Merge branch 'main' into 1836-openpgp-unpacking-time

Author: gefeili

core/src/main/java/org/bouncycastle/pqc/crypto/lms/HSSPrivateKeyParameters.java

@@ -26,6 +26,23 @@ public class HSSPrivateKeyParameters
 
     private HSSPublicKeyParameters publicKey;
 
+    public HSSPrivateKeyParameters(LMSPrivateKeyParameters key, long index, long indexLimit)
+    {
+        super(true);
+
+        this.l = 1;
+        this.keys = Collections.singletonList(key);
+        this.sig = Collections.emptyList();
+        this.index = index;
+        this.indexLimit = indexLimit;
+        this.isShard = false;
+
+        //
+        // Correct Intermediate LMS values will be constructed during reset to index.
+        //
+        resetKeyToIndex();
+    }
+
     public HSSPrivateKeyParameters(int l, List<LMSPrivateKeyParameters> keys, List<LMSSignature> sig, long index, long indexLimit)
     {
         super(true);
@@ -104,7 +121,16 @@ else if (src instanceof byte[])
             try // 1.5 / 1.6 compatibility
             {
                 in = new DataInputStream(new ByteArrayInputStream((byte[])src));
-                return getInstance(in);
+                try
+                {
+                    return getInstance(in);
+                }
+                catch (Exception e)
+                {
+                    // old style single LMS key.
+                    LMSPrivateKeyParameters lmsKey = LMSPrivateKeyParameters.getInstance(src);
+                    return new HSSPrivateKeyParameters(lmsKey, lmsKey.getIndex(), lmsKey.getIndex() + lmsKey.getUsagesRemaining());
+                }
             }
             finally
             {

core/src/main/java/org/bouncycastle/pqc/crypto/util/PrivateKeyFactory.java

@@ -1,6 +1,5 @@
 package org.bouncycastle.pqc.crypto.util;
 
-import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 
@@ -12,7 +11,6 @@
 import org.bouncycastle.asn1.ASN1OctetString;
 import org.bouncycastle.asn1.ASN1Primitive;
 import org.bouncycastle.asn1.ASN1Sequence;
-import org.bouncycastle.asn1.BERTags;
 import org.bouncycastle.asn1.DEROctetString;
 import org.bouncycastle.asn1.bc.BCObjectIdentifiers;
 import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
@@ -45,7 +43,6 @@
 import org.bouncycastle.pqc.crypto.hqc.HQCParameters;
 import org.bouncycastle.pqc.crypto.hqc.HQCPrivateKeyParameters;
 import org.bouncycastle.pqc.crypto.lms.HSSPrivateKeyParameters;
-import org.bouncycastle.pqc.crypto.lms.LMSPrivateKeyParameters;
 import org.bouncycastle.pqc.crypto.mldsa.MLDSAParameters;
 import org.bouncycastle.pqc.crypto.mldsa.MLDSAPrivateKeyParameters;
 import org.bouncycastle.pqc.crypto.mldsa.MLDSAPublicKeyParameters;
@@ -156,29 +153,17 @@ else if (algOID.equals(PQCObjectIdentifiers.newHope))
         }
         else if (algOID.equals(PKCSObjectIdentifiers.id_alg_hss_lms_hashsig))
         {
-            byte[] keyEnc = ASN1OctetString.getInstance(keyInfo.parsePrivateKey()).getOctets();
+            ASN1OctetString lmsKey = parseOctetString(keyInfo.getPrivateKey(), 64);
+            byte[] keyEnc = lmsKey.getOctets();
             ASN1BitString pubKey = keyInfo.getPublicKeyData();
 
-            if (Pack.bigEndianToInt(keyEnc, 0) == 1)
+            if (pubKey != null)
             {
-                if (pubKey != null)
-                {
-                    byte[] pubEnc = pubKey.getOctets();
+                byte[] pubEnc = pubKey.getOctets();
 
-                    return LMSPrivateKeyParameters.getInstance(Arrays.copyOfRange(keyEnc, 4, keyEnc.length), Arrays.copyOfRange(pubEnc, 4, pubEnc.length));
-                }
-                return LMSPrivateKeyParameters.getInstance(Arrays.copyOfRange(keyEnc, 4, keyEnc.length));
-            }
-            else
-            {
-                if (pubKey != null)
-                {
-                    byte[] pubEnc = pubKey.getOctets();
-
-                    return HSSPrivateKeyParameters.getInstance(Arrays.copyOfRange(keyEnc, 4, keyEnc.length), pubEnc);
-                }
-                return HSSPrivateKeyParameters.getInstance(Arrays.copyOfRange(keyEnc, 4, keyEnc.length));
+                return HSSPrivateKeyParameters.getInstance(Arrays.copyOfRange(keyEnc, 4, keyEnc.length), pubEnc);
             }
+            return HSSPrivateKeyParameters.getInstance(Arrays.copyOfRange(keyEnc, 4, keyEnc.length));
         }
         else if (algOID.on(BCObjectIdentifiers.sphincsPlus) || algOID.on(BCObjectIdentifiers.sphincsPlus_interop))
         {
@@ -466,6 +451,7 @@ else if (algOID.equals(PQCObjectIdentifiers.mcElieceCca2))
      * So it seems for the new PQC algorithms, there's a couple of approaches to what goes in the OCTET STRING
      */
     private static ASN1OctetString parseOctetString(ASN1OctetString octStr, int expectedLength)
+        throws IOException
     {
         byte[] data = octStr.getOctets();
         //
@@ -478,37 +464,15 @@ private static ASN1OctetString parseOctetString(ASN1OctetString octStr, int expe
 
