summary refs log tree commit diff
path: root/crypto
diff options
context:
space:
mode:
authorPeter Dettman <peter.dettman@bouncycastle.org>2016-04-29 18:44:27 +0700
committerPeter Dettman <peter.dettman@bouncycastle.org>2016-04-29 18:44:27 +0700
commit6e8dbc336ca82ff68bc59a846749ccc8d3ab176e (patch)
tree8bfd130467a344e2e67a378d0198603c160fb71f /crypto
parentFix XML comment (diff)
downloadBouncyCastle.NET-ed25519-6e8dbc336ca82ff68bc59a846749ccc8d3ab176e.tar.xz
Port of HKDF from Java API
Diffstat (limited to 'crypto')
-rw-r--r--crypto/BouncyCastle.Android.csproj2
-rw-r--r--crypto/BouncyCastle.csproj2
-rw-r--r--crypto/BouncyCastle.iOS.csproj2
-rw-r--r--crypto/crypto.csproj15
-rw-r--r--crypto/src/crypto/generators/HKDFBytesGenerator.cs153
-rw-r--r--crypto/src/crypto/parameters/HKDFParameters.cs119
-rw-r--r--crypto/test/UnitTests.csproj1
-rw-r--r--crypto/test/src/crypto/test/HKDFGeneratorTest.cs310
-rw-r--r--crypto/test/src/crypto/test/RegressionTest.cs1
9 files changed, 605 insertions, 0 deletions
diff --git a/crypto/BouncyCastle.Android.csproj b/crypto/BouncyCastle.Android.csproj
index 0b6f376bf..309298614 100644
--- a/crypto/BouncyCastle.Android.csproj
+++ b/crypto/BouncyCastle.Android.csproj
@@ -639,6 +639,7 @@
     <Compile Include="src\crypto\engines\SerpentEngineBase.cs" />
     <Compile Include="src\crypto\engines\TnepresEngine.cs" />
     <Compile Include="src\crypto\generators\BCrypt.cs" />
+    <Compile Include="src\crypto\generators\HKDFBytesGenerator.cs" />
     <Compile Include="src\crypto\generators\OpenBsdBCrypt.cs" />
     <Compile Include="src\crypto\IAsymmetricBlockCipher.cs" />
     <Compile Include="src\crypto\IAsymmetricCipherKeyPairGenerator.cs" />
@@ -668,6 +669,7 @@
     <Compile Include="src\crypto\KeyGenerationParameters.cs" />
     <Compile Include="src\crypto\MaxBytesExceededException.cs" />
     <Compile Include="src\crypto\OutputLengthException.cs" />
+    <Compile Include="src\crypto\parameters\HKDFParameters.cs" />
     <Compile Include="src\crypto\PbeParametersGenerator.cs" />
     <Compile Include="src\crypto\prng\BasicEntropySourceProvider.cs" />
     <Compile Include="src\crypto\prng\CryptoApiEntropySourceProvider.cs" />
diff --git a/crypto/BouncyCastle.csproj b/crypto/BouncyCastle.csproj
index 5f0a58ad8..90c067007 100644
--- a/crypto/BouncyCastle.csproj
+++ b/crypto/BouncyCastle.csproj
@@ -633,6 +633,7 @@
     <Compile Include="src\crypto\engines\SerpentEngineBase.cs" />
     <Compile Include="src\crypto\engines\TnepresEngine.cs" />
     <Compile Include="src\crypto\generators\BCrypt.cs" />
+    <Compile Include="src\crypto\generators\HKDFBytesGenerator.cs" />
     <Compile Include="src\crypto\generators\OpenBsdBCrypt.cs" />
     <Compile Include="src\crypto\IAsymmetricBlockCipher.cs" />
     <Compile Include="src\crypto\IAsymmetricCipherKeyPairGenerator.cs" />
@@ -662,6 +663,7 @@
     <Compile Include="src\crypto\KeyGenerationParameters.cs" />
     <Compile Include="src\crypto\MaxBytesExceededException.cs" />
     <Compile Include="src\crypto\OutputLengthException.cs" />
+    <Compile Include="src\crypto\parameters\HKDFParameters.cs" />
     <Compile Include="src\crypto\PbeParametersGenerator.cs" />
     <Compile Include="src\crypto\prng\BasicEntropySourceProvider.cs" />
     <Compile Include="src\crypto\prng\CryptoApiEntropySourceProvider.cs" />
diff --git a/crypto/BouncyCastle.iOS.csproj b/crypto/BouncyCastle.iOS.csproj
index eeaf3bb12..88fb1747e 100644
--- a/crypto/BouncyCastle.iOS.csproj
+++ b/crypto/BouncyCastle.iOS.csproj
@@ -634,6 +634,7 @@
     <Compile Include="src\crypto\engines\SerpentEngineBase.cs" />
