added both check for key/seed verification for ML-KEM and ML-DSA.

Author: dghgit

core/src/main/java/org/bouncycastle/pqc/crypto/util/PrivateKeyFactory.java

@@ -11,7 +11,6 @@
 import org.bouncycastle.asn1.ASN1OctetString;
 import org.bouncycastle.asn1.ASN1Primitive;
 import org.bouncycastle.asn1.ASN1Sequence;
-import org.bouncycastle.asn1.ASN1TaggedObject;
 import org.bouncycastle.asn1.DEROctetString;
 import org.bouncycastle.asn1.bc.BCObjectIdentifiers;
 import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
@@ -49,6 +48,7 @@
 import org.bouncycastle.pqc.crypto.mldsa.MLDSAPublicKeyParameters;
 import org.bouncycastle.pqc.crypto.mlkem.MLKEMParameters;
 import org.bouncycastle.pqc.crypto.mlkem.MLKEMPrivateKeyParameters;
+import org.bouncycastle.pqc.crypto.mlkem.MLKEMPublicKeyParameters;
 import org.bouncycastle.pqc.crypto.newhope.NHPrivateKeyParameters;
 import org.bouncycastle.pqc.crypto.ntru.NTRUParameters;
 import org.bouncycastle.pqc.crypto.ntru.NTRUPrivateKeyParameters;
@@ -92,7 +92,7 @@ public class PrivateKeyFactory
      * @throws IOException on an error decoding the key
      */
     public static AsymmetricKeyParameter createKey(byte[] privateKeyInfoData)
-            throws IOException
+        throws IOException
     {
         if (privateKeyInfoData == null)
         {
@@ -114,7 +114,7 @@ public static AsymmetricKeyParameter createKey(byte[] privateKeyInfoData)
      * @throws IOException on an error decoding the key
      */
     public static AsymmetricKeyParameter createKey(InputStream inStr)
-            throws IOException
+        throws IOException
     {
         return createKey(PrivateKeyInfo.getInstance(new ASN1InputStream(inStr).readObject()));
     }
@@ -127,7 +127,7 @@ public static AsymmetricKeyParameter createKey(InputStream inStr)
      * @throws IOException on an error decoding the key
      */
     public static AsymmetricKeyParameter createKey(PrivateKeyInfo keyInfo)
-            throws IOException
+        throws IOException
     {
         if (keyInfo == null)
         {
@@ -146,7 +146,7 @@ public static AsymmetricKeyParameter createKey(PrivateKeyInfo keyInfo)
         else if (algOID.equals(PQCObjectIdentifiers.sphincs256))
         {
             return new SPHINCSPrivateKeyParameters(ASN1OctetString.getInstance(keyInfo.parsePrivateKey()).getOctets(),
-                    Utils.sphincs256LookupTreeAlgName(SPHINCS256KeyParams.getInstance(algId.getParameters())));
+                Utils.sphincs256LookupTreeAlgName(SPHINCS256KeyParams.getInstance(algId.getParameters())));
         }
         else if (algOID.equals(PQCObjectIdentifiers.newHope))
         {
@@ -176,7 +176,7 @@ else if (algOID.on(BCObjectIdentifiers.sphincsPlus) || algOID.on(BCObjectIdentif
                 SPHINCSPLUSPrivateKey spKey = SPHINCSPLUSPrivateKey.getInstance(obj);
                 SPHINCSPLUSPublicKey publicKey = spKey.getPublicKey();
                 return new SPHINCSPlusPrivateKeyParameters(spParams, spKey.getSkseed(), spKey.getSkprf(),
-                        publicKey.getPkseed(), publicKey.getPkroot());
+                    publicKey.getPkseed(), publicKey.getPkroot());
             }
             else
             {
@@ -226,24 +226,29 @@ else if (algOID.on(BCObjectIdentifiers.pqc_kem_ntru))
             return new NTRUPrivateKeyParameters(spParams, keyEnc);
         }
         else if (algOID.equals(NISTObjectIdentifiers.id_alg_ml_kem_512) ||
-                algOID.equals(NISTObjectIdentifiers.id_alg_ml_kem_768) ||
-                algOID.equals(NISTObjectIdentifiers.id_alg_ml_kem_1024))
+            algOID.equals(NISTObjectIdentifiers.id_alg_ml_kem_768) ||
+            algOID.equals(NISTObjectIdentifiers.id_alg_ml_kem_1024))
         {
             ASN1Primitive mlkemKey = parsePrimitiveString(keyInfo.getPrivateKey(), 64);
             MLKEMParameters mlkemParams = Utils.mlkemParamsLookup(algOID);
 
