Merge remote-tracking branch 'origin/rfc-6508-sakke' into rfc-6508-sakke

# Conflicts:
#	core/src/main/java/org/bouncycastle/crypto/generators/ECCSIKeyPairGenerator.java
#	core/src/main/java/org/bouncycastle/crypto/kems/SAKKEKEMSGenerator.java
#	core/src/main/java/org/bouncycastle/crypto/params/ECCSIKeyGenerationParameters.java
#	core/src/main/java/org/bouncycastle/crypto/signers/ECCSISigner.java

Author: gefeili

HOWTO.md

@@ -0,0 +1,129 @@
+# Bouncy Castle Java API How To
+## Using Bouncy Castle with GraalVM Native Image
+### Problem: Provider Not Registered at Build Time with `UnsupportedFeatureError` Exception
+#### Error message
+```text
+Trying to verify a provider that was not registered at build time: BC version...
+```
+#### Cause:
+Bouncy Castle security provider isn't properly registered during GraalVM native image build process.
+
+### Solution 1: Static Initializer Approach (No GraalVM SDK)
+#### Step 1. Create Initializer Class 
+```java
+package com.yourpackage.crypto;  // ← Replace with your actual package
+
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import java.security.Security;
+
+public class BCInitializer {
+    static {
+        // Force provider registration during image build
+        Security.addProvider(new BouncyCastleProvider());
+    }
+}
+```
+
+#### Step 2. And then in the native-image build configuration 
+For Maven (`pom.xml`)
+```xml
+<plugin>
+    <groupId>org.graalvm.buildtools</groupId>
+    <artifactId>native-maven-plugin</artifactId>
+    <version>0.9.28</version>
+    <configuration>
+        <buildArgs>
+            <!-- Initialize Bouncy Castle and our initializer -->
+            <arg>--initialize-at-build-time=org.bouncycastle,com.yourpackage.crypto.BCInitializer</arg>
+            <!-- Required for SecureRandom components -->
+            <arg>--initialize-at-run-time=org.bouncycastle.jcajce.provider.drbg.DRBG$Default,org.bouncycastle.jcajce.provider.drbg.DRBG$NonceAndIV</arg>
+        </buildArgs>
+    </configuration>
+</plugin>
+```
+
+For Gradle (`build.gradle`),
+```gradle
+    buildArgs.add('--initialize-at-build-time=com.yourpackage.crypto.BCInitializer')
+    buildArgs.add("--initialize-at-run-time=org.bouncycastle.jcajce.provider.drbg.DRBG\$Default,org.bouncycastle.jcajce.provider.drbg.DRBG\$NonceAndIV")
+```
+# Key Configuration
+
+| Argument                        | Purpose                                                         |
+| ------------------------------- |-----------------------------------------------------------------|
+| `--initialize-at-build-time`    | Forces inclusion of BC classes and triggers static initializer. |
+| `--initialize-at-run-time`      | Solves stateful SecureRandom initialization issues.             |
+|`--enable-all-security-services`	| (optional) Enables JCE security infrastructure                  |
+
+
+### Solution 2: GraalVM Feature Approach (With SDK)
+
+#### Step 1: Create a Native Image Feature
+```java
+package com.yourpackage.crypto;  // ← Replace with your actual package
+
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.graalvm.nativeimage.hosted.Feature;
+
+import java.security.Security;
+
+/**
+ * A GraalVM Feature that registers the Bouncy Castle provider.
+ * This is required so that native image builds verify and include the provider.
+ */
+public class BouncyCastleFeature implements Feature {
+    
+    @Override
+    public void afterRegistration(AfterRegistrationAccess access) {
+        // Register the Bouncy Castle provider
+        Security.addProvider(new BouncyCastleProvider());
+    }
+}
+```
+
+#### Step 2: Configure Dependencies and Build
+##### 2.1 add dependency
+```xml
+<dependency>
+    <groupId>org.graalvm.sdk</groupId>
+    <artifactId>graal-sdk</artifactId>
+    <version>21.0.0</version> <!-- Match your GraalVM version -->
+    <scope>provided</scope>
+</dependency>
+```
+##### 2.2 add plugin
+```xml
+<plugin>
+    <groupId>org.graalvm.buildtools</groupId>
+    <artifactId>native-maven-plugin</artifactId>
+    <version>0.9.28</version>
+    <configuration>
+        <buildArgs>
+            <arg>--features=com.yourpackage.crypto.BouncyCastleFeature</arg>  <!-- replace with correct package path -->
+            <arg>--initialize-at-build-time=org.bouncycastle</arg>
+            <arg>--initialize-at-run-time=org.bouncycastle.jcajce.provider.drbg.DRBG$Default,org.bouncycastle.jcajce.provider.drbg.DRBG$NonceAndIV</arg>
+        </buildArgs>
+    </configuration>
+</plugin>
+```
+Key Configuration Explanations:
+`--features=...`
+- Registers custom feature class that adds BouncyCastle provider at build time
+- Required for JCE security provider verification
+
+### Troubleshooting
+#### Common Issues
+##### Classpath Conflicts:
+
+```text
+Error: Class-path entry contains class from image builder
+```
+Fix: Add `-H:+AllowDeprecatedBuilderClassesOnImageClasspath` (temporary) or ensure graal-sdk has provided scope
+
+##### Missing Algorithms:
+Example of the error message:
+```text
+No such algorithm: AES/CBC/PKCS5Padding
+```
+
+Fix: Verify `--initialize-at-build-time` includes `org.bouncycastle`

