Merge remote-tracking branch 'origin/main'

Author: royb

core/src/main/java/org/bouncycastle/crypto/params/ECNamedDomainParameters.java

@@ -3,14 +3,26 @@
 import java.math.BigInteger;
 
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.x9.ECNamedCurveTable;
 import org.bouncycastle.asn1.x9.X9ECParameters;
+import org.bouncycastle.crypto.ec.CustomNamedCurves;
 import org.bouncycastle.math.ec.ECConstants;
 import org.bouncycastle.math.ec.ECCurve;
 import org.bouncycastle.math.ec.ECPoint;
 
 public class ECNamedDomainParameters
     extends ECDomainParameters
 {
+    public static ECNamedDomainParameters lookup(ASN1ObjectIdentifier name)
+    {
+        X9ECParameters x9 = CustomNamedCurves.getByOID(name);
+        if (x9 == null)
+        {
+            x9 = ECNamedCurveTable.getByOID(name);
+        }
+        return new ECNamedDomainParameters(name, x9);
+    }
+
     private ASN1ObjectIdentifier name;
 
     public ECNamedDomainParameters(ASN1ObjectIdentifier name, ECCurve curve, ECPoint G, BigInteger n)

core/src/main/java/org/bouncycastle/crypto/util/OpenSSHPrivateKeyUtil.java

@@ -13,12 +13,13 @@
 import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
 import org.bouncycastle.asn1.pkcs.RSAPrivateKey;
 import org.bouncycastle.asn1.sec.ECPrivateKey;
-import org.bouncycastle.asn1.x9.ECNamedCurveTable;
+import org.bouncycastle.asn1.x9.X962Parameters;
 import org.bouncycastle.asn1.x9.X9ECParameters;
 import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
 import org.bouncycastle.crypto.params.DSAParameters;
 import org.bouncycastle.crypto.params.DSAPrivateKeyParameters;
+import org.bouncycastle.crypto.params.ECDomainParameters;
 import org.bouncycastle.crypto.params.ECNamedDomainParameters;
 import org.bouncycastle.crypto.params.ECPrivateKeyParameters;
 import org.bouncycastle.crypto.params.Ed25519PrivateKeyParameters;
@@ -199,13 +200,24 @@ else if (sequence.size() == 4)
                     && sequence.getObjectAt(2) instanceof ASN1TaggedObject)
                 {
                     ECPrivateKey ecPrivateKey = ECPrivateKey.getInstance(sequence);
-                    ASN1ObjectIdentifier curveOID = ASN1ObjectIdentifier.getInstance(ecPrivateKey.getParametersObject());
-                    X9ECParameters x9Params = ECNamedCurveTable.getByOID(curveOID);
-                    result = new ECPrivateKeyParameters(
-                        ecPrivateKey.getKey(),
-                        new ECNamedDomainParameters(
-                            curveOID,
-                            x9Params));
+
+                    X962Parameters parameters = X962Parameters.getInstance(
+                        ecPrivateKey.getParametersObject().toASN1Primitive());
+                    ECDomainParameters domainParams;
+                    if (parameters.isNamedCurve())
+                    {
+                        ASN1ObjectIdentifier oid = ASN1ObjectIdentifier.getInstance(parameters.getParameters());
+                        domainParams = ECNamedDomainParameters.lookup(oid);
+                    }
+                    else
+                    {
+                        X9ECParameters x9 = X9ECParameters.getInstance(parameters.getParameters());
+                        domainParams = new ECDomainParameters(x9);
+                    }
+
+                    BigInteger d = ecPrivateKey.getKey();
+
+                    result = new ECPrivateKeyParameters(d, domainParams);
                 }
             }
         }

core/src/main/java/org/bouncycastle/crypto/util/PrivateKeyFactory.java

@@ -26,7 +26,6 @@
 import org.bouncycastle.asn1.x9.X962Parameters;
 import org.bouncycastle.asn1.x9.X9ECParameters;
 import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
-import org.bouncycastle.crypto.ec.CustomNamedCurves;
 import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
 import org.bouncycastle.crypto.params.DHParameters;
 import org.bouncycastle.crypto.params.DHPrivateKeyParameters;
@@ -155,33 +154,24 @@ else if (algOID.equals(X9ObjectIdentifiers.id_dsa))
         }
         else if (algOID.equals(X9ObjectIdentifiers.id_ecPublicKey))
         {
-            X962Parameters params = X962Parameters.getInstance(algId.getParameters());
+            ECPrivateKey ecPrivateKey = ECPrivateKey.getInstance(keyInfo.parsePrivateKey());
 