+            MLKEMPublicKeyParameters pubParams = null;
+            if (keyInfo.getPublicKeyData() != null)
+            {
+                pubParams = PublicKeyFactory.MLKEMConverter.getPublicKeyParams(mlkemParams, keyInfo.getPublicKeyData());
+            }
+
             if (mlkemKey instanceof ASN1Sequence)
             {
                 ASN1Sequence keySeq = ASN1Sequence.getInstance(mlkemKey);
 
-                if (keySeq.getObjectAt(0) instanceof ASN1OctetString)
-                {
-                    return new MLKEMPrivateKeyParameters(mlkemParams, ASN1OctetString.getInstance(keySeq.getObjectAt(0)).getOctets());
-                }
-                else
+                MLKEMPrivateKeyParameters mlkemPriv = new MLKEMPrivateKeyParameters(mlkemParams, ASN1OctetString.getInstance(keySeq.getObjectAt(0)).getOctets(), pubParams);
+                if (!Arrays.constantTimeAreEqual(mlkemPriv.getEncoded(), ASN1OctetString.getInstance(keySeq.getObjectAt(1)).getOctets()))
                 {
-                    return new MLKEMPrivateKeyParameters(mlkemParams, ASN1OctetString.getInstance((ASN1TaggedObject)keySeq.getObjectAt(0), false).getOctets());
+                    throw new IllegalStateException("seed/expanded-key mismatch");
                 }
+
+                return mlkemPriv;
             }
             else if (mlkemKey instanceof ASN1OctetString)
             {
@@ -259,10 +264,10 @@ else if (algOID.on(BCObjectIdentifiers.pqc_kem_ntrulprime))
             NTRULPRimeParameters spParams = Utils.ntrulprimeParamsLookup(algOID);
 
             return new NTRULPRimePrivateKeyParameters(spParams,
-                    ASN1OctetString.getInstance(keyEnc.getObjectAt(0)).getOctets(),
-                    ASN1OctetString.getInstance(keyEnc.getObjectAt(1)).getOctets(),
-                    ASN1OctetString.getInstance(keyEnc.getObjectAt(2)).getOctets(),
-                    ASN1OctetString.getInstance(keyEnc.getObjectAt(3)).getOctets());
+                ASN1OctetString.getInstance(keyEnc.getObjectAt(0)).getOctets(),
+                ASN1OctetString.getInstance(keyEnc.getObjectAt(1)).getOctets(),
+                ASN1OctetString.getInstance(keyEnc.getObjectAt(2)).getOctets(),
+                ASN1OctetString.getInstance(keyEnc.getObjectAt(3)).getOctets());
         }
         else if (algOID.on(BCObjectIdentifiers.pqc_kem_sntruprime))
         {
@@ -271,11 +276,11 @@ else if (algOID.on(BCObjectIdentifiers.pqc_kem_sntruprime))
             SNTRUPrimeParameters spParams = Utils.sntruprimeParamsLookup(algOID);
 
             return new SNTRUPrimePrivateKeyParameters(spParams,
-                    ASN1OctetString.getInstance(keyEnc.getObjectAt(0)).getOctets(),
-                    ASN1OctetString.getInstance(keyEnc.getObjectAt(1)).getOctets(),
-                    ASN1OctetString.getInstance(keyEnc.getObjectAt(2)).getOctets(),
-                    ASN1OctetString.getInstance(keyEnc.getObjectAt(3)).getOctets(),
-                    ASN1OctetString.getInstance(keyEnc.getObjectAt(4)).getOctets());
+                ASN1OctetString.getInstance(keyEnc.getObjectAt(0)).getOctets(),
+                ASN1OctetString.getInstance(keyEnc.getObjectAt(1)).getOctets(),
+                ASN1OctetString.getInstance(keyEnc.getObjectAt(2)).getOctets(),
+                ASN1OctetString.getInstance(keyEnc.getObjectAt(3)).getOctets(),
+                ASN1OctetString.getInstance(keyEnc.getObjectAt(4)).getOctets());
         }
         else if (Utils.mldsaParams.containsKey(algOID))
         {
@@ -298,22 +303,21 @@ else if (keyObj instanceof ASN1Sequence)
             {
                 ASN1Sequence keySeq = ASN1Sequence.getInstance(keyObj);
 