ant/jdk14.xml

@@ -196,8 +196,6 @@
                 <exclude name="**/TlsClientRawKeysTest.java"/>
             </fileset>
 
-            <fileset dir="tls/src/test/resources" includes="**/*.*"/>
-
             <fileset dir="core/src/test/" includes="**/*.properties"/>
             <fileset dir="prov/src/main/resources" includes="**/*.properties"/>
             <fileset dir="pkix/src/test/resources" includes="**/*.*"/>

ant/jdk15+.xml

@@ -43,7 +43,6 @@
             <fileset dir="tls/src/main/java" includes="**/*.java" />
             <fileset dir="tls/src/main/javadoc" includes="**/*.html" />
             <fileset dir="tls/src/test/java" includes="**/*.java" />
-            <fileset dir="tls/src/test/resources" includes="**/*.*" />
 
             <fileset dir="pkix/src/main/java" includes="**/*.java" />
             <fileset dir="pkix/src/main/javadoc" includes="**/*.html" />

ant/jdk18+.xml

@@ -43,7 +43,6 @@
             <fileset dir="tls/src/main/jdk1.5" includes="**/*.java" />
             <fileset dir="tls/src/main/javadoc" includes="**/*.html" />
             <fileset dir="tls/src/test/java" includes="**/*.java" />
-            <fileset dir="tls/src/test/resources" includes="**/*.*" />
 
             <fileset dir="pkix/src/main/java" includes="**/*.java" />
             <fileset dir="pkix/src/main/javadoc" includes="**/*.html" />

ci/check_java.sh

@@ -15,10 +15,12 @@ export JAVA_HOME=`openjdk_21`
 export PATH=$JAVA_HOME/bin:$PATH
 
 # Checkstyle
-./gradlew check -x test;
+./gradlew clean build check -x test;
 
 
 # OSGI scanner only, no testing
-./gradlew clean build -x test
 ./osgi_scan.sh
 
+
+# module tester
+./run_mtt.sh

core/src/main/j2me/org/bouncycastle/math/ec/ECCurve.java

@@ -593,9 +593,14 @@ protected AbstractFp(BigInteger q)
             super(FiniteFields.getPrimeField(q));
         }
 
+        public BigInteger getQ()
+        {
+            return getField().getCharacteristic();
+        }
+
         public boolean isValidFieldElement(BigInteger x)
         {
-            return x != null && x.signum() >= 0 && x.compareTo(this.getField().getCharacteristic()) < 0;
+            return x != null && x.signum() >= 0 && x.compareTo(this.getQ()) < 0;
         }
 
         public ECFieldElement randomFieldElement(SecureRandom r)
@@ -604,7 +609,7 @@ public ECFieldElement randomFieldElement(SecureRandom r)
              * NOTE: BigInteger comparisons in the rejection sampling are not constant-time, so we
              * use the product of two independent elements to mitigate side-channels.
              */
-            BigInteger p = this.getField().getCharacteristic();
+            BigInteger p = this.getQ();
             ECFieldElement fe1 = this.fromBigInteger(implRandomFieldElement(r, p));
             ECFieldElement fe2 = this.fromBigInteger(implRandomFieldElement(r, p));
             return fe1.multiply(fe2);
@@ -616,7 +621,7 @@ public ECFieldElement randomFieldElementMult(SecureRandom r)
              * NOTE: BigInteger comparisons in the rejection sampling are not constant-time, so we
              * use the product of two independent elements to mitigate side-channels.
              */
-            BigInteger p = this.getField().getCharacteristic();
+            BigInteger p = this.getQ();
             ECFieldElement fe1 = this.fromBigInteger(implRandomFieldElementMult(r, p));
             ECFieldElement fe2 = this.fromBigInteger(implRandomFieldElementMult(r, p));
             return fe1.multiply(fe2);
@@ -699,12 +704,11 @@ public Fp(BigInteger q, BigInteger a, BigInteger b, BigInteger order, BigInteger
 
             if (isInternal)
             {
-                this.q = q;
                 knownQs.add(q);
             }
             else if (knownQs.contains(q) || validatedQs.contains(q))
             {
-                this.q = q;
+                // No need to validate
             }
             else
             {
@@ -724,10 +728,9 @@ else if (knownQs.contains(q) || validatedQs.contains(q))
                 }
 
                 validatedQs.add(q);
-
-                this.q = q;
             }
 
+            this.q = q;
             this.r = ECFieldElement.Fp.calculateResidue(q);
             this.infinity = new ECPoint.Fp(this, null, null);
 

core/src/main/java/org/bouncycastle/asn1/x509/X509ObjectIdentifiers.java

@@ -95,6 +95,11 @@ public interface X509ObjectIdentifiers
      */
     static final ASN1ObjectIdentifier id_ecdsa_with_shake256 = pkix_algorithms.branch("33");
 
