Merge remote-tracking branch 'origin/main' into java-25-kdf

Author: royb

core/src/main/java/org/bouncycastle/crypto/agreement/SM2KeyExchange.java

@@ -52,7 +52,7 @@ public void init(
         if (privParam instanceof ParametersWithID)
         {
             baseParam = (SM2KeyExchangePrivateParameters)((ParametersWithID)privParam).getParameters();
-            userID = ((ParametersWithID)privParam).getID();
+            userID = checkUserID(((ParametersWithID)privParam).getID());
         }
         else
         {
@@ -80,7 +80,7 @@ public byte[] calculateKey(int kLen, CipherParameters pubParam)
         if (pubParam instanceof ParametersWithID)
         {
             otherPub = (SM2KeyExchangePublicParameters)((ParametersWithID)pubParam).getParameters();
-            otherUserID = ((ParametersWithID)pubParam).getID();
+            otherUserID = checkUserID(((ParametersWithID)pubParam).getID());
         }
         else
         {
@@ -114,7 +114,7 @@ public byte[][] calculateKeyWithConfirmation(int kLen, byte[] confirmationTag, C
         if (pubParam instanceof ParametersWithID)
         {
             otherPub = (SM2KeyExchangePublicParameters)((ParametersWithID)pubParam).getParameters();
-            otherUserID = ((ParametersWithID)pubParam).getID();
+            otherUserID = checkUserID(((ParametersWithID)pubParam).getID());
         }
         else
         {
@@ -276,6 +276,7 @@ private byte[] getZ(Digest digest, byte[] userID, ECPoint pubPoint)
     private void addUserID(Digest digest, byte[] userID)
     {
         int len = userID.length * 8;
+//        assert len >>> 16 == 0;
 
         digest.update((byte)(len >>> 8));
         digest.update((byte)len);
@@ -294,4 +295,15 @@ private byte[] digestDoFinal()
         digest.doFinal(result, 0);
         return result;
     }
+
+    private static byte[] checkUserID(byte[] userID)
+    {
+        // The length in bits must be expressible in two bytes
+        if (userID.length >= 8192)
+        {
+            throw new IllegalArgumentException("SM2 user ID must be less than 2^16 bits long");
+        }
+
+        return userID;
+    }
 }

core/src/main/java/org/bouncycastle/crypto/digests/Kangaroo.java

@@ -1,6 +1,10 @@
 package org.bouncycastle.crypto.digests;
 
-import org.bouncycastle.crypto.*;
+import org.bouncycastle.crypto.CipherParameters;
+import org.bouncycastle.crypto.CryptoServicePurpose;
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
+import org.bouncycastle.crypto.ExtendedDigest;
+import org.bouncycastle.crypto.Xof;
 import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.Bytes;
 import org.bouncycastle.util.Pack;
@@ -220,8 +224,6 @@ abstract static class KangarooBase
          */
         private int theProcessed;
 
-        private final CryptoServicePurpose purpose;
-
         /**
          * Constructor.
          *
@@ -241,7 +243,6 @@ abstract static class KangarooBase
 
             /* Build personalisation */
             buildPersonal(null);
-            this.purpose = purpose;
 
             CryptoServicesRegistrar.checkConstraints(Utils.getDefaultProperties(this, pStrength, purpose));
 
@@ -542,7 +543,7 @@ private static class KangarooSponge
         /**
          * The round constants.
          */
-        private static long[] KeccakRoundConstants = new long[]{0x0000000000000001L, 0x0000000000008082L,
+        private static final long[] KeccakRoundConstants = new long[]{0x0000000000000001L, 0x0000000000008082L,
             0x800000000000808aL, 0x8000000080008000L, 0x000000000000808bL, 0x0000000080000001L, 0x8000000080008081L,
             0x8000000000008009L, 0x000000000000008aL, 0x0000000000000088L, 0x0000000080008009L, 0x000000008000000aL,
             0x000000008000808bL, 0x800000000000008bL, 0x8000000000008089L, 0x8000000000008003L, 0x8000000000008002L,
@@ -625,6 +626,12 @@ private void absorb(final byte[] data,
             int count = 0;
             while (count < len)
             {
+                if (bytesInQueue == theRateBytes)
+                {
+                    KangarooAbsorb(theQueue, 0);
+                    bytesInQueue = 0;
+                }
+
                 if (bytesInQueue == 0 && count <= (len - theRateBytes))
                 {
                     do
@@ -642,12 +649,6 @@ private void absorb(final byte[] data,
 
