added backwards compatibility for Dilithium and Falcon public keys.

dghgit · dghgit · commit b85eff91aa21 · 2022-09-22T15:21:27.000+10:00
updated Kyber public key to follow draft RFC.
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/crystals/dilithium/DilithiumPublicKeyParameters.java b/core/src/main/java/org/bouncycastle/pqc/crypto/crystals/dilithium/DilithiumPublicKeyParameters.java
@@ -23,6 +23,13 @@ public byte[] getEncoded()
         return Arrays.concatenate(rho, t1);
     }
 
+    public DilithiumPublicKeyParameters(DilithiumParameters params, byte[] encoding)
+    {
+        super(false, params);
+        this.rho = Arrays.copyOfRange(encoding, 0, DilithiumEngine.SeedBytes);
+        this.t1 = Arrays.copyOfRange(encoding, DilithiumEngine.SeedBytes, encoding.length);
+    }
+
     public DilithiumPublicKeyParameters(DilithiumParameters params, byte[] rho, byte[] t1)
     {
         super(false, params);
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/crystals/kyber/KyberKEMGenerator.java b/core/src/main/java/org/bouncycastle/pqc/crypto/crystals/kyber/KyberKEMGenerator.java
@@ -26,7 +26,7 @@ public SecretWithEncapsulation generateEncapsulated(AsymmetricKeyParameter recip
         KyberPublicKeyParameters key = (KyberPublicKeyParameters)recipientKey;
         KyberEngine engine = key.getParameters().getEngine();
         engine.init(sr);
-        byte[][] kemEncrypt = engine.kemEncrypt(key.publicKey);
+        byte[][] kemEncrypt = engine.kemEncrypt(key.getPublicKey());
         return new KyberKEMGenerator.SecretWithEncapsulationImpl(kemEncrypt[0], kemEncrypt[1]);
     }
 
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/crystals/kyber/KyberPublicKeyParameters.java b/core/src/main/java/org/bouncycastle/pqc/crypto/crystals/kyber/KyberPublicKeyParameters.java
@@ -5,21 +5,40 @@
 public class KyberPublicKeyParameters
     extends KyberKeyParameters
 {
-    final byte[] publicKey;
+    final byte[] t;
+    final byte[] rho;
 
     public byte[] getPublicKey()
     {
-        return Arrays.clone(publicKey);
+        return Arrays.concatenate(t, rho);
     }
 
     public byte[] getEncoded()
     {
         return getPublicKey();
     }
 
-    public KyberPublicKeyParameters(KyberParameters params, byte[] publicKey)
+    public KyberPublicKeyParameters(KyberParameters params, byte[] t, byte[] rho)
     {
         super(false, params);
-        this.publicKey = Arrays.clone(publicKey);
+        this.t = Arrays.clone(t);
+        this.rho = Arrays.clone(rho);
+    }
+
+    public KyberPublicKeyParameters(KyberParameters params, byte[] encoding)
+    {
+        super(false, params);
+        this.t = Arrays.copyOfRange(encoding,0, encoding.length - KyberEngine.KyberSymBytes);
+        this.rho = Arrays.copyOfRange(encoding, encoding.length - KyberEngine.KyberSymBytes, encoding.length);
+    }
+
+    public byte[] getT()
+    {
+        return Arrays.clone(t);
+    }
+
+    public byte[] getRho()
+    {
+        return Arrays.clone(rho);
     }
 }
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/falcon/FalconPublicKeyParameters.java b/core/src/main/java/org/bouncycastle/pqc/crypto/falcon/FalconPublicKeyParameters.java
@@ -5,7 +5,6 @@
 public class FalconPublicKeyParameters
     extends FalconKeyParameters
 {
-
     private byte[] H;
 
     public FalconPublicKeyParameters(FalconParameters parameters, byte[] H)
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/util/PublicKeyFactory.java b/core/src/main/java/org/bouncycastle/pqc/crypto/util/PublicKeyFactory.java
@@ -470,11 +470,26 @@ private static class FalconConverter
         AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Object defaultParams)
             throws IOException
         {
-            byte[] keyEnc = ASN1OctetString.getInstance(ASN1Sequence.getInstance(keyInfo.parsePublicKey()).getObjectAt(0)).getOctets();
-
             FalconParameters falconParams = Utils.falconParamsLookup(keyInfo.getAlgorithm().getAlgorithm());
 
