Merge branch 'main' into 1958-aead-parameters

Author: gefeili

core/src/main/java/org/bouncycastle/crypto/agreement/ecjpake/ECJPAKECurve.java

@@ -18,7 +18,7 @@
  */
 public class ECJPAKECurve
 {
-    private final ECCurve.Fp curve;
+    private final ECCurve.AbstractFp curve;
     private final ECPoint g;
 
     /**
@@ -116,7 +116,7 @@ public ECJPAKECurve(BigInteger q, BigInteger a, BigInteger b, BigInteger n, BigI
      * groups in {@link ECJPAKECurves}.
      * These pre-approved curves can avoid the expensive checks.
      */
-    ECJPAKECurve(ECCurve.Fp curve, ECPoint g)
+    ECJPAKECurve(ECCurve.AbstractFp curve, ECPoint g)
     {
         ECJPAKEUtil.validateNotNull(curve, "curve");
         ECJPAKEUtil.validateNotNull(g, "g");
@@ -127,7 +127,7 @@ public ECJPAKECurve(BigInteger q, BigInteger a, BigInteger b, BigInteger n, BigI
         this.g = g;
     }
 
-    public ECCurve.Fp getCurve()
+    public ECCurve.AbstractFp getCurve()
     {
         return curve;
     }
@@ -159,7 +159,7 @@ public BigInteger getH()
 
     public BigInteger getQ()
     {
-        return curve.getQ();
+        return curve.getField().getCharacteristic();
     }
 
     private static BigInteger calculateDeterminant(BigInteger q, BigInteger a, BigInteger b)

core/src/main/java/org/bouncycastle/crypto/agreement/ecjpake/ECJPAKECurves.java

@@ -1,7 +1,7 @@
 package org.bouncycastle.crypto.agreement.ecjpake;
 
-import org.bouncycastle.asn1.nist.NISTNamedCurves;
 import org.bouncycastle.asn1.x9.X9ECParameters;
+import org.bouncycastle.crypto.ec.CustomNamedCurves;
 import org.bouncycastle.math.ec.ECCurve;
 
 /**
@@ -37,13 +37,14 @@ public class ECJPAKECurves
 
     static
     {
-        NIST_P256 = fromX9ECParameters(NISTNamedCurves.getByName("P-256"));
-        NIST_P384 = fromX9ECParameters(NISTNamedCurves.getByName("P-384"));
-        NIST_P521 = fromX9ECParameters(NISTNamedCurves.getByName("P-521"));
+        NIST_P256 = getCurve("P-256");
+        NIST_P384 = getCurve("P-384");
+        NIST_P521 = getCurve("P-521");
     }
 
-    private static ECJPAKECurve fromX9ECParameters(X9ECParameters x9)
+    private static ECJPAKECurve getCurve(String curveName)
     {
-        return new ECJPAKECurve((ECCurve.Fp)x9.getCurve(), x9.getG());
+        X9ECParameters x9 = CustomNamedCurves.getByName(curveName);
+        return new ECJPAKECurve((ECCurve.AbstractFp)x9.getCurve(), x9.getG());
     }
 }

core/src/main/java/org/bouncycastle/crypto/agreement/ecjpake/ECJPAKEParticipant.java

@@ -107,9 +107,7 @@ public class ECJPAKEParticipant
      */
     private String partnerParticipantId;
 
-    private ECCurve.Fp ecCurve;
-    private BigInteger ecca;
-    private BigInteger eccb;
+    private ECCurve.AbstractFp ecCurve;
     private BigInteger q;
     private BigInteger h;
     private BigInteger n;
@@ -255,8 +253,6 @@ public ECJPAKEParticipant(
         this.password = Arrays.copyOf(password, password.length);
 
         this.ecCurve = curve.getCurve();
-        this.ecca = curve.getA();
-        this.eccb = curve.getB();
         this.g = curve.getG();
         this.h = curve.getH();
         this.n = curve.getN();

core/src/main/java/org/bouncycastle/crypto/prng/drbg/DualECSP800DRBG.java

@@ -2,8 +2,8 @@
 
 import java.math.BigInteger;
 