-                if (keySeq.getObjectAt(0) instanceof ASN1OctetString)
-                {
-                    return new MLDSAPrivateKeyParameters(spParams, ASN1OctetString.getInstance(keySeq.getObjectAt(0)).getOctets(), pubParams);
-                }
-                else
+                MLDSAPrivateKeyParameters mldsaPriv = new MLDSAPrivateKeyParameters(spParams, ASN1OctetString.getInstance(keySeq.getObjectAt(0)).getOctets(), pubParams);
+                if (!Arrays.constantTimeAreEqual(mldsaPriv.getEncoded(), ASN1OctetString.getInstance(keySeq.getObjectAt(1)).getOctets()))
                 {
-                    return new MLDSAPrivateKeyParameters(spParams, ASN1OctetString.getInstance((ASN1TaggedObject)keySeq.getObjectAt(0), false).getOctets(), pubParams);
+                    throw new IllegalStateException("seed/expanded-key mismatch");
                 }
+
+                return mldsaPriv;
             }
             else
             {
                 throw new IOException("not supported");
             }
         }
         else if (algOID.equals(BCObjectIdentifiers.dilithium2)
-                || algOID.equals(BCObjectIdentifiers.dilithium3) || algOID.equals(BCObjectIdentifiers.dilithium5))
+            || algOID.equals(BCObjectIdentifiers.dilithium3) || algOID.equals(BCObjectIdentifiers.dilithium5))
         {
             ASN1Encodable keyObj = keyInfo.parsePrivateKey();
             DilithiumParameters dilParams = Utils.dilithiumParamsLookup(algOID);
@@ -333,24 +337,24 @@ else if (algOID.equals(BCObjectIdentifiers.dilithium2)
                     DilithiumPublicKeyParameters pubParams = PublicKeyFactory.DilithiumConverter.getPublicKeyParams(dilParams, keyInfo.getPublicKeyData());
 
                     return new DilithiumPrivateKeyParameters(dilParams,
-                            ASN1BitString.getInstance(keyEnc.getObjectAt(1)).getOctets(),
-                            ASN1BitString.getInstance(keyEnc.getObjectAt(2)).getOctets(),
-                            ASN1BitString.getInstance(keyEnc.getObjectAt(3)).getOctets(),
-                            ASN1BitString.getInstance(keyEnc.getObjectAt(4)).getOctets(),
-                            ASN1BitString.getInstance(keyEnc.getObjectAt(5)).getOctets(),
-                            ASN1BitString.getInstance(keyEnc.getObjectAt(6)).getOctets(),
-                            pubParams.getT1()); // encT1
+                        ASN1BitString.getInstance(keyEnc.getObjectAt(1)).getOctets(),
+                        ASN1BitString.getInstance(keyEnc.getObjectAt(2)).getOctets(),
+                        ASN1BitString.getInstance(keyEnc.getObjectAt(3)).getOctets(),
+                        ASN1BitString.getInstance(keyEnc.getObjectAt(4)).getOctets(),
+                        ASN1BitString.getInstance(keyEnc.getObjectAt(5)).getOctets(),
+                        ASN1BitString.getInstance(keyEnc.getObjectAt(6)).getOctets(),
+                        pubParams.getT1()); // encT1
                 }
                 else
                 {
                     return new DilithiumPrivateKeyParameters(dilParams,
-                            ASN1BitString.getInstance(keyEnc.getObjectAt(1)).getOctets(),
-                            ASN1BitString.getInstance(keyEnc.getObjectAt(2)).getOctets(),
-                            ASN1BitString.getInstance(keyEnc.getObjectAt(3)).getOctets(),
-                            ASN1BitString.getInstance(keyEnc.getObjectAt(4)).getOctets(),
-                            ASN1BitString.getInstance(keyEnc.getObjectAt(5)).getOctets(),
-                            ASN1BitString.getInstance(keyEnc.getObjectAt(6)).getOctets(),
-                            null);
+                        ASN1BitString.getInstance(keyEnc.getObjectAt(1)).getOctets(),
+                        ASN1BitString.getInstance(keyEnc.getObjectAt(2)).getOctets(),
+                        ASN1BitString.getInstance(keyEnc.getObjectAt(3)).getOctets(),
+                        ASN1BitString.getInstance(keyEnc.getObjectAt(4)).getOctets(),
+                        ASN1BitString.getInstance(keyEnc.getObjectAt(5)).getOctets(),
+                        ASN1BitString.getInstance(keyEnc.getObjectAt(6)).getOctets(),
+                        null);
                 }
             }
             else if (keyObj instanceof DEROctetString)
@@ -409,12 +413,12 @@ else if (algOID.equals(PQCObjectIdentifiers.xmss))
             try
             {
                 XMSSPrivateKeyParameters.Builder keyBuilder = new XMSSPrivateKeyParameters
-                        .Builder(new XMSSParameters(keyParams.getHeight(), Utils.getDigest(treeDigest)))
-                        .withIndex(xmssPrivateKey.getIndex())
-                        .withSecretKeySeed(xmssPrivateKey.getSecretKeySeed())
-                        .withSecretKeyPRF(xmssPrivateKey.getSecretKeyPRF())
-                        .withPublicSeed(xmssPrivateKey.getPublicSeed())
-                        .withRoot(xmssPrivateKey.getRoot());
+                    .Builder(new XMSSParameters(keyParams.getHeight(), Utils.getDigest(treeDigest)))
+                    .withIndex(xmssPrivateKey.getIndex())
+                    .withSecretKeySeed(xmssPrivateKey.getSecretKeySeed())
+                    .withSecretKeyPRF(xmssPrivateKey.getSecretKeyPRF())
+                    .withPublicSeed(xmssPrivateKey.getPublicSeed())
+                    .withRoot(xmssPrivateKey.getRoot());
 