-            return new FalconPublicKeyParameters(falconParams, keyEnc);
+            ASN1Primitive obj = keyInfo.parsePublicKey();
+            if (obj instanceof ASN1Sequence)
+            {
+                byte[] keyEnc = ASN1OctetString.getInstance(ASN1Sequence.getInstance(obj).getObjectAt(0)).getOctets();
+
+                return new FalconPublicKeyParameters(falconParams, keyEnc);
+            }
+            else
+            {
+                // header byte + h
+                byte[] keyEnc = ASN1OctetString.getInstance(obj).getOctets();
+
+                if (keyEnc[0] != (byte)(0x00 + falconParams.getLogN()))
+                {
+                    throw new IllegalArgumentException("byte[] enc of Falcon h value not tagged correctly");
+                }
+                return new FalconPublicKeyParameters(falconParams, Arrays.copyOfRange(keyEnc, 1, keyEnc.length));
+            }
         }
     }
 
@@ -484,11 +499,23 @@ private static class KyberConverter
         AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Object defaultParams)
             throws IOException
         {
-            byte[] keyEnc = ASN1OctetString.getInstance(keyInfo.parsePublicKey()).getOctets();
+            KyberParameters kyberParameters = Utils.kyberParamsLookup(keyInfo.getAlgorithm().getAlgorithm());
 
-            KyberParameters kyberParams = Utils.kyberParamsLookup(keyInfo.getAlgorithm().getAlgorithm());
+            ASN1Primitive obj = keyInfo.parsePublicKey();
+            if (obj instanceof ASN1Sequence)
+            {
+                ASN1Sequence keySeq = ASN1Sequence.getInstance(obj);
 
-            return new KyberPublicKeyParameters(kyberParams, keyEnc);
+                return new KyberPublicKeyParameters(kyberParameters,
+                    ASN1OctetString.getInstance(keySeq.getObjectAt(0)).getOctets(),
+                    ASN1OctetString.getInstance(keySeq.getObjectAt(1)).getOctets());
+            }
+            else
+            {
+                byte[] encKey = ASN1OctetString.getInstance(obj).getOctets();
+
+                return new KyberPublicKeyParameters(kyberParameters, encKey);
+            }
         }
     }
 
@@ -526,13 +553,23 @@ private static class DilithiumConverter
         AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Object defaultParams)
             throws IOException
         {
-            ASN1Sequence keySeq = ASN1Sequence.getInstance(keyInfo.parsePublicKey());
-
             DilithiumParameters dilithiumParams = Utils.dilithiumParamsLookup(keyInfo.getAlgorithm().getAlgorithm());
 
-            return new DilithiumPublicKeyParameters(dilithiumParams,
-                ASN1OctetString.getInstance(keySeq.getObjectAt(0)).getOctets(),
-                ASN1OctetString.getInstance(keySeq.getObjectAt(1)).getOctets());
+            ASN1Primitive obj = keyInfo.parsePublicKey();
+            if (obj instanceof ASN1Sequence)
+            {
+                ASN1Sequence keySeq = ASN1Sequence.getInstance(obj);
+
+                return new DilithiumPublicKeyParameters(dilithiumParams,
+                    ASN1OctetString.getInstance(keySeq.getObjectAt(0)).getOctets(),
+                    ASN1OctetString.getInstance(keySeq.getObjectAt(1)).getOctets());
+            }
+            else
+            {
+                byte[] encKey = ASN1OctetString.getInstance(obj).getOctets();
+
+                return new DilithiumPublicKeyParameters(dilithiumParams, encKey);
+            }
         }
     }
 
