replaced internal ML-KEM usage in JcaTlsCrypto with JCE providers

royb · royb · commit a35bbd294a0b · 2025-05-12T15:51:20.000-04:00
diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/TlsKemConfig.java b/tls/src/main/java/org/bouncycastle/tls/crypto/TlsKemConfig.java
@@ -1,14 +1,25 @@
 package org.bouncycastle.tls.crypto;
 
+import org.bouncycastle.jcajce.spec.KEMParameterSpec;
+import org.bouncycastle.jcajce.spec.KTSParameterSpec;
+
 public class TlsKemConfig
 {
+    protected final KTSParameterSpec ktsParameterSpec;
     protected final int namedGroup;
     protected final boolean isServer;
 
     public TlsKemConfig(int namedGroup, boolean isServer)
     {
         this.namedGroup = namedGroup;
         this.isServer = isServer;
+        this.ktsParameterSpec = new KTSParameterSpec.Builder("AES-KWP", 256).withNoKdf().build();
+    }
+    public TlsKemConfig(int namedGroup, boolean isServer, KTSParameterSpec ktsParameterSpec)
+    {
+        this.namedGroup = namedGroup;
+        this.isServer = isServer;
+        this.ktsParameterSpec = ktsParameterSpec;
     }
 
     public int getNamedGroup()
@@ -20,4 +31,9 @@ public boolean isServer()
     {
         return isServer;
     }
+
+    public KTSParameterSpec getKtsParameterSpec()
+    {
+        return ktsParameterSpec;
+    }
 }
diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JcaTlsCrypto.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JcaTlsCrypto.java
@@ -464,6 +464,7 @@ else if (NamedGroup.refersToASpecificFiniteField(namedGroup))
         }
         else if (NamedGroup.refersToASpecificKem(namedGroup))
         {
+            //Note: There is no AlgorithmParametersSpi for ML-KEM
             return KemUtil.getAlgorithmParameters(this, NamedGroup.getKemName(namedGroup));
         }
 
diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JceTlsMLKem.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JceTlsMLKem.java
@@ -1,20 +1,20 @@
 package org.bouncycastle.tls.crypto.impl.jcajce;
 
 import java.io.IOException;
+import java.security.KeyPair;
 
-import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
-import org.bouncycastle.crypto.SecretWithEncapsulation;
-import org.bouncycastle.pqc.crypto.mlkem.MLKEMPrivateKeyParameters;
-import org.bouncycastle.pqc.crypto.mlkem.MLKEMPublicKeyParameters;
+import org.bouncycastle.jcajce.SecretKeyWithEncapsulation;
+import org.bouncycastle.jcajce.provider.asymmetric.mlkem.BCMLKEMPrivateKey;
+import org.bouncycastle.jcajce.provider.asymmetric.mlkem.BCMLKEMPublicKey;
 import org.bouncycastle.tls.crypto.TlsAgreement;
 import org.bouncycastle.tls.crypto.TlsSecret;
 
 public class JceTlsMLKem implements TlsAgreement
 {
     protected final JceTlsMLKemDomain domain;
 
-    protected MLKEMPrivateKeyParameters privateKey;
-    protected MLKEMPublicKeyParameters publicKey;
+    protected BCMLKEMPrivateKey privateKey;
+    protected BCMLKEMPublicKey publicKey;
     protected TlsSecret secret;
 
     public JceTlsMLKem(JceTlsMLKemDomain domain)
@@ -26,16 +26,16 @@ public byte[] generateEphemeral() throws IOException
     {
         if (domain.isServer())
         {
-            SecretWithEncapsulation encap = domain.encapsulate(publicKey);
+            SecretKeyWithEncapsulation encap = domain.encapsulate(publicKey);
             this.publicKey = null;
-            this.secret = domain.adoptLocalSecret(encap.getSecret());
+            this.secret = domain.adoptLocalSecret(encap.getEncoded());
             return encap.getEncapsulation();
         }
         else
         {
-            AsymmetricCipherKeyPair kp = domain.generateKeyPair();
-            this.privateKey = (MLKEMPrivateKeyParameters)kp.getPrivate();
-            return domain.encodePublicKey((MLKEMPublicKeyParameters)kp.getPublic());
+            KeyPair kp = domain.generateKeyPair();
+            this.privateKey = (BCMLKEMPrivateKey)kp.getPrivate();
+            return ((BCMLKEMPublicKey)kp.getPublic()).getPublicData();
         }
     }
 
diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JceTlsMLKemDomain.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/JceTlsMLKemDomain.java
@@ -2,17 +2,41 @@
 
