Initial implementation of OpenPGP EdDSA and usage of the Curve25519 in ECDH.

filipnavara · filipnavara · commit 9f98858fb3ea · 2020-12-04T11:35:53.000+01:00
diff --git a/crypto/src/asn1/gnu/GNUObjectIdentifiers.cs b/crypto/src/asn1/gnu/GNUObjectIdentifiers.cs
@@ -28,9 +28,9 @@ public abstract class GnuObjectIdentifiers
 		public static readonly DerObjectIdentifier Crc					= new DerObjectIdentifier("1.3.6.1.4.1.11591.14"); // CRC algorithms
 		public static readonly DerObjectIdentifier Crc32				= new DerObjectIdentifier("1.3.6.1.4.1.11591.14.1"); // CRC 32
 
-        /** 1.3.6.1.4.1.11591.15 - ellipticCurve */
-        public static readonly DerObjectIdentifier EllipticCurve = new DerObjectIdentifier("1.3.6.1.4.1.11591.15");
+		/** 1.3.6.1.4.1.11591.15 - ellipticCurve */
+		public static readonly DerObjectIdentifier EllipticCurve = new DerObjectIdentifier("1.3.6.1.4.1.11591.15");
 
-        public static readonly DerObjectIdentifier Ed25519   = EllipticCurve.Branch("1");
+		public static readonly DerObjectIdentifier Ed25519   = EllipticCurve.Branch("1");
 	}
 }
diff --git a/crypto/src/asn1/misc/MiscObjectIdentifiers.cs b/crypto/src/asn1/misc/MiscObjectIdentifiers.cs
@@ -74,6 +74,9 @@ public abstract class MiscObjectIdentifiers
         public static readonly DerObjectIdentifier cryptlib_algorithm_blowfish_CFB = cryptlib_algorithm.Branch("1.3");
         public static readonly DerObjectIdentifier cryptlib_algorithm_blowfish_OFB = cryptlib_algorithm.Branch("1.4");
 
+        // OpenPGP (draft-ietf-openpgp-rfc4880bis-10)
+        public static readonly DerObjectIdentifier Curve25519 = cryptlib_algorithm.Branch("5.1");
+
         //
         // Blake2b
         //
diff --git a/crypto/src/bcpg/PublicKeyPacket.cs b/crypto/src/bcpg/PublicKeyPacket.cs
@@ -48,6 +48,7 @@ internal PublicKeyPacket(
                     key = new ECDHPublicBcpgKey(bcpgIn);
                     break;
                 case PublicKeyAlgorithmTag.ECDsa:
+                case PublicKeyAlgorithmTag.EdDsa:
                     key = new ECDsaPublicBcpgKey(bcpgIn);
                     break;
                 default:
diff --git a/crypto/src/bcpg/SignaturePacket.cs b/crypto/src/bcpg/SignaturePacket.cs
@@ -147,6 +147,7 @@ internal SignaturePacket(
 					signature = new MPInteger[]{ p, g, y };
                     break;
                 case PublicKeyAlgorithmTag.ECDsa:
+                case PublicKeyAlgorithmTag.EdDsa:
                     MPInteger ecR = new MPInteger(bcpgIn);
                     MPInteger ecS = new MPInteger(bcpgIn);
                     signature = new MPInteger[]{ ecR, ecS };
diff --git a/crypto/src/crypto/ec/CustomNamedCurves.cs b/crypto/src/crypto/ec/CustomNamedCurves.cs
@@ -3,6 +3,8 @@
 
 using Org.BouncyCastle.Asn1;
 using Org.BouncyCastle.Asn1.GM;
+using Org.BouncyCastle.Asn1.Gnu;
+using Org.BouncyCastle.Asn1.Misc;
 using Org.BouncyCastle.Asn1.Sec;
 using Org.BouncyCastle.Asn1.X9;
 using Org.BouncyCastle.Math;
@@ -789,7 +791,8 @@ private static void DefineCurveAlias(string name, DerObjectIdentifier oid)
 
         static CustomNamedCurves()
         {
-            DefineCurve("curve25519", Curve25519Holder.Instance);
+            DefineCurveWithOid("ed25519", GnuObjectIdentifiers.Ed25519, Curve25519Holder.Instance);
+            DefineCurveWithOid("curve25519", MiscObjectIdentifiers.Curve25519, Curve25519Holder.Instance);
 
