CryptoKit AES.GCM implementation

whyoleg · whyoleg · commit b16b8b7f1911 · 2025-05-16T11:03:56.000+03:00
diff --git a/cryptography-providers-tests-api/src/commonMain/kotlin/support.kt b/cryptography-providers-tests-api/src/commonMain/kotlin/support.kt
@@ -5,6 +5,7 @@
 package dev.whyoleg.cryptography.providers.tests.api
 
 import dev.whyoleg.cryptography.*
+import dev.whyoleg.cryptography.BinarySize.Companion.bytes
 import dev.whyoleg.cryptography.algorithms.*
 import dev.whyoleg.cryptography.materials.key.*
 import dev.whyoleg.cryptography.serialization.asn1.*
@@ -52,6 +53,14 @@ fun AlgorithmTestScope<AES.CBC>.supportsPadding(padding: Boolean): Boolean = sup
     }
 }
 
+// CryptoKit supports only the default tag size
+fun AlgorithmTestScope<AES.GCM>.supportsTagSize(tagSize: BinarySize): Boolean = supports {
+    when {
+        provider.isCryptoKit && tagSize != 16.bytes -> "non-default tag size"
+        else                                        -> null
+    }
+}
+
 // WebCrypto BROWSER(or only chromium) doesn't support 192bits
 // https://bugs.chromium.org/p/chromium/issues/detail?id=533699
 fun AlgorithmTestScope<out AES<*>>.supportsKeySize(keySizeBits: Int): Boolean = supports {
diff --git a/cryptography-providers-tests/src/commonMain/kotlin/compatibility/AesGcmCompatibilityTest.kt b/cryptography-providers-tests/src/commonMain/kotlin/compatibility/AesGcmCompatibilityTest.kt
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2023-2024 Oleg Yukhnevich. Use of this source code is governed by the Apache 2.0 license.
+ * Copyright (c) 2023-2025 Oleg Yukhnevich. Use of this source code is governed by the Apache 2.0 license.
  */
 
 package dev.whyoleg.cryptography.providers.tests.compatibility
@@ -43,6 +43,8 @@ abstract class AesGcmCompatibilityTest(provider: CryptographyProvider) :
 
         val parametersList = buildList {
             tagSizes.forEach { tagSize ->
+                if (!supportsTagSize(tagSize.bits)) return@forEach
+
                 // size of IV = 12
                 (List(ivIterations) { ByteString(CryptographyRandom.nextBytes(12)) } + listOf(null)).forEach { iv ->
                     val parameters = CipherParameters(tagSize, iv)
@@ -94,6 +96,7 @@ abstract class AesGcmCompatibilityTest(provider: CryptographyProvider) :
         val keys = validateKeys()
 
         api.ciphers.getParameters<CipherParameters> { (tagSize, iv), parametersId, _ ->
+            if (!supportsTagSize(tagSize.bits)) return@getParameters
             api.ciphers.getData<AuthenticatedCipherData>(parametersId) { (keyReference, associatedData, plaintext, ciphertext), _, _ ->
                 keys[keyReference]?.forEach { key ->
                     val cipher = key.cipher(tagSize.bits)
diff --git a/cryptography-providers-tests/src/commonMain/kotlin/default/AesGcmTest.kt b/cryptography-providers-tests/src/commonMain/kotlin/default/AesGcmTest.kt
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2023-2024 Oleg Yukhnevich. Use of this source code is governed by the Apache 2.0 license.
+ * Copyright (c) 2023-2025 Oleg Yukhnevich. Use of this source code is governed by the Apache 2.0 license.
  */
 
 package dev.whyoleg.cryptography.providers.tests.default
@@ -21,6 +21,7 @@ abstract class AesGcmTest(provider: CryptographyProvider) : AesBasedTest<AES.GCM
         assertEquals(keySize.inBytes, key.encodeToByteString(AES.Key.Format.RAW).size)
 
         listOf(96, 104, 112, 120, 128).forEach { tagSizeBits ->
+            if (!supportsTagSize(tagSizeBits.bits)) return@forEach
             val tagSize = tagSizeBits.bits.inBytes
             key.cipher(tagSizeBits.bits).run {
                 listOf(0, 15, 16, 17, 319, 320, 321).forEach { inputSize ->
@@ -60,6 +61,7 @@ abstract class AesGcmTest(provider: CryptographyProvider) : AesBasedTest<AES.GCM
 
         val key = algorithm.keyGenerator(keySize).generateKey()
         listOf(96, 104, 112, 120, 128).forEach { tagSizeBits ->
+            if (!supportsTagSize(tagSizeBits.bits)) return@forEach
             val cipher = key.cipher(tagSizeBits.bits)
             repeat(100) {
                 val size = CryptographyRandom.nextInt(20000)
@@ -75,6 +77,7 @@ abstract class AesGcmTest(provider: CryptographyProvider) : AesBasedTest<AES.GCM
 
         val key = algorithm.keyGenerator(keySize).generateKey()
         listOf(96, 104, 112, 120, 128).forEach { tagSizeBits ->
+            if (!supportsTagSize(tagSizeBits.bits)) return@forEach
             val cipher = key.cipher(tagSizeBits.bits)
             repeat(100) {
                 val size = CryptographyRandom.nextInt(20000)
diff --git a/cryptography-providers/cryptokit/src/commonMain/kotlin/CryptoKitCryptographyProvider.kt b/cryptography-providers/cryptokit/src/commonMain/kotlin/CryptoKitCryptographyProvider.kt
@@ -20,17 +20,17 @@ internal object CryptoKitCryptographyProvider : CryptographyProvider() {
 
