001/*
002 * Licensed to the Apache Software Foundation (ASF) under one or more
003 * contributor license agreements.  See the NOTICE file distributed with
004 * this work for additional information regarding copyright ownership.
005 * The ASF licenses this file to You under the Apache License, Version 2.0
006 * (the "License"); you may not use this file except in compliance with
007 * the License.  You may obtain a copy of the License at
008 *
009 *      https://www.apache.org/licenses/LICENSE-2.0
010 *
011 * Unless required by applicable law or agreed to in writing, software
012 * distributed under the License is distributed on an "AS IS" BASIS,
013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014 * See the License for the specific language governing permissions and
015 * limitations under the License.
016 */
017
018package org.apache.commons.codec.binary;
019
020import java.math.BigInteger;
021import java.util.Arrays;
022import java.util.Objects;
023
024import org.apache.commons.codec.CodecPolicy;
025
026/**
027 * Provides Base64 encoding and decoding as defined by <a href="http://www.ietf.org/rfc/rfc2045.txt">RFC 2045</a>.
028 *
029 * <p>
030 * This class implements section <cite>6.8. Base64 Content-Transfer-Encoding</cite> from RFC 2045 <cite>Multipurpose
031 * Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies</cite> by Freed and Borenstein.
032 * </p>
033 * <p>
034 * The class can be parameterized in the following manner with various constructors:
035 * </p>
036 * <ul>
037 * <li>URL-safe mode: Default off.</li>
038 * <li>Line length: Default 76. Line length that aren't multiples of 4 will still essentially end up being multiples of
039 * 4 in the encoded data.
040 * <li>Line separator: Default is CRLF ("\r\n")</li>
041 * </ul>
042 * <p>
043 * The URL-safe parameter is only applied to encode operations. Decoding seamlessly handles both modes.
044 * </p>
045 * <p>
046 * Since this class operates directly on byte streams, and not character streams, it is hard-coded to only
047 * encode/decode character encodings which are compatible with the lower 127 ASCII chart (ISO-8859-1, Windows-1252,
048 * UTF-8, etc).
049 * </p>
050 * <p>
051 * This class is thread-safe.
052 * </p>
053 * <p>
054 * You can configure instances with the {@link Builder}.
055 * </p>
056 * <pre>
057 * Base64 base64 = Base64.builder()
058 *   .setDecodingPolicy(DecodingPolicy.LENIENT) // default is lenient, null resets to default
059 *   .setEncodeTable(customEncodeTable)         // default is built in, null resets to default
060 *   .setLineLength(0)                          // default is none
061 *   .setLineSeparator('\r', '\n')              // default is CR LF, null resets to default
062 *   .setPadding('=')                           // default is =
063 *   .setUrlSafe(false)                         // default is false
064 *   .get()
065 * </pre>
066 *
067 * @see <a href="http://www.ietf.org/rfc/rfc2045.txt">RFC 2045</a>
068 * @since 1.0
069 */
070public class Base64 extends BaseNCodec {
071
072    /**
073     * Builds {@link Base64} instances.
074     *
075     * @since 1.17.0
076     */
077    public static class Builder extends AbstractBuilder<Base64, Builder> {
078
079        /**
080         * Constructs a new instance.
081         */
082        public Builder() {
083            super(STANDARD_ENCODE_TABLE);
084        }
085
086        @Override
087        public Base64 get() {
088            return new Base64(getLineLength(), getLineSeparator(), getPadding(), getEncodeTable(), getDecodingPolicy());
089        }
090
091        /**
092         * Sets the URL-safe encoding policy.
093         *
094         * @param urlSafe URL-safe encoding policy, null resets to the default.
095         * @return {@code this} instance.
096         */
097        public Builder setUrlSafe(final boolean urlSafe) {
098            return setEncodeTable(toUrlSafeEncodeTable(urlSafe));
099        }
100
101    }
102
103    /**
104     * BASE64 characters are 6 bits in length.
105     * They are formed by taking a block of 3 octets to form a 24-bit string,
106     * which is converted into 4 BASE64 characters.
107     */
108    private static final int BITS_PER_ENCODED_BYTE = 6;
109    private static final int BYTES_PER_UNENCODED_BLOCK = 3;
110    private static final int BYTES_PER_ENCODED_BLOCK = 4;
111    private static final int DECODING_TABLE_LENGTH = 256;
112
113    /**
114     * This array is a lookup table that translates 6-bit positive integer index values into their "Base64 Alphabet" equivalents as specified in Table 1 of RFC
115     * 2045.
116     * <p>
117     * Thanks to "commons" project in ws.apache.org for this code. https://svn.apache.org/repos/asf/webservices/commons/trunk/modules/util/
118     * </p>
119     */
120    // @formatter:off
121    private static final byte[] STANDARD_ENCODE_TABLE = {
122            'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
123            'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
124            'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
125            'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
126            '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '+', '/'
127    };
128    /**
129     * This is a copy of the STANDARD_ENCODE_TABLE above, but with + and / changed to - and _ to make the encoded Base64 results more URL-SAFE. This table is
130     * only used when the Base64's mode is set to URL-SAFE.