             //DefineCurveWithOid("secp112r1", SecObjectIdentifiers.SecP112r1, SecP112R1Holder.Instance);
             //DefineCurveWithOid("secp112r2", SecObjectIdentifiers.SecP112r2, SecP112R2Holder.Instance);
diff --git a/crypto/src/crypto/signers/EdDsa255519Signer.cs b/crypto/src/crypto/signers/EdDsa255519Signer.cs
@@ -0,0 +1,47 @@
+using System;
+
+using Org.BouncyCastle.Math;
+
+namespace Org.BouncyCastle.Crypto.Signers
+{
+	public class EdDsa22519Signer : IDsa
+	{
+		private Ed25519Signer signer;
+
+		public virtual string AlgorithmName => "EDDSA";
+
+		public EdDsa22519Signer()
+		{
+			signer = new Ed25519Signer();
+		}
+
+		public virtual void Init(bool forSigning, ICipherParameters parameters)
+		{
+			signer.Init(forSigning, parameters);
+		}
+
+		public virtual BigInteger[] GenerateSignature(byte[] message)
+		{
+			signer.BlockUpdate(message, 0, message.Length);
+			byte[] sigBytes = signer.GenerateSignature();
+			byte[] rBytes = new byte[32];
+			Array.Copy(sigBytes, rBytes, 32);
+			byte[] sBytes = new byte[sigBytes.Length - 32];
+			Array.Copy(sigBytes, 32, sBytes, 0, sigBytes.Length - 32);
+			BigInteger r = new BigInteger(1, rBytes);
+			BigInteger s = new BigInteger(1, sBytes);
+			return new BigInteger[2] { r, s };
+		}
+
+		public virtual bool VerifySignature(byte[] message, BigInteger r, BigInteger s)
+		{
+			signer.BlockUpdate(message, 0, message.Length);
+			byte[] rBytes = r.ToByteArrayUnsigned();
+			byte[] sBytes = s.ToByteArrayUnsigned();
+			byte[] sigBytes = new byte[rBytes.Length + sBytes.Length];
+			Array.Copy(rBytes, sigBytes, rBytes.Length);
+			Array.Copy(sBytes, 0, sigBytes, rBytes.Length, sBytes.Length);
+			return signer.VerifySignature(sigBytes);
+		}
+	}
+}
diff --git a/crypto/src/openpgp/PgpEncryptedDataGenerator.cs b/crypto/src/openpgp/PgpEncryptedDataGenerator.cs
@@ -3,13 +3,15 @@
 using System.Diagnostics;
 using System.IO;
 
+using Org.BouncyCastle.Asn1.Misc;
 using Org.BouncyCastle.Asn1.X9;
 using Org.BouncyCastle.Crypto;
 using Org.BouncyCastle.Crypto.IO;
 using Org.BouncyCastle.Crypto.Generators;
 using Org.BouncyCastle.Crypto.Parameters;
 using Org.BouncyCastle.Math;
 using Org.BouncyCastle.Math.EC;
+using Org.BouncyCastle.Math.EC.Rfc7748;
 using Org.BouncyCastle.Security;
 using Org.BouncyCastle.Utilities;
 
@@ -105,7 +107,7 @@ private byte[] EncryptSessionInfo(byte[] sessionInfo, SecureRandom random)
                 if (pubKey.Algorithm != PublicKeyAlgorithmTag.ECDH)
                 {
                     IBufferedCipher c;
-				    switch (pubKey.Algorithm)
+                    switch (pubKey.Algorithm)
                     {
                         case PublicKeyAlgorithmTag.RsaEncrypt:
                         case PublicKeyAlgorithmTag.RsaGeneral:
@@ -119,37 +121,57 @@ private byte[] EncryptSessionInfo(byte[] sessionInfo, SecureRandom random)
                             throw new PgpException("Can't use DSA for encryption.");
                         case PublicKeyAlgorithmTag.ECDsa:
                             throw new PgpException("Can't use ECDSA for encryption.");
+                        case PublicKeyAlgorithmTag.EdDsa:
+                            throw new PgpException("Can't use EdDSA for encryption.");
                         default:
                             throw new PgpException("unknown asymmetric algorithm: " + pubKey.Algorithm);
                     }
 
