Implement cleaner in remaining algorithms (#944)

Removes the deprecated finalize() method from the non key algorithms and
implements a runnable function to handle native memory cleanup in their
places.

Signed-off-by: Sabrina Lee <[email protected]>
Co-authored-by: Sabrina Lee <[email protected]>

Author: sabrinajlee

src/main/java/com/ibm/crypto/plus/provider/AESCCMCipher.java

@@ -106,6 +106,8 @@ public AESCCMCipher(OpenJCEPlusProvider provider) {
             throw provider.providerException("Failed to initialize cipher context", e);
         }
         buffer = new byte[AES_BLOCK_SIZE * 2];
+
+        this.provider.registerCleanable(this, cleanOCKResources(Key, ockContext));
     }
 
 
@@ -732,25 +734,6 @@ int getMode() {
         return (encrypting) ? Cipher.ENCRYPT_MODE : Cipher.DECRYPT_MODE;
     }
 
-
-    @Override
-    protected synchronized void finalize() throws Throwable {
-        //final String methodName = "finalize";
-        // OCKDebug.Msg (debPrefix, methodName, "finalize called");
-        try {
-            if (ockContext != null) {
-                CCMCipher.doCCM_cleanup(ockContext);
-            }
-            if (Key != null) {
-                Arrays.fill(Key, (byte) 0x00);
-                Key = null;
-            }
-        } finally {
-            super.finalize();
-        }
-    }
-
-
     private void checkReinit() {
         if (requireReinit) {
             throw new IllegalStateException(
@@ -790,4 +773,22 @@ protected int engineUpdate(ByteBuffer input, ByteBuffer output) throws ShortBuff
                 "engineUpdate is not supported for AESCCM.  Only engineDoFinal is supported.");
     }
 
+    private Runnable cleanOCKResources(byte[] Key, OCKContext ockContext) {
+        return() -> {
+            try {
+                if (ockContext != null) {
+                    CCMCipher.doCCM_cleanup(ockContext);
+                }
+                if (Key != null) {
+                    Arrays.fill(Key, (byte) 0x00);
+                }
+            } catch (Exception e) {
+                if (OpenJCEPlusProvider.getDebug() != null) {
+                    OpenJCEPlusProvider.getDebug().println("An error occurred while cleaning : " + e.getMessage());
+                    e.printStackTrace();
+                }
+            }
+        };
+    }
+
 } // End of class

src/main/java/com/ibm/crypto/plus/provider/AESCipher.java

@@ -296,7 +296,7 @@ private void internalInit(int opmode, Key key, byte[] iv) throws InvalidKeyExcep
         try {
             if ((symmetricCipher == null) || (symmetricCipher.getKeyLength() != rawKey.length)) {
                 symmetricCipher = SymmetricCipher.getInstanceAES(provider.getOCKContext(), mode,
-                        padding, rawKey.length);
+                        padding, rawKey.length, provider);
                 // Check whether used algorithm is CBC and whether hardware supports is available
                 use_z_fast_command = symmetricCipher.getHardwareSupportStatus();
             }

src/main/java/com/ibm/crypto/plus/provider/AESGCMCipher.java

@@ -144,6 +144,8 @@ public AESGCMCipher(OpenJCEPlusProvider provider) {
             throw provider.providerException("Failed to initialize cipher context", e);
         }
         buffer = new byte[AES_BLOCK_SIZE * 2];
+
+        this.provider.registerCleanable(this, cleanOCKResources(Key));
     }
 
 
@@ -333,7 +335,7 @@ protected int engineDoFinal(byte[] input, int inputOffset, int inputLen, byte[]
                 }
 
                 int ret = GCMCipher.doGCMFinal_Encrypt(ockContext, Key, IV, tagLenInBytes, input,
-                        inputOffset, inputLen, output, outputOffset, authData);
+                        inputOffset, inputLen, output, outputOffset, authData, provider);
                 authData = null; // Before returning from doFinal(), restore AAD to uninitialized state
 
                 if (generateIV) {
@@ -356,7 +358,7 @@ protected int engineDoFinal(byte[] input, int inputOffset, int inputLen, byte[]
                 }
 