131     */
132    // @formatter:off
133    private static final byte[] URL_SAFE_ENCODE_TABLE = {
134            'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
135            'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
136            'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
137            'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
138            '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '-', '_'
139    };
140    // @formatter:on
141    /**
142     * This array is a lookup table that translates Unicode characters drawn from the "Base64 Alphabet" (as specified
143     * in Table 1 of RFC 2045) into their 6-bit positive integer equivalents. Characters that are not in the Base64
144     * alphabet but fall within the bounds of the array are translated to -1.
145     * <p>
146     * Note: '+' and '-' both decode to 62. '/' and '_' both decode to 63. This means decoder seamlessly handles both
147     * URL_SAFE and STANDARD base64. (The encoder, on the other hand, needs to know ahead of time what to emit).
148     * </p>
149     * <p>
150     * Thanks to "commons" project in ws.apache.org for this code.
151     * https://svn.apache.org/repos/asf/webservices/commons/trunk/modules/util/
152     * </p>
153     */
154    private static final byte[] DECODE_TABLE = {
155        //   0   1   2   3   4   5   6   7   8   9   A   B   C   D   E   F
156            -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 00-0f
157            -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 10-1f
158            -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, 62, -1, 63, // 20-2f + - /
159            52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -1, -1, -1, // 30-3f 0-9
160            -1,  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, // 40-4f A-O
161            15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, 63, // 50-5f P-Z _
162            -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, // 60-6f a-o
163            41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51                      // 70-7a p-z
164    };
165
166    /**
167     * Base64 uses 6-bit fields.
168     */
169    /** Mask used to extract 6 bits, used when encoding */
170    private static final int MASK_6_BITS = 0x3f;
171
172    // The static final fields above are used for the original static byte[] methods on Base64.
173    // The private member fields below are used with the new streaming approach, which requires
174    // some state be preserved between calls of encode() and decode().
175
176    /** Mask used to extract 4 bits, used when decoding final trailing character. */
177    private static final int MASK_4_BITS = 0xf;
178    /** Mask used to extract 2 bits, used when decoding final trailing character. */
179    private static final int MASK_2_BITS = 0x3;
180
181    /**
182     * Creates a new Builder.
183     *
184     * @return a new Builder.
185     * @since 1.17.0
186     */
187    public static Builder builder() {
188        return new Builder();
189    }
190
191    /**
192     * Decodes Base64 data into octets.
193     * <p>
194     * <strong>Note:</strong> this method seamlessly handles data encoded in URL-safe or normal mode.
195     * </p>
196     *
197     * @param base64Data
198     *            Byte array containing Base64 data
199     * @return Array containing decoded data.
200     */
201    public static byte[] decodeBase64(final byte[] base64Data) {
202        return new Base64().decode(base64Data);
203    }
204
205    /**
206     * Decodes a Base64 String into octets.
207     * <p>
208     * <strong>Note:</strong> this method seamlessly handles data encoded in URL-safe or normal mode.
209     * </p>
210     *
211     * @param base64String
212     *            String containing Base64 data
213     * @return Array containing decoded data.
214     * @since 1.4
215     */
216    public static byte[] decodeBase64(final String base64String) {
217        return new Base64().decode(base64String);
218    }
219
220    /**
221     * Decodes a byte64-encoded integer according to crypto standards such as W3C's XML-Signature.
222     *
223     * @param array
224     *            a byte array containing base64 character data
225     * @return A BigInteger
226     * @since 1.4
227     */
228    public static BigInteger decodeInteger(final byte[] array) {
229        return new BigInteger(1, decodeBase64(array));
230    }
231
232    /**
233     * Encodes binary data using the base64 algorithm but does not chunk the output.
234     *
235     * @param binaryData
236     *            binary data to encode
237     * @return byte[] containing Base64 characters in their UTF-8 representation.
238     */
239    public static byte[] encodeBase64(final byte[] binaryData) {
240        return encodeBase64(binaryData, false);
241    }
242
243    /**
244     * Encodes binary data using the base64 algorithm, optionally chunking the output into 76 character blocks.
245     *
246     * @param binaryData
247     *            Array containing binary data to encode.
248     * @param isChunked
249     *            if {@code true} this encoder will chunk the base64 output into 76 character blocks
250     * @return Base64-encoded data.
251     * @throws IllegalArgumentException
252     *             Thrown when the input array needs an output array bigger than {@link Integer#MAX_VALUE}
253     */
254    public static byte[] encodeBase64(final byte[] binaryData, final boolean isChunked) {
255        return encodeBase64(binaryData, isChunked, false);
256    }
257
258    /**
259     * Encodes binary data using the base64 algorithm, optionally chunking the output into 76 character blocks.
260     *
261     * @param binaryData
262     *            Array containing binary data to encode.
263     * @param isChunked
264     *            if {@code true} this encoder will chunk the base64 output into 76 character blocks
265     * @param urlSafe
266     *            if {@code true} this encoder will emit - and _ instead of the usual + and / characters.
