Support encryption/decryption streaming in Apple provider

Author: whyoleg

cryptography-providers/apple/src/commonMain/kotlin/algorithms/CCAesCbc.kt

@@ -5,63 +5,25 @@
 package dev.whyoleg.cryptography.providers.apple.algorithms
 
 import dev.whyoleg.cryptography.algorithms.*
-import dev.whyoleg.cryptography.providers.apple.internal.*
-import dev.whyoleg.cryptography.random.*
 import platform.CoreCrypto.*
 
 internal object CCAesCbc : CCAes<AES.CBC.Key>(), AES.CBC {
     override fun wrapKey(key: ByteArray): AES.CBC.Key = AesCbcKey(key)
 
     private class AesCbcKey(private val key: ByteArray) : AES.CBC.Key {
-        override fun cipher(padding: Boolean): AES.IvCipher = AesCbcCipher(key, padding)
+        override fun cipher(padding: Boolean): AES.IvCipher = CCAesIvCipher(
+            algorithm = kCCAlgorithmAES,
+            mode = kCCModeCBC,
+            padding = if (padding) ccPKCS7Padding else ccNoPadding,
+            key = key,
+            ivSize = 16
+        ) {
+            require(it % kCCBlockSizeAES128.toInt() == 0) { "Ciphertext is not padded" }
+        }
+
         override fun encodeToByteArrayBlocking(format: AES.Key.Format): ByteArray = when (format) {
             AES.Key.Format.RAW -> key.copyOf()
             AES.Key.Format.JWK -> error("JWK is not supported")
         }
     }
 }
-
-private const val ivSizeBytes = 16 //bytes for CBC
-private const val blockSizeBytes = 16 //bytes for CBC
-
-private class AesCbcCipher(key: ByteArray, padding: Boolean) : AES.IvCipher {
-    private val cipher = CCCipher(
-        algorithm = kCCAlgorithmAES,
-        mode = kCCModeCBC,
-        padding = if (padding) ccPKCS7Padding else ccNoPadding,
-        key = key
-    )
-
-    override fun encryptBlocking(plaintext: ByteArray): ByteArray {
-        val iv = CryptographyRandom.nextBytes(ivSizeBytes)
-        return iv + encryptWithIvBlocking(iv, plaintext)
-    }
-
-    override fun encryptWithIvBlocking(iv: ByteArray, plaintext: ByteArray): ByteArray {
-        require(iv.size == ivSizeBytes) { "IV size is wrong" }
-
-        return cipher.encrypt(iv, plaintext)
-    }
-
-    override fun decryptBlocking(ciphertext: ByteArray): ByteArray {
-        require(ciphertext.size >= ivSizeBytes) { "Ciphertext is too short" }
-        require(ciphertext.size % blockSizeBytes == 0) { "Ciphertext is not padded" }
-
-        return cipher.decrypt(
-            iv = ciphertext,
-            ciphertext = ciphertext,
-            ciphertextStartIndex = ivSizeBytes
-        )
-    }
-
-    override fun decryptWithIvBlocking(iv: ByteArray, ciphertext: ByteArray): ByteArray {
-        require(iv.size == ivSizeBytes) { "IV size is wrong" }
-        require(ciphertext.size % blockSizeBytes == 0) { "Ciphertext is not padded" }
-
-        return cipher.decrypt(
-            iv = iv,
-            ciphertext = ciphertext,
-            ciphertextStartIndex = 0
-        )
-    }
-}

cryptography-providers/apple/src/commonMain/kotlin/algorithms/CCAesCtr.kt

@@ -5,61 +5,24 @@
 package dev.whyoleg.cryptography.providers.apple.algorithms
 
 import dev.whyoleg.cryptography.algorithms.*
-import dev.whyoleg.cryptography.providers.apple.internal.*
-import dev.whyoleg.cryptography.random.*
 import kotlinx.cinterop.*
 import platform.CoreCrypto.*
 
 internal object CCAesCtr : CCAes<AES.CTR.Key>(), AES.CTR {
     override fun wrapKey(key: ByteArray): AES.CTR.Key = AesCtrKey(key)
 