     <Compile Include="src\crypto\engines\TnepresEngine.cs" />
     <Compile Include="src\crypto\generators\BCrypt.cs" />
+    <Compile Include="src\crypto\generators\HKDFBytesGenerator.cs" />
     <Compile Include="src\crypto\generators\OpenBsdBCrypt.cs" />
     <Compile Include="src\crypto\IAsymmetricBlockCipher.cs" />
     <Compile Include="src\crypto\IAsymmetricCipherKeyPairGenerator.cs" />
@@ -663,6 +664,7 @@
     <Compile Include="src\crypto\KeyGenerationParameters.cs" />
     <Compile Include="src\crypto\MaxBytesExceededException.cs" />
     <Compile Include="src\crypto\OutputLengthException.cs" />
+    <Compile Include="src\crypto\parameters\HKDFParameters.cs" />
     <Compile Include="src\crypto\PbeParametersGenerator.cs" />
     <Compile Include="src\crypto\prng\BasicEntropySourceProvider.cs" />
     <Compile Include="src\crypto\prng\CryptoApiEntropySourceProvider.cs" />
diff --git a/crypto/crypto.csproj b/crypto/crypto.csproj
index 6ab8faf50..580aa7390 100644
--- a/crypto/crypto.csproj
+++ b/crypto/crypto.csproj
@@ -3794,6 +3794,11 @@
                     BuildAction = "Compile"
                 />
                 <File
+                    RelPath = "src\crypto\generators\HKDFBytesGenerator.cs"
+                    SubType = "Code"
+                    BuildAction = "Compile"
+                />
+                <File
                     RelPath = "src\crypto\generators\KDF1BytesGenerator.cs"
                     SubType = "Code"
                     BuildAction = "Compile"
@@ -4244,6 +4249,11 @@
                     BuildAction = "Compile"
                 />
                 <File
+                    RelPath = "src\crypto\parameters\HKDFParameters.cs"
+                    SubType = "Code"
+                    BuildAction = "Compile"
+                />
+                <File
                     RelPath = "src\crypto\parameters\IESParameters.cs"
                     SubType = "Code"
                     BuildAction = "Compile"
@@ -11450,6 +11460,11 @@
                     BuildAction = "Compile"
                 />
                 <File
+                    RelPath = "test\src\crypto\test\HKDFGeneratorTest.cs"
+                    SubType = "Code"
+                    BuildAction = "Compile"
+                />
+                <File
                     RelPath = "test\src\crypto\test\IDEATest.cs"
                     SubType = "Code"
                     BuildAction = "Compile"
diff --git a/crypto/src/crypto/generators/HKDFBytesGenerator.cs b/crypto/src/crypto/generators/HKDFBytesGenerator.cs
new file mode 100644
index 000000000..c2e667c95
--- /dev/null
+++ b/crypto/src/crypto/generators/HKDFBytesGenerator.cs
@@ -0,0 +1,153 @@
+using System;
+
+using Org.BouncyCastle.Crypto.Macs;
+using Org.BouncyCastle.Crypto.Parameters;
+using Org.BouncyCastle.Utilities;
+
+namespace Org.BouncyCastle.Crypto.Generators
+{
+    /**
+     * HMAC-based Extract-and-Expand Key Derivation Function (HKDF) implemented
+     * according to IETF RFC 5869, May 2010 as specified by H. Krawczyk, IBM
+     * Research &amp; P. Eronen, Nokia. It uses a HMac internally to compute de OKM
+     * (output keying material) and is likely to have better security properties
+     * than KDF's based on just a hash function.
+     */
+    public class HkdfBytesGenerator
+        : IDerivationFunction
+    {
+        private HMac hMacHash;
+        private int hashLen;
+
+        private byte[] info;
+        private byte[] currentT;
+
+        private int generatedBytes;
+
+        /**
+         * Creates a HKDFBytesGenerator based on the given hash function.
