Merge branch 'main' into pg-synchronize-bc_csharp

gefeili · gefeili · commit 67a2f3ab7e31 · 2024-06-03T16:01:18.000+09:30
# Conflicts:
#	pg/src/main/java/org/bouncycastle/openpgp/PGPSignature.java
#	pg/src/main/java/org/bouncycastle/openpgp/operator/bc/BcImplProvider.java
#	pg/src/main/java/org/bouncycastle/openpgp/operator/jcajce/JcaPGPContentSignerBuilder.java
#	pg/src/main/java/org/bouncycastle/openpgp/operator/jcajce/JcaPGPContentVerifierBuilderProvider.java
diff --git a/CONTRIBUTORS.html b/CONTRIBUTORS.html
@@ -547,6 +547,7 @@
 <li>Seung Yeon &lt;https://github.com/seungyeonpark&gt; - addition of Memoable method implementations to CertPathValidationContext and CertificatePoliciesValidation.</li>
 <li>yuhh0328 &lt;https://github.com/yuhh0328&gt; - initial patch for adding ML-KEM support to TLS.</li>
 <li>Jan Oupick&yacute; &lt;https://github.com/Honzaik&gt; - update to draft 13 of composite PQC signatures.</li>
+<li>Karsten Otto &lt;https://github.com/ottoka&gt; - finished the support for jdk.tls.server.defaultDHEParameters.</li>
 </ul>
 </body>
 </html>
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/crystals/dilithium/DilithiumEngine.java b/core/src/main/java/org/bouncycastle/pqc/crypto/crystals/dilithium/DilithiumEngine.java
@@ -536,14 +536,7 @@ public boolean signVerify(byte[] sig, int siglen, byte[] msg, int msglen, byte[]
         // Helper.printByteArray(c2);
 
 
-        for (int i = 0; i < DilithiumCTilde; ++i)
-        {
-            if (c[i] != c2[i])
-            {
-                return false;
-            }
-        }
-        return true;
+        return Arrays.constantTimeAreEqual(c, c2);
     }
 
     public boolean signOpen(byte[] msg, byte[] signedMsg, int signedMsglen, byte[] rho, byte[] t1)
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/lms/HSSPublicKeyParameters.java b/core/src/main/java/org/bouncycastle/pqc/crypto/lms/HSSPublicKeyParameters.java
@@ -136,7 +136,7 @@ public LMSContext generateLMSContext(byte[] sigEnc)
 
     public boolean verify(LMSContext context)
     {
-        boolean failed = false;
+        boolean passed = true;
 
         LMSSignedPubKey[] sigKeys = context.getSignedPubKeys();
 
@@ -151,13 +151,10 @@ public boolean verify(LMSContext context)
         {
             LMSSignature sig = sigKeys[i].getSignature();
             byte[] msg = sigKeys[i].getPublicKey().toByteArray();
-            if (!LMS.verifySignature(key, sig, msg))
-            {
-                failed = true;
-            }
+            passed &= LMS.verifySignature(key, sig, msg);
             key = sigKeys[i].getPublicKey();
         }
 
-        return !failed & key.verify(context);
+        return passed & key.verify(context);
     }
 }
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/sphincs/SPHINCS256Signer.java b/core/src/main/java/org/bouncycastle/pqc/crypto/sphincs/SPHINCS256Signer.java
@@ -406,13 +406,12 @@ boolean verify(HashFunctions hs, byte[] m, byte[] sm, byte[] pk)
             smlen -= SPHINCS256Config.SUBTREE_HEIGHT * SPHINCS256Config.HASH_BYTES;
         }
 
+        // Because we use custom offsets on tpk, rather than incurring an
+        // expensive copy, we use a manual constant time comparison.
         boolean verified = true;
         for (i = 0; i < SPHINCS256Config.HASH_BYTES; i++)
         {
-            if (root[i] != tpk[i + Horst.N_MASKS * SPHINCS256Config.HASH_BYTES])
-            {
-                verified = false;
-            }
+            verified &= root[i] == tpk[i + Horst.N_MASKS * SPHINCS256Config.HASH_BYTES];
         }
 
         return verified;
diff --git a/docs/releasenotes.html b/docs/releasenotes.html
@@ -19,12 +19,18 @@ <h2>1.0 Introduction</h2>
 <h2>2.0 Release History</h2>
 
