Solve the bugs related EDDSA_LEGACY with Ed448

Author: gefeili

pg/src/main/java/org/bouncycastle/openpgp/PGPSignature.java

@@ -454,9 +454,8 @@ else if (getKeyAlgorithm() == PublicKeyAlgorithmTags.EDDSA_LEGACY)
             {
                 byte[] a = BigIntegers.asUnsignedByteArray(sigValues[0].getValue());
                 byte[] b = BigIntegers.asUnsignedByteArray(sigValues[1].getValue());
-                signature = new byte[Ed25519.SIGNATURE_SIZE];
-                System.arraycopy(a, 0, signature, Ed25519.PUBLIC_KEY_SIZE - a.length, a.length);
-                System.arraycopy(b, 0, signature, Ed25519.SIGNATURE_SIZE - b.length, b.length);
+                //TODO: distinguish Ed25519 and Ed448
+                signature = Arrays.concatenate(a, b);
             }
             else
             {

pg/src/main/java/org/bouncycastle/openpgp/operator/PGPKeyConverter.java

@@ -75,7 +75,7 @@ protected PGPKeyConverter()
      *     <td>AES-128</td>
      *   </tr>
      *   <tr>
-     *     <td>Curve448</td>
+     *     <td>Curve448Legacy (not in RFC Draft)</td>
      *     <td>SHA2-512</td>
      *     <td>AES-256</td>
      *   </tr>

pg/src/main/java/org/bouncycastle/openpgp/operator/RFC6637Utils.java

@@ -4,6 +4,7 @@
 import java.io.IOException;
 
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.edec.EdECObjectIdentifiers;
 import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
 import org.bouncycastle.asn1.ntt.NTTObjectIdentifiers;
 import org.bouncycastle.bcpg.ECDHPublicBCPGKey;
@@ -37,14 +38,15 @@ else if (pubKeyData.getKey() instanceof X448PublicBCPGKey)
             return "X448withSHA512CKDF";
         }
         ECDHPublicBCPGKey ecKey = (ECDHPublicBCPGKey)pubKeyData.getKey();
+        String curve = ecKey.getCurveOID().equals(EdECObjectIdentifiers.id_X448) ? "X448" : "X25519";
         switch (ecKey.getHashAlgorithm())
         {
         case HashAlgorithmTags.SHA256:
-            return "X25519withSHA256CKDF";
+            return curve + "withSHA256CKDF";
         case HashAlgorithmTags.SHA384:
-            return "X25519withSHA384CKDF";
+            return curve + "withSHA384CKDF";
         case HashAlgorithmTags.SHA512:
-            return "X25519withSHA512CKDF";
+            return curve + "withSHA512CKDF";
         default:
             throw new IllegalArgumentException("Unknown hash algorithm specified: " + ecKey.getHashAlgorithm());
         }

pg/src/main/java/org/bouncycastle/openpgp/operator/bc/BcImplProvider.java

@@ -33,6 +33,8 @@
 import org.bouncycastle.crypto.engines.RFC3394WrapEngine;
 import org.bouncycastle.crypto.engines.RSABlindedEngine;
 import org.bouncycastle.crypto.engines.TwofishEngine;
+import org.bouncycastle.crypto.params.Ed25519PrivateKeyParameters;
+import org.bouncycastle.crypto.params.Ed25519PublicKeyParameters;
 import org.bouncycastle.crypto.signers.DSADigestSigner;
 import org.bouncycastle.crypto.signers.DSASigner;
 import org.bouncycastle.crypto.signers.ECDSASigner;
@@ -96,6 +98,11 @@ static Signer createSigner(int keyAlgorithm, int hashAlgorithm, CipherParameters
         case PublicKeyAlgorithmTags.ECDSA:
             return new DSADigestSigner(new ECDSASigner(), createDigest(hashAlgorithm));
         case PublicKeyAlgorithmTags.EDDSA_LEGACY:
+            if (keyParam instanceof Ed25519PrivateKeyParameters || keyParam instanceof Ed25519PublicKeyParameters)
+            {
+                return new EdDsaSigner(new Ed25519Signer(), createDigest(hashAlgorithm));
+            }
+            return new EdDsaSigner(new Ed448Signer(new byte[0]), createDigest(hashAlgorithm));
         case PublicKeyAlgorithmTags.Ed25519:
             return new EdDsaSigner(new Ed25519Signer(), createDigest(hashAlgorithm));
         case PublicKeyAlgorithmTags.Ed448:

pg/src/main/java/org/bouncycastle/openpgp/operator/bc/BcPublicKeyDataDecryptorFactory.java