+         *
+         * @param hash the digest to be used as the source of generatedBytes bytes
+         */
+        public HkdfBytesGenerator(IDigest hash)
+        {
+            this.hMacHash = new HMac(hash);
+            this.hashLen = hash.GetDigestSize();
+        }
+
+        public virtual void Init(IDerivationParameters parameters)
+        {
+            if (!(parameters is HkdfParameters))
+                throw new ArgumentException("HKDF parameters required for HkdfBytesGenerator", "parameters");
+
+            HkdfParameters hkdfParameters = (HkdfParameters)parameters;
+            if (hkdfParameters.SkipExtract)
+            {
+                // use IKM directly as PRK
+                hMacHash.Init(new KeyParameter(hkdfParameters.GetIkm()));
+            }
+            else
+            {
+                hMacHash.Init(Extract(hkdfParameters.GetSalt(), hkdfParameters.GetIkm()));
+            }
+
+            info = hkdfParameters.GetInfo();
+
+            generatedBytes = 0;
+            currentT = new byte[hashLen];
+        }
+
+        /**
+         * Performs the extract part of the key derivation function.
+         *
+         * @param salt the salt to use
+         * @param ikm  the input keying material
+         * @return the PRK as KeyParameter
+         */
+        private KeyParameter Extract(byte[] salt, byte[] ikm)
+        {
+            hMacHash.Init(new KeyParameter(ikm));
+            if (salt == null)
+            {
+                // TODO check if hashLen is indeed same as HMAC size
+                hMacHash.Init(new KeyParameter(new byte[hashLen]));
+            }
+            else
+            {
+                hMacHash.Init(new KeyParameter(salt));
+            }
+
+            hMacHash.BlockUpdate(ikm, 0, ikm.Length);
+
+            byte[] prk = new byte[hashLen];
+            hMacHash.DoFinal(prk, 0);
+            return new KeyParameter(prk);
+        }
+
+        /**
+         * Performs the expand part of the key derivation function, using currentT
+         * as input and output buffer.
+         *
+         * @throws DataLengthException if the total number of bytes generated is larger than the one
+         * specified by RFC 5869 (255 * HashLen)
+         */
+        private void ExpandNext()
+        {
+            int n = generatedBytes / hashLen + 1;
+            if (n >= 256)
+            {
+                throw new DataLengthException(
+                    "HKDF cannot generate more than 255 blocks of HashLen size");
+            }
+            // special case for T(0): T(0) is empty, so no update
+            if (generatedBytes != 0)
+            {
+                hMacHash.BlockUpdate(currentT, 0, hashLen);
+            }
+            hMacHash.BlockUpdate(info, 0, info.Length);
+            hMacHash.Update((byte)n);
+            hMacHash.DoFinal(currentT, 0);
+        }
+
+        public virtual IDigest Digest
+        {
+            get { return hMacHash.GetUnderlyingDigest(); }
+        }
+
+        public virtual int GenerateBytes(byte[] output, int outOff, int len)
+        {
+            if (generatedBytes + len > 255 * hashLen)
+            {
+                throw new DataLengthException(
+                    "HKDF may only be used for 255 * HashLen bytes of output");
+            }
+
+            if (generatedBytes % hashLen == 0)
+            {
+                ExpandNext();
+            }
+
+            // copy what is left in the currentT (1..hash
+            int toGenerate = len;
+            int posInT = generatedBytes % hashLen;
+            int leftInT = hashLen - generatedBytes % hashLen;
+            int toCopy = System.Math.Min(leftInT, toGenerate);
+            Array.Copy(currentT, posInT, output, outOff, toCopy);
+            generatedBytes += toCopy;
+            toGenerate -= toCopy;
+            outOff += toCopy;
+
+            while (toGenerate > 0)
+            {
+                ExpandNext();
+                toCopy = System.Math.Min(hashLen, toGenerate);
+                Array.Copy(currentT, 0, output, outOff, toCopy);
+                generatedBytes += toCopy;
+                toGenerate -= toCopy;
+                outOff += toCopy;
+            }
+
+            return len;
+        }
+    }
+}
diff --git a/crypto/src/crypto/parameters/HKDFParameters.cs b/crypto/src/crypto/parameters/HKDFParameters.cs
new file mode 100644
index 000000000..6d1465e4c
--- /dev/null
+++ b/crypto/src/crypto/parameters/HKDFParameters.cs
@@ -0,0 +1,119 @@
+using System;
+
+using Org.BouncyCastle.Crypto.Macs;
+using Org.BouncyCastle.Utilities;
+
+namespace Org.BouncyCastle.Crypto.Parameters
+{
+    /**
+     * Parameter class for the HkdfBytesGenerator class.
