Use Provider for android API 21-23 to set spiImpl (#44)

Author: 05nelsonm

library/common/api/common.api

@@ -22,3 +22,6 @@ public abstract interface class org/kotlincrypto/core/Updatable {
 	public abstract fun update ([BII)V
 }
 
+public final class org/kotlincrypto/core/_AndroidSdkIntKt {
+}
+

library/common/src/jvmMain/kotlin/org/kotlincrypto/core/-AndroidSdkInt.kt

@@ -0,0 +1,31 @@
+/*
+ * Copyright (c) 2023 Matthew Nelson
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+package org.kotlincrypto.core
+
+@InternalKotlinCryptoApi
+public val KC_ANDROID_SDK_INT: Int? by lazy {
+    try {
+        val clazz = Class.forName("android.os.Build\$VERSION")
+
+        try {
+            clazz?.getField("SDK_INT")?.getInt(null)
+        } catch (_: Throwable) {
+            clazz?.getField("SDK")?.get(null)?.toString()?.toIntOrNull()
+        }
+    } catch (_: Throwable) {
+        null
+    }
+}

library/mac/src/jvmMain/kotlin/org/kotlincrypto/core/Mac.kt

@@ -15,6 +15,7 @@
  **/
 package org.kotlincrypto.core
 
+import org.kotlincrypto.core.internal.AndroidApi21to23MacSpiProvider
 import org.kotlincrypto.core.internal.commonInit
 import org.kotlincrypto.core.internal.commonToString
 import java.nio.ByteBuffer
@@ -48,8 +49,11 @@ public actual abstract class Mac
 protected actual constructor(
     algorithm: String,
     private val engine: Engine,
-) : javax.crypto.Mac(engine, null, algorithm),
-    Algorithm,
+) : javax.crypto.Mac(
+    /* macSpi    */ engine,
+    /* provider  */ AndroidApi21to23MacSpiProvider.createOrNull(engine, algorithm),
+    /* algorithm */ algorithm
+),  Algorithm,
     Copyable<Mac>,
     Resettable,
     Updatable

library/mac/src/jvmMain/kotlin/org/kotlincrypto/core/internal/AndroidApi21to23MacSpiProvider.kt

@@ -0,0 +1,93 @@
+/*
+ * Copyright (c) 2023 Matthew Nelson
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+package org.kotlincrypto.core.internal
+
+import org.kotlincrypto.core.KC_ANDROID_SDK_INT
+import org.kotlincrypto.core.InternalKotlinCryptoApi
+import java.security.NoSuchAlgorithmException
+import java.security.Provider
+import javax.crypto.MacSpi
+
+/**
+ * Android API 21-23 requires that a Provider be set, otherwise
+ * when [javax.crypto.Mac.init] is called it will not use the
+ * provided [org.kotlincrypto.core.Mac.Engine] (i.e., [spi]).
+ *
+ * This simply wraps the [org.kotlincrypto.core.Mac.Engine]
+ * such that initial [javax.crypto.Mac.init] call sets it
+ * as the spiImpl, and does not look to system providers
+ * for an instance that supports the [algorithm].
+ *
+ * See: https://github.com/KotlinCrypto/core/issues/37
+ * See: https://github.com/KotlinCrypto/core/issues/41
+ * See: https://github.com/KotlinCrypto/core/issues/42
+ * */
+@Suppress("DEPRECATION")
+internal class AndroidApi21to23MacSpiProvider private constructor(
+    @Volatile
+    private var spi: MacSpi?,
+    private val algorithm: String,
+): Provider("KC", 0.0, "") {
+
+    override fun getService(type: String?, algorithm: String?): Service = synchronized(this) {
+        if (type == "Mac" && algorithm == this.algorithm && spi != null) {
+            SpiProviderService()
+        } else {
+            throw NoSuchAlgorithmException("type[$type] and algorithm[$algorithm] not supported")
+        }
+    }
+
+    private inner class SpiProviderService: Service(
+        /* provider   */ this,
+        /* type       */ "Mac",
+        /* algorithm  */ algorithm,
+        /* className  */ "",
+        /* aliases    */ null,
+        /* attributes */ null
+    ) {
+        override fun newInstance(constructorParameter: Any?): Any = synchronized(this@AndroidApi21to23MacSpiProvider) {
+            // simply return this if spi reference was dropped. b/c this is not
+            // an instance of MacSpi, android's implementation of javax.crypto.Mac
+            // will throw an exception which is what we want.
+            val engine = spi ?: throw NoSuchAlgorithmException("algorithm[$algorithm] not supported")
+
+            // javax.crypto.Mac.init was called with a blanked key via org.kotlincrypto.Mac's
+            // init block in order to set javax.crypto.Mac.initialized to true. return
+            // the MacSpi (i.e. org.kotlincrypto.Mac.Engine), and null the reference as
+            // we cannot provide a new instance if called again and do not want to return the
+            // same, already initialized org.kotlincrypto.Mac.Engine
+            spi = null
+
+            return engine
+        }
+    }
+
+    internal companion object {
+
+        @JvmStatic
+        @JvmSynthetic
+        internal fun createOrNull(engine: MacSpi, algorithm: String): AndroidApi21to23MacSpiProvider? {
+            @OptIn(InternalKotlinCryptoApi::class)
+            return KC_ANDROID_SDK_INT?.let { sdkInt ->
+                if (sdkInt in 21..23) {
+                    AndroidApi21to23MacSpiProvider(engine, algorithm)
+                } else {
+                    null
+                }
+            }
+        }
+    }
+}