                 int ret = GCMCipher.doGCMFinal_Decrypt(ockContext, Key, IV, tagLenInBytes, input,
-                        inputOffset, inputLen, output, outputOffset, authData);
+                        inputOffset, inputLen, output, outputOffset, authData, provider);
                 authData = null; // Before returning from doFinal(), restore AAD to uninitialized state
                 return ret;
             }
@@ -989,7 +991,7 @@ protected int doUpdate(byte[] input, int inputOffset, int inputLen, byte[] outpu
                 if (!encrypting) {
                     // OCKDebug.Msg(debPrefix, methodName, "Calling do_GCM_InitForUpdateDecrypt");
                     outLen = GCMCipher.do_GCM_InitForUpdateDecrypt(ockContext, Key, IV,
-                            tagLenInBytes, buffer, 0, len, output, outputOffset, authData);
+                            tagLenInBytes, buffer, 0, len, output, outputOffset, authData, provider);
                     // OCKDebug.Msg(debPrefix, methodName, "returning ret from
                     // InitForUpdateDecrypt=" + outLen);
                 } else {
@@ -1007,7 +1009,7 @@ protected int doUpdate(byte[] input, int inputOffset, int inputLen, byte[] outpu
                     }
                     // OCKDebug.Msg(debPrefix, methodName, "Calling do_GCM_InitForUpdateEncrypt");
                     outLen = GCMCipher.do_GCM_InitForUpdateEncrypt(ockContext, Key, IV,
-                            tagLenInBytes, buffer, 0, len, output, outputOffset, authData);
+                            tagLenInBytes, buffer, 0, len, output, outputOffset, authData, provider);
                     // OCKDebug.Msg(debPrefix, methodName, "returning ret from
                     // InitForUpdateEncrypt=" + outLen);
                 }
@@ -1043,7 +1045,7 @@ protected int doUpdate(byte[] input, int inputOffset, int inputLen, byte[] outpu
                         // GCMCipher.do_GCM_UpdateDecrypt");
 
                         outLen = GCMCipher.do_GCM_UpdForUpdateDecrypt(ockContext, Key, IV,
-                                tagLenInBytes, buffer, 0, len, output, outputOffset, authData);
+                                tagLenInBytes, buffer, 0, len, output, outputOffset, authData, provider);
 
                         // OCKDebug.Msg(debPrefix, methodName, "returning ret from
                         // GCMCipher.do_GCM_UpdForUpdateDecrypt=" + outLen);
@@ -1055,7 +1057,7 @@ protected int doUpdate(byte[] input, int inputOffset, int inputLen, byte[] outpu
                         // OCKDebug.Msg(debPrefix, methodName, "FirstUpdate generateIV");
 
                         outLen = GCMCipher.do_GCM_UpdForUpdateEncrypt(ockContext, Key, IV,
-                                tagLenInBytes, buffer, 0, len, output, outputOffset, authData);
+                                tagLenInBytes, buffer, 0, len, output, outputOffset, authData, provider);
                         // OCKDebug.Msg(debPrefix, methodName, "returning ret from
                         // GCMCipher.do_GCM_UpdForUpdateEncrypt=" + outLen);
                         // outLen = cipher.encrypt(buffer, 0, len, output, outputOffset);
@@ -1089,13 +1091,13 @@ protected int doUpdate(byte[] input, int inputOffset, int inputLen, byte[] outpu
                         if (!encrypting) {
                             outLen = GCMCipher.do_GCM_UpdForUpdateDecrypt(ockContext, Key, IV,
                                     tagLenInBytes, buffer, 0, buffered, output, outputOffset,
-                                    authData);
+                                    authData, provider);
                             // outLen = cipher.decrypt(buffer, 0, buffered, output, outputOffset);
                         } // decrypting
                         else {
                             outLen = GCMCipher.do_GCM_UpdForUpdateEncrypt(ockContext, Key, IV,
                                     tagLenInBytes, buffer, 0, buffered, output, outputOffset,
-                                    authData);
+                                    authData, provider);
                             // outLen = cipher.encrypt(buffer, 0, buffered, output, outputOffset);
                             // encrypt mode. Zero out internal (input) buffer
                             Arrays.fill(buffer, (byte) 0x00);
@@ -1110,15 +1112,15 @@ protected int doUpdate(byte[] input, int inputOffset, int inputLen, byte[] outpu
 