+     */
+    public class HkdfParameters
+        : IDerivationParameters
+    {
+        private readonly byte[] ikm;
+        private readonly bool skipExpand;
+        private readonly byte[] salt;
+        private readonly byte[] info;
+
+        private HkdfParameters(byte[] ikm, bool skip, byte[] salt, byte[] info)
+        {
+            if (ikm == null)
+                throw new ArgumentNullException("ikm");
+
+            this.ikm = Arrays.Clone(ikm);
+            this.skipExpand = skip;
+
+            if (salt == null || salt.Length == 0)
+            {
+                this.salt = null;
+            }
+            else
+            {
+                this.salt = Arrays.Clone(salt);
+            }
+
+            if (info == null)
+            {
+                this.info = new byte[0];
+            }
+            else
+            {
+                this.info = Arrays.Clone(info);
+            }
+        }
+
+        /**
+         * Generates parameters for HKDF, specifying both the optional salt and
+         * optional info. Step 1: Extract won't be skipped.
+         *
+         * @param ikm  the input keying material or seed
+         * @param salt the salt to use, may be null for a salt for hashLen zeros
+         * @param info the info to use, may be null for an info field of zero bytes
+         */
+        public HkdfParameters(byte[] ikm, byte[] salt, byte[] info)
+            : this(ikm, false, salt, info)
+        {
+        }
+
+        /**
+         * Factory method that makes the HKDF skip the extract part of the key
+         * derivation function.
+         *
+         * @param ikm  the input keying material or seed, directly used for step 2:
+         *             Expand
+         * @param info the info to use, may be null for an info field of zero bytes
+         * @return HKDFParameters that makes the implementation skip step 1
+         */
+        public static HkdfParameters SkipExtractParameters(byte[] ikm, byte[] info)
+        {
+            return new HkdfParameters(ikm, true, null, info);
+        }
+
+        public static HkdfParameters DefaultParameters(byte[] ikm)
+        {
+            return new HkdfParameters(ikm, false, null, null);
+        }
+
+        /**
+         * Returns the input keying material or seed.
+         *
+         * @return the keying material
+         */
+        public virtual byte[] GetIkm()
+        {
+            return Arrays.Clone(ikm);
+        }
+
+        /**
+         * Returns if step 1: extract has to be skipped or not
+         *
+         * @return true for skipping, false for no skipping of step 1
+         */
+        public virtual bool SkipExtract
+        {
+            get { return skipExpand; }
+        }
+
+        /**
+         * Returns the salt, or null if the salt should be generated as a byte array
+         * of HashLen zeros.
+         *
+         * @return the salt, or null
+         */
+        public virtual byte[] GetSalt()
+        {
+            return Arrays.Clone(salt);
+        }
+
+        /**
+         * Returns the info field, which may be empty (null is converted to empty).
