Merge branch 'main' into pg-synchronize-bc_csharp

# Conflicts:
#	pg/src/main/java/org/bouncycastle/bcpg/PublicKeyPacket.java
#	pg/src/main/java/org/bouncycastle/bcpg/SignaturePacket.java
#	pg/src/main/java/org/bouncycastle/bcpg/StreamUtil.java
#	pg/src/main/java/org/bouncycastle/openpgp/PGPSignatureGenerator.java

Author: gefeili

core/src/main/java/org/bouncycastle/crypto/hpke/DHKEM.java

@@ -36,6 +36,7 @@
 
 
 class DHKEM
+    extends KEM
 {
     private AsymmetricCipherKeyPairGenerator kpGen;
 
@@ -48,6 +49,7 @@ class DHKEM
     private byte bitmask;
     private int Nsk;
     private int Nsecret;
+    private int Nenc;
 
     ECDomainParameters domainParams;
 
@@ -74,7 +76,7 @@ protected DHKEM(short kemid)
             bitmask = (byte)0xff;
             Nsk = 32;
             Nsecret = 32;
-
+            Nenc = 65;
             this.kpGen = new ECKeyPairGenerator();
             this.kpGen.init(new ECKeyGenerationParameters(domainParams, new SecureRandom()));
 
@@ -96,6 +98,7 @@ protected DHKEM(short kemid)
             bitmask = (byte)0xff;
             Nsk = 48;
             Nsecret = 48;
+            Nenc = 97;
 
             this.kpGen = new ECKeyPairGenerator();
             this.kpGen.init(new ECKeyGenerationParameters(domainParams, new SecureRandom()));
@@ -119,6 +122,7 @@ protected DHKEM(short kemid)
             bitmask = 0x01;
             Nsk = 66;
             Nsecret = 64;
+            Nenc = 133;
 
             this.kpGen = new ECKeyPairGenerator();
             this.kpGen.init(new ECKeyGenerationParameters(domainParams, new SecureRandom()));
@@ -129,6 +133,7 @@ protected DHKEM(short kemid)
             this.agreement = new XDHBasicAgreement();
             Nsecret = 32;
             Nsk = 32;
+            Nenc = 32;
             this.kpGen = new X25519KeyPairGenerator();
             this.kpGen.init(new X25519KeyGenerationParameters(new SecureRandom()));
 
@@ -138,6 +143,7 @@ protected DHKEM(short kemid)
             this.agreement = new XDHBasicAgreement();
             Nsecret = 64;
             Nsk = 56;
+            Nenc = 56;
 
             this.kpGen = new X448KeyPairGenerator();
             this.kpGen.init(new X448KeyGenerationParameters(new SecureRandom()));
@@ -242,6 +248,11 @@ public AsymmetricCipherKeyPair DeserializePrivateKey(byte[] skEncoded, byte[] pk
         }
     }
 
+    int getEncryptionSize()
+    {
+        return Nenc;
+    }
+
     private boolean ValidateSk(BigInteger d)
     {
         BigInteger n = domainParams.getN();

core/src/main/java/org/bouncycastle/crypto/hpke/HPKE.java

@@ -40,7 +40,7 @@ public class HPKE
     private final short kemId;
     private final short kdfId;
     private final short aeadId;
-    private final DHKEM dhkem;
+    private final KEM kem;
     private final HKDF hkdf;
 
     short Nk;
@@ -58,7 +58,7 @@ public HPKE(byte mode, short kemId, short kdfId, short aeadId)
         this.kdfId = kdfId;
         this.aeadId = aeadId;
         this.hkdf = new HKDF(kdfId);
-        this.dhkem = new DHKEM(kemId);
+        this.kem = new DHKEM(kemId);
         if (aeadId == aead_AES_GCM128)
         {
             Nk = 16;
@@ -67,25 +67,12 @@ public HPKE(byte mode, short kemId, short kdfId, short aeadId)
         {
             Nk = 32;
         }
+
     }
 
     public int getEncSize()
     {
-        switch (kemId)
-        {
-            case HPKE.kem_P256_SHA256:
-                return 65;
-            case HPKE.kem_P384_SHA348:
-                return 97;
-            case HPKE.kem_P521_SHA512:
-                return 133;
-            case HPKE.kem_X25519_SHA256:
-                return 32;
-            case HPKE.kem_X448_SHA512:
-                return 56;
-            default:
-                throw new IllegalArgumentException("invalid kem id");
-        }
+        return kem.getEncryptionSize();
     }
     public short getAeadId()
     {
@@ -139,32 +126,32 @@ private HPKEContext keySchedule(byte mode, byte[] sharedSecret, byte[] info, byt
 