                     AsymmetricKeyParameter akp = pubKey.GetKey();
-				    c.Init(true, new ParametersWithRandom(akp, random));
+                    c.Init(true, new ParametersWithRandom(akp, random));
                     return c.DoFinal(sessionInfo);
                 }
 
                 ECDHPublicBcpgKey ecKey = (ECDHPublicBcpgKey)pubKey.PublicKeyPacket.Key;
+                KeyParameter key;
+                byte[] encodedPublicKey;
 
-                // Generate the ephemeral key pair
-                IAsymmetricCipherKeyPairGenerator gen = GeneratorUtilities.GetKeyPairGenerator("ECDH");
-                gen.Init(new ECKeyGenerationParameters(ecKey.CurveOid, random));
+                if (ecKey.CurveOid.Id.Equals(MiscObjectIdentifiers.Curve25519.Id))
+                {
+                    byte[] privateKey = new byte[X25519.PointSize];
+                    X25519.GeneratePrivateKey(random, privateKey);
+                    byte[] sharedKey = new byte[32];
+                    X25519.CalculateAgreement(privateKey, 0, BigIntegers.AsUnsignedByteArray(ecKey.EncodedPoint), 1, sharedKey, 0);
+                    byte[] publicKey = new byte[X25519.PointSize + 1];
+                    publicKey[0] = 0x40; // compressed point
+                    X25519.GeneratePublicKey(privateKey, 0, publicKey, 1);
+                    encodedPublicKey = publicKey;
+                    key = new KeyParameter(Rfc6637Utilities.CreateKey(pubKey.PublicKeyPacket, sharedKey));
+                }
+                else
+                {
+                    // Generate the ephemeral key pair
+                    IAsymmetricCipherKeyPairGenerator gen = GeneratorUtilities.GetKeyPairGenerator("ECDH");
+                    gen.Init(new ECKeyGenerationParameters(ecKey.CurveOid, random));
 
-                AsymmetricCipherKeyPair ephKp = gen.GenerateKeyPair();
-                ECPrivateKeyParameters ephPriv = (ECPrivateKeyParameters)ephKp.Private;
-                ECPublicKeyParameters ephPub = (ECPublicKeyParameters)ephKp.Public;
+                    AsymmetricCipherKeyPair ephKp = gen.GenerateKeyPair();
+                    ECPrivateKeyParameters ephPriv = (ECPrivateKeyParameters)ephKp.Private;
+                    ECPublicKeyParameters ephPub = (ECPublicKeyParameters)ephKp.Public;
 
-                ECPublicKeyParameters pub = (ECPublicKeyParameters)pubKey.GetKey();
-                ECPoint S = pub.Q.Multiply(ephPriv.D).Normalize();
+                    ECPublicKeyParameters pub = (ECPublicKeyParameters)pubKey.GetKey();
+                    ECPoint S = pub.Q.Multiply(ephPriv.D).Normalize();
 
-                KeyParameter key = new KeyParameter(Rfc6637Utilities.CreateKey(pubKey.PublicKeyPacket, S));
+                    key = new KeyParameter(Rfc6637Utilities.CreateKey(pubKey.PublicKeyPacket, S));
+                    encodedPublicKey = ephPub.Q.GetEncoded(false);
+                }
 