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/util/SubjectPublicKeyInfoFactory.java b/core/src/main/java/org/bouncycastle/pqc/crypto/util/SubjectPublicKeyInfoFactory.java
@@ -188,8 +188,7 @@ else if (publicKey instanceof SABERPublicKeyParameters)
             byte[] encoding = params.getEncoded();
 
             AlgorithmIdentifier algorithmIdentifier = new AlgorithmIdentifier(Utils.saberOidLookup(params.getParameters()));
-
-            // https://datatracker.ietf.org/doc/draft-uni-qsckeys/
+            
             return new SubjectPublicKeyInfo(algorithmIdentifier, new DERSequence(new DEROctetString(encoding)));
         }
         else if (publicKey instanceof PicnicPublicKeyParameters)
@@ -231,10 +230,11 @@ else if (publicKey instanceof KyberPublicKeyParameters)
         {
             KyberPublicKeyParameters params = (KyberPublicKeyParameters)publicKey;
 
-            byte[] encoding = params.getEncoded();
             AlgorithmIdentifier algorithmIdentifier = new AlgorithmIdentifier(Utils.kyberOidLookup(params.getParameters()));
-
-            return new SubjectPublicKeyInfo(algorithmIdentifier, new DEROctetString(encoding));
+            ASN1EncodableVector v = new ASN1EncodableVector();
+            v.add(new DEROctetString(params.getT()));
+            v.add(new DEROctetString(params.getRho()));
+            return new SubjectPublicKeyInfo(algorithmIdentifier, new DERSequence(v));
         }
         else if (publicKey instanceof NTRULPRimePublicKeyParameters)
         {

