,59,-42,-77,41,-29,47,-124,
      83,-47,0,-19,32,-4,-79,91,106,-53,-66,57,74,76,88,-49,
      -48,-17,-86,-5,67,77,51,-123,69,-7,2,127,80,60,-97,-88,
      81,-93,64,-113,-110,-99,56,-11,-68,-74,-38,33,16,-1,-13,-46,
      -51,12,19,-20,95,-105,68,23,-60,-89,126,61,100,93,25,115,
      96,-127,79,-36,34,42,-112,-120,70,-18,-72,20,-34,94,11,-37,
      -32,50,58,10,73,6,36,92,-62,-45,-84,98,-111,-107,-28,121,
      -25,-56,55,109,-115,-43,78,-87,108,86,-12,-22,101,122,-82,8,
      -70,120,37,46,28,-90,-76,-58,-24,-35,116,31,75,-67,-117,-118,
      112,62,-75,102,72,3,-10,14,97,53,87,-71,-122,-63,29,-98,
      -31,-8,-104,17,105,-39,-114,-108,-101,30,-121,-23,-50,85,40,-33,
      -116,-95,-119,13,-65,-26,66,104,65,-103,45,15,-80,84,-69,22
    };

    Si = new byte[] {
      82,9,106,-43,48,54,-91,56,-65,64,-93,-98,-127,-13,-41,-5,
      124,-29,57,-126,-101,47,-1,-121,52,-114,67,68,-60,-34,-23,-53,
      84,123,-108,50,-90,-62,35,61,-18,76,-107,11,66,-6,-61,78,
      8,46,-95,102,40,-39,36,-78,118,91,-94,73,109,-117,-47,37,
      114,-8,-10,100,-122,104,-104,22,-44,-92,92,-52,93,101,-74,-110,
      108,112,72,80,-3,-19,-71,-38,94,21,70,87,-89,-115,-99,-124,
      -112,-40,-85,0,-116,-68,-45,10,-9,-28,88,5,-72,-77,69,6,
      -48,44,30,-113,-54,63,15,2,-63,-81,-67,3,1,19,-118,107,
      58,-111,17,65,79,103,-36,-22,-105,-14,-49,-50,-16,-76,-26,115,
      -106,-84,116,34,-25,-83,53,-123,-30,-7,55,-24,28,117,-33,110,
      71,-15,26,113,29,41,-59,-119,111,-73,98,14,-86,24,-66,27,
      -4,86,62,75,-58,-46,121,32,-102,-37,-64,-2,120,-51,90,-12,
      31,-35,-88,51,-120,7,-57,49,-79,18,16,89,39,-128,-20,95,
      96,81,127,-87,25,-75,74,13,45,-27,122,-97,-109,-55,-100,-17,
      -96,-32,59,77,-82,42,-11,-80,-56,-21,-69,60,-125,83,-103,97,
      23,43,4,126,-70,119,-42,38,-31,105,20,99,85,33,12,125
    };
*/

    // Round constants.
    rcon = new byte[30];
    rcon[0] = 1;
    r = 1;
    for ( t = 1; t < 30; )
      rcon[t++] = (byte)( r = mul( (short)2, r ) );

    shifts = new short[] {
      0, 0, 1, 3, 2, 2 , 3, 1 ,
      0, 0, 1, 5, 2, 4 , 3, 3 ,
      0, 0, 1, 7, 3, 5 , 4, 4
    };

  }

  private void initT(byte mode)
  {