Merge branch 'main' into rfc-6508-sakke

Author: gefeili

ant/jdk14.xml

@@ -214,6 +214,7 @@
         </copy>
         <copy todir="${src.dir}" overwrite="true">
             <fileset dir="pg/src/main/jdk1.5" includes="**/*.java"/>
+            <fileset dir="prov/src/test/jdk1.5" includes="**/*.java"/>
         </copy>
         <copy todir="${src.dir}" overwrite="true">
             <fileset dir="core/src/main/jdk1.4" includes="**/*.java"/>

build.gradle

@@ -253,7 +253,10 @@ subprojects {
     }
 
     nohttp {
+        source.exclude '**/*.asc'
+        source.exclude '**/*.pem'
         source.exclude '**/*.rsp'
+        source.exclude '**/*.jar'
     }
 
     jacocoTestReport {

core/src/main/java/org/bouncycastle/asn1/bc/BCObjectIdentifiers.java

@@ -429,4 +429,18 @@ public interface BCObjectIdentifiers
     ASN1ObjectIdentifier hqc128 = pqc_kem_hqc.branch("1");
     ASN1ObjectIdentifier hqc192 = pqc_kem_hqc.branch("2");
     ASN1ObjectIdentifier hqc256 = pqc_kem_hqc.branch("3");
+
+    /**
+     * ML-KEM/ML-DSA seed parameters algorithms - temporary
+     * 
+     */
+    //TODO: delete before release
+    ASN1ObjectIdentifier id_id_alg_seed = bc.branch("10");
+
+    ASN1ObjectIdentifier id_id_alg_ml_dsa_44_seed = id_id_alg_seed.branch("1");
+    ASN1ObjectIdentifier id_id_alg_ml_dsa_65_seed = id_id_alg_seed.branch("2");
+    ASN1ObjectIdentifier id_id_alg_ml_dsa_87_seed = id_id_alg_seed.branch("3");
+    ASN1ObjectIdentifier id_id_alg_ml_kem_512_seed = id_id_alg_seed.branch("4");
+    ASN1ObjectIdentifier id_id_alg_ml_kem_768_seed = id_id_alg_seed.branch("5");
+    ASN1ObjectIdentifier id_id_alg_ml_kem_1024_seed = id_id_alg_seed.branch("6");
 }

core/src/main/java/org/bouncycastle/pqc/crypto/util/Utils.java

@@ -279,6 +279,9 @@ class Utils
         mldsaParams.put(NISTObjectIdentifiers.id_ml_dsa_44, MLDSAParameters.ml_dsa_44);
         mldsaParams.put(NISTObjectIdentifiers.id_ml_dsa_65, MLDSAParameters.ml_dsa_65);
         mldsaParams.put(NISTObjectIdentifiers.id_ml_dsa_87, MLDSAParameters.ml_dsa_87);
+        mldsaParams.put(BCObjectIdentifiers.id_id_alg_ml_dsa_44_seed, MLDSAParameters.ml_dsa_44);
+        mldsaParams.put(BCObjectIdentifiers.id_id_alg_ml_dsa_65_seed, MLDSAParameters.ml_dsa_65);
+        mldsaParams.put(BCObjectIdentifiers.id_id_alg_ml_dsa_87_seed, MLDSAParameters.ml_dsa_87);
         mldsaParams.put(NISTObjectIdentifiers.id_hash_ml_dsa_44_with_sha512, MLDSAParameters.ml_dsa_44_with_sha512);
         mldsaParams.put(NISTObjectIdentifiers.id_hash_ml_dsa_65_with_sha512, MLDSAParameters.ml_dsa_65_with_sha512);
         mldsaParams.put(NISTObjectIdentifiers.id_hash_ml_dsa_87_with_sha512, MLDSAParameters.ml_dsa_87_with_sha512);

pg/src/main/java/org/bouncycastle/bcpg/ArmoredInputStream.java

@@ -276,9 +276,8 @@ private boolean parseHeaders()
                     }
                     catch (Exception e)
                     {
-                         throw new ArmoredInputException(e.getMessage());
+                        throw new ArmoredInputException(e.getMessage());
                     }
-
                     if (line.trim().length() == 0)
                     {
                         break;

pg/src/main/java/org/bouncycastle/openpgp/operator/jcajce/JcePBEKeyEncryptionMethodGenerator.java