     @Suppress("UNCHECKED_CAST")
     override fun <A : CryptographyAlgorithm> getOrNull(identifier: CryptographyAlgorithmId<A>): A? = when (identifier) {
-        MD5    -> CryptoKitDigest(MD5, SwiftHash::md5, SwiftHashAlgorithmMd5)
-        SHA1   -> CryptoKitDigest(SHA1, SwiftHash::sha1, SwiftHashAlgorithmSha1)
-        SHA256 -> CryptoKitDigest(SHA256, SwiftHash::sha256, SwiftHashAlgorithmSha256)
-        SHA384 -> CryptoKitDigest(SHA384, SwiftHash::sha384, SwiftHashAlgorithmSha384)
-        SHA512 -> CryptoKitDigest(SHA512, SwiftHash::sha512, SwiftHashAlgorithmSha512)
-        HMAC -> CryptoKitHmac
-        HKDF -> CryptoKitHkdf
-//        AES.GCM ->
+        MD5     -> CryptoKitDigest(MD5, SwiftHash::md5, SwiftHashAlgorithmMd5)
+        SHA1    -> CryptoKitDigest(SHA1, SwiftHash::sha1, SwiftHashAlgorithmSha1)
+        SHA256  -> CryptoKitDigest(SHA256, SwiftHash::sha256, SwiftHashAlgorithmSha256)
+        SHA384  -> CryptoKitDigest(SHA384, SwiftHash::sha384, SwiftHashAlgorithmSha384)
+        SHA512  -> CryptoKitDigest(SHA512, SwiftHash::sha512, SwiftHashAlgorithmSha512)
+        HMAC    -> CryptoKitHmac
+        HKDF    -> CryptoKitHkdf
+        AES.GCM -> CryptoKitAesGcm
 //        ECDSA   ->
 //        ECDH   ->
-        else   -> null
+        else    -> null
     } as A?
 }
 