 <a id="r1rv79"><h3>2.1.1 Version</h3></a>
+Release: 1.79<br/>
 Date:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2024, TBD.
 <h3>2.1.2 Defects Fixed</h3>
 <ul>
 </ul>
+<h3>2.1.3 Additional Features and Functionality</h3>
+<ul>
+<li>BCJSSE: Added support for security property "jdk.tls.server.defaultDHEParameters" (disabled in FIPS mode).</li>
+</ul>
 
 <a id="r1rv78d1"><h3>2.2.1 Version</h3></a>
+Release: 1.78.1<br/>
 Date:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2024, 18th April.
 <h3>2.2.2 Defects Fixed</h3>
 <ul>
diff --git a/pg/src/main/java/org/bouncycastle/openpgp/PGPSignature.java b/pg/src/main/java/org/bouncycastle/openpgp/PGPSignature.java
@@ -19,6 +19,7 @@
 import org.bouncycastle.bcpg.SignatureSubpacket;
 import org.bouncycastle.bcpg.TrustPacket;
 import org.bouncycastle.math.ec.rfc8032.Ed25519;
+import org.bouncycastle.math.ec.rfc8032.Ed448;
 import org.bouncycastle.openpgp.operator.PGPContentVerifier;
 import org.bouncycastle.openpgp.operator.PGPContentVerifierBuilder;
 import org.bouncycastle.openpgp.operator.PGPContentVerifierBuilderProvider;
@@ -454,8 +455,19 @@ else if (getKeyAlgorithm() == PublicKeyAlgorithmTags.EDDSA_LEGACY)
             {
                 byte[] a = BigIntegers.asUnsignedByteArray(sigValues[0].getValue());
                 byte[] b = BigIntegers.asUnsignedByteArray(sigValues[1].getValue());
-                //TODO: distinguish Ed25519 and Ed448
-                signature = Arrays.concatenate(a, b);
+                if (a.length + b.length == Ed25519.SIGNATURE_SIZE)
+                {
+                    signature = new byte[Ed25519.SIGNATURE_SIZE];
+                    System.arraycopy(a, 0, signature, Ed25519.PUBLIC_KEY_SIZE - a.length, a.length);
+                    System.arraycopy(b, 0, signature, Ed25519.SIGNATURE_SIZE - b.length, b.length);
+                }
+                else
+                {
+                    signature = new byte[Ed448.SIGNATURE_SIZE];
+                    System.arraycopy(a, 0, signature, Ed448.PUBLIC_KEY_SIZE - a.length, a.length);
+                    System.arraycopy(b, 0, signature, Ed448.SIGNATURE_SIZE - b.length, b.length);
+                }
+
             }
             else
             {
diff --git a/pg/src/main/java/org/bouncycastle/openpgp/operator/jcajce/JcaPGPContentSignerBuilder.java b/pg/src/main/java/org/bouncycastle/openpgp/operator/jcajce/JcaPGPContentSignerBuilder.java
@@ -98,7 +98,6 @@ public PGPContentSigner build(final int signatureType, final long keyID, final P
 
         if (keyAlgorithm == PublicKeyAlgorithmTags.EDDSA_LEGACY && privateKey.getAlgorithm().equals("Ed448"))
         {
-            // Try my best to solve Ed448Legacy issue
             signature = helper.createSignature("Ed448");
         }
         else
diff --git a/pg/src/main/java/org/bouncycastle/openpgp/operator/jcajce/JcaPGPContentVerifierBuilderProvider.java b/pg/src/main/java/org/bouncycastle/openpgp/operator/jcajce/JcaPGPContentVerifierBuilderProvider.java
@@ -8,8 +8,6 @@
 import java.security.SignatureException;
 import java.security.interfaces.RSAPublicKey;
 
-import org.bouncycastle.asn1.edec.EdECObjectIdentifiers;
-import org.bouncycastle.bcpg.EdDSAPublicBCPGKey;
 import org.bouncycastle.bcpg.PublicKeyAlgorithmTags;
 import org.bouncycastle.jcajce.io.OutputStreamFactory;
 import org.bouncycastle.jcajce.util.DefaultJcaJceHelper;
@@ -73,22 +71,19 @@ public JcaPGPContentVerifierBuilder(int keyAlgorithm, int hashAlgorithm)
         public PGPContentVerifier build(final PGPPublicKey publicKey)
             throws PGPException
         {
-            final Signature signature;
+            final PGPDigestCalculator digestCalculator = digestCalculatorProviderBuilder.build().get(hashAlgorithm);
+            final PublicKey jcaKey = keyConverter.getPublicKey(publicKey);
 