+         *
+         * @return the info field, never null
+         */
+        public virtual byte[] GetInfo()
+        {
+            return Arrays.Clone(info);
+        }
+    }
+}
diff --git a/crypto/test/UnitTests.csproj b/crypto/test/UnitTests.csproj
index d3250d89a..b4c53092b 100644
--- a/crypto/test/UnitTests.csproj
+++ b/crypto/test/UnitTests.csproj
@@ -193,6 +193,7 @@
     <Compile Include="src\crypto\test\GcmReorderTest.cs" />
     <Compile Include="src\crypto\test\HCFamilyTest.cs" />
     <Compile Include="src\crypto\test\HCFamilyVecTest.cs" />
+    <Compile Include="src\crypto\test\HKDFGeneratorTest.cs" />
     <Compile Include="src\crypto\test\IDEATest.cs" />
     <Compile Include="src\crypto\test\ISAACTest.cs" />
     <Compile Include="src\crypto\test\ISO9796Test.cs" />
diff --git a/crypto/test/src/crypto/test/HKDFGeneratorTest.cs b/crypto/test/src/crypto/test/HKDFGeneratorTest.cs
new file mode 100644
index 000000000..d6e2149df
--- /dev/null
+++ b/crypto/test/src/crypto/test/HKDFGeneratorTest.cs
@@ -0,0 +1,310 @@
+using System;
+
+using NUnit.Framework;
+
+using Org.BouncyCastle.Crypto.Digests;
+using Org.BouncyCastle.Crypto.Generators;
+using Org.BouncyCastle.Crypto.Parameters;
+
+using Org.BouncyCastle.Utilities.Encoders;
+using Org.BouncyCastle.Utilities.Test;
+
+namespace Org.BouncyCastle.Crypto.Tests
+{
+    /**
+     * HKDF tests - vectors from RFC 5869, + 2 more, 101 and 102
+     */
+    [TestFixture]
+    public class HkdfGeneratorTest
+        : SimpleTest
+    {
+        public HkdfGeneratorTest()
+        {
+        }
+
+        private void CompareOkm(int test, byte[] calculatedOkm, byte[] testOkm)
+        {
+            if (!AreEqual(calculatedOkm, testOkm))
+            {
+                Fail("HKDF failed generator test " + test);
+            }
+        }
+
+        public override void PerformTest()
+        {
+            {
+                // === A.1. Test Case 1 - Basic test case with SHA-256 ===
+
+                IDigest hash = new Sha256Digest();
+                byte[] ikm = Hex.Decode("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b");
+                byte[] salt = Hex.Decode("000102030405060708090a0b0c");
+                byte[] info = Hex.Decode("f0f1f2f3f4f5f6f7f8f9");
+                int l = 42;
+                byte[] okm = new byte[l];
+
+                HkdfParameters parameters = new HkdfParameters(ikm, salt, info);
+
+                HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash);
+                hkdf.Init(parameters);
+                hkdf.GenerateBytes(okm, 0, l);
+
+                CompareOkm(1, okm, Hex.Decode(
+                    "3cb25f25faacd57a90434f64d0362f2a" +
+                    "2d2d0a90cf1a5a4c5db02d56ecc4c5bf" +
+                    "34007208d5b887185865"));
+            }
+
+            // === A.2. Test Case 2 - Test with SHA-256 and longer inputs/outputs
+            // ===
+            {
+                IDigest hash = new Sha256Digest();
+                byte[] ikm = Hex.Decode("000102030405060708090a0b0c0d0e0f"
+                    + "101112131415161718191a1b1c1d1e1f"
+                    + "202122232425262728292a2b2c2d2e2f"
+                    + "303132333435363738393a3b3c3d3e3f"
+                    + "404142434445464748494a4b4c4d4e4f");
+                byte[] salt = Hex.Decode("606162636465666768696a6b6c6d6e6f"
+                    + "707172737475767778797a7b7c7d7e7f"
+                    + "808182838485868788898a8b8c8d8e8f"
+                    + "909192939495969798999a9b9c9d9e9f"
+                    + "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf");
+                byte[] info = Hex.Decode("b0b1b2b3b4b5b6b7b8b9babbbcbdbebf"
+                    + "c0c1c2c3c4c5c6c7c8c9cacbcccdcecf"
+                    + "d0d1d2d3d4d5d6d7d8d9dadbdcdddedf"
+                    + "e0e1e2e3e4e5e6e7e8e9eaebecedeeef"
+                    + "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff");
+                int l = 82;
+                byte[] okm = new byte[l];
+
+                HkdfParameters parameters = new HkdfParameters(ikm, salt, info);
+
+                HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash);
+                hkdf.Init(parameters);
+                hkdf.GenerateBytes(okm, 0, l);
+
+                CompareOkm(2, okm, Hex.Decode(
+                    "b11e398dc80327a1c8e7f78c596a4934" +
+                    "4f012eda2d4efad8a050cc4c19afa97c" +
+                    "59045a99cac7827271cb41c65e590e09" +
+                    "da3275600c2f09b8367793a9aca3db71" +
+                    "cc30c58179ec3e87c14c01d5c1f3434f" +
+                    "1d87"));