     public AsymmetricCipherKeyPair generatePrivateKey()
     {
-        return dhkem.GeneratePrivateKey();
+        return kem.GeneratePrivateKey();
     }
 
 
     public byte[] serializePublicKey(AsymmetricKeyParameter pk)
     {
-        return dhkem.SerializePublicKey(pk);
+        return kem.SerializePublicKey(pk);
     }
 
     public byte[] serializePrivateKey(AsymmetricKeyParameter sk)
     {
-        return dhkem.SerializePrivateKey(sk);
+        return kem.SerializePrivateKey(sk);
     }
     public AsymmetricKeyParameter deserializePublicKey(byte[] pkEncoded)
     {
-        return dhkem.DeserializePublicKey(pkEncoded);
+        return kem.DeserializePublicKey(pkEncoded);
     }
 
     public AsymmetricCipherKeyPair deserializePrivateKey(byte[] skEncoded, byte[] pkEncoded)
     {
-        return dhkem.DeserializePrivateKey(skEncoded, pkEncoded);
+        return kem.DeserializePrivateKey(skEncoded, pkEncoded);
     }
 
     public AsymmetricCipherKeyPair deriveKeyPair(byte[] ikm)
     {
-        return dhkem.DeriveKeyPair(ikm);
+        return kem.DeriveKeyPair(ikm);
     }
 
     public byte[][] sendExport(AsymmetricKeyParameter pkR, byte[] info, byte[] exporterContext, int L,
@@ -273,7 +260,7 @@ public byte[] open(byte[] enc, AsymmetricCipherKeyPair skR, byte[] info, byte[]
 
     public HPKEContextWithEncapsulation setupBaseS(AsymmetricKeyParameter pkR, byte[] info)
     {
-        byte[][] output = dhkem.Encap(pkR); // sharedSecret, enc
+        byte[][] output = kem.Encap(pkR); // sharedSecret, enc
         HPKEContext ctx = keySchedule(mode_base, output[0], info, default_psk, default_psk_id);
 
         return new HPKEContextWithEncapsulation(ctx, output[1]);
@@ -283,21 +270,21 @@ public HPKEContextWithEncapsulation setupBaseS(AsymmetricKeyParameter pkR, byte[
     // This should only be used to validate test vectors.
     public HPKEContextWithEncapsulation setupBaseS(AsymmetricKeyParameter pkR, byte[] info, AsymmetricCipherKeyPair kpE)
     {
-        byte[][] output = dhkem.Encap(pkR, kpE); // sharedSecret, enc
+        byte[][] output = kem.Encap(pkR, kpE); // sharedSecret, enc
         HPKEContext ctx = keySchedule(mode_base, output[0], info, default_psk, default_psk_id);
 
         return new HPKEContextWithEncapsulation(ctx, output[1]);
     }
 
     public HPKEContext setupBaseR(byte[] enc, AsymmetricCipherKeyPair skR, byte[] info)
     {
-        byte[] sharedSecret = dhkem.Decap(enc, skR);
+        byte[] sharedSecret = kem.Decap(enc, skR);
         return keySchedule(mode_base, sharedSecret, info, default_psk, default_psk_id);
     }
 
     public HPKEContextWithEncapsulation SetupPSKS(AsymmetricKeyParameter pkR, byte[] info, byte[] psk, byte[] psk_id)
     {
-        byte[][] output = dhkem.Encap(pkR); // sharedSecret, enc
+        byte[][] output = kem.Encap(pkR); // sharedSecret, enc
 
         HPKEContext ctx = keySchedule(mode_psk, output[0], info, psk, psk_id);
 
@@ -306,35 +293,35 @@ public HPKEContextWithEncapsulation SetupPSKS(AsymmetricKeyParameter pkR, byte[]
 
     public HPKEContext setupPSKR(byte[] enc, AsymmetricCipherKeyPair skR, byte[] info, byte[] psk, byte[] psk_id)
     {
-        byte[] sharedSecret = dhkem.Decap(enc, skR);
+        byte[] sharedSecret = kem.Decap(enc, skR);
         return keySchedule(mode_psk, sharedSecret, info, psk, psk_id);
     }
 
     public HPKEContextWithEncapsulation setupAuthS(AsymmetricKeyParameter pkR, byte[] info, AsymmetricCipherKeyPair skS)
     {
-        byte[][] output = dhkem.AuthEncap(pkR, skS);
+        byte[][] output = kem.AuthEncap(pkR, skS);
         HPKEContext ctx = keySchedule(mode_auth, output[0], info, default_psk, default_psk_id);
 
