Merge branch 'main' into 1913-openpgp-v6-null-pointer

Author: gefeili

core/src/main/java/org/bouncycastle/pqc/crypto/lms/HSSPrivateKeyParameters.java

@@ -26,6 +26,23 @@ public class HSSPrivateKeyParameters
 
     private HSSPublicKeyParameters publicKey;
 
+    public HSSPrivateKeyParameters(LMSPrivateKeyParameters key, long index, long indexLimit)
+    {
+        super(true);
+
+        this.l = 1;
+        this.keys = Collections.singletonList(key);
+        this.sig = Collections.emptyList();
+        this.index = index;
+        this.indexLimit = indexLimit;
+        this.isShard = false;
+
+        //
+        // Correct Intermediate LMS values will be constructed during reset to index.
+        //
+        resetKeyToIndex();
+    }
+
     public HSSPrivateKeyParameters(int l, List<LMSPrivateKeyParameters> keys, List<LMSSignature> sig, long index, long indexLimit)
     {
         super(true);
@@ -104,7 +121,16 @@ else if (src instanceof byte[])
             try // 1.5 / 1.6 compatibility
             {
                 in = new DataInputStream(new ByteArrayInputStream((byte[])src));
-                return getInstance(in);
+                try
+                {
+                    return getInstance(in);
+                }
+                catch (Exception e)
+                {
+                    // old style single LMS key.
+                    LMSPrivateKeyParameters lmsKey = LMSPrivateKeyParameters.getInstance(src);
+                    return new HSSPrivateKeyParameters(lmsKey, lmsKey.getIndex(), lmsKey.getIndex() + lmsKey.getUsagesRemaining());
+                }
             }
             finally
             {

core/src/main/java/org/bouncycastle/pqc/crypto/util/PrivateKeyFactory.java

@@ -43,7 +43,6 @@
 import org.bouncycastle.pqc.crypto.hqc.HQCParameters;
 import org.bouncycastle.pqc.crypto.hqc.HQCPrivateKeyParameters;
 import org.bouncycastle.pqc.crypto.lms.HSSPrivateKeyParameters;
-import org.bouncycastle.pqc.crypto.lms.LMSPrivateKeyParameters;
 import org.bouncycastle.pqc.crypto.mldsa.MLDSAParameters;
 import org.bouncycastle.pqc.crypto.mldsa.MLDSAPrivateKeyParameters;
 import org.bouncycastle.pqc.crypto.mldsa.MLDSAPublicKeyParameters;
@@ -158,26 +157,13 @@ else if (algOID.equals(PKCSObjectIdentifiers.id_alg_hss_lms_hashsig))
             byte[] keyEnc = lmsKey.getOctets();
             ASN1BitString pubKey = keyInfo.getPublicKeyData();
 
-            if (Pack.bigEndianToInt(keyEnc, 0) == 1)
+            if (pubKey != null)
             {
-                if (pubKey != null)
-                {
-                    byte[] pubEnc = pubKey.getOctets();
-
-                    return LMSPrivateKeyParameters.getInstance(Arrays.copyOfRange(keyEnc, 4, keyEnc.length), Arrays.copyOfRange(pubEnc, 4, pubEnc.length));
-                }
-                return LMSPrivateKeyParameters.getInstance(Arrays.copyOfRange(keyEnc, 4, keyEnc.length));
-            }
-            else
-            {
-                if (pubKey != null)
-                {
-                    byte[] pubEnc = pubKey.getOctets();
+                byte[] pubEnc = pubKey.getOctets();
 
-                    return HSSPrivateKeyParameters.getInstance(Arrays.copyOfRange(keyEnc, 4, keyEnc.length), pubEnc);
-                }
-                return HSSPrivateKeyParameters.getInstance(Arrays.copyOfRange(keyEnc, 4, keyEnc.length));
+                return HSSPrivateKeyParameters.getInstance(Arrays.copyOfRange(keyEnc, 4, keyEnc.length), pubEnc);
             }
+            return HSSPrivateKeyParameters.getInstance(Arrays.copyOfRange(keyEnc, 4, keyEnc.length));
         }
         else if (algOID.on(BCObjectIdentifiers.sphincsPlus) || algOID.on(BCObjectIdentifiers.sphincsPlus_interop))
         {

