More work in crypto.hpke

- Validate public key lengths and uncompressed format
- Clamp XDH private key output
- Switch to RawAgreement (add BasicRawAgreement adapter)
- Avoid String.getBytes for label conversion

Author: peterdettman

core/src/main/java/org/bouncycastle/crypto/agreement/BasicRawAgreement.java

@@ -0,0 +1,40 @@
+package org.bouncycastle.crypto.agreement;
+
+import java.math.BigInteger;
+
+import org.bouncycastle.crypto.BasicAgreement;
+import org.bouncycastle.crypto.CipherParameters;
+import org.bouncycastle.crypto.RawAgreement;
+import org.bouncycastle.util.BigIntegers;
+
+public final class BasicRawAgreement
+    implements RawAgreement
+{
+    public final BasicAgreement basicAgreement;
+
+    public BasicRawAgreement(BasicAgreement basicAgreement)
+    {
+        if (basicAgreement == null)
+        {
+            throw new NullPointerException("'basicAgreement' cannot be null");
+        }
+
+        this.basicAgreement = basicAgreement;
+    }
+
+    public void init(CipherParameters parameters)
+    {
+        basicAgreement.init(parameters);
+    }
+
+    public int getAgreementSize()
+    {
+        return basicAgreement.getFieldSize();
+    }
+
+    public void calculateAgreement(CipherParameters publicKey, byte[] buf, int off)
+    {
+        BigInteger z = basicAgreement.calculateAgreement(publicKey);
+        BigIntegers.asUnsignedByteArray(z, buf, off, getAgreementSize());
+    }
+}

core/src/main/java/org/bouncycastle/crypto/hpke/DHKEM.java

@@ -5,10 +5,12 @@
 
 import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
 import org.bouncycastle.crypto.AsymmetricCipherKeyPairGenerator;
-import org.bouncycastle.crypto.BasicAgreement;
 import org.bouncycastle.crypto.CryptoServicesRegistrar;
+import org.bouncycastle.crypto.RawAgreement;
+import org.bouncycastle.crypto.agreement.BasicRawAgreement;
 import org.bouncycastle.crypto.agreement.ECDHCBasicAgreement;
-import org.bouncycastle.crypto.agreement.XDHBasicAgreement;
+import org.bouncycastle.crypto.agreement.X25519Agreement;
+import org.bouncycastle.crypto.agreement.X448Agreement;
 import org.bouncycastle.crypto.ec.CustomNamedCurves;
 import org.bouncycastle.crypto.generators.ECKeyPairGenerator;
 import org.bouncycastle.crypto.generators.X25519KeyPairGenerator;
@@ -27,6 +29,8 @@
 import org.bouncycastle.math.ec.ECPoint;
 import org.bouncycastle.math.ec.FixedPointCombMultiplier;
 import org.bouncycastle.math.ec.WNafUtil;
+import org.bouncycastle.math.ec.rfc7748.X25519;
+import org.bouncycastle.math.ec.rfc7748.X448;
 import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.BigIntegers;
 import org.bouncycastle.util.Pack;
@@ -37,7 +41,7 @@ class DHKEM
 {
     private AsymmetricCipherKeyPairGenerator kpGen;
 
-    private BasicAgreement agreement;
+    private RawAgreement rawAgreement;
 