     private class AesCtrKey(private val key: ByteArray) : AES.CTR.Key {
-        override fun cipher(): AES.IvCipher = AesCtrCipher(key)
+        override fun cipher(): AES.IvCipher = CCAesIvCipher(
+            algorithm = kCCAlgorithmAES,
+            mode = kCCModeCTR,
+            padding = 0.convert(), // not applicable
+            key = key,
+            ivSize = 16
+        )
+
         override fun encodeToByteArrayBlocking(format: AES.Key.Format): ByteArray = when (format) {
             AES.Key.Format.RAW -> key.copyOf()
             AES.Key.Format.JWK -> error("JWK is not supported")
         }
     }
 }
-
-private const val ivSizeBytes = 16 //bytes for CTR
-
-private class AesCtrCipher(key: ByteArray) : AES.IvCipher {
-    private val cipher = CCCipher(
-        algorithm = kCCAlgorithmAES,
-        mode = kCCModeCTR,
-        padding = 0.convert(), // not applicable
-        key = key
-    )
-
-    override fun encryptBlocking(plaintext: ByteArray): ByteArray {
-        val iv = CryptographyRandom.nextBytes(ivSizeBytes)
-        return iv + encryptWithIvBlocking(iv, plaintext)
-    }
-
-    override fun encryptWithIvBlocking(iv: ByteArray, plaintext: ByteArray): ByteArray {
-        require(iv.size == ivSizeBytes) { "IV size is wrong" }
-
-        return cipher.encrypt(iv, plaintext)
-    }
-
-    override fun decryptBlocking(ciphertext: ByteArray): ByteArray {
-        require(ciphertext.size >= ivSizeBytes) { "Ciphertext is too short" }
-
-        return cipher.decrypt(
-            iv = ciphertext,
-            ciphertext = ciphertext,
-            ciphertextStartIndex = ivSizeBytes
-        )
-    }
-
-    override fun decryptWithIvBlocking(iv: ByteArray, ciphertext: ByteArray): ByteArray {
-        require(iv.size == ivSizeBytes) { "IV size is wrong" }
-
-        return cipher.decrypt(
-            iv = iv,
-            ciphertext = ciphertext,
-            ciphertextStartIndex = 0
-        )
-    }
-}

cryptography-providers/apple/src/commonMain/kotlin/algorithms/CCAesEcb.kt

@@ -7,41 +7,50 @@ package dev.whyoleg.cryptography.providers.apple.algorithms
 import dev.whyoleg.cryptography.algorithms.*
 import dev.whyoleg.cryptography.operations.*
 import dev.whyoleg.cryptography.providers.apple.internal.*
+import dev.whyoleg.cryptography.providers.base.operations.*
 import platform.CoreCrypto.*
 
 internal object CCAesEcb : CCAes<AES.ECB.Key>(), AES.ECB {
     override fun wrapKey(key: ByteArray): AES.ECB.Key = AesEcbKey(key)
 
     private class AesEcbKey(private val key: ByteArray) : AES.ECB.Key {
-        override fun cipher(padding: Boolean): Cipher = AesEcbCipher(key, padding)
+        override fun cipher(padding: Boolean): Cipher = CCAesEcbCipher(key, padding)
         override fun encodeToByteArrayBlocking(format: AES.Key.Format): ByteArray = when (format) {
             AES.Key.Format.RAW -> key.copyOf()
             AES.Key.Format.JWK -> error("JWK is not supported")
         }
     }
 }
 
-private const val blockSizeBytes = 16 //bytes for ECB
-
-private class AesEcbCipher(key: ByteArray, padding: Boolean) : Cipher {
-    private val cipher = CCCipher(
-        algorithm = kCCAlgorithmAES,
-        mode = kCCModeECB,
-        padding = if (padding) ccPKCS7Padding else ccNoPadding,
-        key = key
-    )
-
-    override fun encryptBlocking(plaintext: ByteArray): ByteArray {
-        return cipher.encrypt(null, plaintext)
+private class CCAesEcbCipher(
+    private val key: ByteArray,
+    private val padding: Boolean,
+) : BaseCipher {
+    override fun createEncryptFunction(): CipherFunction {
+        return CCCipherFunction(
+            algorithm = kCCAlgorithmAES,
+            mode = kCCModeECB,
+            padding = if (padding) ccPKCS7Padding else ccNoPadding,
+            operation = kCCEncrypt,
+            blockSize = kCCBlockSizeAES128.toInt(),
+            key = key,
+            iv = null,
+            ivStartIndex = 0
+        )
     }
 