 import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
 import org.bouncycastle.crypto.SecretWithEncapsulation;
+import org.bouncycastle.jcajce.SecretKeyWithEncapsulation;
+import org.bouncycastle.jcajce.provider.asymmetric.mlkem.BCMLKEMPrivateKey;
+import org.bouncycastle.jcajce.provider.asymmetric.mlkem.BCMLKEMPublicKey;
+import org.bouncycastle.jcajce.spec.KEMExtractSpec;
+import org.bouncycastle.jcajce.spec.KEMGenerateSpec;
+import org.bouncycastle.jcajce.spec.KEMParameterSpec;
+import org.bouncycastle.jcajce.spec.KTSParameterSpec;
+import org.bouncycastle.jcajce.spec.MLKEMParameterSpec;
 import org.bouncycastle.pqc.crypto.mlkem.MLKEMExtractor;
 import org.bouncycastle.pqc.crypto.mlkem.MLKEMGenerator;
 import org.bouncycastle.pqc.crypto.mlkem.MLKEMKeyGenerationParameters;
-import org.bouncycastle.pqc.crypto.mlkem.MLKEMKeyPairGenerator;
 import org.bouncycastle.pqc.crypto.mlkem.MLKEMParameters;
 import org.bouncycastle.pqc.crypto.mlkem.MLKEMPrivateKeyParameters;
 import org.bouncycastle.pqc.crypto.mlkem.MLKEMPublicKeyParameters;
 import org.bouncycastle.tls.NamedGroup;
 import org.bouncycastle.tls.crypto.TlsAgreement;
 import org.bouncycastle.tls.crypto.TlsKemConfig;
 import org.bouncycastle.tls.crypto.TlsKemDomain;
+import org.bouncycastle.util.encoders.Hex;
+
+import javax.crypto.Cipher;
+import javax.crypto.KeyGenerator;
+import javax.crypto.spec.SecretKeySpec;
+import java.nio.charset.StandardCharsets;
+import java.security.AlgorithmParameters;
+import java.security.GeneralSecurityException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.Key;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.SecureRandom;
 
 public class JceTlsMLKemDomain implements TlsKemDomain
 {
@@ -38,13 +62,29 @@ public static MLKEMParameters getDomainParameters(TlsKemConfig kemConfig)
     protected final TlsKemConfig config;
     protected final MLKEMParameters domainParameters;
     protected final boolean isServer;
+    protected KeyGenerator keyGen;
+//    protected KeyPairGenerator kpg;
+//    protected Cipher cipher;
+
 
     public JceTlsMLKemDomain(JcaTlsCrypto crypto, TlsKemConfig kemConfig)
     {
         this.crypto = crypto;
         this.config = kemConfig;
         this.domainParameters = getDomainParameters(kemConfig);
         this.isServer = kemConfig.isServer();
+        try
+        {
+            this.keyGen = keyGen = crypto.getHelper().createKeyGenerator(domainParameters.getName());
+        }
+        catch (NoSuchAlgorithmException e)
+        {
+            throw new RuntimeException(e);
+        }
+        catch (NoSuchProviderException e)
+        {
+            throw new RuntimeException(e);
+        }
     }
 
     public JceTlsSecret adoptLocalSecret(byte[] secret)
@@ -57,34 +97,89 @@ public TlsAgreement createKem()
         return new JceTlsMLKem(this);
     }
 
-    public JceTlsSecret decapsulate(MLKEMPrivateKeyParameters privateKey, byte[] ciphertext)
+    public JceTlsSecret decapsulate(PrivateKey privateKey, byte[] ciphertext)
     {
-        MLKEMExtractor kemExtract = new MLKEMExtractor(privateKey);
-        byte[] secret = kemExtract.extractSecret(ciphertext);
-        return adoptLocalSecret(secret);
+        try
+        {
+            keyGen.init(new KEMExtractSpec.Builder(privateKey, ciphertext, "DEF", 256).withNoKdf().build());
+            SecretKeyWithEncapsulation secEnc = (SecretKeyWithEncapsulation)keyGen.generateKey();
+
+            return adoptLocalSecret(secEnc.getEncoded());
+        }
+        catch (Exception e)
+        {
+            throw Exceptions.illegalArgumentException("invalid key: " + e.getMessage(), e);
+        }
+
+
+//        MLKEMExtractor kemExtract = new MLKEMExtractor(privateKey);
+//        byte[] secret = kemExtract.extractSecret(ciphertext);
+//        return adoptLocalSecret(secret);
     }
 