library/mac/src/jvmTest/kotlin/org/kotlincrypto/core/JvmMacUnitTest.kt

@@ -15,15 +15,24 @@
  **/
 package org.kotlincrypto.core
 
+import junit.framework.TestCase.assertEquals
 import java.security.InvalidKeyException
 import javax.crypto.spec.SecretKeySpec
 import kotlin.test.Test
+import kotlin.test.assertNull
 import kotlin.test.fail
 
 class JvmMacUnitTest {
 
     private val key = ByteArray(20) { it.toByte() }
 
+    @Test
+    fun givenJvm_whenNotAndroid_providerIsNotSet() {
+        val mac = TestMac(key, "My Algorithm", doFinal = { key })
+        assertEquals(key, mac.doFinal())
+        assertNull(mac.provider)
+    }
+
     @Test
     fun givenJvm_whenJavaxCryptoMacInitInvoked_thenThrowsException() {
         val mac = TestMac(key, "My Algorithm")

test-android/src/androidInstrumentedTest/kotlin/org/kotlincrypto/test/AndroidMacTest.kt

@@ -17,28 +17,44 @@
 
 package org.kotlincrypto.test
 
+import android.os.Build
 import org.kotlincrypto.core.InternalKotlinCryptoApi
 import org.kotlincrypto.core.Mac
+import java.security.NoSuchAlgorithmException
+import java.security.NoSuchProviderException
+import java.security.Provider
 import javax.crypto.spec.SecretKeySpec
-import kotlin.test.Test
+import kotlin.test.*
 
 class AndroidMacTest {
 
+    private val key = ByteArray(50) { it.toByte() }
+
     @OptIn(InternalKotlinCryptoApi::class)
     class TestMac: Mac {
 
-        constructor(key: ByteArray): this(Engine("HmacSHA256", key))
+        private val engine: Engine
+
+        fun updateCount(): Int = engine.count
 
-        private constructor(engine: Engine): super(engine.algorithm, engine)
+        constructor(key: ByteArray): this(Engine("Anything????", key))
+
+        private constructor(engine: Engine): super(engine.algorithm, engine) {
+            this.engine = engine
+        }
 
         private class Engine: Mac.Engine {
 
+            var count = 0
             val algorithm: String
             val delegate: javax.crypto.Mac
 
             constructor(algorithm: String, key: ByteArray): super(key) {
                 this.algorithm = algorithm
-                this.delegate = getInstance(algorithm)
+
+                // Use HmacSHA256 for the tests such that we can get a non-static
+                // result.
+                this.delegate = getInstance("HmacSHA256")
                 this.delegate.init(SecretKeySpec(key, "HmacSHA256"))
             }
 
@@ -53,6 +69,7 @@ class AndroidMacTest {
 
             override fun update(input: ByteArray, offset: Int, len: Int) {
                 delegate.update(input, offset, len)
+                count++
             }
 
             override fun doFinal(): ByteArray = delegate.doFinal()
@@ -65,9 +82,78 @@ class AndroidMacTest {
     }
 
     @Test
-    fun givenAndroid_whenMacInstantiated_thenPasses() {
-        // https://github.com/KotlinCrypto/core/issues/37
-        val key = ByteArray(50) { it.toByte() }
-        TestMac(key).doFinal()
+    fun givenAndroid_whenMacInstantiated_thenUsesProvidedEngine() {
+        val testMac = TestMac(key)
+        testMac.apply { update(key) }.doFinal()
+
+        assertEquals(1, testMac.updateCount())
+    }
+
+    @Test
+    fun givenAndroid_whenApi23OrBelow_thenUsesProvider() {
+        val provider = TestMac(key).provider
+        if (Build.VERSION.SDK_INT in 21..23) {
+            assertNotNull(provider)
+        } else {
+            assertNull(provider)
+        }
+    }
+
+    @Test
+    fun givenAndroid_whenProvider_getServiceThrowsException() {
+        val (mac, provider) = testMacAndProviderOrNull() ?: return
+
+        try {
+            provider.getService("Mac", mac.algorithm)
+            fail()
+        } catch (_: NoSuchAlgorithmException) {
+            // pass
+        }
+    }
+
+    @Test
+    fun givenAndroid_whenMacGetInstanceForAlgorithm_thenIsNotCachedInMacSERVICE() {
+        val (mac, _) = testMacAndProviderOrNull() ?: return
+
+        try {
+            javax.crypto.Mac.getInstance(mac.algorithm)
+            fail()
+        } catch (_: NoSuchAlgorithmException) {
+            // pass
+        }
+    }
+
+    @Test
+    fun givenAndroid_whenMacGetInstanceForAlgorithmAndProviderName_thenIsNotCachedInMacSERVICE() {
+        val (mac, provider) = testMacAndProviderOrNull() ?: return
+
+        try {
+            javax.crypto.Mac.getInstance(mac.algorithm, provider.name)
+            fail()
+        } catch (_: NoSuchProviderException) {
+            // pass
+        }
+    }
+
+    @Test
+    fun givenAndroid_whenMacGetInstanceForAlgorithmAndProvider_thenIsNotCachedInMacSERVICE() {
+        val (mac, provider) = testMacAndProviderOrNull() ?: return
+
+        try {
+            // Even if the provider is used in getInstance, the spi should
+            // be de-referenced which would return null and then throw
+            // an exception here. We do NOT want any provider apis used
+            // to obtain an instance of the spi.
+            javax.crypto.Mac.getInstance(mac.algorithm, provider)
+            fail()
+        } catch (_: NoSuchAlgorithmException) {
+            // pass
+        }
+    }
+
+    private fun testMacAndProviderOrNull(): Pair<Mac, Provider>? {
+        val mac = TestMac(key)
+        val provider = mac.provider ?: return null
+        return Pair(mac, provider)
     }
 }