                     bytesInQueue += partialBlock;
                     count += partialBlock;
-
-                    if (bytesInQueue == theRateBytes)
-                    {
-                        KangarooAbsorb(theQueue, 0);
-                        bytesInQueue = 0;
-                    }
                 }
             }
         }

core/src/main/java/org/bouncycastle/crypto/signers/SM2Signer.java

@@ -79,9 +79,10 @@ public void init(boolean forSigning, CipherParameters param)
             baseParam = ((ParametersWithID)param).getParameters();
             userID = ((ParametersWithID)param).getID();
 
+            // The length in bits must be expressible in two bytes
             if (userID.length >= 8192)
             {
-                throw new IllegalArgumentException("SM2 user ID must be less than 2^13 bits long");
+                throw new IllegalArgumentException("SM2 user ID must be less than 2^16 bits long");
             }
         }
         else
@@ -323,6 +324,8 @@ private byte[] getZ(byte[] userID)
     private void addUserID(Digest digest, byte[] userID)
     {
         int len = userID.length * 8;
+//        assert len >>> 16 == 0;
+
         digest.update((byte)(len >>> 8));
         digest.update((byte)len);
         digest.update(userID, 0, userID.length);

core/src/main/jdk1.4/org/bouncycastle/util/Arrays.java

@@ -177,6 +177,37 @@ public static boolean constantTimeAreEqual(
         return nonEqual == 0;
     }
 
+    public static boolean constantTimeAreEqual(int len, long[] a, int aOff, long[] b, int bOff)
+    {
+        if (null == a)
+        {
+            throw new NullPointerException("'a' cannot be null");
+        }
+        if (null == b)
+        {
+            throw new NullPointerException("'b' cannot be null");
+        }
+        if (len < 0)
+        {
+            throw new IllegalArgumentException("'len' cannot be negative");
+        }
+        if (aOff > (a.length - len))
+        {
+            throw new IndexOutOfBoundsException("'aOff' value invalid for specified length");
+        }
+        if (bOff > (b.length - len))
+        {
+            throw new IndexOutOfBoundsException("'bOff' value invalid for specified length");
+        }
+
+        long d = 0;
+        for (int i = 0; i < len; ++i)
+        {
+            d |= (a[aOff + i] ^ b[bOff + i]);
+        }
+        return 0L == d;
+    }
+
     public static int compareUnsigned(byte[] a, byte[] b)
     {
         if (a == b)

core/src/test/java/org/bouncycastle/crypto/test/KangarooTest.java

@@ -8,7 +8,8 @@
 
 /**
  * Test Cases for Kangaroo12. No TestVectors are available for MarsupilamiFourteen.
- * Test Vectors taken from https://tools.ietf.org/html/draft-viguier-kangarootwelve-04.
+ * Test Vectors taken from https://tools.ietf.org/html/draft-viguier-kangarootwelve-04,
+ * and generated using the reference implementation given in https://keccak.team/files/KangarooTwelve.pdf.
  */
 public class KangarooTest
     extends SimpleTest
@@ -147,7 +148,13 @@ static class Kangaroo12Test
                  "FAB658DB63E94A246188BF7AF69A133045F46EE984C56E3C3328CAAF1AA1A583",
                  "D848C5068CED736F4462159B9867FD4C20B808ACC3D5BC48E0B06BA0A3762EC4",
                  "C389E5009AE57120854C2E8C64670AC01358CF4C1BAF89447A724234DC7CED74",
-                 "75D2F86A2E644566726B4FBCFC5657B9DBCF070C7B0DCA06450AB291D7443BCF"
+                 "75D2F86A2E644566726B4FBCFC5657B9DBCF070C7B0DCA06450AB291D7443BCF",
+                 "61F2AD5657F4F2632A0822138EFE20C6A68A1885E1C0643EBF5587103219301D",
+                 "CBBE9DD1E423F20003FBA7BB219491C8D1F445FA5C4199D6C6C70C9FDC101964",
+                 "77DF46FD2D22BCE26E636E02CE10F9A42AE925E071F9056A9236328DB01BA411",
+                 "711835517A182DD4BC0E816BF5C72A278B227AE0B3D68F82577F97AD3CBFCA6A",
+                 "640728E5B4BE29F04A4FFFA645CB308102170F4D2B69D61F030CDC569BC74BAC",
+                 "5D7D68B49A5D999B8699FC4EDBEF0F0B4E4E7E904FE4B2B6B10C7C922407CF66"
          };
 