-    public MLKEMPublicKeyParameters decodePublicKey(byte[] encoding)
+    public BCMLKEMPublicKey decodePublicKey(byte[] encoding)
     {
-        return new MLKEMPublicKeyParameters(domainParameters, encoding);
+        return new BCMLKEMPublicKey(new MLKEMPublicKeyParameters(domainParameters, encoding));
     }
 
-    public SecretWithEncapsulation encapsulate(MLKEMPublicKeyParameters publicKey)
+    public SecretKeyWithEncapsulation encapsulate(PublicKey publicKey)
     {
-        MLKEMGenerator kemGen = new MLKEMGenerator(crypto.getSecureRandom());
-        return kemGen.generateEncapsulated(publicKey);
+        try
+        {
+            keyGen.init(new KEMGenerateSpec.Builder(publicKey, "DEF", 256).withNoKdf().build());
+            return (SecretKeyWithEncapsulation)keyGen.generateKey();
+        }
+        catch (Exception e)
+        {
+            throw Exceptions.illegalArgumentException("invalid key: " + e.getMessage(), e);
+        }
     }
 
     public byte[] encodePublicKey(MLKEMPublicKeyParameters publicKey)
     {
         return publicKey.getEncoded();
     }
 
-    public AsymmetricCipherKeyPair generateKeyPair()
+    private void init()
+    {
+//        try
+//        {
+////            kpg = KeyPairGenerator.getInstance("MLKEM");
+////            kpg.initialize(MLKEMParameterSpec.fromName(domainParameters.getName()), crypto.getSecureRandom());
+////            keyGen = KeyGenerator.getInstance(domainParameters.getName(), "BC");
+//
+////            cipher = KemUtil.getCipher(crypto, domainParameters.getName());
+//
+//
+//        }
+//        catch (GeneralSecurityException e)
+//        {
+//            throw Exceptions.illegalStateException("unable to create key pair: " + e.getMessage(), e);
+//        }
+
+
+    }
+    public KeyPair generateKeyPair()
     {
-        MLKEMKeyPairGenerator keyPairGenerator = new MLKEMKeyPairGenerator();
-        keyPairGenerator.init(new MLKEMKeyGenerationParameters(crypto.getSecureRandom(), domainParameters));
-        return keyPairGenerator.generateKeyPair();
+//        AlgorithmParameters params = KemUtil.getAlgorithmParameters(crypto, domainParameters.getName());
+//        if (params == null)
+//        {
+//            throw new IllegalStateException("KEM parameters unavailable");
+//        }
+        KeyPairGenerator kpg = null;
+        try
+        {
+            kpg = crypto.getHelper().createKeyPairGenerator(domainParameters.getName());
+        }
+        catch (NoSuchAlgorithmException e)
+        {
+            throw new RuntimeException(e);
+        }
+        catch (NoSuchProviderException e)
+        {
+            throw new RuntimeException(e);
+        }
+        return kpg.generateKeyPair();
     }
 
     public boolean isServer()
diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/KemUtil.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/jcajce/KemUtil.java
@@ -1,6 +1,9 @@
 package org.bouncycastle.tls.crypto.impl.jcajce;
 
+import org.bouncycastle.jcajce.spec.MLKEMParameterSpec;
+
 import java.security.AlgorithmParameters;
+import java.security.spec.AlgorithmParameterSpec;
 
 import javax.crypto.Cipher;
 
@@ -10,7 +13,11 @@ static AlgorithmParameters getAlgorithmParameters(JcaTlsCrypto crypto, String ke
     {
         try
         {
-            // TODO[tls-kem] Return AlgorithmParameters to check against disabled algorithms?
+            return null;
+//            AlgorithmParameters algParams = AlgorithmParameters.getInstance(kemName, "BC");
+//            MLKEMParameterSpec mlkemSpec = MLKEMParameterSpec.fromName(kemName);
+//            algParams.init(mlkemSpec);
+//            return algParams;
         }
         catch (AssertionError e)
         {
@@ -33,6 +40,7 @@ static Cipher getCipher(JcaTlsCrypto crypto, String kemName)
         }
         catch (Exception e)
         {
+            throw new IllegalStateException("KEM cipher failed: " + kemName, e);
         }
 
