Merge branch 'main' into 1958-aead-parameters

Author: gefeili

core/src/main/java/org/bouncycastle/pqc/crypto/mayo/MayoParameters.java

@@ -18,15 +18,12 @@ public class MayoParameters
         40,                 // r_bytes
         120159,             // P1_bytes
         24336,              // P2_bytes
-        // P3_bytes
         24,                 // csk_bytes
         1420,               // cpk_bytes
         454,                // sig_bytes
         new int[]{8, 1, 1, 0},        // F_TAIL_78
-        new byte[]{8, 1, 1, 0},        // f_tail_arr
         24,                 // salt_bytes
         32,                 // digest_bytes
-        // pk_seed_bytes
         24                  // sk_seed_bytes
     );
 
@@ -39,22 +36,18 @@ public class MayoParameters
         81 - 17,            // v = 64
         4 * 17 + 1,         // A_cols = 4 * 17 + 1 = 69
         4,                  // k
-        // q
         32,                 // m_bytes
         544,                // O_bytes
         32,                 // v_bytes
         34,                 // r_bytes
         66560,              // P1_bytes
         34816,              // P2_bytes
-        // P3_bytes
         24,                 // csk_bytes
         4912,               // cpk_bytes
         186,                // sig_bytes
         new int[]{8, 0, 2, 8}, //F_TAIL_64
-        new byte[]{8, 0, 2, 8},        // f_tail_arr
         24,                 // salt_bytes
         32,                 // digest_bytes
-        // pk_seed_bytes
         24                  // sk_seed_bytes
     );
 
@@ -67,22 +60,18 @@ public class MayoParameters
         118 - 10,           // v = 108
         11 * 10 + 1,        // A_cols = 11 * 10 + 1 = 111
         11,                 // k
-        // q
         54,                 // m_bytes
         540,                // O_bytes
         54,                 // v_bytes
         55,                 // r_bytes
         317844,             // P1_bytes
         58320,              // P2_bytes
-        // P3_bytes
         32,                 // csk_bytes
         2986,               // cpk_bytes
         681,                // sig_bytes
         new int[]{8, 0, 1, 7}, //F_TAIL_108
-        new byte[]{8, 0, 1, 7},       // f_tail_arr
         32,                 // salt_bytes
         48,                 // digest_bytes
-        // pk_seed_bytes
         32                  // sk_seed_bytes
     );
 
@@ -95,22 +84,18 @@ public class MayoParameters
         154 - 12,           // v = 142
         12 * 12 + 1,        // A_cols = 12 * 12 + 1 = 145
         12,                 // k
-        // q
         71,                 // m_bytes
         852,                // O_bytes
         71,                 // v_bytes
         72,                 // r_bytes
         720863,             // P1_bytes
         120984,             // P2_bytes
-        // P3_bytes
         40,                 // csk_bytes
         5554,               // cpk_bytes
         964,                // sig_bytes
         new int[]{4, 0, 8, 1}, //F_TAIL_142
-        new byte[]{4, 0, 8, 1},       // f_tail_arr
         40,                 // salt_bytes
         64,                 // digest_bytes
-        // pk_seed_bytes
         40                  // sk_seed_bytes
     );
 
@@ -133,15 +118,14 @@ public class MayoParameters
     private final int cpkBytes;
     private final int sigBytes;
     private final int[] fTail;
-    private final byte[] fTailArr;
     private final int saltBytes;
     private final int digestBytes;
     private static final int pkSeedBytes = 16;
     private final int skSeedBytes;
 
     private MayoParameters(String name, int n, int m, int mVecLimbs, int o, int v, int ACols, int k,
                            int mBytes, int OBytes, int vBytes, int rBytes, int P1Bytes, int P2Bytes,
-                           int cskBytes, int cpkBytes, int sigBytes, int[] fTail, byte[] fTailArr,
+                           int cskBytes, int cpkBytes, int sigBytes, int[] fTail,
                            int saltBytes, int digestBytes, int skSeedBytes)
     {
         this.name = name;
@@ -162,7 +146,6 @@ private MayoParameters(String name, int n, int m, int mVecLimbs, int o, int v, i
         this.cpkBytes = cpkBytes;
         this.sigBytes = sigBytes;
         this.fTail = fTail;
-        this.fTailArr = fTailArr;
         this.saltBytes = saltBytes;
         this.digestBytes = digestBytes;
         this.skSeedBytes = skSeedBytes;
@@ -258,11 +241,6 @@ public int[] getFTail()
         return fTail;
     }
 
