Add support for different curves

Author: gefeili

core/src/main/java/org/bouncycastle/crypto/generators/ECCSIKeyPairGenerator.java

@@ -3,16 +3,13 @@
 import java.math.BigInteger;
 import java.security.SecureRandom;
 
-import org.bouncycastle.asn1.x9.X9ECParameters;
 import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
 import org.bouncycastle.crypto.AsymmetricCipherKeyPairGenerator;
 import org.bouncycastle.crypto.CryptoServicePurpose;
 import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.bouncycastle.crypto.Digest;
 import org.bouncycastle.crypto.KeyGenerationParameters;
 import org.bouncycastle.crypto.constraints.DefaultServiceProperties;
-import org.bouncycastle.crypto.digests.SHA256Digest;
-import org.bouncycastle.crypto.ec.CustomNamedCurves;
 import org.bouncycastle.crypto.params.ECCSIKeyGenerationParameters;
 import org.bouncycastle.crypto.params.ECCSIPrivateKeyParameters;
 import org.bouncycastle.crypto.params.ECCSIPublicKeyParameters;
@@ -21,28 +18,27 @@
 public class ECCSIKeyPairGenerator
     implements AsymmetricCipherKeyPairGenerator
 {
-    // Initialize NIST P-256 curve
-    private static final X9ECParameters params = CustomNamedCurves.getByName("secP256r1");
-    private static final BigInteger q = params.getCurve().getOrder();
-
-    // And the base point (generator) is:
-    private static final ECPoint G = params.getG();
-    //int N = 32; // 256 bits
-
+    private BigInteger q;
+    private ECPoint G;
+    private Digest digest;
     private ECCSIKeyGenerationParameters parameters;
 
     @Override
     public void init(KeyGenerationParameters parameters)
     {
         this.parameters = (ECCSIKeyGenerationParameters)parameters;
+        this.q = this.parameters.getQ();
+        this.G = this.parameters.getG();
+        this.digest = this.parameters.getDigest();
 
-        CryptoServicesRegistrar.checkConstraints(new DefaultServiceProperties("ECCSI", 256, null, CryptoServicePurpose.KEYGEN));
+        CryptoServicesRegistrar.checkConstraints(new DefaultServiceProperties("ECCSI", this.parameters.getN(), null, CryptoServicePurpose.KEYGEN));
     }
 
     @Override
     public AsymmetricCipherKeyPair generateKeyPair()
     {
         SecureRandom random = parameters.getRandom();
+        this.digest.reset();
         byte[] id = parameters.getId();
         ECPoint kpak = parameters.getKPAK();
         // 1) Choose v, a random (ephemeral) non-zero element of F_q;
@@ -51,7 +47,6 @@ public AsymmetricCipherKeyPair generateKeyPair()
         ECPoint pvt = G.multiply(v).normalize();
 
         // 3) Compute a hash value HS = hash( G || KPAK || ID || PVT ), an N-octet integer;
-        Digest digest = new SHA256Digest();
         byte[] tmp = G.getEncoded(false);
         digest.update(tmp, 0, tmp.length);
         tmp = kpak.getEncoded(false);

core/src/main/java/org/bouncycastle/crypto/params/ECCSIKeyGenerationParameters.java

@@ -4,39 +4,37 @@
 import java.security.SecureRandom;
 
 import org.bouncycastle.asn1.x9.X9ECParameters;
+import org.bouncycastle.crypto.Digest;
 import org.bouncycastle.crypto.KeyGenerationParameters;
-import org.bouncycastle.crypto.ec.CustomNamedCurves;
 import org.bouncycastle.math.ec.ECPoint;
 import org.bouncycastle.util.Arrays;
 
 public class ECCSIKeyGenerationParameters
     extends KeyGenerationParameters
 {
-    private static final BigInteger q;
-    private static final ECPoint G;
-
-    static
-    {
-        X9ECParameters params = CustomNamedCurves.getByName("secP256r1");
-        q = params.getCurve().getOrder();
-        G = params.getG();
-    }
-
+    private final BigInteger q;
+    private final ECPoint G;
+    private final Digest digest;
     private final byte[] id;
     private final BigInteger ksak;
     private final ECPoint kpak;
+    private final int n;
 
     /**
      * initialise the generator with a source of randomness
      * and a strength (in bits).
      *
      * @param random the random byte source.
      */
-    public ECCSIKeyGenerationParameters(SecureRandom random, byte[] id)
+    public ECCSIKeyGenerationParameters(SecureRandom random, X9ECParameters params, Digest digest, byte[] id)
     {
-        super(random, 256);
+        super(random, params.getCurve().getA().bitLength());
+        this.q = params.getCurve().getOrder();
+        this.G = params.getG();
+        this.digest = digest;
         this.id = Arrays.clone(id);
-        this.ksak = new BigInteger(256, random).mod(q);
+        this.n = params.getCurve().getA().bitLength();
+        this.ksak = new BigInteger(n, random).mod(q);
         this.kpak = G.multiply(ksak).normalize();
     }
 