         return new HPKEContextWithEncapsulation(ctx, output[1]);
     }
 
     public HPKEContext setupAuthR(byte[] enc, AsymmetricCipherKeyPair skR, byte[] info, AsymmetricKeyParameter pkS)
     {
-        byte[] sharedSecret = dhkem.AuthDecap(enc, skR, pkS);
+        byte[] sharedSecret = kem.AuthDecap(enc, skR, pkS);
         return keySchedule(mode_auth, sharedSecret, info, default_psk, default_psk_id);
     }
 
     public HPKEContextWithEncapsulation setupAuthPSKS(AsymmetricKeyParameter pkR, byte[] info, byte[] psk, byte[] psk_id, AsymmetricCipherKeyPair skS)
     {
-        byte[][] output = dhkem.AuthEncap(pkR, skS);
+        byte[][] output = kem.AuthEncap(pkR, skS);
         HPKEContext ctx = keySchedule(mode_auth_psk, output[0], info, psk, psk_id);
 
         return new HPKEContextWithEncapsulation(ctx, output[1]);
     }
 
     public HPKEContext setupAuthPSKR(byte[] enc, AsymmetricCipherKeyPair skR, byte[] info, byte[] psk, byte[] psk_id, AsymmetricKeyParameter pkS)
     {
-        byte[] sharedSecret = dhkem.AuthDecap(enc, skR, pkS);
+        byte[] sharedSecret = kem.AuthDecap(enc, skR, pkS);
         return keySchedule(mode_auth_psk, sharedSecret, info, psk, psk_id);
     }
 }

core/src/main/java/org/bouncycastle/crypto/hpke/KEM.java

@@ -0,0 +1,35 @@
+package org.bouncycastle.crypto.hpke;
+
+import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
+import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
+
+
+/**
+ * base class for HPKE KEM
+ */
+public abstract class KEM
+{
+    // Key Generation
+    abstract AsymmetricCipherKeyPair GeneratePrivateKey();
+    abstract AsymmetricCipherKeyPair DeriveKeyPair(byte[] ikm);
+
+    // Encapsulates a shared secret for a given public key and returns the encapsulated key and shared secret.
+    abstract byte[][] Encap(AsymmetricKeyParameter recipientPublicKey);
+    abstract byte[][] Encap(AsymmetricKeyParameter pkR, AsymmetricCipherKeyPair kpE);
+    abstract byte[][] AuthEncap(AsymmetricKeyParameter pkR, AsymmetricCipherKeyPair kpS);
+
+    // Decapsulates the given encapsulated key using the recipient's key pair and returns the shared secret.
+    abstract byte[] Decap(byte[] encapsulatedKey, AsymmetricCipherKeyPair recipientKeyPair);
+    abstract byte[] AuthDecap(byte[] enc, AsymmetricCipherKeyPair kpR, AsymmetricKeyParameter pkS);
+
+    // Serialization
+    abstract byte[] SerializePublicKey(AsymmetricKeyParameter publicKey);
+    abstract byte[] SerializePrivateKey(AsymmetricKeyParameter key);
+
+    // Deserialization
+    abstract AsymmetricKeyParameter DeserializePublicKey(byte[] encodedPublicKey);
+    abstract AsymmetricCipherKeyPair DeserializePrivateKey(byte[] skEncoded, byte[] pkEncoded);
+
+    abstract int getEncryptionSize();
+
+}

core/src/main/java/org/bouncycastle/crypto/params/ECNamedDomainParameters.java

@@ -3,14 +3,26 @@
 import java.math.BigInteger;
 
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.x9.ECNamedCurveTable;
 import org.bouncycastle.asn1.x9.X9ECParameters;
+import org.bouncycastle.crypto.ec.CustomNamedCurves;
 import org.bouncycastle.math.ec.ECConstants;
 import org.bouncycastle.math.ec.ECCurve;
 import org.bouncycastle.math.ec.ECPoint;
 
 public class ECNamedDomainParameters
     extends ECDomainParameters
 {
+    public static ECNamedDomainParameters lookup(ASN1ObjectIdentifier name)
+    {
+        X9ECParameters x9 = CustomNamedCurves.getByOID(name);
+        if (x9 == null)
+        {
+            x9 = ECNamedCurveTable.getByOID(name);
+        }
+        return new ECNamedDomainParameters(name, x9);
+    }
+
     private ASN1ObjectIdentifier name;
 
     public ECNamedDomainParameters(ASN1ObjectIdentifier name, ECCurve curve, ECPoint G, BigInteger n)