     // kem ids
     private final short kemId;
@@ -59,7 +63,7 @@ protected DHKEM(short kemid)
         case HPKE.kem_P256_SHA256:
             this.hkdf = new HKDF(HPKE.kdf_HKDF_SHA256);
             domainParams = getDomainParameters("P-256");
-            this.agreement = new ECDHCBasicAgreement();
+            rawAgreement = new BasicRawAgreement(new ECDHCBasicAgreement());
             bitmask = (byte)0xff;
             Nsk = 32;
             Nsecret = 32;
@@ -72,7 +76,7 @@ protected DHKEM(short kemid)
         case HPKE.kem_P384_SHA348:
             this.hkdf = new HKDF(HPKE.kdf_HKDF_SHA384);
             domainParams = getDomainParameters("P-384");
-            this.agreement = new ECDHCBasicAgreement();
+            rawAgreement = new BasicRawAgreement(new ECDHCBasicAgreement());
             bitmask = (byte)0xff;
             Nsk = 48;
             Nsecret = 48;
@@ -85,7 +89,7 @@ protected DHKEM(short kemid)
         case HPKE.kem_P521_SHA512:
             this.hkdf = new HKDF(HPKE.kdf_HKDF_SHA512);
             domainParams = getDomainParameters("P-521");
-            this.agreement = new ECDHCBasicAgreement();
+            rawAgreement = new BasicRawAgreement(new ECDHCBasicAgreement());
             bitmask = 0x01;
             Nsk = 66;
             Nsecret = 64;
@@ -97,7 +101,7 @@ protected DHKEM(short kemid)
             break;
         case HPKE.kem_X25519_SHA256:
             this.hkdf = new HKDF(HPKE.kdf_HKDF_SHA256);
-            this.agreement = new XDHBasicAgreement();
+            rawAgreement = new X25519Agreement();
             Nsecret = 32;
             Nsk = 32;
             Nenc = 32;
@@ -108,7 +112,7 @@ protected DHKEM(short kemid)
             break;
         case HPKE.kem_X448_SHA512:
             this.hkdf = new HKDF(HPKE.kdf_HKDF_SHA512);
-            this.agreement = new XDHBasicAgreement();
+            rawAgreement = new X448Agreement();
             Nsecret = 64;
             Nsk = 56;
             Nenc = 56;
@@ -129,6 +133,10 @@ public byte[] SerializePublicKey(AsymmetricKeyParameter key)
         case HPKE.kem_P256_SHA256:
         case HPKE.kem_P384_SHA348:
         case HPKE.kem_P521_SHA512:
+            /*
+             * RFC 9180 7.1.1. For P-256, P-384, and P-521, the SerializePublicKey() function of the KEM performs
+             * the uncompressed Elliptic-Curve-Point-to-Octet-String conversion according to [SECG].
+             */
             return ((ECPublicKeyParameters)key).getQ().getEncoded(false);
         case HPKE.kem_X448_SHA512:
             return ((X448PublicKeyParameters)key).getEncoded();
@@ -146,30 +154,74 @@ public byte[] SerializePrivateKey(AsymmetricKeyParameter key)
         case HPKE.kem_P256_SHA256:
         case HPKE.kem_P384_SHA348:
         case HPKE.kem_P521_SHA512:
+        {
+            /*
+             * RFC 9180 7.1.2. For P-256, P-384, and P-521, the SerializePrivateKey() function of the KEM
+             * performs the Field-Element-to-Octet-String conversion according to [SECG].
+             */
             return BigIntegers.asUnsignedByteArray(Nsk, ((ECPrivateKeyParameters)key).getD());
+        }
         case HPKE.kem_X448_SHA512:
-            return ((X448PrivateKeyParameters)key).getEncoded();
+        {
+            /*
+             * RFC 9180 7.1.2. For [..] X448 [..]. The SerializePrivateKey() function MUST clamp its output
+             * [..].
+             * 
+             * NOTE: Our X448 implementation clamps generated keys, but de-serialized keys are preserved as is
+             * (clamping applied only during usage).
+             */
+            byte[] encoded = ((X448PrivateKeyParameters)key).getEncoded();
+            X448.clampPrivateKey(encoded);
+            return encoded;
+        }
         case HPKE.kem_X25519_SHA256:
-            return ((X25519PrivateKeyParameters)key).getEncoded();
+        {
+            /*
+             * RFC 9180 7.1.2. For X25519 [..]. The SerializePrivateKey() function MUST clamp its output [..].
+             * 
+             * NOTE: Our X25519 implementation clamps generated keys, but de-serialized keys are preserved as
+             * is (clamping applied only during usage).
+             */
+            byte[] encoded = ((X25519PrivateKeyParameters)key).getEncoded();
+            X25519.clampPrivateKey(encoded);
+            return encoded;
+        }
         default:
             throw new IllegalStateException("invalid kem id");
         }
     }
 