                 IWrapper w = PgpUtilities.CreateWrapper(ecKey.SymmetricKeyAlgorithm);
                 w.Init(true, new ParametersWithRandom(key, random));
 
                 byte[] paddedSessionData = PgpPad.PadSessionData(sessionInfo, sessionKeyObfuscation);
 
                 byte[] C = w.Wrap(paddedSessionData, 0, paddedSessionData.Length);
-                byte[] VB = new MPInteger(new BigInteger(1, ephPub.Q.GetEncoded(false))).GetEncoded();
+                byte[] VB = new MPInteger(new BigInteger(1, encodedPublicKey)).GetEncoded();
 
                 byte[] rv = new byte[VB.Length + 1 + C.Length];
 
diff --git a/crypto/src/openpgp/PgpPublicKey.cs b/crypto/src/openpgp/PgpPublicKey.cs
@@ -1,7 +1,7 @@
 using System;
 using System.Collections;
 using System.IO;
-
+using Org.BouncyCastle.Asn1.Misc;
 using Org.BouncyCastle.Asn1.Sec;
 using Org.BouncyCastle.Asn1.X9;
 using Org.BouncyCastle.Crypto;
@@ -177,6 +177,10 @@ public PgpPublicKey(
                 {
                     bcpgKey = new ECDsaPublicBcpgKey(ecK.PublicKeyParamSet, ecK.Q);
                 }
+                else if (algorithm == PublicKeyAlgorithmTag.EdDsa)
+                {
+                    bcpgKey = new ECDsaPublicBcpgKey(ecK.PublicKeyParamSet, ecK.Q);
+                }
                 else
                 {
                     throw new PgpException("unknown EC algorithm");
@@ -495,7 +499,12 @@ public AsymmetricKeyParameter GetKey()
                     case PublicKeyAlgorithmTag.ECDsa:
                         return GetECKey("ECDSA");
                     case PublicKeyAlgorithmTag.ECDH:
-                        return GetECKey("ECDH");
+                        if (((ECPublicBcpgKey)publicPk.Key).CurveOid.Id.Equals(MiscObjectIdentifiers.Curve25519.Id))
+                            return new X25519PublicKeyParameters(((ECPublicBcpgKey)publicPk.Key).EncodedPoint.ToByteArrayUnsigned(), 0);
+                        else
+                            return GetECKey("ECDH");
+                    case PublicKeyAlgorithmTag.EdDsa:
+                        return new Ed25519PublicKeyParameters(((ECPublicBcpgKey)publicPk.Key).EncodedPoint.ToByteArrayUnsigned(), 1);
                     case PublicKeyAlgorithmTag.ElGamalEncrypt:
                     case PublicKeyAlgorithmTag.ElGamalGeneral:
                         ElGamalPublicBcpgKey elK = (ElGamalPublicBcpgKey)publicPk.Key;
diff --git a/crypto/src/openpgp/PgpPublicKeyEncryptedData.cs b/crypto/src/openpgp/PgpPublicKeyEncryptedData.cs
@@ -8,8 +8,11 @@
 using Org.BouncyCastle.Crypto.Parameters;
 using Org.BouncyCastle.Math;
 using Org.BouncyCastle.Math.EC;
+using Org.BouncyCastle.Math.EC.Custom.Djb;
+using Org.BouncyCastle.Math.EC.Rfc7748;
 using Org.BouncyCastle.Security;
 using Org.BouncyCastle.Utilities.IO;
+using Org.BouncyCastle.Utilities;
 
 namespace Org.BouncyCastle.Bcpg.OpenPgp
 {
@@ -210,12 +213,24 @@ private byte[] RecoverSessionData(PgpPrivateKey privKey)
                 byte[] keyEnc = new byte[keyLen];
                 Array.Copy(enc, 2 + pLen + 1, keyEnc, 0, keyEnc.Length);
 
-                ECPoint publicPoint = x9Params.Curve.DecodePoint(pEnc);
+                KeyParameter key;
 