@@ -54,4 +52,24 @@ public BigInteger computeSSK(BigInteger hs_v)
     {
         return ksak.add(hs_v).mod(q);
     }
+
+    public BigInteger getQ()
+    {
+        return q;
+    }
+
+    public ECPoint getG()
+    {
+        return G;
+    }
+
+    public Digest getDigest()
+    {
+        return digest;
+    }
+
+    public int getN()
+    {
+        return n;
+    }
 }

core/src/main/java/org/bouncycastle/crypto/signers/ECCSISigner.java

@@ -10,29 +10,34 @@
 import org.bouncycastle.crypto.DataLengthException;
 import org.bouncycastle.crypto.Digest;
 import org.bouncycastle.crypto.Signer;
-import org.bouncycastle.crypto.digests.SHA256Digest;
-import org.bouncycastle.crypto.ec.CustomNamedCurves;
 import org.bouncycastle.crypto.params.ECCSIPrivateKeyParameters;
 import org.bouncycastle.crypto.params.ECCSIPublicKeyParameters;
 import org.bouncycastle.crypto.params.ParametersWithRandom;
 import org.bouncycastle.math.ec.ECPoint;
 import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.BigIntegers;
 
+/**
+ * Implementation of Elliptic Curve-based Certificateless Signatures for Identity-Based Encryption (ECCSI)
+ * as defined in RFC 6507.
+ * <p>
+ * This class handles both signature generation and verification using the ECCSI scheme. It supports:
+ * <ul>
+ *   <li>NIST P-256 (secp256r1) elliptic curve parameters</li>
+ *   <li>SHA-256 hash function</li>
+ *   <li>Certificateless signatures using KMS Public Authentication Key (KPAK)</li>
+ *   <li>Identity-based signatures with Secret Signing Key (SSK)</li>
+ * </ul>
+ *
+ * @see <a href="https://datatracker.ietf.org/doc/html/rfc6507">RFC 6507:  Elliptic Curve-Based Certificateless
+ * Signatures for Identity-Based Encryption (ECCSI)</a>
+ */
 public class ECCSISigner
     implements Signer
 {
-    private static final BigInteger q;
-    private static final ECPoint G;
-
-    static
-    {
-        X9ECParameters params = CustomNamedCurves.getByName("secP256r1");
-        q = params.getCurve().getOrder();
-        G = params.getG();
-    }
-
-    private final Digest digest = new SHA256Digest();
+    private final BigInteger q;
+    private final ECPoint G;
+    private final Digest digest;
     private BigInteger j;
     private BigInteger r;
     private ECPoint Y;
@@ -41,72 +46,26 @@ public class ECCSISigner
     private CipherParameters param;
     private ByteArrayOutputStream stream;
     private boolean forSigning;
+    private final int N;
 
-    public ECCSISigner(ECPoint kpak, byte[] id)
+
+    public ECCSISigner(ECPoint kpak, X9ECParameters params, Digest digest, byte[] id)
     {
         this.kpak = kpak;
         this.id = id;
+        this.q = params.getCurve().getOrder();
+        this.G = params.getG();
+        this.digest = digest;
+        this.digest.reset();
+        this.N = (params.getCurve().getOrder().bitLength() + 7) >> 3;
     }
 
     @Override
     public void init(boolean forSigning, CipherParameters param)
     {
         this.forSigning = forSigning;
         this.param = param;
-        SecureRandom random = null;
-        if (param instanceof ParametersWithRandom)
-        {
-            random = ((ParametersWithRandom)param).getRandom();
-            param = ((ParametersWithRandom)param).getParameters();
-        }
-        ECPoint kpak_computed = null;
-        ECPoint pvt;
-        if (forSigning)
-        {
-            ECCSIPrivateKeyParameters parameters = (ECCSIPrivateKeyParameters)param;
-
-            j = new BigInteger(256, random).mod(q);
-            ECPoint J = G.multiply(j).normalize();
-            r = J.getAffineXCoord().toBigInteger();
-            pvt = parameters.getPublicKeyParameters().getPVT();
-            kpak_computed = G.multiply(parameters.getSSK());
-        }
-        else
-        {
-            ECCSIPublicKeyParameters parameters = (ECCSIPublicKeyParameters)param;
-            pvt = parameters.getPVT();
-            stream = new ByteArrayOutputStream();
-        }
-
-        // compute HS
-        byte[] tmp = G.getEncoded(false);
-        digest.update(tmp, 0, tmp.length);
-        tmp = kpak.getEncoded(false);
-        digest.update(tmp, 0, tmp.length);
-        digest.update(id, 0, id.length);
-        tmp = pvt.getEncoded(false);
-        digest.update(tmp, 0, tmp.length);
-        tmp = new byte[digest.getDigestSize()];
-        digest.doFinal(tmp, 0);
-        BigInteger HS = new BigInteger(1, tmp).mod(q);
-
-        //HE = hash( HS || r || M );
-        digest.update(tmp, 0, tmp.length);
-        if (forSigning)
-        {
-            kpak_computed = kpak_computed.subtract(pvt.multiply(HS)).normalize();
-            if (!kpak_computed.equals(kpak))
-            {
-                throw new IllegalArgumentException("Invalid KPAK");
-            }
-            byte[] rBytes = BigIntegers.asUnsignedByteArray(32, r);
-            digest.update(rBytes, 0, rBytes.length);
-        }
-        else
-        {
-            // Compute Y = HS*PVT + KPAK
-            Y = pvt.multiply(HS).add(kpak).normalize();
-        }
+        reset();
     }
 