diff --git a/cryptography-providers/cryptokit/src/commonMain/kotlin/algorithms/CryptoKitAesGcm.kt b/cryptography-providers/cryptokit/src/commonMain/kotlin/algorithms/CryptoKitAesGcm.kt
@@ -0,0 +1,140 @@
+/*
+ * Copyright (c) 2024-2025 Oleg Yukhnevich. Use of this source code is governed by the Apache 2.0 license.
+ */
+
+package dev.whyoleg.cryptography.providers.cryptokit.algorithms
+
+import dev.whyoleg.cryptography.*
+import dev.whyoleg.cryptography.BinarySize.Companion.bytes
+import dev.whyoleg.cryptography.algorithms.*
+import dev.whyoleg.cryptography.materials.key.*
+import dev.whyoleg.cryptography.providers.base.*
+import dev.whyoleg.cryptography.providers.base.algorithms.*
+import dev.whyoleg.cryptography.providers.base.operations.*
+import dev.whyoleg.cryptography.providers.cryptokit.internal.swiftinterop.*
+import dev.whyoleg.cryptography.random.*
+import kotlinx.cinterop.*
+import platform.Foundation.*
+
+internal object CryptoKitAesGcm : AES.GCM {
+    override fun keyDecoder(): KeyDecoder<AES.Key.Format, AES.GCM.Key> = AesKeyDecoder()
+
+    override fun keyGenerator(keySize: BinarySize): KeyGenerator<AES.GCM.Key> = AesGcmKeyGenerator(keySize.inBytes)
+}
+
+private class AesKeyDecoder : KeyDecoder<AES.Key.Format, AES.GCM.Key> {
+    override fun decodeFromByteArrayBlocking(format: AES.Key.Format, bytes: ByteArray): AES.GCM.Key = when (format) {
+        AES.Key.Format.RAW -> {
+            require(bytes.size == 16 || bytes.size == 24 || bytes.size == 32) {
+                "AES key size must be 128, 192 or 256 bits"
+            }
+            AesGcmKey(bytes.copyOf())
+        }
+        AES.Key.Format.JWK -> error("JWK is not supported")
+    }
+}
+
+private class AesGcmKeyGenerator(private val keySizeBytes: Int) : KeyGenerator<AES.GCM.Key> {
+    override fun generateKeyBlocking(): AES.GCM.Key {
+        val key = CryptographyRandom.nextBytes(keySizeBytes)
+        return AesGcmKey(key)
+    }
+}
+
+private class AesGcmKey(private val key: ByteArray) : AES.GCM.Key {
+    override fun cipher(tagSize: BinarySize): AES.IvAuthenticatedCipher {
+        require(tagSize == 16.bytes) { "GCM tag size must be 16 bytes, but was $tagSize" }
+        return AesGcmCipher(key, tagSize.inBytes)
+    }
+
+    override fun encodeToByteArrayBlocking(format: AES.Key.Format): ByteArray = when (format) {
+        AES.Key.Format.RAW -> key.copyOf()
+        AES.Key.Format.JWK -> error("JWK is not supported")
+    }
+}
+
+private class AesGcmCipher(
+    private val key: ByteArray,
+    private val tagSize: Int,
+) : BaseAesIvAuthenticatedCipher {
+    private val ivSize: Int get() = 12
+
+    override fun createEncryptFunction(associatedData: ByteArray?): CipherFunction {
+        val iv = CryptographyRandom.nextBytes(ivSize)
+        return BaseAesImplicitIvEncryptFunction(iv, createEncryptFunctionWithIv(iv, associatedData))
+    }
+
+    override fun createDecryptFunction(associatedData: ByteArray?): CipherFunction {
+        return BaseAesImplicitIvDecryptFunction(ivSize) { iv, startIndex ->
+            createDecryptFunctionWithIv(iv, startIndex, associatedData)
+        }
+    }
+
+    override fun createEncryptFunctionWithIv(iv: ByteArray, associatedData: ByteArray?): CipherFunction {
+        require(iv.size == ivSize) { "IV size is wrong" }
+
+        return AccumulatingCipherFunction { plaintext ->
+            plaintext.useNSData { plaintextData ->
+                iv.useNSData { ivData ->
+                    key.useNSData { keyData ->
+                        (associatedData ?: EmptyByteArray).useNSData { adData ->
+                            swiftTry { error ->
+                                SwiftAesGcm.encryptWithKey(
+                                    key = keyData,
+                                    nonce = ivData,
+                                    plaintext = plaintextData,
+                                    authenticatedData = adData,
+                                    error = error
+                                )
+                            }.toByteArray().let {
+                                it.copyOfRange(ivSize, it.size)
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+    private fun createDecryptFunctionWithIv(iv: ByteArray, startIndex: Int, associatedData: ByteArray?): CipherFunction {
+        require(iv.size - startIndex >= ivSize) { "IV size is wrong" }
+
+        return AccumulatingCipherFunction { ciphertext ->
+            ciphertext.useNSData(endIndex = ciphertext.size - tagSize) { ciphertextData ->
+                ciphertext.useNSData(startIndex = ciphertext.size - tagSize) { tagData ->
+                    iv.useNSData(startIndex, startIndex + ivSize) { ivData ->
+                        key.useNSData { keyData ->
+                            (associatedData ?: EmptyByteArray).useNSData { adData ->
+                                swiftTry { error ->
+                                    SwiftAesGcm.decryptWithKey(
+                                        key = keyData,
+                                        nonce = ivData,
+                                        ciphertext = ciphertextData,
+                                        tag = tagData,
+                                        authenticatedData = adData,
+                                        error = error
+                                    )
+                                }.toByteArray()
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+    override fun createDecryptFunctionWithIv(iv: ByteArray, associatedData: ByteArray?): CipherFunction {
+        return createDecryptFunctionWithIv(iv, 0, associatedData)
+    }
+}
+
+@OptIn(BetaInteropApi::class)
+private fun <T : Any> swiftTry(
+    block: (error: CPointer<ObjCObjectVar<NSError?>>) -> T?,
+): T = memScoped {
+    val errorH = alloc<ObjCObjectVar<NSError?>>()
+    when (val result = block(errorH.ptr)) {
+        null -> error("Swift call failed: ${errorH.value?.localizedDescription ?: "unknown error"}")
+        else -> result
+    }
+}
diff --git a/cryptography-providers/cryptokit/src/commonMain/swift/SwiftAesGcm.swift b/cryptography-providers/cryptokit/src/commonMain/swift/SwiftAesGcm.swift
@@ -0,0 +1,36 @@
+import CryptoKit
+import Foundation
+
+@objc public class SwiftAesGcm: NSObject {
+    @objc public static func encrypt(
+        key: NSData,
+        nonce: NSData,
+        plaintext: NSData,
+        authenticatedData: NSData
+    ) throws -> Data {
+        return try AES.GCM.seal(
+            plaintext as Data,
+            using: SymmetricKey(data: key as Data),
+            nonce: try AES.GCM.Nonce(data: nonce as Data),
+            authenticating: authenticatedData
+        ).combined!
+    }
+
+    @objc public static func decrypt(
+        key: NSData,
+        nonce: NSData,
+        ciphertext: NSData,
+        tag: NSData,
+        authenticatedData: NSData
+    ) throws -> Data {
+        return try AES.GCM.open(
+            try AES.GCM.SealedBox(
+                nonce: try AES.GCM.Nonce(data: nonce),
+                ciphertext: ciphertext,
+                tag: tag
+            ),
+            using: SymmetricKey(data: key as Data),
+            authenticating: authenticatedData
+        )
+    }
+}