+            }
+
+            {
+                // === A.3. Test Case 3 - Test with SHA-256 and zero-length
+                // salt/info ===
+
+                // setting salt to an empty byte array means that the salt is set to
+                // HashLen zero valued bytes
+                // setting info to null generates an empty byte array as info
+                // structure
+
+                IDigest hash = new Sha256Digest();
+                byte[] ikm = Hex.Decode("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b");
+                byte[] salt = new byte[0];
+                byte[] info = null;
+                int l = 42;
+                byte[] okm = new byte[l];
+
+                HkdfParameters parameters = new HkdfParameters(ikm, salt, info);
+
+                HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash);
+                hkdf.Init(parameters);
+                hkdf.GenerateBytes(okm, 0, l);
+
+                CompareOkm(3, okm, Hex.Decode(
+                    "8da4e775a563c18f715f802a063c5a31" +
+                    "b8a11f5c5ee1879ec3454e5f3c738d2d" +
+                    "9d201395faa4b61a96c8"));
+            }
+
+            {
+                // === A.4. Test Case 4 - Basic test case with SHA-1 ===
+
+                IDigest hash = new Sha1Digest();
+                byte[] ikm = Hex.Decode("0b0b0b0b0b0b0b0b0b0b0b");
+                byte[] salt = Hex.Decode("000102030405060708090a0b0c");
+                byte[] info = Hex.Decode("f0f1f2f3f4f5f6f7f8f9");
+                int l = 42;
+                byte[] okm = new byte[l];
+
+                HkdfParameters parameters = new HkdfParameters(ikm, salt, info);
+
+                HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash);
+                hkdf.Init(parameters);
+                hkdf.GenerateBytes(okm, 0, l);
+
+                CompareOkm(4, okm, Hex.Decode(
+                    "085a01ea1b10f36933068b56efa5ad81" +
+                        "a4f14b822f5b091568a9cdd4f155fda2" +
+                        "c22e422478d305f3f896"));
+            }
+
+            // === A.5. Test Case 5 - Test with SHA-1 and longer inputs/outputs ===
+            {
+                IDigest hash = new Sha1Digest();
+                byte[] ikm = Hex.Decode("000102030405060708090a0b0c0d0e0f"
+                    + "101112131415161718191a1b1c1d1e1f"
+                    + "202122232425262728292a2b2c2d2e2f"
+                    + "303132333435363738393a3b3c3d3e3f"
+                    + "404142434445464748494a4b4c4d4e4f");
+                byte[] salt = Hex.Decode("606162636465666768696a6b6c6d6e6f"
+                    + "707172737475767778797a7b7c7d7e7f"
+                    + "808182838485868788898a8b8c8d8e8f"
+                    + "909192939495969798999a9b9c9d9e9f"
+                    + "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf");
+                byte[] info = Hex.Decode("b0b1b2b3b4b5b6b7b8b9babbbcbdbebf"
+                    + "c0c1c2c3c4c5c6c7c8c9cacbcccdcecf"
+                    + "d0d1d2d3d4d5d6d7d8d9dadbdcdddedf"
+                    + "e0e1e2e3e4e5e6e7e8e9eaebecedeeef"
+                    + "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff");
+                int l = 82;
+                byte[] okm = new byte[l];
+
+                HkdfParameters parameters = new HkdfParameters(ikm, salt, info);
+
+                HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash);
+                hkdf.Init(parameters);
+                hkdf.GenerateBytes(okm, 0, l);
+
+                CompareOkm(5, okm, Hex.Decode(
+                    "0bd770a74d1160f7c9f12cd5912a06eb" +
+                    "ff6adcae899d92191fe4305673ba2ffe" +
+                    "8fa3f1a4e5ad79f3f334b3b202b2173c" +
+                    "486ea37ce3d397ed034c7f9dfeb15c5e" +
+                    "927336d0441f4c4300e2cff0d0900b52" +
+                    "d3b4"));
+            }
+
+            {
+                // === A.6. Test Case 6 - Test with SHA-1 and zero-length salt/info
+                // ===
+
+                // setting salt to null should generate a new salt of HashLen zero
+                // valued bytes
+
+                IDigest hash = new Sha1Digest();
+                byte[] ikm = Hex.Decode("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b");
+                byte[] salt = null;
+                byte[] info = new byte[0];
+                int l = 42;
+                byte[] okm = new byte[l];
+
+                HkdfParameters parameters = new HkdfParameters(ikm, salt, info);
+
+                HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash);
+                hkdf.Init(parameters);