         //
         // possible internal OCTET STRING, possibly long form with or without the internal OCTET STRING
-        ByteArrayInputStream bIn = new ByteArrayInputStream(data);
-
-        int tag = bIn.read();
-        int len = readLen(bIn);
-        if (tag == BERTags.OCTET_STRING)
+        data = Utils.readOctetString(data);
+        if (data != null)
         {
-            if (len == bIn.available())
-            {
-                return ASN1OctetString.getInstance(data);
-            }
+            return new DEROctetString(data);
         }
 
         return octStr;
     }
-
-    private static int readLen(ByteArrayInputStream bIn)
-    {
-        int length = bIn.read();
-        if (length != (length & 0x7f))
-        {
-            int count = length & 0x7f;
-            length = 0;
-            while (count-- != 0)
-            {
-                length = (length << 8) + bIn.read();
-            }
-        }
-
-        return length;
-    }
-
+    
     private static short[] convert(byte[] octets)
     {
         short[] rv = new short[octets.length / 2];

core/src/main/java/org/bouncycastle/pqc/crypto/util/PublicKeyFactory.java

@@ -39,7 +39,7 @@
 import org.bouncycastle.pqc.crypto.hqc.HQCParameters;
 import org.bouncycastle.pqc.crypto.hqc.HQCPublicKeyParameters;
 import org.bouncycastle.pqc.crypto.lms.HSSPublicKeyParameters;
-import org.bouncycastle.pqc.crypto.lms.LMSPublicKeyParameters;
+import org.bouncycastle.pqc.crypto.lms.LMSKeyParameters;
 import org.bouncycastle.pqc.crypto.mldsa.MLDSAParameters;
 import org.bouncycastle.pqc.crypto.mldsa.MLDSAPublicKeyParameters;
 import org.bouncycastle.pqc.crypto.mlkem.MLKEMParameters;
@@ -131,7 +131,7 @@ public class PublicKeyFactory
         converters.put(BCObjectIdentifiers.sphincsPlus_shake_256s, new SPHINCSPlusConverter());
         converters.put(BCObjectIdentifiers.sphincsPlus_shake_256f, new SPHINCSPlusConverter());
         converters.put(new ASN1ObjectIdentifier("1.3.9999.6.4.10"), new SPHINCSPlusConverter());
-        
+
         converters.put(BCObjectIdentifiers.mceliece348864_r3, new CMCEConverter());
         converters.put(BCObjectIdentifiers.mceliece348864f_r3, new CMCEConverter());
         converters.put(BCObjectIdentifiers.mceliece460896_r3, new CMCEConverter());
@@ -437,21 +437,25 @@ private static class LMSConverter
         AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Object defaultParams)
             throws IOException
         {
-            byte[] keyEnc = ASN1OctetString.getInstance(keyInfo.parsePublicKey()).getOctets();
+            byte[] keyEnc = keyInfo.getPublicKeyData().getOctets();
+            byte[] data = Utils.readOctetString(keyEnc);
 
-            if (Pack.bigEndianToInt(keyEnc, 0) == 1)
+            if (data != null)
             {
-                return LMSPublicKeyParameters.getInstance(Arrays.copyOfRange(keyEnc, 4, keyEnc.length));
+                return getLmsKeyParameters(data);
             }
-            else
+
+            return getLmsKeyParameters(keyEnc);
+        }
+
+        private LMSKeyParameters getLmsKeyParameters(byte[] keyEnc)
+            throws IOException
+        {
+            if (keyEnc.length == 64)
             {
-                // public key with extra tree height
-                if (keyEnc.length == 64)
-                {
-                    keyEnc = Arrays.copyOfRange(keyEnc, 4, keyEnc.length);
-                }
-                return HSSPublicKeyParameters.getInstance(keyEnc);
+                keyEnc = Arrays.copyOfRange(keyEnc, 4, keyEnc.length);
             }
+            return HSSPublicKeyParameters.getInstance(keyEnc);
         }
     }
 
@@ -495,7 +499,7 @@ AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Obje
                 return new CMCEPublicKeyParameters(spParams, keyEnc);
             }
             catch (Exception e)
-            {        
+            {
                 byte[] keyEnc = keyInfo.getPublicKeyData().getOctets();
 
                 CMCEParameters spParams = Utils.mcElieceParamsLookup(keyInfo.getAlgorithm().getAlgorithm());
@@ -506,13 +510,13 @@ AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Obje
     }
 
     private static class SABERConverter
-            extends SubjectPublicKeyInfoConverter
+        extends SubjectPublicKeyInfoConverter
     {
         AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Object defaultParams)
-                throws IOException
+            throws IOException
         {
             byte[] keyEnc = ASN1OctetString.getInstance(
-                    ASN1Sequence.getInstance(keyInfo.parsePublicKey()).getObjectAt(0)).getOctets();
+                ASN1Sequence.getInstance(keyInfo.parsePublicKey()).getObjectAt(0)).getOctets();
 