-    public byte[] getFTailArr()
-    {
-        return fTailArr;
-    }
-
     public int getSaltBytes()
     {
         return saltBytes;
@@ -288,7 +266,7 @@ public int getSkSeedBytes()
      */
     public int getP1Limbs()
     {
-        return ((v * (v + 1)) / 2) * mVecLimbs;
+        return ((v * (v + 1)) >> 1) * mVecLimbs;
     }
 
     /**
@@ -304,7 +282,7 @@ public int getP2Limbs()
      */
     public int getP3Limbs()
     {
-        return ((o * (o + 1)) / 2) * mVecLimbs;
+        return ((o * (o + 1)) >> 1) * mVecLimbs;
     }
 }
 

core/src/main/java/org/bouncycastle/pqc/crypto/mayo/MayoSigner.java

@@ -131,11 +131,11 @@ public byte[] generateSignature(byte[] message)
             // Generate S = seed_pk || (additional bytes), using SHAKE256.
             // Output length is param_pk_seed_bytes + param_O_bytes.
             shake.update(seed_sk, 0, seed_sk.length);
-            shake.doFinal(seed_pk, 0, pk_seed_bytes + oBytes);
+            shake.doFinal(seed_pk, 0, totalS);
 
             // Decode the portion of S after the first param_pk_seed_bytes into O.
             // (In C, this is: decode(S + param_pk_seed_bytes, O, param_v * param_o))
-            Utils.decode(seed_pk, pk_seed_bytes, O, 0, v * o);
+            Utils.decode(seed_pk, pk_seed_bytes, O, 0, O.length);
 
             // Expand P1 and P2 into the long array P using seed_pk.
             Utils.expandP1P2(params, P, seed_pk);
@@ -434,7 +434,7 @@ void computeA(long[] Mtmp, byte[] AOut)
         final int m = params.getM();
         final int mVecLimbs = params.getMVecLimbs();
         final int ACols = params.getACols();
-        final byte[] fTailArr = params.getFTailArr();
+        final int[] fTailArr = params.getFTail();
 
         int bitsToShift = 0;
         int wordsToShift = 0;
@@ -514,7 +514,7 @@ void computeA(long[] Mtmp, byte[] AOut)
         byte[] tab = new byte[F_TAIL_LEN << 2];
         for (int i = 0, idx = 0; i < F_TAIL_LEN; i++)
         {
-            byte ft = fTailArr[i];
+            int ft = fTailArr[i];
             tab[idx++] = (byte)GF16Utils.mulF(ft, 1);
             tab[idx++] = (byte)GF16Utils.mulF(ft, 2);
             tab[idx++] = (byte)GF16Utils.mulF(ft, 4);
@@ -798,13 +798,8 @@ void ef(byte[] A, int nrows, int ncols)
         for (int i = 0, irowLen = 0; i < nrows; i++, irowLen += rowLen)
         {
             Pack.longToLittleEndian(packedA, irowLen, len_4, bytes, 0);
-            int j = 0;
-            for (; j < ncols >> 1; j++)
-            {
-                A[outIndex++] = (byte)(bytes[j] & 0x0F);       // Lower nibble
-                A[outIndex++] = (byte)((bytes[j] >> 4) & 0x0F); // Upper nibble
-            }
-            A[outIndex++] = (byte)(bytes[j] & 0x0F);
+            Utils.decode(bytes, 0, A, outIndex, ncols);
+            outIndex += ncols;
         }
     }
 

pkix/src/main/java/org/bouncycastle/cms/CMSSignedDataStreamGenerator.java

@@ -372,13 +372,13 @@ else if (tagged.getTagNo() == 3)
         return new ASN1Integer(1);
     }
 
-    private boolean checkForVersion3(List signerInfos, List signerInfoGens)
+    private static boolean checkForVersion3(List signerInfos, List signerInfoGens)
     {
         for (Iterator it = signerInfos.iterator(); it.hasNext();)
         {
-            SignerInfo s = SignerInfo.getInstance(((SignerInformation)it.next()).toASN1Structure());
+            SignerInfo s = ((SignerInformation)it.next()).toASN1Structure();
 
-            if (s.getVersion().intValueExact() == 3)
+            if (s.getVersion().hasValue(3))
             {
                 return true;
             }

pkix/src/main/java/org/bouncycastle/cms/KEMRecipientInformation.java

@@ -27,13 +27,13 @@ public class KEMRecipientInformation
         {
             ASN1OctetString octs = ASN1OctetString.getInstance(r.getId());
 
-            rid = new KEMRecipientId(octs.getOctets());   // TODO: should be KEM
+            rid = new KEMRecipientId(octs.getOctets());
         }
         else
         {
             IssuerAndSerialNumber iAnds = IssuerAndSerialNumber.getInstance(r.getId());
 