         return null;
@@ -41,7 +49,21 @@ static Cipher getCipher(JcaTlsCrypto crypto, String kemName)
     static boolean isKemSupported(JcaTlsCrypto crypto, String kemName)
     {
         // TODO[tls-kem] When implemented via provider, need to check for support dynamically
-//        return kemName != null && getCipher(crypto, kemName) != null;
-        return true;
+        return kemName != null && getCipher(crypto, kemName) != null;
+    }
+
+    static int getEncapsulationLength(String kemName)
+    {
+        switch (kemName)
+        {
+        case "ML-KEM-512":
+            return 768;
+        case "ML-KEM-768":
+            return 1088;
+        case "ML-KEM-1024":
+            return 1568;
+        default:
+            throw new IllegalArgumentException("unknown kem name " + kemName);
+        }
     }
 }
diff --git a/tls/src/test/java/org/bouncycastle/tls/test/BcTlsProtocolKemTest.java b/tls/src/test/java/org/bouncycastle/tls/test/BcTlsProtocolKemTest.java
@@ -0,0 +1,12 @@
+package org.bouncycastle.tls.test;
+
+import org.bouncycastle.tls.crypto.impl.bc.BcTlsCrypto;
+
+public class BcTlsProtocolKemTest
+    extends TlsProtocolKemTest
+{
+    public BcTlsProtocolKemTest()
+    {
+        super(new BcTlsCrypto());
+    }
+}
diff --git a/tls/src/test/java/org/bouncycastle/tls/test/JcaTlsProtocolKemTest.java b/tls/src/test/java/org/bouncycastle/tls/test/JcaTlsProtocolKemTest.java
@@ -0,0 +1,15 @@
+package org.bouncycastle.tls.test;
+
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCryptoProvider;
+
+import java.security.SecureRandom;
+
+public class JcaTlsProtocolKemTest
+    extends TlsProtocolKemTest
+{
+    public JcaTlsProtocolKemTest()
+    {
+        super(new JcaTlsCryptoProvider().setProvider(new BouncyCastleProvider()).create(new SecureRandom()));
+    }
+}
diff --git a/tls/src/test/java/org/bouncycastle/tls/test/MockTlsKemClient.java b/tls/src/test/java/org/bouncycastle/tls/test/MockTlsKemClient.java
@@ -2,10 +2,12 @@
 
 import java.io.IOException;
 import java.io.PrintStream;
+import java.security.SecureRandom;
 import java.util.Hashtable;
 import java.util.Vector;
 
 import org.bouncycastle.asn1.x509.Certificate;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.bouncycastle.tls.AlertDescription;
 import org.bouncycastle.tls.AlertLevel;
 import org.bouncycastle.tls.CertificateRequest;
@@ -28,6 +30,7 @@
 import org.bouncycastle.tls.crypto.TlsCertificate;
 import org.bouncycastle.tls.crypto.TlsCrypto;
 import org.bouncycastle.tls.crypto.impl.bc.BcTlsCrypto;
+import org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCryptoProvider;
 import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.Integers;
 import org.bouncycastle.util.encoders.Hex;
@@ -44,9 +47,9 @@ class MockTlsKemClient
         NamedGroup.MLKEM1024,
     };
 
-    MockTlsKemClient(TlsSession session)
+    MockTlsKemClient(TlsCrypto crypto,  TlsSession session)
     {
-        super(new BcTlsCrypto());
+        super(crypto);
 
         this.session = session;
     }
diff --git a/tls/src/test/java/org/bouncycastle/tls/test/MockTlsKemServer.java b/tls/src/test/java/org/bouncycastle/tls/test/MockTlsKemServer.java
diff --git a/tls/src/test/java/org/bouncycastle/tls/test/TlsProtocolKemTest.java b/tls/src/test/java/org/bouncycastle/tls/test/TlsProtocolKemTest.java