267     *            <strong>Note: No padding is added when encoding using the URL-safe alphabet.</strong>
268     * @return Base64-encoded data.
269     * @throws IllegalArgumentException
270     *             Thrown when the input array needs an output array bigger than {@link Integer#MAX_VALUE}
271     * @since 1.4
272     */
273    public static byte[] encodeBase64(final byte[] binaryData, final boolean isChunked, final boolean urlSafe) {
274        return encodeBase64(binaryData, isChunked, urlSafe, Integer.MAX_VALUE);
275    }
276
277    /**
278     * Encodes binary data using the base64 algorithm, optionally chunking the output into 76 character blocks.
279     *
280     * @param binaryData
281     *            Array containing binary data to encode.
282     * @param isChunked
283     *            if {@code true} this encoder will chunk the base64 output into 76 character blocks
284     * @param urlSafe
285     *            if {@code true} this encoder will emit - and _ instead of the usual + and / characters.
286     *            <strong>Note: No padding is added when encoding using the URL-safe alphabet.</strong>
287     * @param maxResultSize
288     *            The maximum result size to accept.
289     * @return Base64-encoded data.
290     * @throws IllegalArgumentException
291     *             Thrown when the input array needs an output array bigger than maxResultSize
292     * @since 1.4
293     */
294    public static byte[] encodeBase64(final byte[] binaryData, final boolean isChunked,
295                                      final boolean urlSafe, final int maxResultSize) {
296        if (BinaryCodec.isEmpty(binaryData)) {
297            return binaryData;
298        }
299        // Create this so can use the super-class method
300        // Also ensures that the same roundings are performed by the ctor and the code
301        final Base64 b64 = isChunked ? new Base64(urlSafe) : new Base64(0, CHUNK_SEPARATOR, urlSafe);
302        final long len = b64.getEncodedLength(binaryData);
303        if (len > maxResultSize) {
304            throw new IllegalArgumentException("Input array too big, the output array would be bigger (" +
305                len +
306                ") than the specified maximum size of " +
307                maxResultSize);
308        }
309        return b64.encode(binaryData);
310    }
311
312    /**
313     * Encodes binary data using the base64 algorithm and chunks the encoded output into 76 character blocks
314     *
315     * @param binaryData
316     *            binary data to encode
317     * @return Base64 characters chunked in 76 character blocks
318     */
319    public static byte[] encodeBase64Chunked(final byte[] binaryData) {
320        return encodeBase64(binaryData, true);
321    }
322
323    /**
324     * Encodes binary data using the base64 algorithm but does not chunk the output.
325     *
326     * NOTE:  We changed the behavior of this method from multi-line chunking (commons-codec-1.4) to
327     * single-line non-chunking (commons-codec-1.5).
328     *
329     * @param binaryData
330     *            binary data to encode
331     * @return String containing Base64 characters.
332     * @since 1.4 (NOTE:  1.4 chunked the output, whereas 1.5 does not).
333     */
334    public static String encodeBase64String(final byte[] binaryData) {
335        return StringUtils.newStringUsAscii(encodeBase64(binaryData, false));
336    }
337
338    /**
339     * Encodes binary data using a URL-safe variation of the base64 algorithm but does not chunk the output. The
340     * url-safe variation emits - and _ instead of + and / characters.
341     * <strong>Note: No padding is added.</strong>
342     * @param binaryData
343     *            binary data to encode
344     * @return byte[] containing Base64 characters in their UTF-8 representation.
345     * @since 1.4
346     */
347    public static byte[] encodeBase64URLSafe(final byte[] binaryData) {
348        return encodeBase64(binaryData, false, true);
349    }
350
351    /**
352     * Encodes binary data using a URL-safe variation of the base64 algorithm but does not chunk the output. The
353     * url-safe variation emits - and _ instead of + and / characters.
354     * <strong>Note: No padding is added.</strong>
355     * @param binaryData
356     *            binary data to encode
357     * @return String containing Base64 characters
358     * @since 1.4
359     */
360    public static String encodeBase64URLSafeString(final byte[] binaryData) {
361        return StringUtils.newStringUsAscii(encodeBase64(binaryData, false, true));
362    }
363
364    /**
365     * Encodes to a byte64-encoded integer according to crypto standards such as W3C's XML-Signature.
366     *
367     * @param bigInteger
368     *            a BigInteger
369     * @return A byte array containing base64 character data
370     * @throws NullPointerException
371     *             if null is passed in
372     * @since 1.4
373     */
374    public static byte[] encodeInteger(final BigInteger bigInteger) {
375        Objects.requireNonNull(bigInteger, "bigInteger");
376        return encodeBase64(toIntegerBytes(bigInteger), false);
377    }
378
379    /**
380     * Tests a given byte array to see if it contains only valid characters within the Base64 alphabet. Currently the
381     * method treats whitespace as valid.
382     *
383     * @param arrayOctet
384     *            byte array to test
385     * @return {@code true} if all bytes are valid characters in the Base64 alphabet or if the byte array is empty;
386     *         {@code false}, otherwise
387     * @deprecated 1.5 Use {@link #isBase64(byte[])}, will be removed in 2.0.