-            rid = new KEMRecipientId(iAnds.getName(), iAnds.getSerialNumber().getValue());    // TODO:
+            rid = new KEMRecipientId(iAnds.getName(), iAnds.getSerialNumber().getValue());
         }
     }
 

pkix/src/test/java/org/bouncycastle/cms/test/CMSTestUtil.java

@@ -61,7 +61,12 @@ public class CMSTestUtil
     public static KeyPairGenerator ecDsaKpg;
     public static KeyPairGenerator ed25519Kpg;
     public static KeyPairGenerator ed448Kpg;
-    public static KeyPairGenerator mlKemKpg;
+    public static KeyPairGenerator mlDsa44Kpg;
+    public static KeyPairGenerator mlDsa65Kpg;
+    public static KeyPairGenerator mlDsa87Kpg;
+    public static KeyPairGenerator mlKem512Kpg;
+    public static KeyPairGenerator mlKem768Kpg;
+    public static KeyPairGenerator mlKem1024Kpg;
     public static KeyPairGenerator ntruKpg;
     public static KeyGenerator     aes192kg;
     public static KeyGenerator     desede128kg;
@@ -168,7 +173,14 @@ public class CMSTestUtil
             ed448Kpg = KeyPairGenerator.getInstance("Ed448", "BC");
 
             ntruKpg = KeyPairGenerator.getInstance(BCObjectIdentifiers.ntruhps2048509.getId(), "BC");
-            mlKemKpg = KeyPairGenerator.getInstance("ML-KEM-768", "BC");
+
+            mlDsa44Kpg = KeyPairGenerator.getInstance("ML-DSA-44", "BC");
+            mlDsa65Kpg = KeyPairGenerator.getInstance("ML-DSA-65", "BC");
+            mlDsa87Kpg = KeyPairGenerator.getInstance("ML-DSA-87", "BC");
+
+            mlKem512Kpg = KeyPairGenerator.getInstance("ML-KEM-512", "BC");
+            mlKem768Kpg = KeyPairGenerator.getInstance("ML-KEM-768", "BC");
+            mlKem1024Kpg = KeyPairGenerator.getInstance("ML-KEM-1024", "BC");
 
             aes192kg = KeyGenerator.getInstance("AES", "BC");
             aes192kg.init(192, rand);
@@ -281,9 +293,34 @@ public static KeyPair makeNtruKeyPair()
         return ntruKpg.generateKeyPair();
     }
 
-    public static KeyPair makeMLKemKeyPair()
+    public static KeyPair makeMLKem512KeyPair()
+    {
+        return mlKem512Kpg.generateKeyPair();
+    }
+
+    public static KeyPair makeMLKem768KeyPair()
+    {
+        return mlKem768Kpg.generateKeyPair();
+    }
+
+    public static KeyPair makeMLKem1024KeyPair()
+    {
+        return mlKem1024Kpg.generateKeyPair();
+    }
+
+    public static KeyPair makeMLDsa44KeyPair()
     {
-        return mlKemKpg.generateKeyPair();
+        return mlDsa44Kpg.generateKeyPair();
+    }
+
+    public static KeyPair makeMLDsa65KeyPair()
+    {
+        return mlDsa65Kpg.generateKeyPair();
+    }
+
+    public static KeyPair makeMLDsa87KeyPair()
+    {
+        return mlDsa87Kpg.generateKeyPair();
     }
 
     public static SecretKey makeDesede128Key()
@@ -504,6 +541,10 @@ public static X509Certificate makeOaepCertificate(KeyPair subKP, String _subDN,
 
     private static JcaContentSignerBuilder makeContentSignerBuilder(PublicKey issPub)
     {
+        /*
+         * NOTE: Current ALL test certificates are issued under a SHA1withRSA root, so this list is mostly
+         * redundant (and also incomplete in that it doesn't handle EdDSA or ML-DSA issuers).
+         */
         JcaContentSignerBuilder contentSignerBuilder;
         if (issPub instanceof RSAPublicKey)
         {
@@ -521,10 +562,14 @@ else if (issPub.getAlgorithm().equals("ECGOST3410"))
         {
             contentSignerBuilder = new JcaContentSignerBuilder("GOST3411withECGOST3410");
         }
-        else
+        else if (issPub.getAlgorithm().equals("GOST3410"))
         {
             contentSignerBuilder = new JcaContentSignerBuilder("GOST3411WithGOST3410");
         }
+        else
+        {
+            throw new UnsupportedOperationException("Algorithm handlers incomplete");
+        }
 
         contentSignerBuilder.setProvider(BouncyCastleProvider.PROVIDER_NAME);