core/src/main/java/org/bouncycastle/crypto/util/OpenSSHPrivateKeyUtil.java

@@ -13,12 +13,13 @@
 import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
 import org.bouncycastle.asn1.pkcs.RSAPrivateKey;
 import org.bouncycastle.asn1.sec.ECPrivateKey;
-import org.bouncycastle.asn1.x9.ECNamedCurveTable;
+import org.bouncycastle.asn1.x9.X962Parameters;
 import org.bouncycastle.asn1.x9.X9ECParameters;
 import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
 import org.bouncycastle.crypto.params.DSAParameters;
 import org.bouncycastle.crypto.params.DSAPrivateKeyParameters;
+import org.bouncycastle.crypto.params.ECDomainParameters;
 import org.bouncycastle.crypto.params.ECNamedDomainParameters;
 import org.bouncycastle.crypto.params.ECPrivateKeyParameters;
 import org.bouncycastle.crypto.params.Ed25519PrivateKeyParameters;
@@ -199,13 +200,24 @@ else if (sequence.size() == 4)
                     && sequence.getObjectAt(2) instanceof ASN1TaggedObject)
                 {
                     ECPrivateKey ecPrivateKey = ECPrivateKey.getInstance(sequence);
-                    ASN1ObjectIdentifier curveOID = ASN1ObjectIdentifier.getInstance(ecPrivateKey.getParametersObject());
-                    X9ECParameters x9Params = ECNamedCurveTable.getByOID(curveOID);
-                    result = new ECPrivateKeyParameters(
-                        ecPrivateKey.getKey(),
-                        new ECNamedDomainParameters(
-                            curveOID,
-                            x9Params));
+
+                    X962Parameters parameters = X962Parameters.getInstance(
+                        ecPrivateKey.getParametersObject().toASN1Primitive());
+                    ECDomainParameters domainParams;
+                    if (parameters.isNamedCurve())
+                    {
+                        ASN1ObjectIdentifier oid = ASN1ObjectIdentifier.getInstance(parameters.getParameters());
+                        domainParams = ECNamedDomainParameters.lookup(oid);
+                    }
+                    else
+                    {
+                        X9ECParameters x9 = X9ECParameters.getInstance(parameters.getParameters());
+                        domainParams = new ECDomainParameters(x9);
+                    }
+
+                    BigInteger d = ecPrivateKey.getKey();
+
+                    result = new ECPrivateKeyParameters(d, domainParams);
                 }
             }
         }

core/src/main/java/org/bouncycastle/crypto/util/PrivateKeyFactory.java

@@ -26,7 +26,6 @@
 import org.bouncycastle.asn1.x9.X962Parameters;
 import org.bouncycastle.asn1.x9.X9ECParameters;
 import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
-import org.bouncycastle.crypto.ec.CustomNamedCurves;
 import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
 import org.bouncycastle.crypto.params.DHParameters;
 import org.bouncycastle.crypto.params.DHPrivateKeyParameters;
@@ -155,33 +154,24 @@ else if (algOID.equals(X9ObjectIdentifiers.id_dsa))
         }
         else if (algOID.equals(X9ObjectIdentifiers.id_ecPublicKey))
         {
-            X962Parameters params = X962Parameters.getInstance(algId.getParameters());
+            ECPrivateKey ecPrivateKey = ECPrivateKey.getInstance(keyInfo.parsePrivateKey());
 
-            X9ECParameters x9;
-            ECDomainParameters dParams;
-
-            if (params.isNamedCurve())
+            X962Parameters parameters = X962Parameters.getInstance(algId.getParameters().toASN1Primitive());
+            ECDomainParameters domainParams;
+            if (parameters.isNamedCurve())
             {
-                ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier)params.getParameters();
-
-                x9 = CustomNamedCurves.getByOID(oid);
-                if (x9 == null)
-                {
-                    x9 = ECNamedCurveTable.getByOID(oid);
-                }
-                dParams = new ECNamedDomainParameters(oid, x9);
+                ASN1ObjectIdentifier oid = ASN1ObjectIdentifier.getInstance(parameters.getParameters());
+                domainParams = ECNamedDomainParameters.lookup(oid);
             }
             else
             {
-                x9 = X9ECParameters.getInstance(params.getParameters());
-                dParams = new ECDomainParameters(
-                    x9.getCurve(), x9.getG(), x9.getN(), x9.getH(), x9.getSeed());
+                X9ECParameters x9 = X9ECParameters.getInstance(parameters.getParameters());
+                domainParams = new ECDomainParameters(x9);
             }
 
-            ECPrivateKey ec = ECPrivateKey.getInstance(keyInfo.parsePrivateKey());
-            BigInteger d = ec.getKey();
+            BigInteger d = ecPrivateKey.getKey();
 
-            return new ECPrivateKeyParameters(d, dParams);
+            return new ECPrivateKeyParameters(d, domainParams);
         }
         else if (algOID.equals(EdECObjectIdentifiers.id_X25519))
         {