388     */
389    @Deprecated
390    public static boolean isArrayByteBase64(final byte[] arrayOctet) {
391        return isBase64(arrayOctet);
392    }
393
394    /**
395     * Returns whether or not the {@code octet} is in the base 64 alphabet.
396     *
397     * @param octet
398     *            The value to test
399     * @return {@code true} if the value is defined in the base 64 alphabet, {@code false} otherwise.
400     * @since 1.4
401     */
402    public static boolean isBase64(final byte octet) {
403        return octet == PAD_DEFAULT || octet >= 0 && octet < DECODE_TABLE.length && DECODE_TABLE[octet] != -1;
404    }
405
406    /**
407     * Tests a given byte array to see if it contains only valid characters within the Base64 alphabet. Currently the
408     * method treats whitespace as valid.
409     *
410     * @param arrayOctet
411     *            byte array to test
412     * @return {@code true} if all bytes are valid characters in the Base64 alphabet or if the byte array is empty;
413     *         {@code false}, otherwise
414     * @since 1.5
415     */
416    public static boolean isBase64(final byte[] arrayOctet) {
417        for (final byte element : arrayOctet) {
418            if (!isBase64(element) && !Character.isWhitespace(element)) {
419                return false;
420            }
421        }
422        return true;
423    }
424
425    /**
426     * Tests a given String to see if it contains only valid characters within the Base64 alphabet. Currently the
427     * method treats whitespace as valid.
428     *
429     * @param base64
430     *            String to test
431     * @return {@code true} if all characters in the String are valid characters in the Base64 alphabet or if
432     *         the String is empty; {@code false}, otherwise
433     *  @since 1.5
434     */
435    public static boolean isBase64(final String base64) {
436        return isBase64(StringUtils.getBytesUtf8(base64));
437    }
438
439    /**
440     * Returns a byte-array representation of a {@code BigInteger} without sign bit.
441     *
442     * @param bigInt
443     *            {@code BigInteger} to be converted
444     * @return a byte array representation of the BigInteger parameter
445     */
446    static byte[] toIntegerBytes(final BigInteger bigInt) {
447        int bitlen = bigInt.bitLength();
448        // round bitlen
449        bitlen = bitlen + 7 >> 3 << 3;
450        final byte[] bigBytes = bigInt.toByteArray();
451
452        if (bigInt.bitLength() % 8 != 0 && bigInt.bitLength() / 8 + 1 == bitlen / 8) {
453            return bigBytes;
454        }
455        // set up params for copying everything but sign bit
456        int startSrc = 0;
457        int len = bigBytes.length;
458
459        // if bigInt is exactly byte-aligned, just skip signbit in copy
460        if (bigInt.bitLength() % 8 == 0) {
461            startSrc = 1;
462            len--;
463        }
464        final int startDst = bitlen / 8 - len; // to pad w/ nulls as per spec
465        final byte[] resizedBytes = new byte[bitlen / 8];
466        System.arraycopy(bigBytes, startSrc, resizedBytes, startDst, len);
467        return resizedBytes;
468    }
469
470    private static byte[] toUrlSafeEncodeTable(final boolean urlSafe) {
471        return urlSafe ? URL_SAFE_ENCODE_TABLE : STANDARD_ENCODE_TABLE;
472    }
473
474    /**
475     * Encode table to use: either STANDARD or URL_SAFE or custom.
476     * Note: the DECODE_TABLE above remains static because it is able
477     * to decode both STANDARD and URL_SAFE streams, but the encodeTable must be a member variable so we can switch
478     * between the two modes.
479     */
480    private final byte[] encodeTable;
481
482    /**
483     * Decode table to use.
484     */
485    private final byte[] decodeTable;
486
487    /**
488     * Line separator for encoding. Not used when decoding. Only used if lineLength &gt; 0.
489     */
490    private final byte[] lineSeparator;
491
492    /**
493     * Convenience variable to help us determine when our buffer is going to run out of room and needs resizing.
494     * {@code encodeSize = 4 + lineSeparator.length;}
495     */
496    private final int encodeSize;
497
498    private final boolean isUrlSafe;
499
500    /**
501     * Constructs a Base64 codec used for decoding (all modes) and encoding in URL-unsafe mode.
502     * <p>
503     * When encoding the line length is 0 (no chunking), and the encoding table is STANDARD_ENCODE_TABLE.
504     * </p>
505     * <p>
506     * When decoding all variants are supported.
507     * </p>
508     */
509    public Base64() {
510        this(0);
511    }
512
513    /**
514     * Constructs a Base64 codec used for decoding (all modes) and encoding in the given URL-safe mode.
515     * <p>
516     * When encoding the line length is 76, the line separator is CRLF, and the encoding table is STANDARD_ENCODE_TABLE.
517     * </p>
518     * <p>
519     * When decoding all variants are supported.
520     * </p>
521     *
522     * @param urlSafe
523     *            if {@code true}, URL-safe encoding is used. In most cases this should be set to
524     *            {@code false}.