             SABERParameters saberParams = Utils.saberParamsLookup(keyInfo.getAlgorithm().getAlgorithm());
 
@@ -533,10 +537,10 @@ AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Obje
     }
 
     private static class FrodoConverter
-            extends SubjectPublicKeyInfoConverter
+        extends SubjectPublicKeyInfoConverter
     {
         AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Object defaultParams)
-                throws IOException
+            throws IOException
         {
             byte[] keyEnc = ASN1OctetString.getInstance(keyInfo.parsePublicKey()).getOctets();
 
@@ -547,10 +551,10 @@ AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Obje
     }
 
     private static class PicnicConverter
-            extends SubjectPublicKeyInfoConverter
+        extends SubjectPublicKeyInfoConverter
     {
         AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Object defaultParams)
-                throws IOException
+            throws IOException
         {
             byte[] keyEnc = ASN1OctetString.getInstance(keyInfo.parsePublicKey()).getOctets();
 
@@ -566,7 +570,19 @@ private static class NtruConverter
         AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Object defaultParams)
             throws IOException
         {
-            byte[] keyEnc = ASN1OctetString.getInstance(keyInfo.parsePublicKey()).getOctets();
+            byte[] keyEnc = keyInfo.getPublicKeyData().getOctets();
+            byte[] data = Utils.readOctetString(keyEnc);
+
+            if (data != null)
+            {
+                return getNtruPublicKeyParameters(keyInfo, data);
+            }
+
+            return getNtruPublicKeyParameters(keyInfo, keyEnc);
+        }
+
+        private NTRUPublicKeyParameters getNtruPublicKeyParameters(SubjectPublicKeyInfo keyInfo, byte[] keyEnc)
+        {
 
             NTRUParameters ntruParams = Utils.ntruParamsLookup(keyInfo.getAlgorithm().getAlgorithm());
 
@@ -640,7 +656,7 @@ AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Obje
             return new SNTRUPrimePublicKeyParameters(ntruLPRimeParams, keyEnc);
         }
     }
-    
+
     static class DilithiumConverter
         extends SubjectPublicKeyInfoConverter
     {
@@ -720,10 +736,10 @@ static MLDSAPublicKeyParameters getPublicKeyParams(MLDSAParameters dilithiumPara
     }
 
     private static class BIKEConverter
-            extends SubjectPublicKeyInfoConverter
+        extends SubjectPublicKeyInfoConverter
     {
         AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Object defaultParams)
-                throws IOException
+            throws IOException
         {
             try
             {
@@ -745,10 +761,10 @@ AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Obje
     }
 
     private static class HQCConverter
-            extends SubjectPublicKeyInfoConverter
+        extends SubjectPublicKeyInfoConverter
     {
         AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Object defaultParams)
-                throws IOException
+            throws IOException
         {
             try
             {

core/src/main/java/org/bouncycastle/pqc/crypto/util/SubjectPublicKeyInfoFactory.java

@@ -91,7 +91,7 @@ else if (publicKey instanceof LMSPublicKeyParameters)
             byte[] encoding = Composer.compose().u32str(1).bytes(params).build();
 
             AlgorithmIdentifier algorithmIdentifier = new AlgorithmIdentifier(PKCSObjectIdentifiers.id_alg_hss_lms_hashsig);
-            return new SubjectPublicKeyInfo(algorithmIdentifier, new DEROctetString(encoding));
+            return new SubjectPublicKeyInfo(algorithmIdentifier, encoding);
         }
         else if (publicKey instanceof HSSPublicKeyParameters)
         {
@@ -100,7 +100,7 @@ else if (publicKey instanceof HSSPublicKeyParameters)
             byte[] encoding = Composer.compose().u32str(params.getL()).bytes(params.getLMSPublicKey()).build();
 
             AlgorithmIdentifier algorithmIdentifier = new AlgorithmIdentifier(PKCSObjectIdentifiers.id_alg_hss_lms_hashsig);
-            return new SubjectPublicKeyInfo(algorithmIdentifier, new DEROctetString(encoding));
+            return new SubjectPublicKeyInfo(algorithmIdentifier, encoding);
         }
         else if (publicKey instanceof SLHDSAPublicKeyParameters)
         {
@@ -215,7 +215,7 @@ else if (publicKey instanceof NTRUPublicKeyParameters)
             byte[] encoding = params.getEncoded();
 
             AlgorithmIdentifier algorithmIdentifier = new AlgorithmIdentifier(Utils.ntruOidLookup(params.getParameters()));
-            return new SubjectPublicKeyInfo(algorithmIdentifier, new DEROctetString(encoding));
+            return new SubjectPublicKeyInfo(algorithmIdentifier, encoding);
         }
         else if (publicKey instanceof FalconPublicKeyParameters)
         {