Fix conversion of ECDSA keys

Author: vanitasvitae

pg/src/main/java/org/bouncycastle/openpgp/operator/jcajce/JcaPGPKeyConverter.java

@@ -29,13 +29,15 @@
 import java.security.spec.RSAPublicKeySpec;
 import java.security.spec.X509EncodedKeySpec;
 import java.util.Date;
+import java.util.Enumeration;
 
 import javax.crypto.interfaces.DHPrivateKey;
 import javax.crypto.interfaces.DHPublicKey;
 import javax.crypto.spec.DHParameterSpec;
 import javax.crypto.spec.DHPrivateKeySpec;
 import javax.crypto.spec.DHPublicKeySpec;
 
+import org.bouncycastle.asn1.ASN1Encodable;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.ASN1OctetString;
 import org.bouncycastle.asn1.DEROctetString;
@@ -49,6 +51,7 @@
 import org.bouncycastle.asn1.x9.X9ECParameters;
 import org.bouncycastle.asn1.x9.X9ECParametersHolder;
 import org.bouncycastle.asn1.x9.X9ECPoint;
+import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
 import org.bouncycastle.bcpg.BCPGKey;
 import org.bouncycastle.bcpg.DSAPublicBCPGKey;
 import org.bouncycastle.bcpg.DSASecretBCPGKey;
@@ -72,6 +75,7 @@
 import org.bouncycastle.bcpg.X25519SecretBCPGKey;
 import org.bouncycastle.bcpg.X448PublicBCPGKey;
 import org.bouncycastle.bcpg.X448SecretBCPGKey;
+import org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPublicKey;
 import org.bouncycastle.jcajce.util.DefaultJcaJceHelper;
 import org.bouncycastle.jcajce.util.NamedJcaJceHelper;
 import org.bouncycastle.jcajce.util.ProviderJcaJceHelper;
@@ -549,47 +553,58 @@ private BCPGKey getPublicBCPGKey(int algorithm, PGPAlgorithmParameters algorithm
                 SubjectPublicKeyInfo keyInfo = SubjectPublicKeyInfo.getInstance(pubKey.getEncoded());
 
                 // TODO: should probably match curve by comparison as well
-                ASN1ObjectIdentifier curveOid = ASN1ObjectIdentifier.getInstance(keyInfo.getAlgorithm().getParameters());
-                if (curveOid == null)
+                ASN1Encodable enc = keyInfo.getAlgorithm().getAlgorithm();
+                ASN1ObjectIdentifier curveOid;
+                curveOid = ASN1ObjectIdentifier.getInstance(enc);
+
+                // ecPublicKey is not specific enough. Drill down to find proper OID.
+                if (X9ObjectIdentifiers.id_ecPublicKey.equals(curveOid))
                 {
-                    // Legacy XDH on Curve25519 (legacy X25519)
-                    // 1.3.6.1.4.1.3029.1.5.1 & 1.3.101.110
-                    if (pubKey.getAlgorithm().regionMatches(true, 0, "X2", 0, 2))
+                    enc = getCurveOIDForBCECKey((BCECPublicKey) pubKey);
+                    ASN1ObjectIdentifier nCurveOid = ASN1ObjectIdentifier.getInstance(enc);
+                    if (nCurveOid != null)
                     {
-                        PGPKdfParameters kdfParams = implGetKdfParameters(CryptlibObjectIdentifiers.curvey25519, algorithmParameters);
+                        curveOid = nCurveOid;
+                    }
+                }
 