-            if (keyAlgorithm == PublicKeyAlgorithmTags.EDDSA_LEGACY
-                && ((EdDSAPublicBCPGKey)publicKey.getPublicKeyPacket().getKey()).getCurveOID().equals(EdECObjectIdentifiers.id_Ed448))
+            final Signature signature;
+            if (keyAlgorithm == PublicKeyAlgorithmTags.EDDSA_LEGACY && jcaKey.getAlgorithm().equals("Ed448"))
             {
-                // Try my best to solve Ed448Legacy issue
-                signature = helper.createSignature("Ed448");
+                signature = helper.createSignature(PublicKeyAlgorithmTags.Ed448, hashAlgorithm);
             }
             else
             {
                 signature = helper.createSignature(keyAlgorithm, hashAlgorithm);
             }
 
-            final PGPDigestCalculator digestCalculator = digestCalculatorProviderBuilder.build().get(hashAlgorithm);
-            final PublicKey jcaKey = keyConverter.getPublicKey(publicKey);
-
             try
             {
                 signature.initVerify(jcaKey);
diff --git a/pg/src/main/java/org/bouncycastle/openpgp/operator/jcajce/JcaPGPKeyConverter.java b/pg/src/main/java/org/bouncycastle/openpgp/operator/jcajce/JcaPGPKeyConverter.java
@@ -366,22 +366,13 @@ else if (ecdhK.getCurveOID().equals(EdECObjectIdentifiers.id_X448))
             // Modern Ed25519 (1.3.6.1.4.1.11591.15.1 & 1.3.101.112)
             case PublicKeyAlgorithmTags.Ed25519:
             {
-                BCPGKey key = publicPk.getKey();
-                if (key instanceof Ed25519PublicBCPGKey)
-                {
-                    return implGetPublicKeyX509(BigIntegers.asUnsignedByteArray(new BigInteger(1, publicPk.getKey().getEncoded())),
-                        0, EdECObjectIdentifiers.id_Ed25519, "EdDSA");
-                }
-                else
-                {
-                    return implGetPublicKeyX509(BigIntegers.asUnsignedByteArray(((EdDSAPublicBCPGKey)publicPk.getKey()).getEncodedPoint()),
+                return implGetPublicKeyX509(publicPk.getKey().getEncoded(),
                         0, EdECObjectIdentifiers.id_Ed25519, "EdDSA");
-                }
             }
             // Modern Ed448 (1.3.101.113)
             case PublicKeyAlgorithmTags.Ed448:
             {
-                return implGetPublicKeyX509(BigIntegers.asUnsignedByteArray(new BigInteger(1, publicPk.getKey().getEncoded())),
+                return implGetPublicKeyX509(publicPk.getKey().getEncoded(),
                     0, EdECObjectIdentifiers.id_Ed448, "EdDSA");
             }
             case PublicKeyAlgorithmTags.ELGAMAL_ENCRYPT:
diff --git a/pg/src/test/java/org/bouncycastle/openpgp/test/EdDSAKeyConversionWithLeadingZeroTest.java b/pg/src/test/java/org/bouncycastle/openpgp/test/EdDSAKeyConversionWithLeadingZeroTest.java
@@ -0,0 +1,112 @@
+package org.bouncycastle.openpgp.test;
+
+import org.bouncycastle.bcpg.PublicKeyAlgorithmTags;
+import org.bouncycastle.bcpg.test.AbstractPacketTest;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPKeyPair;
+import org.bouncycastle.openpgp.operator.jcajce.JcaPGPKeyConverter;
+import org.bouncycastle.openpgp.operator.jcajce.JcaPGPKeyPair;
+import org.bouncycastle.util.encoders.Hex;
+
+import java.security.*;
+import java.security.spec.*;
+import java.util.Date;
+
+public class EdDSAKeyConversionWithLeadingZeroTest
+        extends AbstractPacketTest
+{
+    @Override
+    public String getName()
+    {
+        return "EdDSALeadingZero";
+    }
+
+    private static final String ED448_KEY_WITH_LEADING_ZERO = "308183020101300506032b6571043b0439fe2c82fd07b0e8b5da002ee4964e55a357bfdd2192fe43a40b150e6c5a8f8202f140dd34ede17dc10fef9a98bf8188425c14bd1a76a308cfb7813a0000728cbb07c590e2cb282834cc22d7a1f775f729986c4754e7035695dee34057403e98e94cf5012007c3236f4894af039e668acb746fcf8a00";
+    private static final String ED448_PUB_WITH_LEADING_ZERO = "3043300506032b6571033a0000728cbb07c590e2cb282834cc22d7a1f775f729986c4754e7035695dee34057403e98e94cf5012007c3236f4894af039e668acb746fcf8a00";
+
+    private static final String ED25519_KEY_WITH_LEADING_ZERO = "3051020101300506032b65700422042077ee5931a6d454f85acd9cc28bb2fa8c340e10f7cbf0193f1f898a5c22e77f4281210000dcd38e8ec0978690a4bbc8ac7787d311e741c394ba839ad9cc15e9ba21deb1";
+    private static final String ED25519_PUB_WITH_LEADING_ZERO = "302a300506032b657003210000dcd38e8ec0978690a4bbc8ac7787d311e741c394ba839ad9cc15e9ba21deb1";
+
+    @Override