-            X9ECParameters x9;
-            ECDomainParameters dParams;
-
-            if (params.isNamedCurve())
+            X962Parameters parameters = X962Parameters.getInstance(algId.getParameters().toASN1Primitive());
+            ECDomainParameters domainParams;
+            if (parameters.isNamedCurve())
             {
-                ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier)params.getParameters();
-
-                x9 = CustomNamedCurves.getByOID(oid);
-                if (x9 == null)
-                {
-                    x9 = ECNamedCurveTable.getByOID(oid);
-                }
-                dParams = new ECNamedDomainParameters(oid, x9);
+                ASN1ObjectIdentifier oid = ASN1ObjectIdentifier.getInstance(parameters.getParameters());
+                domainParams = ECNamedDomainParameters.lookup(oid);
             }
             else
             {
-                x9 = X9ECParameters.getInstance(params.getParameters());
-                dParams = new ECDomainParameters(
-                    x9.getCurve(), x9.getG(), x9.getN(), x9.getH(), x9.getSeed());
+                X9ECParameters x9 = X9ECParameters.getInstance(parameters.getParameters());
+                domainParams = new ECDomainParameters(x9);
             }
 
-            ECPrivateKey ec = ECPrivateKey.getInstance(keyInfo.parsePrivateKey());
-            BigInteger d = ec.getKey();
+            BigInteger d = ecPrivateKey.getKey();
 
-            return new ECPrivateKeyParameters(d, dParams);
+            return new ECPrivateKeyParameters(d, domainParams);
         }
         else if (algOID.equals(EdECObjectIdentifiers.id_X25519))
         {

core/src/main/java/org/bouncycastle/crypto/util/PublicKeyFactory.java

@@ -32,14 +32,12 @@
 import org.bouncycastle.asn1.x509.X509ObjectIdentifiers;
 import org.bouncycastle.asn1.x9.DHPublicKey;
 import org.bouncycastle.asn1.x9.DomainParameters;
-import org.bouncycastle.asn1.x9.ECNamedCurveTable;
 import org.bouncycastle.asn1.x9.ValidationParams;
 import org.bouncycastle.asn1.x9.X962Parameters;
 import org.bouncycastle.asn1.x9.X9ECParameters;
 import org.bouncycastle.asn1.x9.X9ECPoint;
 import org.bouncycastle.asn1.x9.X9IntegerConverter;
 import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
-import org.bouncycastle.crypto.ec.CustomNamedCurves;
 import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
 import org.bouncycastle.crypto.params.DHParameters;
 import org.bouncycastle.crypto.params.DHPublicKeyParameters;
@@ -291,13 +289,7 @@ AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Obje
             if (params.isNamedCurve())
             {
                 ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier)params.getParameters();
-
-                X9ECParameters x9 = CustomNamedCurves.getByOID(oid);
-                if (x9 == null)
-                {
-                    x9 = ECNamedCurveTable.getByOID(oid);
-                }
-                dParams = new ECNamedDomainParameters(oid, x9);
+                dParams = ECNamedDomainParameters.lookup(oid);
             }
             else if (params.isImplicitlyCA())
             {

core/src/main/java/org/bouncycastle/pqc/asn1/KyberPrivateKey.java

@@ -13,15 +13,15 @@
 /**
  *
  *    Crystal Kyber Private Key Format.
- *    See https://www.ietf.org/archive/id/draft-uni-qsckeys-kyber-00.html for details.
+ *    See https://www.ietf.org/archive/id/draft-uni-qsckeys-kyber-01.html for details.
  *    <pre>
  *        KyberPrivateKey ::= SEQUENCE {
- *        version     INTEGER {v0(0)}   -- version (round 3)
- *        s           OCTET STRING,     -- EMPTY
- *        hpk         OCTET STRING      -- EMPTY
- *        nonce       OCTET STRING,     -- d
- *        publicKey   [0] IMPLICIT KyberPublicKey OPTIONAL,
- *                                      -- see next section
+ *            version     INTEGER {v0(0)}   -- version (round 3)
+ *            s           OCTET STRING,     -- sample s
+ *            publicKey   [0] IMPLICIT KyberPublicKey OPTIONAL,
+ *                                          -- see next section
+ *            hpk         OCTET STRING      -- H(pk)
+ *            nonce       OCTET STRING,     -- z
  *        }
  *    </pre>
  */

core/src/main/java/org/bouncycastle/pqc/asn1/KyberPublicKey.java

@@ -12,7 +12,7 @@
 /**
  *
  *    Crystal Kyber Public Key Format.
- *    See https://www.ietf.org/archive/id/draft-uni-qsckeys-kyber-00.html for details.
+ *    See https://www.ietf.org/archive/id/draft-uni-qsckeys-kyber-01.html for details.
  *    <pre>
  *        KyberPublicKey ::= SEQUENCE {
  *         t           OCTET STRING,

docs/releasenotes.html

@@ -23,6 +23,7 @@ <h2>2.0 Release History</h2>
 Date:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2024, TBD.
 <h3>2.1.2 Defects Fixed</h3>
 <ul>
+<li>Leading zeroes were sometimes dropped from Ed25519 signatures leading to verification errors in the PGP API. This has been fixed.</li>
 </ul>
 <h3>2.1.3 Additional Features and Functionality</h3>
 <ul>