-    override fun decryptBlocking(ciphertext: ByteArray): ByteArray {
-        require(ciphertext.size % blockSizeBytes == 0) { "Ciphertext is not padded" }
-
-        return cipher.decrypt(
+    override fun createDecryptFunction(): CipherFunction {
+        return CCCipherFunction(
+            algorithm = kCCAlgorithmAES,
+            mode = kCCModeECB,
+            padding = if (padding) ccPKCS7Padding else ccNoPadding,
+            operation = kCCDecrypt,
+            blockSize = kCCBlockSizeAES128.toInt(),
+            key = key,
             iv = null,
-            ciphertext = ciphertext,
-            ciphertextStartIndex = 0
-        )
+            ivStartIndex = 0
+        ) {
+            require(it % kCCBlockSizeAES128.toInt() == 0) { "Ciphertext is not padded" }
+        }
     }
 }

cryptography-providers/apple/src/commonMain/kotlin/algorithms/CCAesIvCipher.kt

@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 2024 Oleg Yukhnevich. Use of this source code is governed by the Apache 2.0 license.
+ */
+
+package dev.whyoleg.cryptography.providers.apple.algorithms
+
+import dev.whyoleg.cryptography.providers.apple.internal.*
+import dev.whyoleg.cryptography.providers.base.algorithms.*
+import dev.whyoleg.cryptography.providers.base.operations.*
+import dev.whyoleg.cryptography.random.*
+import platform.CoreCrypto.*
+
+internal class CCAesIvCipher(
+    private val algorithm: CCAlgorithm,
+    private val mode: CCMode,
+    private val padding: CCPadding,
+    private val key: ByteArray,
+    private val ivSize: Int,
+    private val validateCiphertextInputSize: (Int) -> Unit = {},
+) : BaseAesIvCipher {
+    override fun createEncryptFunction(): CipherFunction {
+        val iv = CryptographyRandom.nextBytes(ivSize)
+        return BaseAesImplicitIvEncryptFunction(iv, createEncryptFunctionWithIv(iv))
+    }
+
+    override fun createDecryptFunction(): CipherFunction {
+        return BaseAesImplicitIvDecryptFunction(ivSize, ::createDecryptFunctionWithIv)
+    }
+
+    override fun createEncryptFunctionWithIv(iv: ByteArray): CipherFunction {
+        require(iv.size == ivSize) { "IV size is wrong" }
+
+        return CCCipherFunction(
+            algorithm = algorithm,
+            mode = mode,
+            padding = padding,
+            operation = kCCEncrypt,
+            blockSize = kCCBlockSizeAES128.toInt(),
+            key = key,
+            iv = iv,
+            ivStartIndex = 0
+        )
+    }
+
+    private fun createDecryptFunctionWithIv(iv: ByteArray, startIndex: Int): CipherFunction {
+        require(iv.size - startIndex >= ivSize) { "IV size is wrong" }
+
+        return CCCipherFunction(
+            algorithm = algorithm,
+            mode = mode,
+            padding = padding,
+            operation = kCCDecrypt,
+            blockSize = kCCBlockSizeAES128.toInt(),
+            key = key,
+            iv = iv,
+            ivStartIndex = startIndex,
+            validateFullInputSize = validateCiphertextInputSize
+        )
+    }
+
+    override fun createDecryptFunctionWithIv(iv: ByteArray): CipherFunction {
+        return createDecryptFunctionWithIv(iv, 0)
+    }
+}

