Merge branch 'main' into 1958-aead-parameters

# Conflicts:
#	core/src/test/java/org/bouncycastle/crypto/test/CipherTest.java

Author: dghgit

core/src/main/java/org/bouncycastle/crypto/agreement/ecjpake/ECJPAKECurve.java

@@ -19,11 +19,6 @@
 public class ECJPAKECurve
 {
     private final ECCurve.Fp curve;
-    private final BigInteger a;
-    private final BigInteger b;
-    private final BigInteger q;
-    private final BigInteger h;
-    private final BigInteger n;
     private final ECPoint g;
 
     /**
@@ -54,116 +49,123 @@ public class ECJPAKECurve
      * @throws NullPointerException     if any argument is null
      * @throws IllegalArgumentException if any of the above validations fail
      */
-    public ECJPAKECurve(BigInteger a, BigInteger b, BigInteger q, BigInteger h, BigInteger n, ECPoint g, ECCurve.Fp curve)
+    public ECJPAKECurve(BigInteger q, BigInteger a, BigInteger b, BigInteger n, BigInteger h, BigInteger g_x, BigInteger g_y)
     {
+        ECJPAKEUtil.validateNotNull(a, "a");
+        ECJPAKEUtil.validateNotNull(b, "b");
+        ECJPAKEUtil.validateNotNull(q, "q");
+        ECJPAKEUtil.validateNotNull(n, "n");
+        ECJPAKEUtil.validateNotNull(h, "h");
+        ECJPAKEUtil.validateNotNull(g_x, "g_x");
+        ECJPAKEUtil.validateNotNull(g_y, "g_y");
+
         /*
          * Don't skip the checks on user-specified groups.
          */
-        this(a, b, q, h, n, g, curve, false);
+        
+        /*
+         * Note that these checks do not guarantee that n and q are prime.
+         * We just have reasonable certainty that they are prime.
+         */
+        if (!q.isProbablePrime(20))
+        {
+            throw new IllegalArgumentException("Field size q must be prime");
+        }
+
+        if (a.compareTo(BigInteger.ZERO) < 0 || a.compareTo(q) >= 0)
+        {
+            throw new IllegalArgumentException("The parameter 'a' is not in the field [0, q-1]");
+        }
+
+        if (b.compareTo(BigInteger.ZERO) < 0 || b.compareTo(q) >= 0)
+        {
+            throw new IllegalArgumentException("The parameter 'b' is not in the field [0, q-1]");
+        }
+
+        BigInteger d = calculateDeterminant(q, a, b);
+        if (d.equals(BigInteger.ZERO))
+        {
+            throw new IllegalArgumentException("The curve is singular, i.e the discriminant is equal to 0 mod q.");
+        }
+
+        if (!n.isProbablePrime(20))
+        {
+            throw new IllegalArgumentException("The order n must be prime");
+        }
+
+        /*
+         * TODO It's expensive to calculate the actual total number of points. Probably the best that could be done is
+         * checking that the point count is within the Hasse bound?
+         */
+//        BigInteger totalPoints = n.multiply(h);
+
+        ECCurve.Fp curve = new ECCurve.Fp(q, a, b, n, h);
+        ECPoint g = curve.createPoint(g_x, g_y);
+
+        if (!g.isValid())
+        {
+            throw new IllegalArgumentException("The base point G does not lie on the curve.");
+        }
+
+        this.curve = curve;
+        this.g = g;
     }
 
     /**
      * Internal package-private constructor used by the pre-approved
      * groups in {@link ECJPAKECurves}.
      * These pre-approved curves can avoid the expensive checks.
      */
-    ECJPAKECurve(BigInteger a, BigInteger b, BigInteger q, BigInteger h, BigInteger n, ECPoint g, ECCurve.Fp curve, boolean skipChecks)
+    ECJPAKECurve(ECCurve.Fp curve, ECPoint g)
     {
-        ECJPAKEUtil.validateNotNull(a, "a");
-        ECJPAKEUtil.validateNotNull(b, "b");
-        ECJPAKEUtil.validateNotNull(q, "q");
-        ECJPAKEUtil.validateNotNull(h, "h");
-        ECJPAKEUtil.validateNotNull(n, "n");
-        ECJPAKEUtil.validateNotNull(g, "g");
         ECJPAKEUtil.validateNotNull(curve, "curve");
+        ECJPAKEUtil.validateNotNull(g, "g");
+        ECJPAKEUtil.validateNotNull(curve.getOrder(), "n");
+        ECJPAKEUtil.validateNotNull(curve.getCofactor(), "h");
 