-                ECPrivateKeyParameters privKeyParams = (ECPrivateKeyParameters)privKey.Key;
-                ECPoint S = publicPoint.Multiply(privKeyParams.D).Normalize();
-
-                KeyParameter key = new KeyParameter(Rfc6637Utilities.CreateKey(privKey.PublicKeyPacket, S));
+                if (privKey.Key is X25519PrivateKeyParameters x25519privKeyParams)
+                {
+                    byte[] sharedKey = new byte[32];
+                    byte[] reversedPrivateKey = new byte[32];
+                    x25519privKeyParams.Encode(reversedPrivateKey, 0);
+                    Array.Reverse((Array)reversedPrivateKey);
+                    X25519.ScalarMult(reversedPrivateKey, 0, pEnc, 1, sharedKey, 0);
+                    key = new KeyParameter(Rfc6637Utilities.CreateKey(privKey.PublicKeyPacket, sharedKey));
+                }
+                else
+                {
+                    ECPoint publicPoint = x9Params.Curve.DecodePoint(pEnc);
+                    ECPrivateKeyParameters privKeyParams = (ECPrivateKeyParameters)privKey.Key;
+                    ECPoint S = publicPoint.Multiply(privKeyParams.D).Normalize();
+                    key = new KeyParameter(Rfc6637Utilities.CreateKey(privKey.PublicKeyPacket, S));
+                }
 
                 IWrapper w = PgpUtilities.CreateWrapper(ecKey.SymmetricKeyAlgorithm);
                 w.Init(false, key);
diff --git a/crypto/src/openpgp/PgpSecretKey.cs b/crypto/src/openpgp/PgpSecretKey.cs
@@ -1,7 +1,7 @@
 using System;
 using System.Collections;
 using System.IO;
-
+using Org.BouncyCastle.Asn1.Misc;
 using Org.BouncyCastle.Asn1.X9;
 using Org.BouncyCastle.Crypto;
 using Org.BouncyCastle.Crypto.Generators;
@@ -674,11 +674,17 @@ internal PgpPrivateKey DoExtractPrivateKey(byte[] rawPassPhrase, bool clearPassP
                     privateKey = new DsaPrivateKeyParameters(dsaPriv.X, dsaParams);
                     break;
                 case PublicKeyAlgorithmTag.ECDH:
-                    privateKey = GetECKey("ECDH", bcpgIn);
+                    if (((ECPublicBcpgKey)secret.PublicKeyPacket.Key).CurveOid.Id.Equals(MiscObjectIdentifiers.Curve25519.Id))
+                        privateKey = new X25519PrivateKeyParameters(new ECSecretBcpgKey(bcpgIn).X.ToByteArrayUnsigned(), 0);
+                    else
+                        privateKey = GetECKey("ECDH", bcpgIn);
                     break;
                 case PublicKeyAlgorithmTag.ECDsa:
                     privateKey = GetECKey("ECDSA", bcpgIn);
                     break;
+                case PublicKeyAlgorithmTag.EdDsa:
+                    privateKey = new Ed25519PrivateKeyParameters(new ECSecretBcpgKey(bcpgIn).X.ToByteArrayUnsigned(), 0);
+                    break;
                 case PublicKeyAlgorithmTag.ElGamalEncrypt:
                 case PublicKeyAlgorithmTag.ElGamalGeneral:
                     ElGamalPublicBcpgKey elPub = (ElGamalPublicBcpgKey)pubPk.Key;
diff --git a/crypto/src/openpgp/PgpUtilities.cs b/crypto/src/openpgp/PgpUtilities.cs
@@ -95,7 +95,10 @@ public static string GetSignatureName(
                 case PublicKeyAlgorithmTag.ECDsa:
                     encAlg = "ECDSA";
                     break;
-                case PublicKeyAlgorithmTag.ElGamalEncrypt: // in some malformed cases.
+				case PublicKeyAlgorithmTag.EdDsa:
+					encAlg = "EdDSA";
+					break;
+				case PublicKeyAlgorithmTag.ElGamalEncrypt: // in some malformed cases.
 				case PublicKeyAlgorithmTag.ElGamalGeneral:
 					encAlg = "ElGamal";
 					break;
diff --git a/crypto/src/openpgp/Rfc6637Utilities.cs b/crypto/src/openpgp/Rfc6637Utilities.cs
@@ -1,4 +1,4 @@
-﻿using System;
+using System;
 using System.IO;
 
 using Org.BouncyCastle.Asn1;
@@ -70,12 +70,17 @@ public static int GetKeyLength(SymmetricKeyAlgorithmTag algID)
         public static byte[] CreateKey(PublicKeyPacket pubKeyData, ECPoint s)
         {
             byte[] userKeyingMaterial = CreateUserKeyingMaterial(pubKeyData);
-
             ECDHPublicBcpgKey ecKey = (ECDHPublicBcpgKey)pubKeyData.Key;
-
             return Kdf(ecKey.HashAlgorithm, s, GetKeyLength(ecKey.SymmetricKeyAlgorithm), userKeyingMaterial);
         }
 