cryptography-providers/apple/src/commonMain/kotlin/algorithms/CCDigest.kt

@@ -8,6 +8,7 @@ import dev.whyoleg.cryptography.*
 import dev.whyoleg.cryptography.algorithms.*
 import dev.whyoleg.cryptography.operations.*
 import dev.whyoleg.cryptography.providers.apple.internal.*
+import dev.whyoleg.cryptography.providers.base.*
 import kotlinx.cinterop.*
 
 internal class CCDigest<CTX : CPointed>(

cryptography-providers/apple/src/commonMain/kotlin/algorithms/CCHmac.kt

@@ -9,6 +9,7 @@ import dev.whyoleg.cryptography.algorithms.*
 import dev.whyoleg.cryptography.materials.key.*
 import dev.whyoleg.cryptography.operations.*
 import dev.whyoleg.cryptography.providers.apple.internal.*
+import dev.whyoleg.cryptography.providers.base.*
 import dev.whyoleg.cryptography.random.*
 import kotlinx.cinterop.*
 import platform.CoreCrypto.*

cryptography-providers/apple/src/commonMain/kotlin/algorithms/SecEcdsa.kt

@@ -10,6 +10,7 @@ import dev.whyoleg.cryptography.bigint.*
 import dev.whyoleg.cryptography.materials.key.*
 import dev.whyoleg.cryptography.operations.*
 import dev.whyoleg.cryptography.providers.apple.internal.*
+import dev.whyoleg.cryptography.providers.base.*
 import dev.whyoleg.cryptography.serialization.asn1.*
 import dev.whyoleg.cryptography.serialization.asn1.modules.*
 import dev.whyoleg.cryptography.serialization.pem.*

cryptography-providers/apple/src/commonMain/kotlin/algorithms/SecRsaOaep.kt

@@ -8,6 +8,7 @@ import dev.whyoleg.cryptography.*
 import dev.whyoleg.cryptography.algorithms.*
 import dev.whyoleg.cryptography.operations.*
 import dev.whyoleg.cryptography.providers.apple.internal.*
+import dev.whyoleg.cryptography.providers.base.operations.*
 import platform.Security.*
 
 internal object SecRsaOaep : SecRsa<RSA.OAEP.PublicKey, RSA.OAEP.PrivateKey, RSA.OAEP.KeyPair>(), RSA.OAEP {
@@ -41,18 +42,18 @@ internal object SecRsaOaep : SecRsa<RSA.OAEP.PublicKey, RSA.OAEP.PrivateKey, RSA
     }
 }
 
-private class RsaOaepEncryptor(private val publicKey: SecKeyRef, private val algorithm: SecKeyAlgorithm?) : AuthenticatedEncryptor {
-    override fun encryptBlocking(plaintext: ByteArray, associatedData: ByteArray?): ByteArray {
+private class RsaOaepEncryptor(private val publicKey: SecKeyRef, private val algorithm: SecKeyAlgorithm?) : BaseAuthenticatedEncryptor {
+    override fun createEncryptFunction(associatedData: ByteArray?): CipherFunction {
         require(associatedData == null) { "Associated data inclusion is not supported" }
 
-        return secEncrypt(publicKey, algorithm, plaintext)
+        return SecCipherFunction(publicKey, algorithm, ::SecKeyCreateEncryptedData)
     }
 }
 
-private class RsaOaepDecryptor(private val privateKey: SecKeyRef, private val algorithm: SecKeyAlgorithm?) : AuthenticatedDecryptor {
-    override fun decryptBlocking(ciphertext: ByteArray, associatedData: ByteArray?): ByteArray {
+private class RsaOaepDecryptor(private val privateKey: SecKeyRef, private val algorithm: SecKeyAlgorithm?) : BaseAuthenticatedDecryptor {
+    override fun createDecryptFunction(associatedData: ByteArray?): CipherFunction {
         require(associatedData == null) { "Associated data inclusion is not supported" }
 