-import org.bouncycastle.asn1.nist.NISTNamedCurves;
 import org.bouncycastle.crypto.Digest;
+import org.bouncycastle.crypto.ec.CustomNamedCurves;
 import org.bouncycastle.crypto.prng.EntropySource;
 import org.bouncycastle.math.ec.ECCurve;
 import org.bouncycastle.math.ec.ECMultiplier;
@@ -36,23 +36,18 @@ public class DualECSP800DRBG
     private static final BigInteger p521_Qx = new BigInteger("1b9fa3e518d683c6b65763694ac8efbaec6fab44f2276171a42726507dd08add4c3b3f4c1ebc5b1222ddba077f722943b24c3edfa0f85fe24d0c8c01591f0be6f63", 16);
     private static final BigInteger p521_Qy = new BigInteger("1f3bdba585295d9a1110d1df1f9430ef8442c5018976ff3437ef91b81dc0b8132c8d5c39c32d0e004a3092b7d327c0e7a4d26d2c7b69b58f9066652911e457779de", 16);
 
-    private static final DualECPoints[] nistPoints;
-
-    static
+    private static final DualECPoints[] nistPoints = new DualECPoints[]
     {
-        nistPoints = new DualECPoints[3];
-
-        ECCurve.Fp curve = (ECCurve.Fp)NISTNamedCurves.getByNameLazy("P-256").getCurve();
-
-        nistPoints[0] = new DualECPoints(128, curve.createPoint(p256_Px, p256_Py), curve.createPoint(p256_Qx, p256_Qy), 1);
-
-        curve = (ECCurve.Fp)NISTNamedCurves.getByNameLazy("P-384").getCurve();
-
-        nistPoints[1] = new DualECPoints(192, curve.createPoint(p384_Px, p384_Py), curve.createPoint(p384_Qx, p384_Qy), 1);
+        createDualECPoints("P-256", 128, p256_Px, p256_Py, p256_Qx, p256_Qy, 1),
+        createDualECPoints("P-384", 192, p384_Px, p384_Py, p384_Qx, p384_Qy, 1),
+        createDualECPoints("P-521", 256, p521_Px, p521_Py, p521_Qx, p521_Qy, 1),
+    };
 
-        curve = (ECCurve.Fp)NISTNamedCurves.getByNameLazy("P-521").getCurve();
-
-        nistPoints[2] = new DualECPoints(256, curve.createPoint(p521_Px, p521_Py), curve.createPoint(p521_Qx, p521_Qy), 1);
+    private static DualECPoints createDualECPoints(String curveName, int securityStrength, BigInteger Px,
+        BigInteger Py, BigInteger Qx, BigInteger Qy, int cofactor)
+    {
+        ECCurve.AbstractFp c = (ECCurve.AbstractFp)CustomNamedCurves.getByNameLazy(curveName).getCurve();
+        return new DualECPoints(securityStrength, c.createPoint(Px, Py), c.createPoint(Qx, Qy), cofactor);
     }
 
 
@@ -67,7 +62,6 @@ public class DualECSP800DRBG
     private int                    _securityStrength;
     private int                    _seedlen;
     private int                    _outlen;
-    private ECCurve.Fp             _curve;
     private ECPoint                _P;
     private ECPoint                _Q;
     private byte[]                 _s;
@@ -210,11 +204,9 @@ public int generate(byte[] output, byte[] additionalInput, boolean predictionRes
         {
             s = getScalarMultipleXCoord(_P, s);
 
-            //System.err.println("S: " + new String(Hex.encode(_s)));
-
             byte[] r = getScalarMultipleXCoord(_Q, s).toByteArray();
 
-            if (r.length > _outlen)
+            if (r.length >= _outlen)
             {
                 System.arraycopy(r, r.length - _outlen, output, outOffset, _outlen);
             }
@@ -223,7 +215,6 @@ public int generate(byte[] output, byte[] additionalInput, boolean predictionRes
                 System.arraycopy(r, 0, output, outOffset + (_outlen - r.length), r.length);
             }
 
-            //System.err.println("R: " + new String(Hex.encode(r)));
             outOffset += _outlen;
 
             _reseedCounter++;
@@ -237,13 +228,17 @@ public int generate(byte[] output, byte[] additionalInput, boolean predictionRes
 
             int required = output.length - outOffset;
 
-            if (r.length > _outlen)
+            if (r.length >= _outlen)
             {
                 System.arraycopy(r, r.length - _outlen, output, outOffset, required);
             }
             else
             {
-                System.arraycopy(r, 0, output, outOffset + (_outlen - r.length), required);
+                int outPos = _outlen - r.length;
+                if (outPos < required)
+                {
+                    System.arraycopy(r, 0, output, outOffset + outPos, required - outPos);
+                }
             }
 
             _reseedCounter++;

core/src/main/java/org/bouncycastle/pqc/crypto/util/PrivateKeyInfoFactory.java

@@ -53,6 +53,7 @@
 import org.bouncycastle.pqc.legacy.crypto.mceliece.McElieceCCA2PrivateKeyParameters;
 import org.bouncycastle.pqc.legacy.crypto.qtesla.QTESLAPrivateKeyParameters;
 import org.bouncycastle.util.Pack;
+import org.bouncycastle.util.Properties;
 