-    public AsymmetricKeyParameter DeserializePublicKey(byte[] encoded)
+    public AsymmetricKeyParameter DeserializePublicKey(byte[] pkEncoded)
     {
+        if (pkEncoded == null)
+        {
+            throw new NullPointerException("'pkEncoded' cannot be null");
+        }
+        if (pkEncoded.length != Nenc)
+        {
+            throw new IllegalArgumentException("'pkEncoded' has invalid length");
+        }
+
         switch (kemId)
         {
         case HPKE.kem_P256_SHA256:
         case HPKE.kem_P384_SHA348:
         case HPKE.kem_P521_SHA512:
-            // TODO Does the encoding have to be uncompressed? (i.e. encoded.length MUST be Nenc?)
-            ECPoint G = domainParams.getCurve().decodePoint(encoded);
+            /*
+             * RFC 9180 7.1.1. For P-256, P-384, and P-521 [..]. DeserializePublicKey() performs the
+             * uncompressed Octet-String-to-Elliptic-Curve-Point conversion.
+             */
+            if (pkEncoded[0] != 0x04) // "0x04" is the marker for an uncompressed encoding
+            {
+                throw new IllegalArgumentException("'pkEncoded' has invalid format");
+            }
+
+            ECPoint G = domainParams.getCurve().decodePoint(pkEncoded);
             return new ECPublicKeyParameters(G, domainParams);
         case HPKE.kem_X448_SHA512:
-            return new X448PublicKeyParameters(encoded);
+            return new X448PublicKeyParameters(pkEncoded);
         case HPKE.kem_X25519_SHA256:
-            return new X25519PublicKeyParameters(encoded);
+            return new X25519PublicKeyParameters(pkEncoded);
         default:
             throw new IllegalStateException("invalid kem id");
         }
@@ -198,6 +250,10 @@ public AsymmetricCipherKeyPair DeserializePrivateKey(byte[] skEncoded, byte[] pk
         case HPKE.kem_P256_SHA256:
         case HPKE.kem_P384_SHA348:
         case HPKE.kem_P521_SHA512:
+            /*
+             * RFC 9180 7.1.2. For P-256, P-384, and P-521 [..]. DeserializePrivateKey() performs the Octet-
+             * String-to-Field-Element conversion according to [SECG].
+             */
             BigInteger d = new BigInteger(1, skEncoded);
             ECPrivateKeyParameters ec = new ECPrivateKeyParameters(d, domainParams);
 
@@ -317,7 +373,7 @@ protected byte[][] Encap(AsymmetricKeyParameter pkR, AsymmetricCipherKeyPair kpE
         byte[][] output = new byte[2][];
 
         // DH
-        byte[] secret = calculateAgreement(agreement, kpE.getPrivate(), pkR);
+        byte[] secret = calculateRawAgreement(rawAgreement, kpE.getPrivate(), pkR);
 
         byte[] enc = SerializePublicKey(kpE.getPublic());
         byte[] pkRm = SerializePublicKey(pkR);
@@ -335,7 +391,7 @@ protected byte[] Decap(byte[] enc, AsymmetricCipherKeyPair kpR)
         AsymmetricKeyParameter pkE = DeserializePublicKey(enc);
 
         // DH
-        byte[] secret = calculateAgreement(agreement, kpR.getPrivate(), pkE);
+        byte[] secret = calculateRawAgreement(rawAgreement, kpR.getPrivate(), pkE);
 
         byte[] pkRm = SerializePublicKey(kpR.getPublic());
         byte[] KEMContext = Arrays.concatenate(enc, pkRm);
@@ -350,12 +406,22 @@ protected byte[][] AuthEncap(AsymmetricKeyParameter pkR, AsymmetricCipherKeyPair
         AsymmetricCipherKeyPair kpE = kpGen.generateKeyPair(); // todo: can be replaced with deriveKeyPair(random)
 
         // DH(skE, pkR)
-        byte[] secret1 = calculateAgreement(agreement, kpE.getPrivate(), pkR);
+        rawAgreement.init(kpE.getPrivate());
+        int agreementSize = rawAgreement.getAgreementSize();
+
+        byte[] secret = new byte[agreementSize * 2];
+
+        rawAgreement.calculateAgreement(pkR, secret, 0);
 
         // DH(skS, pkR)
-        byte[] secret2 = calculateAgreement(agreement, kpS.getPrivate(), pkR);
+        rawAgreement.init(kpS.getPrivate());
+        if (agreementSize != rawAgreement.getAgreementSize())
+        {
+            throw new IllegalStateException();
+        }
+
+        rawAgreement.calculateAgreement(pkR, secret, agreementSize);
 
-        byte[] secret = Arrays.concatenate(secret1, secret2);
         byte[] enc = SerializePublicKey(kpE.getPublic());
 
         byte[] pkRm = SerializePublicKey(pkR);
@@ -373,13 +439,16 @@ protected byte[] AuthDecap(byte[] enc, AsymmetricCipherKeyPair kpR, AsymmetricKe
     {
         AsymmetricKeyParameter pkE = DeserializePublicKey(enc);
 
+        rawAgreement.init(kpR.getPrivate());
+
+        int agreementSize = rawAgreement.getAgreementSize();
+        byte[] secret = new byte[agreementSize * 2];
+
         // DH(skR, pkE)
-        byte[] secret1 = calculateAgreement(agreement, kpR.getPrivate(), pkE);
+        rawAgreement.calculateAgreement(pkE, secret, 0);
 