+    public void performTest()
+            throws Exception
+    {
+        testWithEd448KeyWithLeadingZero();
+        testWithEd25519KeyWithLeadingZero();
+    }
+
+    private void testWithEd448KeyWithLeadingZero()
+            throws NoSuchAlgorithmException, InvalidKeySpecException, PGPException, InvalidKeyException, SignatureException
+    {
+        JcaPGPKeyConverter jcaPGPKeyConverter = new JcaPGPKeyConverter().setProvider(new BouncyCastleProvider());
+
+        KeyFactory factory = KeyFactory.getInstance("EdDSA", new BouncyCastleProvider());
+
+        PublicKey pubKey = factory.generatePublic(new X509EncodedKeySpec(Hex.decode(ED448_PUB_WITH_LEADING_ZERO)));
+        PrivateKey privKey = factory.generatePrivate(new PKCS8EncodedKeySpec(Hex.decode(ED448_KEY_WITH_LEADING_ZERO)));
+        KeyPair keyPair = new KeyPair(pubKey, privKey);
+
+        Date creationDate = new Date();
+        PGPKeyPair jcaPgpPair = new JcaPGPKeyPair(PublicKeyAlgorithmTags.Ed448, keyPair, creationDate);
+        isTrue("public key encoding before conversion MUST have leading 0",
+                jcaPgpPair.getPublicKey().getPublicKeyPacket().getKey().getEncoded()[0] == 0); // leading 0
+
+        PublicKey cPubKey = jcaPGPKeyConverter.getPublicKey(jcaPgpPair.getPublicKey());
+        PrivateKey cPrivKey = jcaPGPKeyConverter.getPrivateKey(jcaPgpPair.getPrivateKey());
+
+        testSignature(cPrivKey, pubKey, "Ed448");
+        testSignature(privKey, cPubKey, "Ed448");
+
+        jcaPgpPair = new JcaPGPKeyPair(PublicKeyAlgorithmTags.Ed448, new KeyPair(cPubKey, cPrivKey), creationDate);
+        isTrue("public key encoding after conversion MUST have leading 0",
+                jcaPgpPair.getPublicKey().getPublicKeyPacket().getKey().getEncoded()[0] == 0); // leading 0 is preserved
+    }
+
+
+    private void testWithEd25519KeyWithLeadingZero()
+            throws NoSuchAlgorithmException, InvalidKeySpecException, PGPException, InvalidKeyException, SignatureException
+    {
+        JcaPGPKeyConverter jcaPGPKeyConverter = new JcaPGPKeyConverter().setProvider(new BouncyCastleProvider());
+
+        KeyFactory factory = KeyFactory.getInstance("EdDSA", new BouncyCastleProvider());
+
+        PublicKey pubKey = factory.generatePublic(new X509EncodedKeySpec(Hex.decode(ED25519_PUB_WITH_LEADING_ZERO)));
+        PrivateKey privKey = factory.generatePrivate(new PKCS8EncodedKeySpec(Hex.decode(ED25519_KEY_WITH_LEADING_ZERO)));
+        KeyPair keyPair = new KeyPair(pubKey, privKey);
+
+        Date creationDate = new Date();
+        PGPKeyPair jcaPgpPair = new JcaPGPKeyPair(PublicKeyAlgorithmTags.Ed25519, keyPair, creationDate);
+        isTrue("public key encoding before conversion MUST have leading 0",
+                jcaPgpPair.getPublicKey().getPublicKeyPacket().getKey().getEncoded()[0] == 0); // leading 0
+
+        PublicKey cPubKey = jcaPGPKeyConverter.getPublicKey(jcaPgpPair.getPublicKey());
+        PrivateKey cPrivKey = jcaPGPKeyConverter.getPrivateKey(jcaPgpPair.getPrivateKey());
+
+        testSignature(cPrivKey, pubKey, "Ed25519");
+        testSignature(privKey, cPubKey, "Ed25519");
+
+        jcaPgpPair = new JcaPGPKeyPair(PublicKeyAlgorithmTags.Ed25519, new KeyPair(cPubKey, cPrivKey), creationDate);
+        isTrue("public key encoding after conversion MUST have leading 0",
+                jcaPgpPair.getPublicKey().getPublicKeyPacket().getKey().getEncoded()[0] == 0); // leading 0 is preserved
+    }
+
+    private void testSignature(PrivateKey privateKey, PublicKey publicKey, String edAlgo)
+            throws NoSuchAlgorithmException, SignatureException, InvalidKeyException
+    {
+        Signature signature = Signature.getInstance(edAlgo, new BouncyCastleProvider());
+        signature.initSign(privateKey);
+        signature.update("Hello, World!\n".getBytes());
+        byte[] sig = signature.sign();
+
+        signature.initVerify(publicKey);
+        signature.update("Hello, World!\n".getBytes());
+        isTrue("Signature MUST verify", signature.verify(sig));
+    }
+
+    public static void main(String[] args)
+    {
+        Security.addProvider(new BouncyCastleProvider());
+        runTest(new EdDSAKeyConversionWithLeadingZeroTest());
+    }
+}
diff --git a/pg/src/test/java/org/bouncycastle/openpgp/test/LegacyEd25519KeyPairTest.java b/pg/src/test/java/org/bouncycastle/openpgp/test/LegacyEd25519KeyPairTest.java
@@ -2,17 +2,28 @@
 