          /**
@@ -170,6 +177,12 @@ void checkDigests(final KangarooTest pTest)
              pTest.testKangaroo(1, false, 41, EXPECTED[11]);
              pTest.testKangaroo(3, false, 41*41, EXPECTED[12]);
              pTest.testKangaroo(7, false, 41*41*41, EXPECTED[13]);
+             pTest.testKangaroo(165, true, 0, EXPECTED[14]);
+             pTest.testKangaroo(166, true, 0, EXPECTED[15]);
+             pTest.testKangaroo(167, true, 0, EXPECTED[16]);
+             pTest.testKangaroo(8192 + 165, false, 0, EXPECTED[17]);
+             pTest.testKangaroo(8192 + 166, false, 0, EXPECTED[18]);
+             pTest.testKangaroo(8192 + 167, false, 0, EXPECTED[19]);
          }
      }
 

core/src/test/java/org/bouncycastle/pqc/crypto/test/MLDSATest.java

@@ -79,7 +79,7 @@ public void testConsistency()
                 {
                     AsymmetricCipherKeyPair kp = kpg.generateKeyPair();
 
-                    Signer signer = parameters.isPreHash() ? new HashMLDSASigner() : new MLDSASigner();
+                    Signer signer = parameters.isPreHash() ? (Signer)new HashMLDSASigner() : (Signer)new MLDSASigner();
 
                     for (int j = 0; j < 2; ++j)
                     {

prov/src/main/java/org/bouncycastle/jcajce/CompositeUtil.java

@@ -35,7 +35,7 @@ class CompositeUtil
 
     static ASN1ObjectIdentifier getOid(String name)
     {
-        ASN1ObjectIdentifier oid = algorithmOids.get(Strings.toUpperCase(name));
+        ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier)algorithmOids.get(Strings.toUpperCase(name));
         if (oid == null)
         {
             throw new IllegalArgumentException("name " + name + " not recognized");

prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/SignatureSpi.java

@@ -19,6 +19,7 @@
 import java.security.spec.MGF1ParameterSpec;
 import java.security.spec.PSSParameterSpec;
 import java.util.HashMap;
+import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 
@@ -41,7 +42,6 @@
 import org.bouncycastle.jcajce.util.SpecUtil;
 import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.Exceptions;
-import org.bouncycastle.util.Strings;
 import org.bouncycastle.util.encoders.Hex;
 