+        public static byte[] CreateKey(PublicKeyPacket pubKeyData, byte[] ZB)
+        {
+            byte[] userKeyingMaterial = CreateUserKeyingMaterial(pubKeyData);
+            ECDHPublicBcpgKey ecKey = (ECDHPublicBcpgKey)pubKeyData.Key;
+            return Kdf(ecKey.HashAlgorithm, ZB, GetKeyLength(ecKey.SymmetricKeyAlgorithm), userKeyingMaterial);
+        }
+
         // RFC 6637 - Section 8
         // curve_OID_len = (byte)len(curve_OID);
         // Param = curve_OID_len || curve_OID || public_key_alg_ID || 03
@@ -118,10 +123,13 @@ public static byte[] CreateUserKeyingMaterial(PublicKeyPacket pubKeyData)
         //   return oBits leftmost bits of MB.
         private static byte[] Kdf(HashAlgorithmTag digestAlg, ECPoint s, int keyLen, byte[] parameters)
         {
-            byte[] ZB = s.XCoord.GetEncoded();
+            return Kdf(digestAlg, s.XCoord.GetEncoded(), keyLen, parameters);
+        }
 
+        private static byte[] Kdf(HashAlgorithmTag digestAlg, byte[] ZB, int keyLen, byte[] parameters)
+        {
             string digestName = PgpUtilities.GetDigestName(digestAlg);
-			IDigest digest = DigestUtilities.GetDigest(digestName);
+            IDigest digest = DigestUtilities.GetDigest(digestName);
 
             digest.Update(0x00);
             digest.Update(0x00);
diff --git a/crypto/src/security/SignerUtilities.cs b/crypto/src/security/SignerUtilities.cs
@@ -564,6 +564,13 @@ public static ISigner GetSigner(
                 return new DsaDigestSigner(new ECDsaSigner(), digest);
             }
 
+            if (Platform.EndsWith(mechanism, "WITHEDDSA"))
+            {
+                string digestName = mechanism.Substring(0, mechanism.LastIndexOf("WITH"));
+                IDigest digest = DigestUtilities.GetDigest(digestName);
+                return new DsaDigestSigner(new EdDsa22519Signer(), digest);
+            }
+
             if (Platform.EndsWith(mechanism, "withCVC-ECDSA")
                 || Platform.EndsWith(mechanism, "withPLAIN-ECDSA"))
             {

Original file line number	Diff line number	Diff line change
`@@ -28,9 +28,9 @@ public abstract class GnuObjectIdentifiers`
`28`	`28`	`public static readonly DerObjectIdentifier Crc = new DerObjectIdentifier("1.3.6.1.4.1.11591.14"); // CRC algorithms`
`29`	`29`	`public static readonly DerObjectIdentifier Crc32 = new DerObjectIdentifier("1.3.6.1.4.1.11591.14.1"); // CRC 32`
`30`	`30`
`31`		`- /** 1.3.6.1.4.1.11591.15 - ellipticCurve */`
`32`		`- public static readonly DerObjectIdentifier EllipticCurve = new DerObjectIdentifier("1.3.6.1.4.1.11591.15");`
	`31`	`+ /** 1.3.6.1.4.1.11591.15 - ellipticCurve */`
	`32`	`+ public static readonly DerObjectIdentifier EllipticCurve = new DerObjectIdentifier("1.3.6.1.4.1.11591.15");`
`33`	`33`
`34`		`- public static readonly DerObjectIdentifier Ed25519 = EllipticCurve.Branch("1");`
	`34`	`+ public static readonly DerObjectIdentifier Ed25519 = EllipticCurve.Branch("1");`
`35`	`35`	`}`
`36`	`36`	`}`