     @Override
@@ -153,17 +112,17 @@ public byte[] generateSignature()
 
         BigInteger sPrime = denominator.modInverse(q).multiply(j).mod(q);
 
-        return Arrays.concatenate(BigIntegers.asUnsignedByteArray(32, r), BigIntegers.asUnsignedByteArray(32, sPrime),
+        return Arrays.concatenate(BigIntegers.asUnsignedByteArray(this.N, r), BigIntegers.asUnsignedByteArray(this.N, sPrime),
             params.getPublicKeyParameters().getPVT().getEncoded(false));
     }
 
     @Override
     public boolean verifySignature(byte[] signature)
     {
-        byte[] bytes = Arrays.copyOf(signature, 32);
-        BigInteger s = new BigInteger(1, Arrays.copyOfRange(signature, 32, 64));
+        byte[] bytes = Arrays.copyOf(signature, this.N);
+        BigInteger s = new BigInteger(1, Arrays.copyOfRange(signature, this.N, this.N << 1));
         r = new BigInteger(1, bytes).mod(q);
-        digest.update(bytes, 0, 32);
+        digest.update(bytes, 0, this.N);
         bytes = stream.toByteArray();
         digest.update(bytes, 0, bytes.length);
         bytes = new byte[digest.getDigestSize()];
@@ -185,6 +144,61 @@ public boolean verifySignature(byte[] signature)
     @Override
     public void reset()
     {
+        digest.reset();
+        CipherParameters param = this.param;
+        SecureRandom random = null;
+        if (param instanceof ParametersWithRandom)
+        {
+            random = ((ParametersWithRandom)param).getRandom();
+            param = ((ParametersWithRandom)param).getParameters();
+        }
+        ECPoint kpak_computed = null;
+        ECPoint pvt;
+        if (forSigning)
+        {
+            ECCSIPrivateKeyParameters parameters = (ECCSIPrivateKeyParameters)param;
+            pvt = parameters.getPublicKeyParameters().getPVT();
+            j = new BigInteger(q.bitLength(), random);
+            ECPoint J = G.multiply(j).normalize();
+            r = J.getAffineXCoord().toBigInteger().mod(q);
 
+            kpak_computed = G.multiply(parameters.getSSK());
+        }
+        else
+        {
+            ECCSIPublicKeyParameters parameters = (ECCSIPublicKeyParameters)param;
+            pvt = parameters.getPVT();
+            stream = new ByteArrayOutputStream();
+        }
+
+        // compute HS
+        byte[] tmp = G.getEncoded(false);
+        digest.update(tmp, 0, tmp.length);
+        tmp = kpak.getEncoded(false);
+        digest.update(tmp, 0, tmp.length);
+        digest.update(id, 0, id.length);
+        tmp = pvt.getEncoded(false);
+        digest.update(tmp, 0, tmp.length);
+        tmp = new byte[digest.getDigestSize()];
+        digest.doFinal(tmp, 0);
+        BigInteger HS = new BigInteger(1, tmp).mod(q);
+
+        //HE = hash( HS || r || M );
+        digest.update(tmp, 0, tmp.length);
+        if (forSigning)
+        {
+            kpak_computed = kpak_computed.subtract(pvt.multiply(HS)).normalize();
+            if (!kpak_computed.equals(kpak))
+            {
+                throw new IllegalArgumentException("Invalid KPAK");
+            }
+            byte[] rBytes = BigIntegers.asUnsignedByteArray(this.N, r);
+            digest.update(rBytes, 0, rBytes.length);
+        }
+        else
+        {
+            // Compute Y = HS*PVT + KPAK
+            Y = pvt.multiply(HS).add(kpak).normalize();
+        }
     }
 }