525     * @since 1.4
526     */
527    public Base64(final boolean urlSafe) {
528        this(MIME_CHUNK_SIZE, CHUNK_SEPARATOR, urlSafe);
529    }
530
531    /**
532     * Constructs a Base64 codec used for decoding (all modes) and encoding in URL-unsafe mode.
533     * <p>
534     * When encoding the line length is given in the constructor, the line separator is CRLF, and the encoding table is
535     * STANDARD_ENCODE_TABLE.
536     * </p>
537     * <p>
538     * Line lengths that aren't multiples of 4 will still essentially end up being multiples of 4 in the encoded data.
539     * </p>
540     * <p>
541     * When decoding all variants are supported.
542     * </p>
543     *
544     * @param lineLength
545     *            Each line of encoded data will be at most of the given length (rounded down to the nearest multiple of
546     *            4). If lineLength &lt;= 0, then the output will not be divided into lines (chunks). Ignored when
547     *            decoding.
548     * @since 1.4
549     */
550    public Base64(final int lineLength) {
551        this(lineLength, CHUNK_SEPARATOR);
552    }
553
554    /**
555     * Constructs a Base64 codec used for decoding (all modes) and encoding in URL-unsafe mode.
556     * <p>
557     * When encoding the line length and line separator are given in the constructor, and the encoding table is
558     * STANDARD_ENCODE_TABLE.
559     * </p>
560     * <p>
561     * Line lengths that aren't multiples of 4 will still essentially end up being multiples of 4 in the encoded data.
562     * </p>
563     * <p>
564     * When decoding all variants are supported.
565     * </p>
566     *
567     * @param lineLength
568     *            Each line of encoded data will be at most of the given length (rounded down to the nearest multiple of
569     *            4). If lineLength &lt;= 0, then the output will not be divided into lines (chunks). Ignored when
570     *            decoding.
571     * @param lineSeparator
572     *            Each line of encoded data will end with this sequence of bytes.
573     * @throws IllegalArgumentException
574     *             Thrown when the provided lineSeparator included some base64 characters.
575     * @since 1.4
576     */
577    public Base64(final int lineLength, final byte[] lineSeparator) {
578        this(lineLength, lineSeparator, false);
579    }
580
581    /**
582     * Constructs a Base64 codec used for decoding (all modes) and encoding in URL-unsafe mode.
583     * <p>
584     * When encoding the line length and line separator are given in the constructor, and the encoding table is
585     * STANDARD_ENCODE_TABLE.
586     * </p>
587     * <p>
588     * Line lengths that aren't multiples of 4 will still essentially end up being multiples of 4 in the encoded data.
589     * </p>
590     * <p>
591     * When decoding all variants are supported.
592     * </p>
593     *
594     * @param lineLength
595     *            Each line of encoded data will be at most of the given length (rounded down to the nearest multiple of
596     *            4). If lineLength &lt;= 0, then the output will not be divided into lines (chunks). Ignored when
597     *            decoding.
598     * @param lineSeparator
599     *            Each line of encoded data will end with this sequence of bytes.
600     * @param urlSafe
601     *            Instead of emitting '+' and '/' we emit '-' and '_' respectively. urlSafe is only applied to encode
602     *            operations. Decoding seamlessly handles both modes.
603     *            <strong>Note: No padding is added when using the URL-safe alphabet.</strong>
604     * @throws IllegalArgumentException
605     *             Thrown when the {@code lineSeparator} contains Base64 characters.
606     * @since 1.4
607     */
608    public Base64(final int lineLength, final byte[] lineSeparator, final boolean urlSafe) {
609        this(lineLength, lineSeparator, PAD_DEFAULT, toUrlSafeEncodeTable(urlSafe), DECODING_POLICY_DEFAULT);
610    }
611
612    /**
613     * Constructs a Base64 codec used for decoding (all modes) and encoding in URL-unsafe mode.
614     * <p>
615     * When encoding the line length and line separator are given in the constructor, and the encoding table is
616     * STANDARD_ENCODE_TABLE.
617     * </p>
618     * <p>
619     * Line lengths that aren't multiples of 4 will still essentially end up being multiples of 4 in the encoded data.
620     * </p>
621     * <p>
622     * When decoding all variants are supported.
623     * </p>
624     *
625     * @param lineLength
626     *            Each line of encoded data will be at most of the given length (rounded down to the nearest multiple of
627     *            4). If lineLength &lt;= 0, then the output will not be divided into lines (chunks). Ignored when
628     *            decoding.
629     * @param lineSeparator
630     *            Each line of encoded data will end with this sequence of bytes.
631     * @param urlSafe
632     *            Instead of emitting '+' and '/' we emit '-' and '_' respectively. urlSafe is only applied to encode
633     *            operations. Decoding seamlessly handles both modes.
634     *            <strong>Note: No padding is added when using the URL-safe alphabet.</strong>
635     * @param decodingPolicy The decoding policy.
636     * @throws IllegalArgumentException
637     *             Thrown when the {@code lineSeparator} contains Base64 characters.