                 if (xmssPrivateKey.getVersion() != 0)
                 {
@@ -423,7 +427,7 @@ else if (algOID.equals(PQCObjectIdentifiers.xmss))
 
                 if (xmssPrivateKey.getBdsState() != null)
                 {
-                    BDS bds = (BDS) XMSSUtil.deserialize(xmssPrivateKey.getBdsState(), BDS.class);
+                    BDS bds = (BDS)XMSSUtil.deserialize(xmssPrivateKey.getBdsState(), BDS.class);
                     keyBuilder.withBDSState(bds.withWOTSDigest(treeDigest));
                 }
 
@@ -444,12 +448,12 @@ else if (algOID.equals(PQCObjectIdentifiers.xmss_mt))
                 XMSSMTPrivateKey xmssMtPrivateKey = XMSSMTPrivateKey.getInstance(keyInfo.parsePrivateKey());
 
                 XMSSMTPrivateKeyParameters.Builder keyBuilder = new XMSSMTPrivateKeyParameters
-                        .Builder(new XMSSMTParameters(keyParams.getHeight(), keyParams.getLayers(), Utils.getDigest(treeDigest)))
-                        .withIndex(xmssMtPrivateKey.getIndex())
-                        .withSecretKeySeed(xmssMtPrivateKey.getSecretKeySeed())
-                        .withSecretKeyPRF(xmssMtPrivateKey.getSecretKeyPRF())
-                        .withPublicSeed(xmssMtPrivateKey.getPublicSeed())
-                        .withRoot(xmssMtPrivateKey.getRoot());
+                    .Builder(new XMSSMTParameters(keyParams.getHeight(), keyParams.getLayers(), Utils.getDigest(treeDigest)))
+                    .withIndex(xmssMtPrivateKey.getIndex())
+                    .withSecretKeySeed(xmssMtPrivateKey.getSecretKeySeed())
+                    .withSecretKeyPRF(xmssMtPrivateKey.getSecretKeyPRF())
+                    .withPublicSeed(xmssMtPrivateKey.getPublicSeed())
+                    .withRoot(xmssMtPrivateKey.getRoot());
 
                 if (xmssMtPrivateKey.getVersion() != 0)
                 {
@@ -458,7 +462,7 @@ else if (algOID.equals(PQCObjectIdentifiers.xmss_mt))
 
                 if (xmssMtPrivateKey.getBdsState() != null)
                 {
-                    BDSStateMap bdsState = (BDSStateMap) XMSSUtil.deserialize(xmssMtPrivateKey.getBdsState(), BDSStateMap.class);
+                    BDSStateMap bdsState = (BDSStateMap)XMSSUtil.deserialize(xmssMtPrivateKey.getBdsState(), BDSStateMap.class);
                     keyBuilder.withBDSState(bdsState.withWOTSDigest(treeDigest));
                 }
 