core/src/main/java/org/bouncycastle/pqc/crypto/util/PublicKeyFactory.java

@@ -40,7 +40,6 @@
 import org.bouncycastle.pqc.crypto.hqc.HQCPublicKeyParameters;
 import org.bouncycastle.pqc.crypto.lms.HSSPublicKeyParameters;
 import org.bouncycastle.pqc.crypto.lms.LMSKeyParameters;
-import org.bouncycastle.pqc.crypto.lms.LMSPublicKeyParameters;
 import org.bouncycastle.pqc.crypto.mldsa.MLDSAParameters;
 import org.bouncycastle.pqc.crypto.mldsa.MLDSAPublicKeyParameters;
 import org.bouncycastle.pqc.crypto.mlkem.MLKEMParameters;
@@ -452,19 +451,11 @@ AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Obje
         private LMSKeyParameters getLmsKeyParameters(byte[] keyEnc)
             throws IOException
         {
-            if (Pack.bigEndianToInt(keyEnc, 0) == 1)
+            if (keyEnc.length == 64)
             {
-                return LMSPublicKeyParameters.getInstance(Arrays.copyOfRange(keyEnc, 4, keyEnc.length));
-            }
-            else
-            {
-                // public key with extra tree height
-                if (keyEnc.length == 64)
-                {
-                    keyEnc = Arrays.copyOfRange(keyEnc, 4, keyEnc.length);
-                }
-                return HSSPublicKeyParameters.getInstance(keyEnc);
+                keyEnc = Arrays.copyOfRange(keyEnc, 4, keyEnc.length);
             }
+            return HSSPublicKeyParameters.getInstance(keyEnc);
         }
     }
 

core/src/main/java/org/bouncycastle/pqc/math/ntru/Polynomial.java

@@ -147,28 +147,33 @@ public byte[] s3ToBytes(int messageSize)
 
     public void s3ToBytes(byte[] msg, int msgOff)
     {
-        byte c;
+        int degree = params.packDegree(), limit = degree - 5;
 
-        for (int i = 0; i < params.packDegree() / 5; i++)
+        int i = 0;
+        while (i <= limit)
         {
-            c = (byte)(this.coeffs[5 * i + 4] & 255);
-            c = (byte)(3 * c + this.coeffs[5 * i + 3] & 255);
-            c = (byte)(3 * c + this.coeffs[5 * i + 2] & 255);
-            c = (byte)(3 * c + this.coeffs[5 * i + 1] & 255);
-            c = (byte)(3 * c + this.coeffs[5 * i + 0] & 255);
-            msg[i + msgOff] = c;
+            int c0 = (coeffs[i + 0] & 0xFF);
+            int c1 = (coeffs[i + 1] & 0xFF) * 3;
+            int c2 = (coeffs[i + 2] & 0xFF) * 9;
+            int c3 = (coeffs[i + 3] & 0xFF) * 27;
+            int c4 = (coeffs[i + 4] & 0xFF) * 81;
+
+            msg[msgOff++] = (byte)(c0 + c1 + c2 + c3 + c4);
+            i += 5;
         }
 
-        // if 5 does not divide NTRU_N-1
-        if (params.packDegree() > (params.packDegree() / 5) * 5)
+        if (i < degree)
         {
-            int i = params.packDegree() / 5;
-            c = 0;
-            for (int j = params.packDegree() - (5 * i) - 1; j >= 0; j--)
+            int j = degree - 1;
+            int c = coeffs[j] & 0xFF;
+
+            while (--j >= i)
             {
-                c = (byte)(3 * c + this.coeffs[5 * i + j] & 255);
+                c *= 3;
+                c += coeffs[j] & 0xFF;
             }
-            msg[i + msgOff] = c;
+
+            msg[msgOff++] = (byte)c;
         }
     }
 

prov/src/main/java/org/bouncycastle/pqc/jcajce/provider/lms/BCLMSPrivateKey.java

@@ -27,7 +27,7 @@ public class BCLMSPrivateKey
     public BCLMSPrivateKey(
         LMSKeyParameters keyParams)
     {
-        this.keyParams = keyParams;
+        this.keyParams = (keyParams instanceof HSSPrivateKeyParameters) ? (HSSPrivateKeyParameters)keyParams : new HSSPrivateKeyParameters((LMSPrivateKeyParameters)keyParams, ((LMSPrivateKeyParameters)keyParams).getIndex(), ((LMSPrivateKeyParameters)keyParams).getIndex() + ((LMSPrivateKeyParameters)keyParams).getUsagesRemaining());
     }
 
     public BCLMSPrivateKey(PrivateKeyInfo keyInfo)

prov/src/main/java/org/bouncycastle/pqc/jcajce/provider/lms/BCLMSPublicKey.java

@@ -26,7 +26,7 @@ public class BCLMSPublicKey
     public BCLMSPublicKey(
         LMSKeyParameters keyParams)
     {
-        this.keyParams = keyParams;
+        this.keyParams = (keyParams instanceof HSSPublicKeyParameters) ? keyParams : new HSSPublicKeyParameters(1, (LMSPublicKeyParameters)keyParams);
     }
 
     public BCLMSPublicKey(SubjectPublicKeyInfo keyInfo)