pg/src/main/java/org/bouncycastle/openpgp/PGPSignature.java

@@ -455,19 +455,18 @@ else if (getKeyAlgorithm() == PublicKeyAlgorithmTags.EDDSA_LEGACY)
             {
                 byte[] a = BigIntegers.asUnsignedByteArray(sigValues[0].getValue());
                 byte[] b = BigIntegers.asUnsignedByteArray(sigValues[1].getValue());
-                if (a.length + b.length == Ed25519.SIGNATURE_SIZE)
-                {
-                    signature = new byte[Ed25519.SIGNATURE_SIZE];
-                    System.arraycopy(a, 0, signature, Ed25519.PUBLIC_KEY_SIZE - a.length, a.length);
-                    System.arraycopy(b, 0, signature, Ed25519.SIGNATURE_SIZE - b.length, b.length);
-                }
-                else
+                if (a.length + b.length > Ed25519.SIGNATURE_SIZE)
                 {
                     signature = new byte[Ed448.SIGNATURE_SIZE];
                     System.arraycopy(a, 0, signature, Ed448.PUBLIC_KEY_SIZE - a.length, a.length);
                     System.arraycopy(b, 0, signature, Ed448.SIGNATURE_SIZE - b.length, b.length);
                 }
-
+                else
+                {
+                    signature = new byte[Ed25519.SIGNATURE_SIZE];
+                    System.arraycopy(a, 0, signature, Ed25519.PUBLIC_KEY_SIZE - a.length, a.length);
+                    System.arraycopy(b, 0, signature, Ed25519.SIGNATURE_SIZE - b.length, b.length);
+                }
             }
             else
             {

pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyAgreeRecipientInfoGenerator.java

@@ -57,6 +57,8 @@ public class JceKeyAgreeRecipientInfoGenerator
     private PrivateKey senderPrivateKey;
 
     private EnvelopedDataHelper helper = new EnvelopedDataHelper(new DefaultJcaJceExtHelper());
+    private EnvelopedDataHelper wrappingHelper = null;
+
     private SecureRandom random;
     private KeyPair ephemeralKP;
     private byte[] userKeyingMaterial;
@@ -90,6 +92,20 @@ public JceKeyAgreeRecipientInfoGenerator setProvider(String providerName)
         return this;
     }
 
+    public JceKeyAgreeRecipientInfoGenerator setKeyWrappingProvider(Provider provider)
+    {
+        this.wrappingHelper = new EnvelopedDataHelper(new ProviderJcaJceExtHelper(provider));
+
+        return this;
+    }
+
+    public JceKeyAgreeRecipientInfoGenerator setKeyWrappingProvider(String providerName)
+    {
+        this.wrappingHelper = new EnvelopedDataHelper(new NamedJcaJceExtHelper(providerName));
+
+        return this;
+    }
+
     public JceKeyAgreeRecipientInfoGenerator setSecureRandom(SecureRandom random)
     {
         this.random = random;
@@ -203,16 +219,18 @@ else if (CMSUtils.isGOST(keyAgreementOID))
 
                 SecretKey keyEncryptionKey = keyAgreement.generateSecret(keyEncAlg.getId());
 
+                EnvelopedDataHelper keyWrapHelper = (wrappingHelper != null) ? wrappingHelper : helper;
+
                 // Wrap the content encryption key with the agreement key
-                Cipher keyEncryptionCipher = helper.createCipher(keyEncAlg);
+                Cipher keyEncryptionCipher = keyWrapHelper.createCipher(keyEncAlg);
                 ASN1OctetString encryptedKey;
 
                 if (keyEncAlg.equals(CryptoProObjectIdentifiers.id_Gost28147_89_None_KeyWrap)
                     || keyEncAlg.equals(CryptoProObjectIdentifiers.id_Gost28147_89_CryptoPro_KeyWrap))
                 {
                     keyEncryptionCipher.init(Cipher.WRAP_MODE, keyEncryptionKey, new GOST28147WrapParameterSpec(CryptoProObjectIdentifiers.id_Gost28147_89_CryptoPro_A_ParamSet, userKeyingMaterial));
 
-                    byte[] encKeyBytes = keyEncryptionCipher.wrap(helper.getJceKey(contentEncryptionKey));
+                    byte[] encKeyBytes = keyEncryptionCipher.wrap(keyWrapHelper.getJceKey(contentEncryptionKey));
 
                     Gost2814789EncryptedKey encKey = new Gost2814789EncryptedKey(
                         Arrays.copyOfRange(encKeyBytes, 0, encKeyBytes.length - 4),
@@ -224,7 +242,7 @@ else if (CMSUtils.isGOST(keyAgreementOID))
                 {
                     keyEncryptionCipher.init(Cipher.WRAP_MODE, keyEncryptionKey, random);
 
-                    byte[] encryptedKeyBytes = keyEncryptionCipher.wrap(helper.getJceKey(contentEncryptionKey));
+                    byte[] encryptedKeyBytes = keyEncryptionCipher.wrap(keyWrapHelper.getJceKey(contentEncryptionKey));
 
                     encryptedKey = new DEROctetString(encryptedKeyBytes);
                 }