@@ -528,7 +532,7 @@ private static ASN1Primitive parsePrimitiveString(ASN1OctetString octStr, int ex
         // possible internal OCTET STRING, possibly long form with or without the internal OCTET STRING
         // or possible SEQUENCE
         ASN1Encodable obj = Utils.parseData(data);
-      
+
         if (obj instanceof ASN1OctetString)
         {
             return ASN1OctetString.getInstance(obj);

core/src/main/java/org/bouncycastle/pqc/crypto/util/PublicKeyFactory.java

@@ -186,12 +186,12 @@ public class PublicKeyFactory
         converters.put(BCObjectIdentifiers.ntruhrss1373, new NtruConverter());
         converters.put(BCObjectIdentifiers.falcon_512, new FalconConverter());
         converters.put(BCObjectIdentifiers.falcon_1024, new FalconConverter());
-        converters.put(NISTObjectIdentifiers.id_alg_ml_kem_512, new KyberConverter());
-        converters.put(NISTObjectIdentifiers.id_alg_ml_kem_768, new KyberConverter());
-        converters.put(NISTObjectIdentifiers.id_alg_ml_kem_1024, new KyberConverter());
-        converters.put(BCObjectIdentifiers.kyber512_aes, new KyberConverter());
-        converters.put(BCObjectIdentifiers.kyber768_aes, new KyberConverter());
-        converters.put(BCObjectIdentifiers.kyber1024_aes, new KyberConverter());
+        converters.put(NISTObjectIdentifiers.id_alg_ml_kem_512, new MLKEMConverter());
+        converters.put(NISTObjectIdentifiers.id_alg_ml_kem_768, new MLKEMConverter());
+        converters.put(NISTObjectIdentifiers.id_alg_ml_kem_1024, new MLKEMConverter());
+        converters.put(BCObjectIdentifiers.kyber512_aes, new MLKEMConverter());
+        converters.put(BCObjectIdentifiers.kyber768_aes, new MLKEMConverter());
+        converters.put(BCObjectIdentifiers.kyber1024_aes, new MLKEMConverter());
         converters.put(BCObjectIdentifiers.ntrulpr653, new NTRULPrimeConverter());
         converters.put(BCObjectIdentifiers.ntrulpr761, new NTRULPrimeConverter());
         converters.put(BCObjectIdentifiers.ntrulpr857, new NTRULPrimeConverter());
@@ -602,7 +602,7 @@ AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Obje
         }
     }
 
-    private static class KyberConverter
+    static class MLKEMConverter
         extends SubjectPublicKeyInfoConverter
     {
         AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Object defaultParams)
@@ -623,6 +623,33 @@ AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Obje
                 return new MLKEMPublicKeyParameters(kyberParameters, keyInfo.getPublicKeyData().getOctets());
             }
         }
+
+        static MLKEMPublicKeyParameters getPublicKeyParams(MLKEMParameters dilithiumParams, ASN1BitString publicKeyData)
+        {
+            try
+            {
+                ASN1Primitive obj = ASN1Primitive.fromByteArray(publicKeyData.getOctets());
+                if (obj instanceof ASN1Sequence)
+                {
+                    ASN1Sequence keySeq = ASN1Sequence.getInstance(obj);
+
+                    return new MLKEMPublicKeyParameters(dilithiumParams,
+                        ASN1OctetString.getInstance(keySeq.getObjectAt(0)).getOctets(),
+                        ASN1OctetString.getInstance(keySeq.getObjectAt(1)).getOctets());
+                }
+                else
+                {
+                    byte[] encKey = ASN1OctetString.getInstance(obj).getOctets();
+
+                    return new MLKEMPublicKeyParameters(dilithiumParams, encKey);
+                }
+            }
+            catch (Exception e)
+            {
+                // we're a raw encoding
+                return new MLKEMPublicKeyParameters(dilithiumParams, publicKeyData.getOctets());
+            }
+        }
     }
 
     private static class NTRULPrimeConverter

prov/src/main/java/org/bouncycastle/pqc/jcajce/provider/util/BaseKeyFactorySpi.java

@@ -64,6 +64,10 @@ public PrivateKey engineGeneratePrivate(KeySpec keySpec)
             {
                 throw e;
             }
+            catch (IllegalStateException e)
+            {
+                throw new InvalidKeySpecException(e.getMessage());
+            }
             catch (Exception e)
             {
                 throw new InvalidKeySpecException(e.toString());