Original file line number	Diff line number	Diff line change
`@@ -1,14 +1,25 @@`
`1`	`1`	`package org.bouncycastle.tls.crypto;`
`2`	`2`
	`3`	`+import org.bouncycastle.jcajce.spec.KEMParameterSpec;`
	`4`	`+import org.bouncycastle.jcajce.spec.KTSParameterSpec;`
	`5`	`+`
`3`	`6`	`public class TlsKemConfig`
`4`	`7`	`{`
	`8`	`+ protected final KTSParameterSpec ktsParameterSpec;`
`5`	`9`	`protected final int namedGroup;`
`6`	`10`	`protected final boolean isServer;`
`7`	`11`
`8`	`12`	`public TlsKemConfig(int namedGroup, boolean isServer)`
`9`	`13`	`{`
`10`	`14`	`this.namedGroup = namedGroup;`
`11`	`15`	`this.isServer = isServer;`
	`16`	`+ this.ktsParameterSpec = new KTSParameterSpec.Builder("AES-KWP", 256).withNoKdf().build();`
	`17`	`+ }`
	`18`	`+ public TlsKemConfig(int namedGroup, boolean isServer, KTSParameterSpec ktsParameterSpec)`
	`19`	`+ {`
	`20`	`+ this.namedGroup = namedGroup;`
	`21`	`+ this.isServer = isServer;`
	`22`	`+ this.ktsParameterSpec = ktsParameterSpec;`
`12`	`23`	`}`
`13`	`24`
`14`	`25`	`public int getNamedGroup()`
`@@ -20,4 +31,9 @@ public boolean isServer()`
`20`	`31`	`{`
`21`	`32`	`return isServer;`
`22`	`33`	`}`
	`34`	`+`
	`35`	`+ public KTSParameterSpec getKtsParameterSpec()`
	`36`	`+ {`
	`37`	`+ return ktsParameterSpec;`
	`38`	`+ }`
`23`	`39`	`}`
Original file line number	Diff line number	Diff line change
`@@ -464,6 +464,7 @@ else if (NamedGroup.refersToASpecificFiniteField(namedGroup))`
`464`	`464`	`}`
`465`	`465`	`else if (NamedGroup.refersToASpecificKem(namedGroup))`
`466`	`466`	`{`
	`467`	`+ //Note: There is no AlgorithmParametersSpi for ML-KEM`
`467`	`468`	`return KemUtil.getAlgorithmParameters(this, NamedGroup.getKemName(namedGroup));`
`468`	`469`	`}`
`469`	`470`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,9 @@`
`1`	`1`	`package org.bouncycastle.tls.crypto.impl.jcajce;`
`2`	`2`
	`3`	`+import org.bouncycastle.jcajce.spec.MLKEMParameterSpec;`
	`4`	`+`
`3`	`5`	`import java.security.AlgorithmParameters;`
	`6`	`+import java.security.spec.AlgorithmParameterSpec;`
`4`	`7`
`5`	`8`	`import javax.crypto.Cipher;`
`6`	`9`
`@@ -10,7 +13,11 @@ static AlgorithmParameters getAlgorithmParameters(JcaTlsCrypto crypto, String ke`
`10`	`13`	`{`
`11`	`14`	`try`
`12`	`15`	`{`
`13`		`- // TODO[tls-kem] Return AlgorithmParameters to check against disabled algorithms?`
	`16`	`+ return null;`
	`17`	`+// AlgorithmParameters algParams = AlgorithmParameters.getInstance(kemName, "BC");`
	`18`	`+// MLKEMParameterSpec mlkemSpec = MLKEMParameterSpec.fromName(kemName);`
	`19`	`+// algParams.init(mlkemSpec);`
	`20`	`+// return algParams;`
`14`	`21`	`}`
`15`	`22`	`catch (AssertionError e)`
`16`	`23`	`{`
`@@ -33,6 +40,7 @@ static Cipher getCipher(JcaTlsCrypto crypto, String kemName)`
`33`	`40`	`}`
`34`	`41`	`catch (Exception e)`
`35`	`42`	`{`
	`43`	`+ throw new IllegalStateException("KEM cipher failed: " + kemName, e);`
`36`	`44`	`}`
`37`	`45`
`38`	`46`	`return null;`
`@@ -41,7 +49,21 @@ static Cipher getCipher(JcaTlsCrypto crypto, String kemName)`
`41`	`49`	`static boolean isKemSupported(JcaTlsCrypto crypto, String kemName)`
`42`	`50`	`{`
`43`	`51`	`// TODO[tls-kem] When implemented via provider, need to check for support dynamically`
`44`		`-// return kemName != null && getCipher(crypto, kemName) != null;`
`45`		`- return true;`
	`52`	`+ return kemName != null && getCipher(crypto, kemName) != null;`
	`53`	`+ }`
	`54`	`+`
	`55`	`+ static int getEncapsulationLength(String kemName)`
	`56`	`+ {`
	`57`	`+ switch (kemName)`
	`58`	`+ {`
	`59`	`+ case "ML-KEM-512":`
	`60`	`+ return 768;`
	`61`	`+ case "ML-KEM-768":`
	`62`	`+ return 1088;`
	`63`	`+ case "ML-KEM-1024":`
	`64`	`+ return 1568;`
	`65`	`+ default:`
	`66`	`+ throw new IllegalArgumentException("unknown kem name " + kemName);`
	`67`	`+ }`
`46`	`68`	`}`
`47`	`69`	`}`