638     * @since 1.15
639     */
640    public Base64(final int lineLength, final byte[] lineSeparator, final boolean urlSafe, final CodecPolicy decodingPolicy) {
641        this(lineLength, lineSeparator, PAD_DEFAULT, toUrlSafeEncodeTable(urlSafe), decodingPolicy);
642    }
643
644    /**
645     * Constructs a Base64 codec used for decoding (all modes) and encoding in URL-unsafe mode.
646     * <p>
647     * When encoding the line length and line separator are given in the constructor, and the encoding table is STANDARD_ENCODE_TABLE.
648     * </p>
649     * <p>
650     * Line lengths that aren't multiples of 4 will still essentially end up being multiples of 4 in the encoded data.
651     * </p>
652     * <p>
653     * When decoding all variants are supported.
654     * </p>
655     *
656     * @param lineLength     Each line of encoded data will be at most of the given length (rounded down to the nearest multiple of 4). If lineLength &lt;= 0,
657     *                       then the output will not be divided into lines (chunks). Ignored when decoding.
658     * @param lineSeparator  Each line of encoded data will end with this sequence of bytes; the constructor makes a defensive copy. May be null.
659     * @param padding        padding byte.
660     * @param encodeTable    The manual encodeTable - a byte array of 64 chars.
661     * @param decodingPolicy The decoding policy.
662     * @throws IllegalArgumentException Thrown when the {@code lineSeparator} contains Base64 characters.
663     */
664    private Base64(final int lineLength, final byte[] lineSeparator, final byte padding, final byte[] encodeTable, final CodecPolicy decodingPolicy) {
665        super(BYTES_PER_UNENCODED_BLOCK, BYTES_PER_ENCODED_BLOCK, lineLength, toLength(lineSeparator), padding, decodingPolicy);
666        Objects.requireNonNull(encodeTable, "encodeTable");
667        if (encodeTable.length != STANDARD_ENCODE_TABLE.length) {
668            throw new IllegalArgumentException("encodeTable must have exactly 64 entries.");
669        }
670        // same array first or equal contents second
671        this.isUrlSafe = encodeTable == URL_SAFE_ENCODE_TABLE || Arrays.equals(encodeTable, URL_SAFE_ENCODE_TABLE);
672        if (encodeTable == STANDARD_ENCODE_TABLE || this.isUrlSafe) {
673            decodeTable = DECODE_TABLE;
674            // No need of a defensive copy of an internal table.
675            this.encodeTable = encodeTable;
676        } else {
677            this.encodeTable = encodeTable.clone();
678            this.decodeTable = calculateDecodeTable(this.encodeTable);
679        }
680        // TODO could be simplified if there is no requirement to reject invalid line sep when length <=0
681        // @see test case Base64Test.testConstructors()
682        if (lineSeparator != null) {
683            final byte[] lineSeparatorCopy = lineSeparator.clone();
684            if (containsAlphabetOrPad(lineSeparatorCopy)) {
685                final String sep = StringUtils.newStringUtf8(lineSeparatorCopy);
686                throw new IllegalArgumentException("lineSeparator must not contain base64 characters: [" + sep + "]");
687            }
688            if (lineLength > 0) { // null line-sep forces no chunking rather than throwing IAE
689                this.encodeSize = BYTES_PER_ENCODED_BLOCK + lineSeparatorCopy.length;
690                this.lineSeparator = lineSeparatorCopy;
691            } else {
692                this.encodeSize = BYTES_PER_ENCODED_BLOCK;
693                this.lineSeparator = null;
694            }
695        } else {
696            this.encodeSize = BYTES_PER_ENCODED_BLOCK;
697            this.lineSeparator = null;
698        }
699    }
700
701    /**
702     * Calculates a decode table for a given encode table.
703     *
704     * @param encodeTable that is used to determine decode lookup table
705     * @return decodeTable
706     */
707    private byte[] calculateDecodeTable(final byte[] encodeTable) {
708        final byte[] decodeTable = new byte[DECODING_TABLE_LENGTH];
709        Arrays.fill(decodeTable, (byte) -1);
710        for (int i = 0; i < encodeTable.length; i++) {
711            decodeTable[encodeTable[i]] = (byte) i;
712        }
713        return decodeTable;
714    }
715
716    /**
717     * <p>
718     * Decodes all of the provided data, starting at inPos, for inAvail bytes. Should be called at least twice: once
719     * with the data to decode, and once with inAvail set to "-1" to alert decoder that EOF has been reached. The "-1"
720     * call is not necessary when decoding, but it doesn't hurt, either.
721     * </p>
722     * <p>
723     * Ignores all non-base64 characters. This is how chunked (for example 76 character) data is handled, since CR and LF are
724     * silently ignored, but has implications for other bytes, too. This method subscribes to the garbage-in,
725     * garbage-out philosophy: it will not check the provided data for validity.
726     * </p>
727     * <p>
728     * Thanks to "commons" project in ws.apache.org for the bitwise operations, and general approach.