 /**
@@ -53,7 +53,7 @@ public class SignatureSpi
     //the byte encoding of the ASCII string "CompositeAlgorithmSignatures2025"
     private static final byte[] prefix = Hex.decode("436f6d706f73697465416c676f726974686d5369676e61747572657332303235");
     private static final Map<String, String> canonicalNames = new HashMap<String, String>();
-    private static final HashMap<ASN1ObjectIdentifier, byte[]> domainSeparators = new HashMap<ASN1ObjectIdentifier, byte[]>();
+    private static final HashMap<ASN1ObjectIdentifier, byte[]> domainSeparators = new LinkedHashMap<ASN1ObjectIdentifier, byte[]>();
     private static final HashMap<ASN1ObjectIdentifier, AlgorithmParameterSpec> algorithmsParameterSpecs = new HashMap<ASN1ObjectIdentifier, AlgorithmParameterSpec>();
     private static final String ML_DSA_44 = "ML-DSA-44";
     private static final String ML_DSA_65 = "ML-DSA-65";
@@ -69,25 +69,25 @@ public class SignatureSpi
         canonicalNames.put(NISTObjectIdentifiers.id_ml_dsa_44.getId(), ML_DSA_44);
         canonicalNames.put(NISTObjectIdentifiers.id_ml_dsa_65.getId(), ML_DSA_65);
         canonicalNames.put(NISTObjectIdentifiers.id_ml_dsa_87.getId(), ML_DSA_87);
-
-        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA44_RSA2048_PSS_SHA256, Strings.toByteArray("COMPSIG-MLDSA44-RSA2048-PSS-SHA256"));
-        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA44_RSA2048_PKCS15_SHA256, Strings.toByteArray("COMPSIG-MLDSA44-RSA2048-PKCS15-SHA256"));
-        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA44_Ed25519_SHA512, Strings.toByteArray("COMPSIG-MLDSA44-Ed25519-SHA512"));
-        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA44_ECDSA_P256_SHA256, Strings.toByteArray("COMPSIG-MLDSA44-ECDSA-P256-SHA256"));
-        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA65_RSA3072_PSS_SHA512, Strings.toByteArray("COMPSIG-MLDSA65-RSA3072-PSS-SHA512"));
-        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA65_RSA3072_PKCS15_SHA512, Strings.toByteArray("COMPSIG-MLDSA65-RSA3072-PKCS15-SHA512"));
-        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA65_RSA4096_PSS_SHA512, Strings.toByteArray("COMPSIG-MLDSA65-RSA4096-PSS-SHA512"));
-        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA65_RSA4096_PKCS15_SHA512, Strings.toByteArray("COMPSIG-MLDSA65-RSA4096-PKCS15-SHA512"));
-        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA65_ECDSA_P256_SHA512, Strings.toByteArray("COMPSIG-MLDSA65-ECDSA-P256-SHA512"));
-        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA65_ECDSA_P384_SHA512, Strings.toByteArray("COMPSIG-MLDSA65-ECDSA-P384-SHA512"));
-        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA65_ECDSA_brainpoolP256r1_SHA512, Strings.toByteArray("COMPSIG-MLDSA65-ECDSA-BP256-SHA512"));
-        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA65_Ed25519_SHA512, Strings.toByteArray("COMPSIG-MLDSA65-Ed25519-SHA512"));
-        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA87_ECDSA_brainpoolP384r1_SHA512, Strings.toByteArray("COMPSIG-MLDSA87-ECDSA-BP384-SHA512"));
-        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA87_Ed448_SHAKE256, Strings.toByteArray("COMPSIG-MLDSA87-Ed448-SHAKE256"));
-        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA87_RSA3072_PSS_SHA512, Strings.toByteArray("COMPSIG-MLDSA87-RSA3072-PSS-SHA512"));
-        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA87_RSA4096_PSS_SHA512, Strings.toByteArray("COMPSIG-MLDSA87-RSA4096-PSS-SHA512"));
-        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA87_ECDSA_P384_SHA512, Strings.toByteArray("COMPSIG-MLDSA87-ECDSA-P384-SHA512"));
-        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA87_ECDSA_P521_SHA512, Strings.toByteArray("COMPSIG-MLDSA87-ECDSA-P521-SHA512"));
+        
+        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA44_RSA2048_PSS_SHA256, Hex.decode("434f4d505349472d4d4c44534134342d525341323034382d5053532d534841323536")); // COMPSIG-MLDSA44-RSA2048-PSS-SHA256
+        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA44_RSA2048_PKCS15_SHA256, Hex.decode("434f4d505349472d4d4c44534134342d525341323034382d504b435331352d534841323536")); // COMPSIG-MLDSA44-RSA2048-PKCS15-SHA256
+        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA44_Ed25519_SHA512, Hex.decode("434f4d505349472d4d4c44534134342d456432353531392d534841353132")); // COMPSIG-MLDSA44-Ed25519-SHA512
+        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA44_ECDSA_P256_SHA256, Hex.decode("434f4d505349472d4d4c44534134342d45434453412d503235362d534841323536")); // COMPSIG-MLDSA44-ECDSA-P256-SHA256
+        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA65_RSA3072_PSS_SHA512, Hex.decode("434f4d505349472d4d4c44534136352d525341333037322d5053532d534841353132")); // COMPSIG-MLDSA65-RSA3072-PSS-SHA512
+        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA65_RSA3072_PKCS15_SHA512, Hex.decode("434f4d505349472d4d4c44534136352d525341333037322d504b435331352d534841353132")); // COMPSIG-MLDSA65-RSA3072-PKCS15-SHA512
+        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA65_RSA4096_PSS_SHA512, Hex.decode("434f4d505349472d4d4c44534136352d525341343039362d5053532d534841353132")); // COMPSIG-MLDSA65-RSA4096-PSS-SHA512
+        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA65_RSA4096_PKCS15_SHA512, Hex.decode("434f4d505349472d4d4c44534136352d525341343039362d504b435331352d534841353132")); // COMPSIG-MLDSA65-RSA4096-PKCS15-SHA512
+        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA65_ECDSA_P256_SHA512, Hex.decode("434f4d505349472d4d4c44534136352d45434453412d503235362d534841353132")); // COMPSIG-MLDSA65-ECDSA-P256-SHA512
+        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA65_ECDSA_P384_SHA512, Hex.decode("434f4d505349472d4d4c44534136352d45434453412d503338342d534841353132")); // COMPSIG-MLDSA65-ECDSA-P384-SHA512
+        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA65_ECDSA_brainpoolP256r1_SHA512, Hex.decode("434f4d505349472d4d4c44534136352d45434453412d42503235362d534841353132")); // COMPSIG-MLDSA65-ECDSA-BP256-SHA512
+        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA65_Ed25519_SHA512, Hex.decode("434f4d505349472d4d4c44534136352d456432353531392d534841353132")); // COMPSIG-MLDSA65-Ed25519-SHA512
+        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA87_ECDSA_brainpoolP384r1_SHA512, Hex.decode("434f4d505349472d4d4c44534138372d45434453412d42503338342d534841353132")); // COMPSIG-MLDSA87-ECDSA-BP384-SHA512
+        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA87_Ed448_SHAKE256, Hex.decode("434f4d505349472d4d4c44534138372d45643434382d5348414b45323536")); // COMPSIG-MLDSA87-Ed448-SHAKE256
+        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA87_RSA3072_PSS_SHA512, Hex.decode("434f4d505349472d4d4c44534138372d525341333037322d5053532d534841353132")); // COMPSIG-MLDSA87-RSA3072-PSS-SHA512
+        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA87_RSA4096_PSS_SHA512, Hex.decode("434f4d505349472d4d4c44534138372d525341343039362d5053532d534841353132")); // COMPSIG-MLDSA87-RSA4096-PSS-SHA512
+        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA87_ECDSA_P384_SHA512, Hex.decode("434f4d505349472d4d4c44534138372d45434453412d503338342d534841353132")); // COMPSIG-MLDSA87-ECDSA-P384-SHA512
+        domainSeparators.put(IANAObjectIdentifiers.id_MLDSA87_ECDSA_P521_SHA512, Hex.decode("434f4d505349472d4d4c44534138372d45434453412d503532312d534841353132")); // COMPSIG-MLDSA87-ECDSA-P521-SHA512
 