@@ -3,6 +3,7 @@
 import java.io.IOException;
 import java.math.BigInteger;
 
+import org.bouncycastle.asn1.edec.EdECObjectIdentifiers;
 import org.bouncycastle.bcpg.AEADEncDataPacket;
 import org.bouncycastle.bcpg.ECDHPublicBCPGKey;
 import org.bouncycastle.bcpg.HashAlgorithmTags;
@@ -118,6 +119,15 @@ else if (keyAlgorithm == PublicKeyAlgorithmTags.ECDH)
                     // skip the 0x40 header byte.
                     secret = BcUtil.getSecret(new X25519Agreement(), privKey, new X25519PublicKeyParameters(pEnc, 1));
                 }
+                else if (ecPubKey.getCurveOID().equals(EdECObjectIdentifiers.id_X448))
+                {
+                    if (pEnc.length != 1 + X448PublicKeyParameters.KEY_SIZE || 0x40 != pEnc[0])
+                    {
+                        throw new IllegalArgumentException("Invalid Curve25519 public key");
+                    }
+                    // skip the 0x40 header byte.
+                    secret = BcUtil.getSecret(new X448Agreement(), privKey, new X448PublicKeyParameters(pEnc, 1));
+                }
                 else
                 {
                     ECDomainParameters ecParameters = ((ECPrivateKeyParameters)privKey).getParameters();

pg/src/main/java/org/bouncycastle/openpgp/operator/bc/BcPublicKeyKeyEncryptionMethodGenerator.java

@@ -4,6 +4,7 @@
 import java.math.BigInteger;
 import java.security.SecureRandom;
 
+import org.bouncycastle.asn1.edec.EdECObjectIdentifiers;
 import org.bouncycastle.bcpg.ECDHPublicBCPGKey;
 import org.bouncycastle.bcpg.HashAlgorithmTags;
 import org.bouncycastle.bcpg.PublicKeyAlgorithmTags;
@@ -94,6 +95,17 @@ protected byte[] encryptSessionInfo(PGPPublicKey pubKey, byte[] sessionInfo)
                     ((X25519PublicKeyParameters)ephKp.getPublic()).encode(ephPubEncoding, 1);
                     return encryptSessionInfo(sessionInfo, secret, userKeyingMaterial, ephPubEncoding, ecPubKey.getHashAlgorithm(), ecPubKey.getSymmetricKeyAlgorithm());
                 }
+                else if (ecPubKey.getCurveOID().equals(EdECObjectIdentifiers.id_X448))
+                {
+                    AsymmetricCipherKeyPair ephKp = getAsymmetricCipherKeyPair(new X448KeyPairGenerator(), new X448KeyGenerationParameters(random));
+
+                    byte[] secret = BcUtil.getSecret(new X448Agreement(), ephKp.getPrivate(), cryptoPublicKey);
+
+                    byte[] ephPubEncoding = new byte[1 + X448PublicKeyParameters.KEY_SIZE];
+                    ephPubEncoding[0] = X_HDR;
+                    ((X448PublicKeyParameters)ephKp.getPublic()).encode(ephPubEncoding, 1);
+                    return encryptSessionInfo(sessionInfo, secret, userKeyingMaterial, ephPubEncoding, ecPubKey.getHashAlgorithm(), ecPubKey.getSymmetricKeyAlgorithm());
+                }
                 else
                 {
                     AsymmetricCipherKeyPair ephKp = getAsymmetricCipherKeyPair(new ECKeyPairGenerator(),

pg/src/main/java/org/bouncycastle/openpgp/operator/jcajce/JcaPGPContentSignerBuilder.java

@@ -95,7 +95,17 @@ public PGPContentSigner build(final int signatureType, final long keyID, final P
         final PGPDigestCalculator digestCalculator = digestCalculatorProviderBuilder.build().get(hashAlgorithm);
         final PGPDigestCalculator edDigestCalculator = digestCalculatorProviderBuilder.build().get(hashAlgorithm);
         final Signature signature;
-        signature = helper.createSignature(keyAlgorithm, hashAlgorithm);
+
+        if (keyAlgorithm == PublicKeyAlgorithmTags.EDDSA_LEGACY && privateKey.getAlgorithm().equals("Ed448"))
+        {
+            // Try my best to solve Ed448Legacy issue
+            signature = helper.createSignature("Ed448");
+        }
+        else
+        {
+            signature = helper.createSignature(keyAlgorithm, hashAlgorithm);
+        }
+
 
         try
         {

pg/src/main/java/org/bouncycastle/openpgp/operator/jcajce/JcaPGPContentVerifierBuilderProvider.java