prov/src/test/java/org/bouncycastle/pqc/jcajce/provider/test/LMSTest.java

@@ -31,8 +31,11 @@
 public class LMSTest
     extends TestCase
 {
-    private static final byte[] nestedPublicKey = Base64.decode("MFAwDQYLKoZIhvcNAQkQAxEDPwAEPAAAAAEAAAAFAAAAARmSUd5GHVvFNVl0JBcv+GJX8+FaUrz1mNrCHGZ1z8c4j9kgSBhaEYlu+//bc2yOhQ==");
-    private static final byte[] nestedPrivateKey = Base64.decode("MIGhAgEBMA0GCyqGSIb3DQEJEAMRBE4ETAAAAAEAAAAAAAAABQAAAAEZklHeRh1bxTVZdCQXL/hiAAAAAAAAACAAAAAgXs4Bdu2gpyoEccTNWwAA81qLeSqn2yW+LWYVAi2hadyBPQAAAAABAAAABQAAAAEZklHeRh1bxTVZdCQXL/hiV/PhWlK89Zjawhxmdc/HOI/ZIEgYWhGJbvv/23NsjoU=");
+    private static final byte[] nestedPublicKey = Base64.decode("MFAwDQYLKoZIhvcNAQkQAxEDPwAEPAAAAAEAAAAFAAAAAa3sRFhG3xQtT/xfuJJswgV80jvx/sFlYxteNrZ0hheITiUL/bJ8wJpphIpoSB/E9g==");
+    private static final byte[] nestedPrivateKey = Base64.decode("MIG6AgEBMA0GCyqGSIb3DQEJEAMRBGcEZQAAAAEAAAAAAAAAAQAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAUAAAABrexEWEbfFC1P/F+4kmzCBQAAAAAAAAAgAAAAIO01yI+Hj7eX+P2clcPDW0SzllJ4uzQt1JenbcllHpQngT0AAAAAAQAAAAUAAAABrexEWEbfFC1P/F+4kmzCBXzSO/H+wWVjG142tnSGF4hOJQv9snzAmmmEimhIH8T2");
+
+    private static byte[] lmsPublicEnc = Base64.decode("MFAwDQYLKoZIhvcNAQkQAxEDPwAEPAAAAAEAAAAFAAAAAXjGRFXZMjGgOKA/sHWwYWNl6eTf5nI+RcEvlnIKQHQXpxNDreZCkeFm6x9CBN4YlA==");
+    private static byte[] lmsPrivateEnc = Base64.decode("MIGhAgEBMA0GCyqGSIb3DQEJEAMRBE4ETAAAAAEAAAAAAAAABQAAAAF4xkRV2TIxoDigP7B1sGFjAAAAAAAAACAAAAAghIRA7xa5TChn4+0KIh1LvGLp14alEkmcz3m3v7kTiBeBPQAAAAABAAAABQAAAAF4xkRV2TIxoDigP7B1sGFjZenk3+ZyPkXBL5ZyCkB0F6cTQ63mQpHhZusfQgTeGJQ=");
 
     public void setUp()
     {
@@ -42,6 +45,20 @@ public void setUp()
         }
     }
 
+    public void testLmsOldKeyEncoding()
+        throws Exception
+    {
+        PKCS8EncodedKeySpec lmsPrivateKeySpec = new PKCS8EncodedKeySpec(lmsPrivateEnc);
+        X509EncodedKeySpec lmsPublicKeySpec = new X509EncodedKeySpec(lmsPublicEnc);
+
+        KeyFactory kFact = KeyFactory.getInstance("LMS", "BC");
+
+        PrivateKey lmsPrivateKey = kFact.generatePrivate(lmsPrivateKeySpec);
+        PublicKey lmsPublicKey = kFact.generatePublic(lmsPublicKeySpec);
+
+        trySigning(new KeyPair(lmsPublicKey, lmsPrivateKey));
+    }
+
     public void testKeyPairGenerators()
         throws Exception
     {
@@ -89,7 +106,6 @@ private void trySigning(KeyPair keyPair)
     public void testKeyEncoding()
         throws Exception
     {
-
         KeyFactory kf = KeyFactory.getInstance("LMS", "BC");
 
         PublicKey oldLmsPub = kf.generatePublic(new X509EncodedKeySpec(nestedPublicKey));
@@ -124,7 +140,7 @@ public void testKeyFactoryLMSKey()
 
         PublicKey pub1 = kFact.generatePublic(x509KeySpec);
 
-        assertEquals(kp.getPublic(), pub1);
+        assertTrue(Arrays.areEqual(kp.getPublic().getEncoded(), pub1.getEncoded()));
 
         PKCS8EncodedKeySpec pkcs8KeySpec = new PKCS8EncodedKeySpec(kp.getPrivate().getEncoded());