729     * https://svn.apache.org/repos/asf/webservices/commons/trunk/modules/util/
730     * </p>
731     *
732     * @param input
733     *            byte[] array of ASCII data to base64 decode.
734     * @param inPos
735     *            Position to start reading data from.
736     * @param inAvail
737     *            Amount of bytes available from input for decoding.
738     * @param context
739     *            the context to be used
740     */
741    @Override
742    void decode(final byte[] input, int inPos, final int inAvail, final Context context) {
743        if (context.eof) {
744            return;
745        }
746        if (inAvail < 0) {
747            context.eof = true;
748        }
749        final int decodeSize = this.encodeSize - 1;
750        for (int i = 0; i < inAvail; i++) {
751            final byte[] buffer = ensureBufferSize(decodeSize, context);
752            final byte b = input[inPos++];
753            if (b == pad) {
754                // We're done.
755                context.eof = true;
756                break;
757            }
758            if (b >= 0 && b < decodeTable.length) {
759                final int result = decodeTable[b];
760                if (result >= 0) {
761                    context.modulus = (context.modulus + 1) % BYTES_PER_ENCODED_BLOCK;
762                    context.ibitWorkArea = (context.ibitWorkArea << BITS_PER_ENCODED_BYTE) + result;
763                    if (context.modulus == 0) {
764                        buffer[context.pos++] = (byte) (context.ibitWorkArea >> 16 & MASK_8BITS);
765                        buffer[context.pos++] = (byte) (context.ibitWorkArea >> 8 & MASK_8BITS);
766                        buffer[context.pos++] = (byte) (context.ibitWorkArea & MASK_8BITS);
767                    }
768                }
769            }
770        }
771
772        // Two forms of EOF as far as base64 decoder is concerned: actual
773        // EOF (-1) and first time '=' character is encountered in stream.
774        // This approach makes the '=' padding characters completely optional.
775        if (context.eof && context.modulus != 0) {
776            final byte[] buffer = ensureBufferSize(decodeSize, context);
777
778            // We have some spare bits remaining
779            // Output all whole multiples of 8 bits and ignore the rest
780            switch (context.modulus) {
781//              case 0 : // impossible, as excluded above
782                case 1 : // 6 bits - either ignore entirely, or raise an exception
783                    validateTrailingCharacter();
784                    break;
785                case 2 : // 12 bits = 8 + 4
786                    validateCharacter(MASK_4_BITS, context);
787                    context.ibitWorkArea = context.ibitWorkArea >> 4; // dump the extra 4 bits
788                    buffer[context.pos++] = (byte) (context.ibitWorkArea & MASK_8BITS);
789                    break;
790                case 3 : // 18 bits = 8 + 8 + 2
791                    validateCharacter(MASK_2_BITS, context);
792                    context.ibitWorkArea = context.ibitWorkArea >> 2; // dump 2 bits
793                    buffer[context.pos++] = (byte) (context.ibitWorkArea >> 8 & MASK_8BITS);
794                    buffer[context.pos++] = (byte) (context.ibitWorkArea & MASK_8BITS);
795                    break;
796                default:
797                    throw new IllegalStateException("Impossible modulus " + context.modulus);
798            }
799        }
800    }
801
802    /**
803     * <p>
804     * Encodes all of the provided data, starting at inPos, for inAvail bytes. Must be called at least twice: once with
805     * the data to encode, and once with inAvail set to "-1" to alert encoder that EOF has been reached, to flush last
806     * remaining bytes (if not multiple of 3).
807     * </p>
808     * <p><strong>Note: No padding is added when encoding using the URL-safe alphabet.</strong></p>
809     * <p>
810     * Thanks to "commons" project in ws.apache.org for the bitwise operations, and general approach.
811     * https://svn.apache.org/repos/asf/webservices/commons/trunk/modules/util/
812     * </p>
813     *
814     * @param in
815     *            byte[] array of binary data to base64 encode.
816     * @param inPos
817     *            Position to start reading data from.
818     * @param inAvail
819     *            Amount of bytes available from input for encoding.
820     * @param context
821     *            the context to be used
822     */
823    @Override
824    void encode(final byte[] in, int inPos, final int inAvail, final Context context) {
825        if (context.eof) {
826            return;
827        }
828        // inAvail < 0 is how we're informed of EOF in the underlying data we're
829        // encoding.
830        if (inAvail < 0) {
831            context.eof = true;
832            if (0 == context.modulus && lineLength == 0) {
833                return; // no leftovers to process and not using chunking
834            }
835            final byte[] buffer = ensureBufferSize(encodeSize, context);
836            final int savedPos = context.pos;
837            switch (context.modulus) { // 0-2
838                case 0 : // nothing to do here
839                    break;
840                case 1 : // 8 bits = 6 + 2
841                    // top 6 bits:
842                    buffer[context.pos++] = encodeTable[context.ibitWorkArea >> 2 & MASK_6_BITS];
843                    // remaining 2:
844                    buffer[context.pos++] = encodeTable[context.ibitWorkArea << 4 & MASK_6_BITS];
845                    // URL-SAFE skips the padding to further reduce size.