 /**
  * Factory to create ASN.1 private key info objects from lightweight private keys.
@@ -247,18 +248,17 @@ else if (privateKey instanceof MLKEMPrivateKeyParameters)
             MLKEMPrivateKeyParameters params = (MLKEMPrivateKeyParameters)privateKey;
 
             AlgorithmIdentifier algorithmIdentifier = new AlgorithmIdentifier(Utils.mlkemOidLookup(params.getParameters()));
-                                                  
-            return new PrivateKeyInfo(algorithmIdentifier, getBasicPQCEncoding(params.getSeed(), params.getEncoded()), attributes);
-//            byte[] seed = params.getSeed();
-//
-//            if (seed == null)
-//            {
-//                return new PrivateKeyInfo(algorithmIdentifier, params.getEncoded(), attributes);
-//            }
-//            else
-//            {
-//                return new PrivateKeyInfo(algorithmIdentifier, seed, attributes);
-//            }
+
+            byte[] seed = params.getSeed();
+            if (Properties.isOverrideSet("org.bouncycastle.mlkem.seedOnly"))
+            {
+                if (seed == null)    // very difficult to imagine, but...
+                {
+                    throw new IOException("no seed available");
+                }
+                return new PrivateKeyInfo(algorithmIdentifier, seed, attributes);
+            }
+            return new PrivateKeyInfo(algorithmIdentifier, getBasicPQCEncoding(seed, params.getEncoded()), attributes);
         }
         else if (privateKey instanceof NTRULPRimePrivateKeyParameters)
         {
@@ -297,20 +297,16 @@ else if (privateKey instanceof MLDSAPrivateKeyParameters)
 
             AlgorithmIdentifier algorithmIdentifier = new AlgorithmIdentifier(Utils.mldsaOidLookup(params.getParameters()));
 
+            byte[] seed = params.getSeed();
+            if (Properties.isOverrideSet("org.bouncycastle.mldsa.seedOnly"))
+            {
+                if (seed == null)    // very difficult to imagine, but...
+                {
+                    throw new IOException("no seed available");
+                }
+                return new PrivateKeyInfo(algorithmIdentifier, seed, attributes);
+            }
             return new PrivateKeyInfo(algorithmIdentifier, getBasicPQCEncoding(params.getSeed(), params.getEncoded()), attributes);
-//            byte[] seed = params.getSeed();
-//            if (seed == null)
-//            {
-//                MLDSAPublicKeyParameters pubParams = params.getPublicKeyParameters();
-//
-//                return new PrivateKeyInfo(algorithmIdentifier, params.getEncoded(), attributes, pubParams.getEncoded());
-//            }
-//            else
-//            {
-//                MLDSAPublicKeyParameters pubParams = params.getPublicKeyParameters();
-//
-//                return new PrivateKeyInfo(algorithmIdentifier, seed, attributes, pubParams.getEncoded());
-//            }
         }
         else if (privateKey instanceof DilithiumPrivateKeyParameters)
         {

core/src/test/java/org/bouncycastle/crypto/agreement/test/ECJPAKEUtilTest.java

@@ -18,7 +18,6 @@
 public class ECJPAKEUtilTest
     extends TestCase
 {
-    private static final BigInteger TEN = BigInteger.valueOf(10);
     private static final BigInteger ONE = BigInteger.valueOf(1);
 
     public void testValidateParticipantIdsDiffer()
@@ -217,7 +216,7 @@ public void testValidateZeroKnowledgeProof()
         }
 
         // (x,y) elements for Gx are not in Fq ie: not in [0,q-1]
-        ECCurve.Fp curve = (ECCurve.Fp)curve1.getCurve();
+        ECCurve.AbstractFp curve = curve1.getCurve();
         try
         {
             ECPoint invalidGx_1 = curve.createPoint(ONE.negate(), ONE);

pg/src/main/java/org/bouncycastle/bcpg/ArmoredInputStream.java

@@ -268,7 +268,16 @@ private boolean parseHeaders()
                 }
                 if (c == '\r' || (last != '\r' && c == '\n'))
                 {
-                    String line = Strings.fromUTF8ByteArray(buf.toByteArray());
+                    String line;
+
+                    try
+                    {
+                        line = Strings.fromUTF8ByteArray(buf.toByteArray());
+                    }
+                    catch (Exception e)
+                    {
+                        throw new ArmoredInputException(e.getMessage());
+                    }
                     if (line.trim().length() == 0)
                     {
                         break;