                             outLen += GCMCipher.do_GCM_UpdForUpdateDecrypt(ockContext, Key, IV,
                                     tagLenInBytes, input, inputOffset, inputConsumed, output,
-                                    outputOffset, authData);
+                                    outputOffset, authData, provider);
                             // outLen += cipher.decrypt(input, inputOffset, inputConsumed,
                             // output, outputOffset);
                         } else {
 
 
                             outLen += GCMCipher.do_GCM_UpdForUpdateEncrypt(ockContext, Key, IV,
                                     tagLenInBytes, input, inputOffset, inputConsumed, output,
-                                    outputOffset, authData);
+                                    outputOffset, authData, provider);
 
                         }
                         inputOffset += inputConsumed;
@@ -1272,13 +1274,13 @@ private int finalNoPadding(byte[] in, int inOfs, byte[] out, int outOfs, int len
 
         if (!encrypting) {
             outLen = GCMCipher.do_GCM_FinalForUpdateDecrypt(ockContext, Key, IV, tagLenInBytes, in,
-                    inOfs, len, out, outOfs, authData);
+                    inOfs, len, out, outOfs, authData, provider);
             // OCKDebug.Msg(debPrefix, methodName, "outLen from
             // GCMCipher.do_GCM_FinalForUpdateDecrypt=" + outLen);
 
         } else {
             outLen = GCMCipher.do_GCM_FinalForUpdateEncrypt(ockContext, Key, IV, tagLenInBytes, in,
-                    inOfs, len, out, outOfs, authData);
+                    inOfs, len, out, outOfs, authData, provider);
             // OCKDebug.Msg(debPrefix, methodName, "outLen from
             // GCMCipher.do_GCM_FinalForUpdateEncrypt=" + outLen);
 
@@ -1413,22 +1415,6 @@ private void endDoFinal() {
         diffBlocksize = blockSize;
     }
 
-    @Override
-    protected synchronized void finalize() throws Throwable {
-        //final String methodName = "finalize";
-        // OCKDebug.Msg (debPrefix, methodName, "finalize called");
-        try {
-
-            //JS00684 - Leave cleanup of internal variables to GCMCipher that caches them
-            if (Key != null) {
-                Arrays.fill(Key, (byte) 0x00);
-                Key = null;
-            }
-        } finally {
-            super.finalize();
-        }
-    }
-
     private void checkReinit() {
         if (requireReinit) {
             throw new IllegalStateException(
@@ -1467,4 +1453,20 @@ private void resetVars(boolean afterFailure) {
         this.buffered = 0;
         Arrays.fill(buffer, (byte) 0x0);
     }
+
+    private Runnable cleanOCKResources(byte[] Key) {
+        return() -> {
+            try {
+                //JS00684 - Leave cleanup of internal variables to GCMCipher that caches them
+                if (Key != null) {
+                    Arrays.fill(Key, (byte) 0x00);
+                }
+            } catch (Exception e) {
+                if (OpenJCEPlusProvider.getDebug() != null) {
+                    OpenJCEPlusProvider.getDebug().println("An error occurred while cleaning : " + e.getMessage());
+                    e.printStackTrace();
+                }
+            }
+        };
+    }
 }

src/main/java/com/ibm/crypto/plus/provider/ChaCha20Cipher.java

@@ -232,7 +232,7 @@ private void internalInit(int opmode, Key newKey, byte[] newNonceBytes, int newC
         try {
             if (symmetricCipher == null) {
                 symmetricCipher = SymmetricCipher.getInstanceChaCha20(provider.getOCKContext(),
-                        padding);
+                        padding, provider);
             }
 
             if (isEncrypt) {

src/main/java/com/ibm/crypto/plus/provider/ChaCha20Poly1305Cipher.java

@@ -328,7 +328,7 @@ private void internalInit(int opmode, Key newKey, byte[] newNonceBytes)
         try {
             if (poly1305Cipher == null) {
                 poly1305Cipher = Poly1305Cipher.getInstance(provider.getOCKContext(),
-                        OCK_CHACHA20_POLY1305, padding);
+                        OCK_CHACHA20_POLY1305, padding, provider);
             }
 