         algorithmsParameterSpecs.put(IANAObjectIdentifiers.id_MLDSA44_RSA2048_PSS_SHA256,
             new PSSParameterSpec("SHA-256", "MGF1", new MGF1ParameterSpec("SHA-256"), 32, 1));
@@ -439,15 +439,15 @@ protected boolean engineVerify(byte[] signature)
         throws SignatureException
     {
         int mldsaSigLen = 0;
-        if (componentSignatures[0] instanceof org.bouncycastle.jcajce.provider.asymmetric.mldsa.SignatureSpi.MLDSA44)
+        if (algs[0].indexOf("44") > 0)
         {
             mldsaSigLen = 2420;
         }
-        else if (componentSignatures[0] instanceof org.bouncycastle.jcajce.provider.asymmetric.mldsa.SignatureSpi.MLDSA65)
+        else if (algs[0].indexOf("65") > 0)
         {
             mldsaSigLen = 3309;
         }
-        else if (componentSignatures[0] instanceof org.bouncycastle.jcajce.provider.asymmetric.mldsa.SignatureSpi.MLDSA87)
+        else if (algs[0].indexOf("87") > 0)
         {
             mldsaSigLen = 4627;
         }

prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/util/BaseDeterministicOrRandomSignature.java

@@ -7,8 +7,8 @@
 import java.security.ProviderException;
 import java.security.PublicKey;
 import java.security.SecureRandom;
-import java.security.Signature;
 import java.security.SignatureException;
+import java.security.SignatureSpi;
 import java.security.spec.AlgorithmParameterSpec;
 
 import org.bouncycastle.crypto.CipherParameters;
@@ -22,7 +22,7 @@
 import org.bouncycastle.util.Exceptions;
 
 public abstract class BaseDeterministicOrRandomSignature
-    extends Signature
+    extends SignatureSpi
 {
     private final JcaJceHelper helper = new BCJcaJceHelper();
     private final AlgorithmParameterSpec originalSpec;
@@ -35,7 +35,6 @@ public abstract class BaseDeterministicOrRandomSignature
 
     protected BaseDeterministicOrRandomSignature(String name)
     {
-        super(name);
         this.originalSpec = ContextParameterSpec.EMPTY_CONTEXT_SPEC;
     }