-                        return new ECDHPublicBCPGKey(CryptlibObjectIdentifiers.curvey25519, new BigInteger(1, getPointEncUncompressed(pubKey, X25519.SCALAR_SIZE)),
+                // Legacy XDH on Curve25519 (legacy X25519)
+                // 1.3.6.1.4.1.3029.1.5.1 & 1.3.101.110
+                if (pubKey.getAlgorithm().regionMatches(true, 0, "X2", 0, 2))
+                {
+                    PGPKdfParameters kdfParams = implGetKdfParameters(CryptlibObjectIdentifiers.curvey25519, algorithmParameters);
+
+                    return new ECDHPublicBCPGKey(CryptlibObjectIdentifiers.curvey25519, new BigInteger(1, getPointEncUncompressed(pubKey, X25519.SCALAR_SIZE)),
                                 kdfParams.getHashAlgorithm(), kdfParams.getSymmetricWrapAlgorithm());
-                    }
-                    // Legacy X448 (1.3.101.111)
-                    if (pubKey.getAlgorithm().regionMatches(true, 0, "X4", 0, 2))
-                    {
+                }
+                // Legacy X448 (1.3.101.111)
+                if (pubKey.getAlgorithm().regionMatches(true, 0, "X4", 0, 2))
+                {
 
-                        PGPKdfParameters kdfParams = implGetKdfParameters(EdECObjectIdentifiers.id_X448, algorithmParameters);
+                    PGPKdfParameters kdfParams = implGetKdfParameters(EdECObjectIdentifiers.id_X448, algorithmParameters);
 
-                        return new ECDHPublicBCPGKey(EdECObjectIdentifiers.id_X448, new BigInteger(1, getPointEncUncompressed(pubKey, X448.SCALAR_SIZE)),
+                    return new ECDHPublicBCPGKey(EdECObjectIdentifiers.id_X448, new BigInteger(1, getPointEncUncompressed(pubKey, X448.SCALAR_SIZE)),
                                 kdfParams.getHashAlgorithm(), kdfParams.getSymmetricWrapAlgorithm());
-                    }
-                    // sun.security.ec.XDHPublicKeyImpl returns "XDH" for getAlgorithm()
-                    // In this case we need to determine the curve by looking at the length of the encoding :/
-                    else
+                }
+                // sun.security.ec.XDHPublicKeyImpl returns "XDH" for getAlgorithm()
+                // In this case we need to determine the curve by looking at the length of the encoding :/
+                else if (pubKey.getAlgorithm().regionMatches(true, 0, "XDH", 0, 3))
+                {
+                    // Legacy X25519 (1.3.6.1.4.1.3029.1.5.1 & 1.3.101.110)
+                    if (X25519.SCALAR_SIZE + 12 == pubKey.getEncoded().length) // + 12 for some reason
                     {
-                        // Legacy X25519 (1.3.6.1.4.1.3029.1.5.1 & 1.3.101.110)
-                        if (X25519.SCALAR_SIZE + 12 == pubKey.getEncoded().length) // + 12 for some reason
-                        {
-                            PGPKdfParameters kdfParams = implGetKdfParameters(CryptlibObjectIdentifiers.curvey25519, algorithmParameters);
+                        PGPKdfParameters kdfParams = implGetKdfParameters(CryptlibObjectIdentifiers.curvey25519, algorithmParameters);
 
-                            return new ECDHPublicBCPGKey(CryptlibObjectIdentifiers.curvey25519, new BigInteger(1, getPointEncUncompressed(pubKey, X25519.SCALAR_SIZE)),
+                        return new ECDHPublicBCPGKey(CryptlibObjectIdentifiers.curvey25519, new BigInteger(1, getPointEncUncompressed(pubKey, X25519.SCALAR_SIZE)),
                                     kdfParams.getHashAlgorithm(), kdfParams.getSymmetricWrapAlgorithm());
-                        }
-                        // Legacy X448 (1.3.101.111)
-                        else
-                        {
-                            PGPKdfParameters kdfParams = implGetKdfParameters(EdECObjectIdentifiers.id_X448, algorithmParameters);
+                    }
+                    // Legacy X448 (1.3.101.111)
+                    else
+                    {
+                        PGPKdfParameters kdfParams = implGetKdfParameters(EdECObjectIdentifiers.id_X448, algorithmParameters);
 