             if (this.encrypting) {

src/main/java/com/ibm/crypto/plus/provider/DESedeCipher.java

@@ -240,7 +240,7 @@ private void internalInit(int opmode, Key key, byte[] iv) throws InvalidKeyExcep
         try {
             if (symmetricCipher == null) {
                 symmetricCipher = SymmetricCipher.getInstanceDESede(provider.getOCKContext(), mode,
-                        padding);
+                        padding, provider);
             }
 
             if (isEncrypt) {

src/main/java/com/ibm/crypto/plus/provider/HASHDRBG.java

@@ -1,5 +1,5 @@
 /*
- * Copyright IBM Corp. 2023
+ * Copyright IBM Corp. 2023, 2025
  *
  * This code is free software; you can redistribute it and/or modify it
  * under the terms provided by IBM in the LICENSE file that accompanied
@@ -33,7 +33,7 @@ protected HASHDRBG(OpenJCEPlusProvider provider, String ockRandomAlgo) {
         this.randomAlgo = ockRandomAlgo;
         basicRandom = BasicRandom.getInstance(provider.getOCKContext());
         try {
-            extendedRandom = ExtendedRandom.getInstance(provider.getOCKContext(), ockRandomAlgo);
+            extendedRandom = ExtendedRandom.getInstance(provider.getOCKContext(), ockRandomAlgo, provider);
         } catch (Exception e) {
             throw provider.providerException("Failed to get HASHDRBG algorithm", e);
         }
@@ -89,7 +89,7 @@ private void readObject(java.io.ObjectInputStream s)
         basicRandom = BasicRandom.getInstance(provider.getOCKContext());
         try {
             // Recreate OCK object per tag [SERIALIZATION] in DesignNotes.txt
-            extendedRandom = ExtendedRandom.getInstance(provider.getOCKContext(), randomAlgo);
+            extendedRandom = ExtendedRandom.getInstance(provider.getOCKContext(), randomAlgo, provider);
         } catch (Exception e) {
             throw provider.providerException("Failed to get HASHDRBG algorithm", e);
         }

src/main/java/com/ibm/crypto/plus/provider/HKDFGenerator.java

@@ -49,7 +49,7 @@ public HKDFGenerator(OpenJCEPlusProvider provider, String digestAlgorithm)
         this.provider = provider;
         this.digestAlgorithm = digestAlgorithm;
         try {
-            hkdfObj = HKDF.getInstance(this.provider.getOCKContext(), this.digestAlgorithm);
+            hkdfObj = HKDF.getInstance(this.provider.getOCKContext(), this.digestAlgorithm, provider);
             hkdfLen = hkdfObj.getMacLength();
         } catch (Exception ex) {
             throw new NoSuchAlgorithmException("cannot initialize hkdf");

src/main/java/com/ibm/crypto/plus/provider/HKDFKeyDerivation.java

@@ -76,7 +76,7 @@ private HKDFKeyDerivation(OpenJCEPlusProvider provider, SupportedHmac supportedH
         this.digestAlgName = supportedHmac.digestAlg;
         this.hmacLen = supportedHmac.hmacLen;
         try {
-            hkdfObj = HKDF.getInstance(this.provider.getOCKContext(), this.digestAlgName);
+            hkdfObj = HKDF.getInstance(this.provider.getOCKContext(), this.digestAlgName, provider);
             if (hkdfObj.getMacLength() != this.hmacLen) {
                 throw new ProviderException("Mismatch between expected and OCK provided HMAC length");
             }

src/main/java/com/ibm/crypto/plus/provider/HmacCore.java

@@ -25,7 +25,7 @@ abstract class HmacCore extends MacSpi {
     HmacCore(OpenJCEPlusProvider provider, String ockDigestAlgo, int blockLength) {
         try {
             this.provider = provider;
-            this.hmac = HMAC.getInstance(provider.getOCKContext(), ockDigestAlgo);
+            this.hmac = HMAC.getInstance(provider.getOCKContext(), ockDigestAlgo, provider);
         } catch (Exception e) {
             throw provider.providerException("Failure in HmacCore", e);
         }