[todo] add AES-CCM cipher mode support via BouncyCastle (#96)

Add CCM to KNOWN_BLOCK_MODES and NO_PADDING_BLOCK_MODES, handle CCM
IV parameter spec (same as GCM via GCMParameterSpec), and add
ccm_data_len= stub for CRuby API compatibility (BC doesn't need
upfront data length since it buffers internally in doFinal).

Verified against RFC 3610 Section 8 Test Case 1 — produces identical
ciphertext and tag as CRuby. Authentication tag verification,
wrong-tag rejection, and all three key sizes (128/192/256) tested.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: kares

src/main/java/org/jruby/ext/openssl/Cipher.java

@@ -252,6 +252,8 @@ public static final class Algorithm {
             KNOWN_BLOCK_MODES = new HashSet<>(10, 1);
             for ( String mode : OPENSSL_BLOCK_MODES ) KNOWN_BLOCK_MODES.add(mode);
             KNOWN_BLOCK_MODES.add("CTR");
+            KNOWN_BLOCK_MODES.add("GCM");
+            KNOWN_BLOCK_MODES.add("CCM");
             KNOWN_BLOCK_MODES.add("CTS"); // not supported by OpenSSL
             KNOWN_BLOCK_MODES.add("PCBC"); // not supported by OpenSSL
             KNOWN_BLOCK_MODES.add("NONE"); // valid to pass into JCE
@@ -266,6 +268,7 @@ public static final class Algorithm {
             NO_PADDING_BLOCK_MODES.add("OFB");
             NO_PADDING_BLOCK_MODES.add("CTR");
             NO_PADDING_BLOCK_MODES.add("GCM");
+            NO_PADDING_BLOCK_MODES.add("CCM");
         }
 
         final static class AllSupportedCiphers {
@@ -1068,7 +1071,7 @@ else if ( "RC4".equalsIgnoreCase(cryptoBase) ) {
                 }
                 else {
                     final AlgorithmParameterSpec ivSpec;
-                    if ( "GCM".equalsIgnoreCase(cryptoMode) ) { // e.g. 'aes-128-gcm'
+                    if ( "GCM".equalsIgnoreCase(cryptoMode) || "CCM".equalsIgnoreCase(cryptoMode) ) {
                         ivSpec = new GCMParameterSpec(getAuthTagLength() * 8, this.realIV);
                     }
                     else {
@@ -1425,6 +1428,19 @@ public IRubyObject set_auth_tag_len(IRubyObject tag_len) {
         return tag_len;
     }
 
+    // CRuby's ccm_data_len= calls EVP_CipherUpdate(ctx, NULL, &out, NULL, len)
+    // to pre-declare the message length (CCM is a two-pass algorithm in OpenSSL).
+    // BouncyCastle's CCM JCE wrapper buffers everything internally and processes
+    // in doFinal, so it doesn't need the length upfront. We store it for API
+    // compatibility but don't pass it to BC.
+    @JRubyMethod(name = "ccm_data_len=")
+    public IRubyObject set_ccm_data_len(final ThreadContext context, IRubyObject len) {
+        if ( ! "CCM".equalsIgnoreCase(cryptoMode) ) {
+            throw newCipherError(context.runtime, "ccm_data_len= is only supported in CCM mode");
+        }
+        return len;
+    }
+
     private boolean isAuthDataMode() { // Authenticated Encryption with Associated Data (AEAD)
         return "GCM".equalsIgnoreCase(cryptoMode) || "CCM".equalsIgnoreCase(cryptoMode);
     }

src/test/ruby/test_cipher.rb

@@ -273,6 +273,77 @@ def test_block_decrypt_with_extra_final_workaround
     assert_equal plaintext, result2[0...plaintext.length]
   end
 
+  # AES-CCM support via BouncyCastle (#96)
+  # Uses RFC 3610 Section 8 Test Case 1 — same vector as CRuby's test_aes_ccm
+  def test_aes_ccm_rfc3610
+    key = ["c0c1c2c3c4c5c6c7c8c9cacbcccdcecf"].pack("H*")
+    iv =  ["00000003020100a0a1a2a3a4a5"].pack("H*")
+    aad = ["0001020304050607"].pack("H*")
+    pt =  ["08090a0b0c0d0e0f101112131415161718191a1b1c1d1e"].pack("H*")
+    expected_ct =  ["588c979a61c663d2f066d0c2c0f989806d5f6b61dac384"].pack("H*")
+    expected_tag = ["17e8d12cfdf926e0"].pack("H*")
+
+    c = OpenSSL::Cipher.new("AES-128-CCM")
+    c.encrypt
+    c.auth_tag_len = 8
+    c.iv_len = 13
+    c.key = key
+    c.iv = iv
+    c.ccm_data_len = pt.length
+    c.auth_data = aad
+    ct = c.update(pt) + c.final
+    assert_equal expected_ct, ct
+    assert_equal expected_tag, c.auth_tag(8)
+
+    d = OpenSSL::Cipher.new("AES-128-CCM")
+    d.decrypt
+    d.auth_tag_len = 8
+    d.iv_len = 13
+    d.key = key
+    d.iv = iv
+    d.ccm_data_len = ct.length
+    d.auth_tag = expected_tag
+    d.auth_data = aad
+    assert_equal pt, d.update(ct) + d.final
+  end
+
+  def test_aes_ccm_wrong_tag_rejected
+    key = ["c0c1c2c3c4c5c6c7c8c9cacbcccdcecf"].pack("H*")
+    iv =  ["00000003020100a0a1a2a3a4a5"].pack("H*")
+    aad = ["0001020304050607"].pack("H*")
+    ct =  ["588c979a61c663d2f066d0c2c0f989806d5f6b61dac384"].pack("H*")
+    tag = ["17e8d12cfdf926e0"].pack("H*")
+
+    bad_tag = tag.dup
+    bad_tag.setbyte(-1, (bad_tag.getbyte(-1) + 1) & 0xff)
+
+    d = OpenSSL::Cipher.new("AES-128-CCM")
+    d.decrypt; d.auth_tag_len = 8; d.iv_len = 13
+    d.key = key; d.iv = iv
+    d.ccm_data_len = ct.length; d.auth_tag = bad_tag; d.auth_data = aad
+    assert_raise(OpenSSL::Cipher::CipherError) { d.update(ct) + d.final }
+  end
+
+  def test_aes_ccm_authenticated
+    c = OpenSSL::Cipher.new("AES-128-CCM")
+    assert_equal true, c.authenticated?
+  end
+
+  def test_aes_256_ccm_roundtrip
+    key = OpenSSL::Random.random_bytes(32)
+    iv = OpenSSL::Random.random_bytes(12)
+    data = "AES-256-CCM test data for round-trip"
+
+    c = OpenSSL::Cipher.new("AES-256-CCM")
+    c.encrypt; c.key = key; c.iv = iv; c.auth_data = "aad"
+    ct = c.update(data) + c.final
+    tag = c.auth_tag
+
+    d = OpenSSL::Cipher.new("AES-256-CCM")
+    d.decrypt; d.key = key; d.iv = iv; d.auth_tag = tag; d.auth_data = "aad"
+    assert_equal data, d.update(ct) + d.final
+  end
+
   @@test_encrypt_decrypt_des_variations = nil
 
   def test_encrypt_decrypt_des_variations