@@ -185,7 +185,6 @@ protected byte[] getEskAndTag(int kekAlgorithm, int aeadAlgorithm, byte[] sessio
         {
             throw new PGPException("cannot encrypt session info", e);
         }
-
     }
 
     private static String getBaseAEADAlgorithm(int encAlgorithm)

pkix/src/test/java/org/bouncycastle/cms/test/GOSTR3410_2012_256CmsSignVerifyDetached.java

@@ -9,6 +9,7 @@
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.Date;
 import java.util.HashSet;
 import java.util.List;
 
@@ -121,9 +122,13 @@ private static boolean verifyDetached(byte[] data, byte[] detachedCms,
 
                     // Validate signer's certificate chain
                     X509CertSelector constraints = new X509CertSelector();
-                    constraints.setCertificate(getX509Certificate(signerCert));
+                    X509Certificate x509Certificate = getX509Certificate(signerCert);
+                    constraints.setCertificate(x509Certificate);
+
                     PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, constraints);
 
+                    params.setDate(new Date(x509Certificate.getNotAfter().getTime() - 5000L));
+
                     JcaCertStoreBuilder certStoreBuilder = new JcaCertStoreBuilder();
                     certStoreBuilder.addCertificate(signerCert);
 

pkix/src/test/java/org/bouncycastle/cms/test/PQCSignedDataTest.java

@@ -337,7 +337,7 @@ public void testLmsEncapsulated()
             Iterator certIt = certCollection.iterator();
             X509CertificateHolder cert = (X509CertificateHolder)certIt.next();
 
-            assertEquals(true, signer.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert)));
+            assertEquals(true, signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert)));
 
             //
             // check content digest

prov/src/main/java/org/bouncycastle/jcajce/PKIXCRLStoreSelector.java

@@ -185,45 +185,44 @@ public boolean match(CRL obj)
         }
 
         X509CRL crl = (X509CRL)obj;
-        ASN1Integer dci = null;
-        try
+
+        // TODO[pkix] Do we always need to parse the Delta CRL Indicator extension?
         {
-            byte[] bytes = crl
-                .getExtensionValue(Extension.deltaCRLIndicator.getId());
-            if (bytes != null)
+            ASN1Integer baseCRLNumber = null;
+            try
             {
-                dci = ASN1Integer.getInstance(ASN1OctetString.getInstance(bytes).getOctets());
+                byte[] dci = crl.getExtensionValue(Extension.deltaCRLIndicator.getId());
+                if (dci != null)
+                {
+                    baseCRLNumber = ASN1Integer.getInstance(ASN1OctetString.getInstance(dci).getOctets());
+                }
             }
-        }
-        catch (Exception e)
-        {
-            return false;
-        }
-        if (isDeltaCRLIndicatorEnabled())
-        {
-            if (dci == null)
+            catch (Exception e)
             {
                 return false;
             }
-        }
-        if (isCompleteCRLEnabled())
-        {
-            if (dci != null)
+
+            if (baseCRLNumber == null)
             {
-                return false;
+                if (isDeltaCRLIndicatorEnabled())
+                {
+                    return false;
+                }
             }
-        }
-        if (dci != null)
-        {
-
-            if (maxBaseCRLNumber != null)
+            else
             {
-                if (dci.getPositiveValue().compareTo(maxBaseCRLNumber) == 1)
+                if (isCompleteCRLEnabled())
+                {
+                    return false;
+                }
+
+                if (maxBaseCRLNumber != null && baseCRLNumber.getPositiveValue().compareTo(maxBaseCRLNumber) == 1)
                 {
                     return false;
                 }
             }
         }
+
         if (issuingDistributionPointEnabled)
         {
             byte[] idp = crl

prov/src/main/java/org/bouncycastle/jcajce/interfaces/MLDSAPrivateKey.java

@@ -25,4 +25,12 @@ public interface MLDSAPrivateKey
      * @return the seed for the private key, null if not available.
      */
     byte[] getSeed();
+
+    /**
+     * Return the encoding of the key or an encoding of its key generation parameters (the seed).
+     *
+     * @param asKeyGenParams return a key gen parameters structure.
+     * @return a PKCS#8 of the private key encoding, or a PKCS#8 of the seed.
+     */
+    byte[] getEncoded(boolean asKeyGenParams);
 }