-        return secDecrypt(privateKey, algorithm, ciphertext)
+        return SecCipherFunction(privateKey, algorithm, ::SecKeyCreateDecryptedData)
     }
 }

cryptography-providers/apple/src/commonMain/kotlin/algorithms/SecRsaPkcs1.kt

@@ -8,6 +8,7 @@ import dev.whyoleg.cryptography.*
 import dev.whyoleg.cryptography.algorithms.*
 import dev.whyoleg.cryptography.operations.*
 import dev.whyoleg.cryptography.providers.apple.internal.*
+import dev.whyoleg.cryptography.providers.base.operations.*
 import platform.Security.*
 
 internal object SecRsaPkcs1 : SecRsa<RSA.PKCS1.PublicKey, RSA.PKCS1.PrivateKey, RSA.PKCS1.KeyPair>(), RSA.PKCS1 {
@@ -43,14 +44,14 @@ internal object SecRsaPkcs1 : SecRsa<RSA.PKCS1.PublicKey, RSA.PKCS1.PrivateKey,
     }
 }
 
-private class RsaPkcs1Encryptor(private val publicKey: SecKeyRef) : Encryptor {
-    override fun encryptBlocking(plaintext: ByteArray): ByteArray {
-        return secEncrypt(publicKey, kSecKeyAlgorithmRSAEncryptionPKCS1, plaintext)
+private class RsaPkcs1Encryptor(private val publicKey: SecKeyRef) : BaseEncryptor {
+    override fun createEncryptFunction(): CipherFunction {
+        return SecCipherFunction(publicKey, kSecKeyAlgorithmRSAEncryptionPKCS1, ::SecKeyCreateEncryptedData)
     }
 }
 
-private class RsaPkcs1Decryptor(private val privateKey: SecKeyRef) : Decryptor {
-    override fun decryptBlocking(ciphertext: ByteArray): ByteArray {
-        return secDecrypt(privateKey, kSecKeyAlgorithmRSAEncryptionPKCS1, ciphertext)
+private class RsaPkcs1Decryptor(private val privateKey: SecKeyRef) : BaseDecryptor {
+    override fun createDecryptFunction(): CipherFunction {
+        return SecCipherFunction(privateKey, kSecKeyAlgorithmRSAEncryptionPKCS1, ::SecKeyCreateDecryptedData)
     }
 }

cryptography-providers/apple/src/commonMain/kotlin/algorithms/SecRsaRaw.kt

@@ -8,6 +8,7 @@ import dev.whyoleg.cryptography.*
 import dev.whyoleg.cryptography.algorithms.*
 import dev.whyoleg.cryptography.operations.*
 import dev.whyoleg.cryptography.providers.apple.internal.*
+import dev.whyoleg.cryptography.providers.base.operations.*
 import platform.Security.*
 
 internal object SecRsaRaw : SecRsa<RSA.RAW.PublicKey, RSA.RAW.PrivateKey, RSA.RAW.KeyPair>(), RSA.RAW {
@@ -35,14 +36,14 @@ internal object SecRsaRaw : SecRsa<RSA.RAW.PublicKey, RSA.RAW.PrivateKey, RSA.RA
     }
 }
 
-private class RsaRawEncryptor(private val publicKey: SecKeyRef) : Encryptor {
-    override fun encryptBlocking(plaintext: ByteArray): ByteArray {
-        return secEncrypt(publicKey, kSecKeyAlgorithmRSAEncryptionRaw, plaintext)
+private class RsaRawEncryptor(private val publicKey: SecKeyRef) : BaseEncryptor {
+    override fun createEncryptFunction(): CipherFunction {
+        return SecCipherFunction(publicKey, kSecKeyAlgorithmRSAEncryptionRaw, ::SecKeyCreateEncryptedData)
     }
 }
 
-private class RsaRawDecryptor(private val privateKey: SecKeyRef) : Decryptor {
-    override fun decryptBlocking(ciphertext: ByteArray): ByteArray {
-        return secDecrypt(privateKey, kSecKeyAlgorithmRSAEncryptionRaw, ciphertext)
+private class RsaRawDecryptor(private val privateKey: SecKeyRef) : BaseDecryptor {
+    override fun createDecryptFunction(): CipherFunction {
+        return SecCipherFunction(privateKey, kSecKeyAlgorithmRSAEncryptionRaw, ::SecKeyCreateDecryptedData)
     }
 }