         // DH(skR, pkS)
-        byte[] secret2 = calculateAgreement(agreement, kpR.getPrivate(), pkS);
-
-        byte[] secret = Arrays.concatenate(secret1, secret2);
+        rawAgreement.calculateAgreement(pkS, secret, agreementSize);
 
         byte[] pkRm = SerializePublicKey(kpR.getPublic());
         byte[] pkSm = SerializePublicKey(pkS);
@@ -397,12 +466,13 @@ private byte[] ExtractAndExpand(byte[] dh, byte[] kemContext)
         return hkdf.LabeledExpand(eae_prk, suiteID, "shared_secret", kemContext, Nsecret);
     }
 
-    private static byte[] calculateAgreement(BasicAgreement agreement, AsymmetricKeyParameter privateKey,
+    private static byte[] calculateRawAgreement(RawAgreement rawAgreement, AsymmetricKeyParameter privateKey,
         AsymmetricKeyParameter publicKey)
     {
-        agreement.init(privateKey);
-        BigInteger z = agreement.calculateAgreement(publicKey);
-        return BigIntegers.asUnsignedByteArray(agreement.getFieldSize(), z);
+        rawAgreement.init(privateKey);
+        byte[] z = new byte[rawAgreement.getAgreementSize()];
+        rawAgreement.calculateAgreement(publicKey, z, 0);
+        return z;
     }
 
     private static ECDomainParameters getDomainParameters(String curveName)

core/src/main/java/org/bouncycastle/crypto/hpke/HKDF.java

@@ -8,10 +8,11 @@
 import org.bouncycastle.crypto.params.HKDFParameters;
 import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.Pack;
+import org.bouncycastle.util.Strings;
 
 class HKDF
 {
-    private final static String versionLabel = "HPKE-v1";
+    private final static byte[] VERSION_LABEL = getBytes("HPKE-v1");
     private final HKDFBytesGenerator kdf;
     private final int hashLength;
 
@@ -50,7 +51,7 @@ protected byte[] LabeledExtract(byte[] salt, byte[] suiteID, String label, byte[
             salt = new byte[hashLength];
         }
 
-        byte[] labeledIKM = Arrays.concatenate(versionLabel.getBytes(), suiteID, label.getBytes(), ikm);
+        byte[] labeledIKM = Arrays.concatenate(VERSION_LABEL, suiteID, getBytes(label), ikm);
 
         return kdf.extractPRK(salt, labeledIKM);
     }
@@ -61,7 +62,9 @@ protected byte[] LabeledExpand(byte[] prk, byte[] suiteID, String label, byte[]
         {
             throw new IllegalArgumentException("Expand length cannot be larger than 2^16");
         }
-        byte[] labeledInfo = Arrays.concatenate(Pack.shortToBigEndian((short)L), versionLabel.getBytes(), suiteID, label.getBytes());
+
+        byte[] labeledInfo = Arrays.concatenate(Pack.shortToBigEndian((short)L), VERSION_LABEL, suiteID,
+            getBytes(label));
 
         kdf.init(HKDFParameters.skipExtractParameters(prk, Arrays.concatenate(labeledInfo, info)));
 
@@ -97,4 +100,14 @@ protected byte[] Expand(byte[] prk, byte[] info, int L)
 
         return rv;
     }
+
+    private static byte[] getBytes(String label)
+    {
+        /*
+         * RFC 9180 seems silent about this conversion, but all given labels are ASCII anyway.
+         *
+         * NOTE: String#getBytes not reliable because it depends on the platform's default charset.
+         */
+        return Strings.toByteArray(label);
+    }
 }

core/src/main/java/org/bouncycastle/math/ec/rfc7748/X25519.java

@@ -30,6 +30,18 @@ public static boolean calculateAgreement(byte[] k, int kOff, byte[] u, int uOff,
         return !Arrays.areAllZeroes(r, rOff, POINT_SIZE);
     }
 
+    public static void clampPrivateKey(byte[] k)
+    {
+        if (k.length != SCALAR_SIZE)
+        {
+            throw new IllegalArgumentException("k");
+        }
+
+        k[0] &= 0xF8;
+        k[SCALAR_SIZE - 1] &= 0x7F;
+        k[SCALAR_SIZE - 1] |= 0x40;
+    }
+
     private static int decode32(byte[] bs, int off)
     {
         int n = bs[off] & 0xFF;
@@ -60,9 +72,7 @@ public static void generatePrivateKey(SecureRandom random, byte[] k)
 
         random.nextBytes(k);
 
-        k[0] &= 0xF8;
-        k[SCALAR_SIZE - 1] &= 0x7F;
-        k[SCALAR_SIZE - 1] |= 0x40;
+        clampPrivateKey(k);
     }
 
     public static void generatePublicKey(byte[] k, int kOff, byte[] r, int rOff)