+    /**
+     * id-alg-noSignature OBJECT IDENTIFIER ::= {id-pkix id-alg(6) 2}
+     */
+    ASN1ObjectIdentifier id_alg_noSignature = pkix_algorithms.branch("2");
+
     /** 1.3.6.1.5.5.7.9 */
     static final ASN1ObjectIdentifier id_pda = id_pkix.branch("9");
 

core/src/main/java/org/bouncycastle/asn1/x9/X9ECParameters.java

@@ -12,6 +12,7 @@
 import org.bouncycastle.math.ec.ECAlgorithms;
 import org.bouncycastle.math.ec.ECCurve;
 import org.bouncycastle.math.ec.ECPoint;
+import org.bouncycastle.math.field.FiniteField;
 import org.bouncycastle.math.field.PolynomialExtensionField;
 import org.bouncycastle.util.Arrays;
 
@@ -112,14 +113,15 @@ public X9ECParameters(
         this.h = h;
         this.seed = Arrays.clone(seed);
 
-        if (ECAlgorithms.isFpCurve(curve))
+        FiniteField field = curve.getField();
+        if (ECAlgorithms.isFpField(field))
         {
-            this.fieldID = new X9FieldID(curve.getField().getCharacteristic());
+            this.fieldID = new X9FieldID(field.getCharacteristic());
         }
-        else if (ECAlgorithms.isF2mCurve(curve))
+        else if (ECAlgorithms.isF2mField(field))
         {
-            PolynomialExtensionField field = (PolynomialExtensionField)curve.getField();
-            int[] exponents = field.getMinimalPolynomial().getExponentsPresent();
+            PolynomialExtensionField f2mField = (PolynomialExtensionField)field;
+            int[] exponents = f2mField.getMinimalPolynomial().getExponentsPresent();
             if (exponents.length == 3)
             {
                 this.fieldID = new X9FieldID(exponents[2], exponents[1]);

core/src/main/java/org/bouncycastle/crypto/agreement/ecjpake/ECJPAKECurve.java

@@ -159,7 +159,7 @@ public BigInteger getH()
 
     public BigInteger getQ()
     {
-        return curve.getField().getCharacteristic();
+        return curve.getQ();
     }
 
     private static BigInteger calculateDeterminant(BigInteger q, BigInteger a, BigInteger b)

core/src/main/java/org/bouncycastle/crypto/digests/ParallelHash.java

@@ -38,8 +38,8 @@ public class ParallelHash
      * Base constructor.
      *
      * @param bitLength security strength (bits) of the underlying SHAKE function, 128 or 256.
-     * @param S the customization string - available for local use.
-     * @param B the blocksize (in bytes) for hashing.
+     * @param S         the customization string - available for local use.
+     * @param B         the blocksize (in bytes) for hashing.
      */
     public ParallelHash(int bitLength, byte[] S, int B)
     {
@@ -50,12 +50,18 @@ public ParallelHash(int bitLength, byte[] S, int B, int outputSize)
     {
         this(bitLength, S, B, outputSize, CryptoServicePurpose.ANY);
     }
+
     public ParallelHash(int bitLength, byte[] S, int B, int outputSize, CryptoServicePurpose purpose)
     {
+        if (B <= 0)
+        {
+            throw new IllegalArgumentException("block size should be greater than 0");
+        }
         this.cshake = new CSHAKEDigest(bitLength, N_PARALLEL_HASH, S);
         this.compressor = new CSHAKEDigest(bitLength, new byte[0], new byte[0]);
         this.bitLength = bitLength;
         this.B = B;
+
         this.outputLength = (outputSize + 7) / 8;
         this.buffer = new byte[B];
         this.compressorBuffer = new byte[bitLength * 2 / 8];
@@ -112,7 +118,7 @@ public void update(byte in)
     public void update(byte[] in, int inOff, int len)
         throws DataLengthException, IllegalStateException
     {
-        len = Math.max(0,  len);
+        len = Math.max(0, len);
 
         //
         // fill the current word
@@ -198,7 +204,7 @@ public int doFinal(byte[] out, int outOff, int outLen)
         {
             wrapUp(outputLength);
         }
-        
+
         int rv = cshake.doFinal(out, outOff, outLen);
 
         reset();