 import org.bouncycastle.bcpg.EdDSAPublicBCPGKey;
 import org.bouncycastle.bcpg.EdSecretBCPGKey;
+import org.bouncycastle.bcpg.HashAlgorithmTags;
 import org.bouncycastle.bcpg.PublicKeyAlgorithmTags;
 import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
 import org.bouncycastle.crypto.generators.Ed25519KeyPairGenerator;
 import org.bouncycastle.crypto.params.Ed25519KeyGenerationParameters;
 import org.bouncycastle.jcajce.spec.EdDSAParameterSpec;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPKeyPair;
+import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.openpgp.PGPSignatureGenerator;
+import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder;
+import org.bouncycastle.openpgp.operator.PGPContentVerifierBuilderProvider;
+import org.bouncycastle.openpgp.operator.bc.BcPGPContentSignerBuilder;
+import org.bouncycastle.openpgp.operator.bc.BcPGPContentVerifierBuilderProvider;
 import org.bouncycastle.openpgp.operator.bc.BcPGPKeyPair;
+import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder;
+import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentVerifierBuilderProvider;
 import org.bouncycastle.openpgp.operator.jcajce.JcaPGPKeyPair;
 
 import java.io.IOException;
+import java.nio.charset.StandardCharsets;
 import java.security.*;
 import java.util.Date;
 