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,13 @@ public byte[] getEncoded()`
`23`	`23`	`return Arrays.concatenate(rho, t1);`
`24`	`24`	`}`
`25`	`25`
	`26`	`+ public DilithiumPublicKeyParameters(DilithiumParameters params, byte[] encoding)`
	`27`	`+ {`
	`28`	`+ super(false, params);`
	`29`	`+ this.rho = Arrays.copyOfRange(encoding, 0, DilithiumEngine.SeedBytes);`
	`30`	`+ this.t1 = Arrays.copyOfRange(encoding, DilithiumEngine.SeedBytes, encoding.length);`
	`31`	`+ }`
	`32`	`+`
`26`	`33`	`public DilithiumPublicKeyParameters(DilithiumParameters params, byte[] rho, byte[] t1)`
`27`	`34`	`{`
`28`	`35`	`super(false, params);`
Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ public SecretWithEncapsulation generateEncapsulated(AsymmetricKeyParameter recip`
`26`	`26`	`KyberPublicKeyParameters key = (KyberPublicKeyParameters)recipientKey;`
`27`	`27`	`KyberEngine engine = key.getParameters().getEngine();`
`28`	`28`	`engine.init(sr);`
`29`		`- byte[][] kemEncrypt = engine.kemEncrypt(key.publicKey);`
	`29`	`+ byte[][] kemEncrypt = engine.kemEncrypt(key.getPublicKey());`
`30`	`30`	`return new KyberKEMGenerator.SecretWithEncapsulationImpl(kemEncrypt[0], kemEncrypt[1]);`
`31`	`31`	`}`
`32`	`32`
Original file line number	Diff line number	Diff line change
`@@ -5,21 +5,40 @@`
`5`	`5`	`public class KyberPublicKeyParameters`
`6`	`6`	`extends KyberKeyParameters`
`7`	`7`	`{`
`8`		`- final byte[] publicKey;`
	`8`	`+ final byte[] t;`
	`9`	`+ final byte[] rho;`
`9`	`10`
`10`	`11`	`public byte[] getPublicKey()`
`11`	`12`	`{`
`12`		`- return Arrays.clone(publicKey);`
	`13`	`+ return Arrays.concatenate(t, rho);`
`13`	`14`	`}`
`14`	`15`
`15`	`16`	`public byte[] getEncoded()`
`16`	`17`	`{`
`17`	`18`	`return getPublicKey();`
`18`	`19`	`}`
`19`	`20`
`20`		`- public KyberPublicKeyParameters(KyberParameters params, byte[] publicKey)`
	`21`	`+ public KyberPublicKeyParameters(KyberParameters params, byte[] t, byte[] rho)`
`21`	`22`	`{`
`22`	`23`	`super(false, params);`
`23`		`- this.publicKey = Arrays.clone(publicKey);`
	`24`	`+ this.t = Arrays.clone(t);`
	`25`	`+ this.rho = Arrays.clone(rho);`
	`26`	`+ }`
	`27`	`+`
	`28`	`+ public KyberPublicKeyParameters(KyberParameters params, byte[] encoding)`
	`29`	`+ {`
	`30`	`+ super(false, params);`
	`31`	`+ this.t = Arrays.copyOfRange(encoding,0, encoding.length - KyberEngine.KyberSymBytes);`
	`32`	`+ this.rho = Arrays.copyOfRange(encoding, encoding.length - KyberEngine.KyberSymBytes, encoding.length);`
	`33`	`+ }`
	`34`	`+`
	`35`	`+ public byte[] getT()`
	`36`	`+ {`
	`37`	`+ return Arrays.clone(t);`
	`38`	`+ }`
	`39`	`+`
	`40`	`+ public byte[] getRho()`
	`41`	`+ {`
	`42`	`+ return Arrays.clone(rho);`
`24`	`43`	`}`
`25`	`44`	`}`
Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,6 @@`
`5`	`5`	`public class FalconPublicKeyParameters`
`6`	`6`	`extends FalconKeyParameters`
`7`	`7`	`{`
`8`		`-`
`9`	`8`	`private byte[] H;`
`10`	`9`
`11`	`10`	`public FalconPublicKeyParameters(FalconParameters parameters, byte[] H)`
Original file line number	Diff line number	Diff line change
`@@ -188,8 +188,7 @@ else if (publicKey instanceof SABERPublicKeyParameters)`
`188`	`188`	`byte[] encoding = params.getEncoded();`
`189`	`189`
`190`	`190`	`AlgorithmIdentifier algorithmIdentifier = new AlgorithmIdentifier(Utils.saberOidLookup(params.getParameters()));`
`191`		`-`
`192`		`- // https://datatracker.ietf.org/doc/draft-uni-qsckeys/`
	`191`	`+`
`193`	`192`	`return new SubjectPublicKeyInfo(algorithmIdentifier, new DERSequence(new DEROctetString(encoding)));`
`194`	`193`	`}`
`195`	`194`	`else if (publicKey instanceof PicnicPublicKeyParameters)`
`@@ -231,10 +230,11 @@ else if (publicKey instanceof KyberPublicKeyParameters)`
`231`	`230`	`{`
`232`	`231`	`KyberPublicKeyParameters params = (KyberPublicKeyParameters)publicKey;`
`233`	`232`
`234`		`- byte[] encoding = params.getEncoded();`
`235`	`233`	`AlgorithmIdentifier algorithmIdentifier = new AlgorithmIdentifier(Utils.kyberOidLookup(params.getParameters()));`
`236`		`-`
`237`		`- return new SubjectPublicKeyInfo(algorithmIdentifier, new DEROctetString(encoding));`
	`234`	`+ ASN1EncodableVector v = new ASN1EncodableVector();`
	`235`	`+ v.add(new DEROctetString(params.getT()));`
	`236`	`+ v.add(new DEROctetString(params.getRho()));`
	`237`	`+ return new SubjectPublicKeyInfo(algorithmIdentifier, new DERSequence(v));`
`238`	`238`	`}`
`239`	`239`	`else if (publicKey instanceof NTRULPRimePublicKeyParameters)`
`240`	`240`	`{`