0.1.0-beta02 adds support for composite builds.

Java implementation of Digest has engineGetDigestLength querying MessageDigest.digestLength which is causing an endless loop. This should call delegate.digestLength instead.

Some algorithms (e.g. TupleHash), before updating the buffer, the input needs to be preceded with an encoding of its length. Currently, Digest.update are all declared as final and unable to be overridden by implementations.

The jvm implementation of Mac extends javax.crypto.Mac which automatically calls reset() after doFinal()

Current nonJvm implementation of Mac calls engine.doFinal() w/o calling reset() afterwards. This is incorrect.

A 0 length key is technically valid and the Mac.Engine should not use require when it is instantiated.

Android API 23 and below never calls engineReset() when doFinal() is invoked.

API 23:

    public final byte[] doFinal() throws IllegalStateException {
        if (!isInitMac) {
            throw new IllegalStateException();
        }
        return getSpi().engineDoFinal();
    }

API 24:

    public final byte[] doFinal() throws IllegalStateException {
        chooseFirstProvider();
        if (initialized == false) {
            throw new IllegalStateException("MAC not initialized");
        }
        byte[] mac = spi.engineDoFinal();
        spi.engineReset();
        return mac;
    }

Currently, Xof is implemented where it accepts any Algorithm. There is no distinction between what can, and cannot be an Xof.

Add

public interface XofAlgorithm: Algorithm

And then modify Xof to

public sealed class Xof<A: XofAlgorithm> {
    // ...
}

So that implementations can do

public sealed class SHAKEDigest: Digest, XofAlgorithm {
    // ...
}

This way, only SHAKEDigest (or KMAC) can be wrapped in XofFactory.XofDelegate.

Still seeing issues on Android whereby API 23 and below are trying to choose a provider, even though the MacSpi is provided (i.e. not null) and should be delegated to...

Here's the relevant change that occurred in API 24

https://cs.android.com/android/_/android/platform/libcore/+/875528bc07cbafb3f99fcd877e9be3e6cf6058ea:ojluni/src/main/java/javax/crypto/Mac.java;dlc=fa68edd520fe9c0e4cfafe43a86a973ad1143a0c

Current implementation of Digest requires that when chunking, array copying be done into the buffer, then calling of compress to pass the buffer. This is very counterproductive. The caller is already passing in the ByteArray, why copy it?

There should be another compress function that takes ByteArray and bufOffs as arguments such that when Digest.update is called, the ByteArray can be passed directly w/o the need to array copy.

This is a bit tricky to implement, but can definitely be done w/o breaking compatibility.

1. Add to Digest

   protected open fun compress(input: ByteArray, offset: Int) {
       throw NotImplementedError()
   }

2. From DigestDelegate, if calling the added compress function throws NotImplementedError, fallback to using the old compress method (indicative of the inheritor not yet implementing the new method).
3. Deprecate the old compress method and inform implementors to simply call compress(buffer, 0) to pass it to their override of the new protected open function compress method.

😢

See 05nelsonm/encoding#124

All modules in core have the same package name, so the same issue that Craig is running into with Java9 Module split packages would occur for anyone using JPMS where core is a direct or transitive dependency, too...

This would be a major breaking change.

06-06 15:52:15.751  3156  3175 E TestRunner: java.security.InvalidKeyException: key == null
06-06 15:52:15.751  3156  3175 E TestRunner: 	at javax.crypto.Mac.init(Mac.java:321)
06-06 15:52:15.751  3156  3175 E TestRunner: 	at org.kotlincrypto.core.Mac.<init>(Mac.kt:60)
06-06 15:52:15.751  3156  3175 E TestRunner: 	at org.kotlincrypto.macs.Hmac.<init>(Hmac.kt:57)
06-06 15:52:15.751  3156  3175 E TestRunner: 	at org.kotlincrypto.macs.Hmac.<init>(Hmac.kt:45)
06-06 15:52:15.751  3156  3175 E TestRunner: 	at org.kotlincrypto.macs.HmacSHA3_512.<init>(HmacSHA3_512.kt:36)

Android API 23 and below seem to be affected.

As we're installing our own engine with the engineInit overridden and no-op'd, would be better to send a static key than use null in order to avoid any potential issues. It does absolutely nothing but set Mac.isInitialized to true.

Need to include a check for the runtime environment

if (
    System.getProperty("java.runtime.name")
        ?.contains("android", ignoreCase = true) != true
) {
    // Not Android runtime
    return@lazy null
}

Note that the only thing this results in is reset being called twice during android unit tests.

Current implementation has remaining variable subtracting offset from the passed len. This is incorrect and the remaining local variable should actually just be len.

Any plan or roadmap for wasmJS support? It is experimental, but I am interested in it. Thanks for your work!

nonJvm source set for Mac is not validating arguments before calling engine.update. Nothing is affected by this bug as currently, all input is directed to a Digest for Hmac and is checked there, but a check should be performed for posterity's sake.