+                hkdf.GenerateBytes(okm, 0, l);
+
+                CompareOkm(6, okm, Hex.Decode(
+                    "0ac1af7002b3d761d1e55298da9d0506" +
+                    "b9ae52057220a306e07b6b87e8df21d0" +
+                    "ea00033de03984d34918"));
+            }
+
+            {
+                // === A.7. Test Case 7 - Test with SHA-1, salt not provided,
+                // zero-length info ===
+                // (salt defaults to HashLen zero octets)
+
+                // this test is identical to test 6 in all ways bar the IKM value
+
+                IDigest hash = new Sha1Digest();
+                byte[] ikm = Hex.Decode("0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c");
+                byte[] salt = null;
+                byte[] info = new byte[0];
+                int l = 42;
+                byte[] okm = new byte[l];
+
+                HkdfParameters parameters = new HkdfParameters(ikm, salt, info);
+
+                HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash);
+                hkdf.Init(parameters);
+                hkdf.GenerateBytes(okm, 0, l);
+
+                CompareOkm(7, okm, Hex.Decode(
+                    "2c91117204d745f3500d636a62f64f0a" +
+                    "b3bae548aa53d423b0d1f27ebba6f5e5" +
+                    "673a081d70cce7acfc48"));
+            }
+
+            {
+                // === A.101. Additional Test Case - Test with SHA-1, skipping extract
+                // zero-length info ===
+                // (salt defaults to HashLen zero octets)
+
+                // this test is identical to test 7 in all ways bar the IKM value
+                // which is set to the PRK value
+
+                IDigest hash = new Sha1Digest();
+                byte[] ikm = Hex.Decode("2adccada18779e7c2077ad2eb19d3f3e731385dd");
+                byte[] info = new byte[0];
+                int l = 42;
+                byte[] okm = new byte[l];
+
+                HkdfParameters parameters = HkdfParameters.SkipExtractParameters(ikm, info);
+
+                HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash);
+                hkdf.Init(parameters);
+                hkdf.GenerateBytes(okm, 0, l);
+
+                CompareOkm(101, okm, Hex.Decode(
+                    "2c91117204d745f3500d636a62f64f0a" +
+                    "b3bae548aa53d423b0d1f27ebba6f5e5" +
+                    "673a081d70cce7acfc48"));
+            }
+
+            {
+                // === A.102. Additional Test Case - Test with SHA-1, maximum output ===
+                // (salt defaults to HashLen zero octets)
+
+                // this test is identical to test 7 in all ways bar the IKM value
+
+                IDigest hash = new Sha1Digest();
+                byte[] ikm = Hex.Decode("2adccada18779e7c2077ad2eb19d3f3e731385dd");
+                byte[] info = new byte[0];
+                int l = 255 * hash.GetDigestSize();
+                byte[] okm = new byte[l];
+
+                HkdfParameters parameters = HkdfParameters.SkipExtractParameters(ikm, info);
+
+                HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash);
+                hkdf.Init(parameters);
+                hkdf.GenerateBytes(okm, 0, l);
+
+                int zeros = 0;
+                for (int i = 0; i < hash.GetDigestSize(); i++)
+                {
+                    if (okm[i] == 0)
+                    {
+                        zeros++;
+                    }
+                }
+
+                if (zeros == hash.GetDigestSize())
+                {
+                    Fail("HKDF failed generator test " + 102);
+                }
+            }
+        }
+
+        public override string Name
+        {
+            get { return "HKDF"; }
+        }
+
+        public static void Main(string[] args)
+        {
+            RunTest(new HkdfGeneratorTest());
+        }
+
+        [Test]
+        public void TestFunction()
+        {
+            string resultText = Perform().ToString();
+
+            Assert.AreEqual(Name + ": Okay", resultText);
+        }
+    }
+}
diff --git a/crypto/test/src/crypto/test/RegressionTest.cs b/crypto/test/src/crypto/test/RegressionTest.cs
index 3611e4e63..ba6c341d4 100644
--- a/crypto/test/src/crypto/test/RegressionTest.cs
+++ b/crypto/test/src/crypto/test/RegressionTest.cs
@@ -90,6 +90,7 @@ namespace Org.BouncyCastle.Crypto.Tests
             new Kdf1GeneratorTest(),
             new Kdf2GeneratorTest(),
             new Mgf1GeneratorTest(),
+            new HkdfGeneratorTest(),
             new DHKekGeneratorTest(),
             new ECDHKekGeneratorTest(),
             new ShortenedDigestTest(),