846                    if (encodeTable == STANDARD_ENCODE_TABLE) {
847                        buffer[context.pos++] = pad;
848                        buffer[context.pos++] = pad;
849                    }
850                    break;
851
852                case 2 : // 16 bits = 6 + 6 + 4
853                    buffer[context.pos++] = encodeTable[context.ibitWorkArea >> 10 & MASK_6_BITS];
854                    buffer[context.pos++] = encodeTable[context.ibitWorkArea >> 4 & MASK_6_BITS];
855                    buffer[context.pos++] = encodeTable[context.ibitWorkArea << 2 & MASK_6_BITS];
856                    // URL-SAFE skips the padding to further reduce size.
857                    if (encodeTable == STANDARD_ENCODE_TABLE) {
858                        buffer[context.pos++] = pad;
859                    }
860                    break;
861                default:
862                    throw new IllegalStateException("Impossible modulus " + context.modulus);
863            }
864            context.currentLinePos += context.pos - savedPos; // keep track of current line position
865            // if currentPos == 0 we are at the start of a line, so don't add CRLF
866            if (lineLength > 0 && context.currentLinePos > 0) {
867                System.arraycopy(lineSeparator, 0, buffer, context.pos, lineSeparator.length);
868                context.pos += lineSeparator.length;
869            }
870        } else {
871            for (int i = 0; i < inAvail; i++) {
872                final byte[] buffer = ensureBufferSize(encodeSize, context);
873                context.modulus = (context.modulus + 1) % BYTES_PER_UNENCODED_BLOCK;
874                int b = in[inPos++];
875                if (b < 0) {
876                    b += 256;
877                }
878                context.ibitWorkArea = (context.ibitWorkArea << 8) + b; // BITS_PER_BYTE
879                if (0 == context.modulus) { // 3 bytes = 24 bits = 4 * 6 bits to extract
880                    buffer[context.pos++] = encodeTable[context.ibitWorkArea >> 18 & MASK_6_BITS];
881                    buffer[context.pos++] = encodeTable[context.ibitWorkArea >> 12 & MASK_6_BITS];
882                    buffer[context.pos++] = encodeTable[context.ibitWorkArea >> 6 & MASK_6_BITS];
883                    buffer[context.pos++] = encodeTable[context.ibitWorkArea & MASK_6_BITS];
884                    context.currentLinePos += BYTES_PER_ENCODED_BLOCK;
885                    if (lineLength > 0 && lineLength <= context.currentLinePos) {
886                        System.arraycopy(lineSeparator, 0, buffer, context.pos, lineSeparator.length);
887                        context.pos += lineSeparator.length;
888                        context.currentLinePos = 0;
889                    }
890                }
891            }
892        }
893    }
894
895    /**
896     * Gets the line separator (for testing only).
897     *
898     * @return the line separator.
899     */
900    byte[] getLineSeparator() {
901        return lineSeparator;
902    }
903
904    /**
905     * Returns whether or not the {@code octet} is in the Base64 alphabet.
906     *
907     * @param octet
908     *            The value to test
909     * @return {@code true} if the value is defined in the Base64 alphabet {@code false} otherwise.
910     */
911    @Override
912    protected boolean isInAlphabet(final byte octet) {
913        return octet >= 0 && octet < decodeTable.length && decodeTable[octet] != -1;
914    }
915
916    /**
917     * Returns our current encode mode. True if we're URL-safe, false otherwise.
918     *
919     * @return true if we're in URL-safe mode, false otherwise.
920     * @since 1.4
921     */
922    public boolean isUrlSafe() {
923        return isUrlSafe;
924    }
925
926    /**
927     * Validates whether decoding the final trailing character is possible in the context
928     * of the set of possible base 64 values.
929     * <p>
930     * The character is valid if the lower bits within the provided mask are zero. This
931     * is used to test the final trailing base-64 digit is zero in the bits that will be discarded.
932     * </p>
933     *
934     * @param emptyBitsMask The mask of the lower bits that should be empty
935     * @param context the context to be used
936     * @throws IllegalArgumentException if the bits being checked contain any non-zero value
937     */
938    private void validateCharacter(final int emptyBitsMask, final Context context) {
939        if (isStrictDecoding() && (context.ibitWorkArea & emptyBitsMask) != 0) {
940            throw new IllegalArgumentException(
941                "Strict decoding: Last encoded character (before the paddings if any) is a valid " +
942                "base 64 alphabet but not a possible encoding. " +
943                "Expected the discarded bits from the character to be zero.");
944        }
945    }
946
947    /**
948     * Validates whether decoding allows an entire final trailing character that cannot be
949     * used for a complete byte.
950     *
951     * @throws IllegalArgumentException if strict decoding is enabled
952     */
953    private void validateTrailingCharacter() {
954        if (isStrictDecoding()) {
955            throw new IllegalArgumentException(
956                "Strict decoding: Last encoded character (before the paddings if any) is a valid " +
957                "base 64 alphabet but not a possible encoding. " +
958                "Decoding requires at least two trailing 6-bit characters to create bytes.");
959        }
960    }
961
962}