Found that if you call javax.crypto.Mac.init, it re-initializes and resets the Mac.

// This passes...
        val mac = Mac.getInstance("HmacSHA256")
        val key = ByteArray(50) { it.toByte() }
        val keySpec = SecretKeySpec(key, mac.algorithm)
        mac.init(keySpec)
        mac.update(key)
        val b1 = mac.doFinal()
        mac.init(SecretKeySpec(ByteArray(25) { it.toByte() }, mac.algorithm))
        mac.update(key)
        val b2 = mac.doFinal()
        try {
            assertContentEquals(b1, b2)
            throw IllegalStateException()
        } catch (_: AssertionError) {
            // pass
        }

This is related to #41 because use of a Provider as a work around to android's horrible APIs forcing us into a provider type API architecture (awful). Whenever init is called, a new MacSpi should be produced, but we can't do that.

1. KotlinCrypto is not using a Provider like infra, it's direct usage only (i.e. HmacSHA256(key) initializes the Mac so you never get IllegalStateException).
2. Nobody should ever call init on a Mac in Java after it's been initialized, they should use a new instance of javax.crypto.Mac (which is why the provider architecture is awful because it allows this type of functionality as you are forced into a lazy init API). So, if someone is using KotlinCrypto, they know it's already initialized. My concern is any java libraries that consumers might pass an org.kotlincrypto.Mac which may clone and then call javax.crypto.Mac.init.

Either the current org.kotlincrypto.Mac API needs to be broken to follow Java, or after engineInit is called for the first time (org.kotlincrypto.Mac init block calls init with a blank key so that javax.crypto.Mac.initialized gets set to true), throw an InvalidKeyException. It must be either or, as if someone tries to re-initialize the javax.crypto.Mac with a different key and current behavior is simply that engineInit is no-op'd, they are under the assumption that the new key is being used when in fact it is not, so any output would be incorrect.

See KotlinCrypto/hash#33 (comment)

For Digest and Mac jvm source sets, add a static function that will allow people to easily "wrap" what could be retrieved from getInstance

// org.kotlincrypto.core.Mac [JVM]
public actual abstract class Mac protected constructor(
    // ...
) : // ... {

    // ...

    public companion object {
        @JvmStatic
        @Throws(IllegalArgumentException::class, NoSuchAlgorithmException::class)
        fun from(algorithm: String, key: Key): org.kotlincrypto.core.Mac {
            return MacJvmWrapper(getInstance(algorithm), key)
        }

        @JvmStatic
        @Throws(IllegalArgumentException::class)
        fun from(mac: javax.crypto.Mac): org.kotlincrypto.core.Mac {
            if (mac is org.kotlincrypto.core.Mac) return mac

            // MacJvmWrapper MUST check if the javax.crypto.Mac is initialized or not
            // and throw an illegal argument exception if unable to do so
            return MacJvmWrapper(mac, null)
        }
    }
}

// org.kotlincrypto.core.Digest [JVM]
public actual abstract class Digest protected constructor(
    // ...
): // ... {

    // ...

    public companion object {
        @JvmStatic
        @Throws(NoSuchAlgorithmException::class)
        fun from(algorithm: String): org.kotlincrypto.core.Digest {
            return DigestJvmWrapper(getinstance(algorithm))
        }

        @JvmStatic
        fun from(digest: MessageDigest): org.kotlincrypto.core.Digest {
            if (digest is org.kotlincrypto.core.Digest) return digest

            return DigestJvmWrapper(digest)
        }
    }
}

This is already being done in hash and MACs libs for multiplatform implementations in order to test against Java.

FIPS PUB 202 introduced Extendable-Output Functions which are distinctly different than a Digest or a Mac. As such, in order to implement SHAKE128, SHAKE256, CSHAKE128, CSHAKE256, KMAC128, and KMAC256, a new abstraction is needed which provides such functionality.

Digest and Mac should implement Cloneable and the Java implementation should be typealias to java.lang.Cloneable

Currently, all modules that are to be published configure the SigningExtension to set useGpgCmd(). Artifact signing is not necessary for -SNAPSHOT versions.

Wrap plugin configuration around an if check

if (!version.toString().endsWith("-SNAPSHOT")) {
    extensions.configure<SigningExtension>("signing") {
        useGpgCmd()
    }
}

Add a BOM publication

The core abstractions Mac and Digest are meant to be implemented in separate repositories. As such, their constructors should be annotated with InternalKotlinCryptoApi so that consumers are aware.

Now that the API for kotlinx-io has been stabilized, adapters can be created based off of core libraries to provide Source and Sink for core classes Digest, Mac and Xof

Need to think on how best to do this while maintaining the modularity. Might be better if it lives in a wholly separate repository such as KotlinCrypto/adapters.

See for API: Kotlin/kotlinx-io#178