-        if (!skipChecks)
-        {
+        this.curve = curve;
+        this.g = g;
+    }
 
-            /*
-             * Note that these checks do not guarantee that n and q are prime.
-             * We just have reasonable certainty that they are prime.
-             */
-            if (!q.isProbablePrime(20))
-            {
-                throw new IllegalArgumentException("Field size q must be prime");
-            }
-
-            if (!n.isProbablePrime(20))
-            {
-                throw new IllegalArgumentException("The order n must be prime");
-            }
-
-            if ((a.pow(3).multiply(BigInteger.valueOf(4)).add(b.pow(2).multiply(BigInteger.valueOf(27))).mod(q)) == BigInteger.valueOf(0))
-            {
-                throw new IllegalArgumentException("The curve is singular, i.e the discriminant is equal to 0 mod q.");
-            }
-
-            if (!g.isValid())
-            {
-                throw new IllegalArgumentException("The base point G does not lie on the curve.");
-            }
-
-            BigInteger totalPoints = n.multiply(h);
-            if (!totalPoints.equals(curve.getOrder()))
-            {
-                throw new IllegalArgumentException("n is not equal to the order of your curve");
-            }
-
-            if (a.compareTo(BigInteger.ZERO) == -1 || a.compareTo(q.subtract(BigInteger.ONE)) == 1)
-            {
-                throw new IllegalArgumentException("The parameter 'a' is not in the field [0, q-1]");
-            }
-
-            if (b.compareTo(BigInteger.ZERO) == -1 || b.compareTo(q.subtract(BigInteger.ONE)) == 1)
-            {
-                throw new IllegalArgumentException("The parameter 'b' is not in the field [0, q-1]");
-            }
-        }
+    public ECCurve.Fp getCurve()
+    {
+        return curve;
+    }
 
-        this.a = a;
-        this.b = b;
-        this.h = h;
-        this.n = n;
-        this.q = q;
-        this.g = g;
-        this.curve = curve;
+    public ECPoint getG()
+    {
+        return g;
     }
 
     public BigInteger getA()
     {
-        return a;
+        return curve.getA().toBigInteger();
     }
 
     public BigInteger getB()
     {
-        return b;
+        return curve.getB().toBigInteger();
     }
 
     public BigInteger getN()
     {
-        return n;
+        return curve.getOrder();
     }
 
     public BigInteger getH()
     {
-        return h;
+        return curve.getCofactor();
     }
 
     public BigInteger getQ()
     {
-        return q;
+        return curve.getQ();
     }
 
-    public ECPoint getG()
+    private static BigInteger calculateDeterminant(BigInteger q, BigInteger a, BigInteger b)
     {
-        return g;
+        BigInteger a3x4 = a.multiply(a).mod(q).multiply(a).mod(q).shiftLeft(2);
+        BigInteger b2x27 = b.multiply(b).mod(q).multiply(BigInteger.valueOf(27));
+        return a3x4.add(b2x27).mod(q);
     }
-
-    public ECCurve.Fp getCurve()
-    {
-        return curve;
-    }
-
-
 }

core/src/main/java/org/bouncycastle/crypto/agreement/ecjpake/ECJPAKECurves.java

@@ -1,9 +1,8 @@
 package org.bouncycastle.crypto.agreement.ecjpake;
 
-import java.math.BigInteger;
-
+import org.bouncycastle.asn1.nist.NISTNamedCurves;
+import org.bouncycastle.asn1.x9.X9ECParameters;
 import org.bouncycastle.math.ec.ECCurve;
-import org.bouncycastle.math.ec.ECPoint;
 
 /**
  * Standard pre-computed elliptic curves for use by EC J-PAKE.
@@ -18,87 +17,33 @@
  */
 public class ECJPAKECurves
 {
-
     /**
      * From NIST.
      * 128-bit security.
      */
     public static final ECJPAKECurve NIST_P256;
 