-                            return new ECDHPublicBCPGKey(EdECObjectIdentifiers.id_X448, new BigInteger(1, getPointEncUncompressed(pubKey, X448.SCALAR_SIZE)),
+                        return new ECDHPublicBCPGKey(EdECObjectIdentifiers.id_X448, new BigInteger(1, getPointEncUncompressed(pubKey, X448.SCALAR_SIZE)),
                                     kdfParams.getHashAlgorithm(), kdfParams.getSymmetricWrapAlgorithm());
-                        }
                     }
                 }
 
@@ -670,6 +685,22 @@ private BCPGKey getPublicBCPGKey(int algorithm, PGPAlgorithmParameters algorithm
         }
     }
 
+    private ASN1Encodable getCurveOIDForBCECKey(BCECPublicKey pubKey)
+    {
+        // Iterate through all registered curves to find applicable OID
+        Enumeration names = ECNamedCurveTable.getNames();
+        while (names.hasMoreElements())
+        {
+            String name = (String) names.nextElement();
+            X9ECParameters parms = ECNamedCurveTable.getByName(name);
+            if (pubKey.getParameters().getCurve().equals(parms.getCurve()))
+            {
+                return ECNamedCurveTable.getOID(name);
+            }
+        }
+        return null;
+    }
+
     @FunctionalInterface
     private interface BCPGKeyOperation
     {

pg/src/test/java/org/bouncycastle/openpgp/test/ECDSAKeyPairTest.java

@@ -18,7 +18,8 @@
 import java.security.*;
 import java.util.Date;
 
-public class ECDSAKeyPairTest extends AbstractPgpKeyPairTest
+public class ECDSAKeyPairTest
+        extends AbstractPgpKeyPairTest
 {
 
     private static final String PRIME256v1 = "" +
@@ -93,23 +94,27 @@ public void performTest()
             throws Exception
     {
         Security.addProvider(new BouncyCastleProvider());
+        testConversionOfFreshJcaKeyPair();
         testConversionOfParsedJcaKeyPair();
         testConversionOfParsedBcKeyPair();
 
-        testConversionOfFreshJcaKeyPair();
     }
 
-    private void testConversionOfParsedJcaKeyPair() throws PGPException, IOException {
-        // parseAndConvertJca(PRIME256v1);
-        // parseAndConvertJca(SECP384r1);
-        // parseAndConvertJca(SECP521r1);
+    private void testConversionOfParsedJcaKeyPair()
+            throws PGPException, IOException
+    {
         parseAndConvertJca(BRAINPOOLP256r1);
         parseAndConvertJca(BRAINPOOLP384r1);
         parseAndConvertJca(BRAINPOOLP521r1);
+        parseAndConvertJca(PRIME256v1);
+        parseAndConvertJca(SECP384r1);
+        parseAndConvertJca(SECP521r1);
     }
 
-    private void parseAndConvertJca(String curve) throws IOException, PGPException {
-        JcaPGPKeyConverter c = new JcaPGPKeyConverter();
+    private void parseAndConvertJca(String curve)
+            throws IOException, PGPException
+    {
+        JcaPGPKeyConverter c = new JcaPGPKeyConverter().setProvider(new BouncyCastleProvider());
         PGPKeyPair parsed = parseJca(curve);
         byte[] pubEnc = parsed.getPublicKey().getEncoded();
         byte[] privEnc = parsed.getPrivateKey().getPrivateKeyDataPacket().getEncoded();
@@ -119,7 +124,7 @@ private void parseAndConvertJca(String curve) throws IOException, PGPException {
                 new KeyPair(c.getPublicKey(parsed.getPublicKey()),
                         c.getPrivateKey(parsed.getPrivateKey())),
                 parsed.getPublicKey().getCreationTime());
-        isEncodingEqual(pubEnc, j1.getPublicKey().getEncoded());
+        isEncodingEqual("ECDSA Public key (" + curve + ") encoding mismatch", pubEnc, j1.getPublicKey().getEncoded());
         isEncodingEqual(privEnc, j1.getPrivateKey().getPrivateKeyDataPacket().getEncoded());
 