@@ -31,6 +42,60 @@ public void performTest()
     {
         testConversionOfJcaKeyPair();
         testConversionOfBcKeyPair();
+        testV4SigningVerificationWithJcaKey();
+        testV4SigningVerificationWithBcKey();
+    }
+
+    private void testV4SigningVerificationWithJcaKey()
+            throws NoSuchAlgorithmException, InvalidAlgorithmParameterException, PGPException
+    {
+        Date date = currentTimeRounded();
+        KeyPairGenerator gen = KeyPairGenerator.getInstance("EDDSA", new BouncyCastleProvider());
+        gen.initialize(new EdDSAParameterSpec("Ed25519"));
+        KeyPair kp = gen.generateKeyPair();
+        PGPKeyPair keyPair = new JcaPGPKeyPair(PublicKeyAlgorithmTags.EDDSA_LEGACY, kp, date);
+
+        byte[] data = "Hello, World!\n".getBytes(StandardCharsets.UTF_8);
+
+        PGPContentSignerBuilder contSigBuilder = new JcaPGPContentSignerBuilder(
+                keyPair.getPublicKey().getAlgorithm(),
+                HashAlgorithmTags.SHA512)
+                .setProvider(new BouncyCastleProvider());
+        PGPSignatureGenerator sigGen = new PGPSignatureGenerator(contSigBuilder);
+        sigGen.init(PGPSignature.BINARY_DOCUMENT, keyPair.getPrivateKey());
+        sigGen.update(data);
+        PGPSignature signature = sigGen.generate();
+
+        PGPContentVerifierBuilderProvider contVerBuilder = new JcaPGPContentVerifierBuilderProvider()
+                .setProvider(new BouncyCastleProvider());
+        signature.init(contVerBuilder, keyPair.getPublicKey());
+        signature.update(data);
+        isTrue(signature.verify());
+    }
+
+    private void testV4SigningVerificationWithBcKey()
+            throws PGPException
+    {
+        Date date = currentTimeRounded();
+        Ed25519KeyPairGenerator gen = new Ed25519KeyPairGenerator();
+        gen.init(new Ed25519KeyGenerationParameters(new SecureRandom()));
+        AsymmetricCipherKeyPair kp = gen.generateKeyPair();
+        BcPGPKeyPair keyPair = new BcPGPKeyPair(PublicKeyAlgorithmTags.EDDSA_LEGACY, kp, date);
+
+        byte[] data = "Hello, World!\n".getBytes(StandardCharsets.UTF_8);
+
+        PGPContentSignerBuilder contSigBuilder = new BcPGPContentSignerBuilder(
+                keyPair.getPublicKey().getAlgorithm(),
+                HashAlgorithmTags.SHA512);
+        PGPSignatureGenerator sigGen = new PGPSignatureGenerator(contSigBuilder);
+        sigGen.init(PGPSignature.BINARY_DOCUMENT, keyPair.getPrivateKey());
+        sigGen.update(data);
+        PGPSignature signature = sigGen.generate();
+
+        PGPContentVerifierBuilderProvider contVerBuilder = new BcPGPContentVerifierBuilderProvider();
+        signature.init(contVerBuilder, keyPair.getPublicKey());
+        signature.update(data);
+        isTrue(signature.verify());
     }
 
     private void testConversionOfJcaKeyPair()
diff --git a/pg/src/test/java/org/bouncycastle/openpgp/test/LegacyEd448KeyPairTest.java b/pg/src/test/java/org/bouncycastle/openpgp/test/LegacyEd448KeyPairTest.java
diff --git a/pg/src/test/java/org/bouncycastle/openpgp/test/RegressionTest.java b/pg/src/test/java/org/bouncycastle/openpgp/test/RegressionTest.java
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/NamedGroupInfo.java b/tls/src/main/java/org/bouncycastle/jsse/provider/NamedGroupInfo.java
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsServer.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsServer.java
diff --git a/tls/src/main/java/org/bouncycastle/tls/AbstractTlsServer.java b/tls/src/main/java/org/bouncycastle/tls/AbstractTlsServer.java