@@ -73,7 +73,18 @@ public JcaPGPContentVerifierBuilder(int keyAlgorithm, int hashAlgorithm)
         public PGPContentVerifier build(final PGPPublicKey publicKey)
             throws PGPException
         {
-            final Signature signature = helper.createSignature(keyAlgorithm, hashAlgorithm);
+            final Signature signature;
+
+            if (keyAlgorithm == PublicKeyAlgorithmTags.EDDSA_LEGACY
+                && ((EdDSAPublicBCPGKey)publicKey.getPublicKeyPacket().getKey()).getCurveOID().equals(EdECObjectIdentifiers.id_Ed448))
+            {
+                // Try my best to solve Ed448Legacy issue
+                signature = helper.createSignature("Ed448");
+            }
+            else
+            {
+                signature = helper.createSignature(keyAlgorithm, hashAlgorithm);
+            }
 
             final PGPDigestCalculator digestCalculator = digestCalculatorProviderBuilder.build().get(hashAlgorithm);
             final PublicKey jcaKey = keyConverter.getPublicKey(publicKey);

pg/src/main/java/org/bouncycastle/openpgp/operator/jcajce/JcaPGPKeyConverter.java

@@ -728,11 +728,12 @@ private BCPGKey getPublicBCPGKey(PublicKey pubKey, int keySize, BCPGKeyOperation
 
     private byte[] getPointEncUncompressed(PublicKey pubKey, int publicKeySize)
     {
-        SubjectPublicKeyInfo pubInfo = SubjectPublicKeyInfo.getInstance(pubKey.getEncoded());
+        byte[] pubInfo = SubjectPublicKeyInfo.getInstance(pubKey.getEncoded()).getPublicKeyData().getBytes();
         byte[] pointEnc = new byte[1 + publicKeySize];
 
         pointEnc[0] = 0x40;
-        System.arraycopy(pubInfo.getPublicKeyData().getBytes(), 0, pointEnc, 1, pointEnc.length - 1);
+        //offset with pointEnc.length - pubInfo.length to avoid leading zero issue
+        System.arraycopy(pubInfo, 0, pointEnc, pointEnc.length - pubInfo.length , pubInfo.length);
         return pointEnc;
     }
 

pg/src/main/java/org/bouncycastle/openpgp/operator/jcajce/JcePublicKeyDataDecryptorFactoryBuilder.java

@@ -264,6 +264,15 @@ private byte[] decryptSessionData(JcaPGPKeyConverter converter, PGPPrivateKey pr
                 }
                 publicKey = getPublicKey(pEnc, EdECObjectIdentifiers.id_X25519, 1);
             }
+            else if (ecKey.getCurveOID().equals(EdECObjectIdentifiers.id_X448))
+            {
+                agreementName = RFC6637Utils.getXDHAlgorithm(pubKeyData);
+                if (pEnc.length != (1 + X448PublicBCPGKey.LENGTH) || 0x40 != pEnc[0])
+                {
+                    throw new IllegalArgumentException("Invalid Curve25519 public key");
+                }
+                publicKey = getPublicKey(pEnc, EdECObjectIdentifiers.id_X448, 1);
+            }
             else
             {
                 X9ECParametersHolder x9Params = ECNamedCurveTable.getByOIDLazy(ecKey.getCurveOID());
@@ -318,7 +327,7 @@ private Key getSessionKey(JcaPGPKeyConverter converter, PGPPrivateKey privKey, S
         throws PGPException, GeneralSecurityException
     {
         PrivateKey privateKey = converter.getPrivateKey(privKey);
-        Key key = JcaJcePGPUtil.getSecret(helper, publicKey, RFC6637Utils.getKeyEncryptionOID(symmetricKeyAlgorithm).getId(),  agreementName, ukms, privateKey);
+        Key key = JcaJcePGPUtil.getSecret(helper, publicKey, RFC6637Utils.getKeyEncryptionOID(symmetricKeyAlgorithm).getId(), agreementName, ukms, privateKey);
         Cipher c = helper.createKeyWrapper(symmetricKeyAlgorithm);
         c.init(Cipher.UNWRAP_MODE, key);
         return c.unwrap(keyEnc, "Session", Cipher.SECRET_KEY);