         BcPGPKeyPair b1 = toBcKeyPair(j1);
@@ -135,16 +140,20 @@ private void parseAndConvertJca(String curve) throws IOException, PGPException {
         isEncodingEqual(privEnc, b2.getPrivateKey().getPrivateKeyDataPacket().getEncoded());
     }
 
-    private void testConversionOfParsedBcKeyPair() throws PGPException, IOException {
-        parseAndConvertBc(PRIME256v1);
-        parseAndConvertBc(SECP384r1);
-        parseAndConvertBc(SECP521r1);
+    private void testConversionOfParsedBcKeyPair()
+            throws PGPException, IOException
+    {
         parseAndConvertBc(BRAINPOOLP256r1);
         parseAndConvertBc(BRAINPOOLP384r1);
         parseAndConvertBc(BRAINPOOLP521r1);
+        parseAndConvertBc(PRIME256v1);
+        parseAndConvertBc(SECP384r1);
+        parseAndConvertBc(SECP521r1);
     }
 
-    private void parseAndConvertBc(String curve) throws IOException, PGPException {
+    private void parseAndConvertBc(String curve)
+            throws IOException, PGPException
+    {
         BcPGPKeyConverter c = new BcPGPKeyConverter();
         PGPKeyPair parsed = parseBc(curve);
         byte[] pubEnc = parsed.getPublicKey().getEncoded();
@@ -173,7 +182,9 @@ private void parseAndConvertBc(String curve) throws IOException, PGPException {
 
     }
 
-    private PGPKeyPair parseJca(String armored) throws IOException, PGPException {
+    private PGPKeyPair parseJca(String armored)
+            throws IOException, PGPException
+    {
         ByteArrayInputStream bIn = new ByteArrayInputStream(armored.getBytes(StandardCharsets.UTF_8));
         ArmoredInputStream aIn = new ArmoredInputStream(bIn);
         BCPGInputStream pIn = new BCPGInputStream(aIn);
@@ -182,7 +193,9 @@ private PGPKeyPair parseJca(String armored) throws IOException, PGPException {
         return new PGPKeyPair(sk.getPublicKey(), sk.extractPrivateKey(null));
     }
 
-    private PGPKeyPair parseBc(String armored) throws IOException, PGPException {
+    private PGPKeyPair parseBc(String armored)
+            throws IOException, PGPException
+    {
         ByteArrayInputStream bIn = new ByteArrayInputStream(armored.getBytes(StandardCharsets.UTF_8));
         ArmoredInputStream aIn = new ArmoredInputStream(bIn);
         BCPGInputStream pIn = new BCPGInputStream(aIn);
@@ -194,15 +207,17 @@ private PGPKeyPair parseBc(String armored) throws IOException, PGPException {
     private void testConversionOfFreshJcaKeyPair()
             throws NoSuchAlgorithmException, InvalidAlgorithmParameterException, PGPException, IOException
     {
-        for (String curve : new String[] {"prime256v1", "secp384r1", "secp521r1", "brainpoolP256r1", "brainpoolP384r1", "brainpoolP512r1"})
+        for (String curve : new String[] {
+                "prime256v1",
+                "secp384r1",
+                "secp521r1",
+                "brainpoolP256r1",
+                "brainpoolP384r1",
+                "brainpoolP512r1"
+        })
         {
-            try {
-                testConversionOfFreshJcaKeyPair(curve);
-            } catch (Exception e) {
-
-            }
+            testConversionOfFreshJcaKeyPair(curve);
         }
-
     }
 
     private void testConversionOfFreshJcaKeyPair(String curve)

pg/src/test/java/org/bouncycastle/openpgp/test/RegressionTest.java

@@ -74,7 +74,8 @@ public class RegressionTest
         new LegacyX25519KeyPairTest(),
         new LegacyX448KeyPairTest(),
 
-        new Curve25519PrivateKeyEncodingTest()
+        new Curve25519PrivateKeyEncodingTest(),
+        new ECDSAKeyPairTest()
     };
 
     public static void main(String[] args)