Original file line number	Diff line number	Diff line change
`@@ -136,7 +136,7 @@ public LMSContext generateLMSContext(byte[] sigEnc)`
`136`	`136`
`137`	`137`	`public boolean verify(LMSContext context)`
`138`	`138`	`{`
`139`		`- boolean failed = false;`
	`139`	`+ boolean passed = true;`
`140`	`140`
`141`	`141`	`LMSSignedPubKey[] sigKeys = context.getSignedPubKeys();`
`142`	`142`
`@@ -151,13 +151,10 @@ public boolean verify(LMSContext context)`
`151`	`151`	`{`
`152`	`152`	`LMSSignature sig = sigKeys[i].getSignature();`
`153`	`153`	`byte[] msg = sigKeys[i].getPublicKey().toByteArray();`
`154`		`- if (!LMS.verifySignature(key, sig, msg))`
`155`		`- {`
`156`		`- failed = true;`
`157`		`- }`
	`154`	`+ passed &= LMS.verifySignature(key, sig, msg);`
`158`	`155`	`key = sigKeys[i].getPublicKey();`
`159`	`156`	`}`
`160`	`157`
`161`		`- return !failed & key.verify(context);`
	`158`	`+ return passed & key.verify(context);`
`162`	`159`	`}`
`163`	`160`	`}`
Original file line number	Diff line number	Diff line change
`@@ -406,13 +406,12 @@ boolean verify(HashFunctions hs, byte[] m, byte[] sm, byte[] pk)`
`406`	`406`	`smlen -= SPHINCS256Config.SUBTREE_HEIGHT * SPHINCS256Config.HASH_BYTES;`
`407`	`407`	`}`
`408`	`408`
	`409`	`+ // Because we use custom offsets on tpk, rather than incurring an`
	`410`	`+ // expensive copy, we use a manual constant time comparison.`
`409`	`411`	`boolean verified = true;`
`410`	`412`	`for (i = 0; i < SPHINCS256Config.HASH_BYTES; i++)`
`411`	`413`	`{`
`412`		`- if (root[i] != tpk[i + Horst.N_MASKS * SPHINCS256Config.HASH_BYTES])`
`413`		`- {`
`414`		`- verified = false;`
`415`		`- }`
	`414`	`+ verified &= root[i] == tpk[i + Horst.N_MASKS * SPHINCS256Config.HASH_BYTES];`
`416`	`415`	`}`
`417`	`416`
`418`	`417`	`return verified;`
Original file line number	Diff line number	Diff line change
`@@ -98,7 +98,6 @@ public PGPContentSigner build(final int signatureType, final long keyID, final P`
`98`	`98`
`99`	`99`	`if (keyAlgorithm == PublicKeyAlgorithmTags.EDDSA_LEGACY && privateKey.getAlgorithm().equals("Ed448"))`
`100`	`100`	`{`
`101`		`- // Try my best to solve Ed448Legacy issue`
`102`	`101`	`signature = helper.createSignature("Ed448");`
`103`	`102`	`}`
`104`	`103`	`else`
Original file line number	Diff line number	Diff line change
`@@ -8,8 +8,6 @@`
`8`	`8`	`import java.security.SignatureException;`
`9`	`9`	`import java.security.interfaces.RSAPublicKey;`
`10`	`10`
`11`		`-import org.bouncycastle.asn1.edec.EdECObjectIdentifiers;`
`12`		`-import org.bouncycastle.bcpg.EdDSAPublicBCPGKey;`
`13`	`11`	`import org.bouncycastle.bcpg.PublicKeyAlgorithmTags;`
`14`	`12`	`import org.bouncycastle.jcajce.io.OutputStreamFactory;`
`15`	`13`	`import org.bouncycastle.jcajce.util.DefaultJcaJceHelper;`
`@@ -73,22 +71,19 @@ public JcaPGPContentVerifierBuilder(int keyAlgorithm, int hashAlgorithm)`
`73`	`71`	`public PGPContentVerifier build(final PGPPublicKey publicKey)`
`74`	`72`	`throws PGPException`
`75`	`73`	`{`
`76`		`- final Signature signature;`
	`74`	`+ final PGPDigestCalculator digestCalculator = digestCalculatorProviderBuilder.build().get(hashAlgorithm);`
	`75`	`+ final PublicKey jcaKey = keyConverter.getPublicKey(publicKey);`
`77`	`76`
`78`		`- if (keyAlgorithm == PublicKeyAlgorithmTags.EDDSA_LEGACY`
`79`		`- && ((EdDSAPublicBCPGKey)publicKey.getPublicKeyPacket().getKey()).getCurveOID().equals(EdECObjectIdentifiers.id_Ed448))`
	`77`	`+ final Signature signature;`
	`78`	`+ if (keyAlgorithm == PublicKeyAlgorithmTags.EDDSA_LEGACY && jcaKey.getAlgorithm().equals("Ed448"))`
`80`	`79`	`{`
`81`		`- // Try my best to solve Ed448Legacy issue`
`82`		`- signature = helper.createSignature("Ed448");`
	`80`	`+ signature = helper.createSignature(PublicKeyAlgorithmTags.Ed448, hashAlgorithm);`
`83`	`81`	`}`
`84`	`82`	`else`
`85`	`83`	`{`
`86`	`84`	`signature = helper.createSignature(keyAlgorithm, hashAlgorithm);`
`87`	`85`	`}`
`88`	`86`
`89`		`- final PGPDigestCalculator digestCalculator = digestCalculatorProviderBuilder.build().get(hashAlgorithm);`
`90`		`- final PublicKey jcaKey = keyConverter.getPublicKey(publicKey);`
`91`		`-`
`92`	`87`	`try`
`93`	`88`	`{`
`94`	`89`	`signature.initVerify(jcaKey);`