-    static
-    {
-        //a
-        BigInteger a_p256 = new BigInteger("ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", 16);
-        //b
-        BigInteger b_p256 = new BigInteger("5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", 16);
-        //q
-        BigInteger q_p256 = new BigInteger("ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", 16);
-        //h
-        BigInteger h_p256 = BigInteger.ONE;
-        //n
-        BigInteger n_p256 = new BigInteger("ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", 16);
-        //g
-        ECCurve.Fp curve_p256 = new ECCurve.Fp(q_p256, a_p256, b_p256, n_p256, h_p256);
-        ECPoint g_p256 = curve_p256.createPoint(
-            new BigInteger("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", 16),
-            new BigInteger("4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", 16));
-
-        NIST_P256 = new ECJPAKECurve(a_p256, b_p256, q_p256, h_p256, n_p256, g_p256, curve_p256, true);
-    }
-
     /**
      * From NIST.
      * 192-bit security.
      */
     public static final ECJPAKECurve NIST_P384;
 
-    static
-    {
-        //a
-        BigInteger a_p384 = new BigInteger("fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc", 16);
-        //b
-        BigInteger b_p384 = new BigInteger("b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef", 16);
-        //q
-        BigInteger q_p384 = new BigInteger("fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff", 16);
-        //h
-        BigInteger h_p384 = BigInteger.ONE;
-        //n
-        BigInteger n_p384 = new BigInteger("ffffffffffffffffffffffffffffffffc7634d81581a0db248b0a77aecec196accc52973", 16);
-        //g
-        ECCurve.Fp curve_p384 = new ECCurve.Fp(q_p384, a_p384, b_p384, n_p384, h_p384);
-        ECPoint g_p384 = curve_p384.createPoint(
-            new BigInteger("aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7", 16),
-            new BigInteger("3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f", 16));
-
-        NIST_P384 = new ECJPAKECurve(a_p384, b_p384, q_p384, h_p384, n_p384, g_p384, curve_p384, true);
-    }
-
     /**
      * From NIST.
-     * 128-bit security.
+     * 256-bit security.
      */
     public static final ECJPAKECurve NIST_P521;
 
     static
     {
-        //a
-        BigInteger a_p521 = new BigInteger("fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc", 16);
-        //b
-        BigInteger b_p521 = new BigInteger("b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef", 16);
-        //q
-        BigInteger q_p521 = new BigInteger("fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff", 16);
-        //h
-        BigInteger h_p521 = BigInteger.ONE;
-        //n
-        BigInteger n_p521 = new BigInteger("ffffffffffffffffffffffffffffffffc7634d81581a0db248b0a77aecec196accc52973", 16);
-        //g
-        ECCurve.Fp curve_p521 = new ECCurve.Fp(q_p521, a_p521, b_p521, n_p521, h_p521);
-        ECPoint g_p521 = curve_p521.createPoint(
-            new BigInteger("aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7", 16),
-            new BigInteger("3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f", 16));
-
-        NIST_P521 = new ECJPAKECurve(a_p521, b_p521, q_p521, h_p521, n_p521, g_p521, curve_p521, true);
+        NIST_P256 = fromX9ECParameters(NISTNamedCurves.getByName("P-256"));
+        NIST_P384 = fromX9ECParameters(NISTNamedCurves.getByName("P-384"));
+        NIST_P521 = fromX9ECParameters(NISTNamedCurves.getByName("P-521"));
     }
 
-
+    private static ECJPAKECurve fromX9ECParameters(X9ECParameters x9)
+    {
+        return new ECJPAKECurve((ECCurve.Fp)x9.getCurve(), x9.getG());
+    }
 }

core/src/main/java/org/bouncycastle/crypto/examples/ECJPAKEExample.java

@@ -39,7 +39,7 @@ public static void main(String args[])
          */
         ECJPAKECurve curve = ECJPAKECurves.NIST_P256;
 
-        ECCurve ecCurve = curve.getCurve();
+//        ECCurve ecCurve = curve.getCurve();
         BigInteger a = curve.getA();
         BigInteger b = curve.getB();
         ECPoint g = curve.getG();