updated encoding of LMS public keys.

dropped inner OCTET STRING off NTRU public keys (appears back out of fashion).

Author: dghgit

core/src/main/java/org/bouncycastle/pqc/crypto/util/PrivateKeyFactory.java

@@ -1,6 +1,5 @@
 package org.bouncycastle.pqc.crypto.util;
 
-import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 
@@ -12,7 +11,6 @@
 import org.bouncycastle.asn1.ASN1OctetString;
 import org.bouncycastle.asn1.ASN1Primitive;
 import org.bouncycastle.asn1.ASN1Sequence;
-import org.bouncycastle.asn1.BERTags;
 import org.bouncycastle.asn1.DEROctetString;
 import org.bouncycastle.asn1.bc.BCObjectIdentifiers;
 import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
@@ -156,7 +154,8 @@ else if (algOID.equals(PQCObjectIdentifiers.newHope))
         }
         else if (algOID.equals(PKCSObjectIdentifiers.id_alg_hss_lms_hashsig))
         {
-            byte[] keyEnc = ASN1OctetString.getInstance(keyInfo.parsePrivateKey()).getOctets();
+            ASN1OctetString lmsKey = parseOctetString(keyInfo.getPrivateKey(), 64);
+            byte[] keyEnc = lmsKey.getOctets();
             ASN1BitString pubKey = keyInfo.getPublicKeyData();
 
             if (Pack.bigEndianToInt(keyEnc, 0) == 1)
@@ -466,6 +465,7 @@ else if (algOID.equals(PQCObjectIdentifiers.mcElieceCca2))
      * So it seems for the new PQC algorithms, there's a couple of approaches to what goes in the OCTET STRING
      */
     private static ASN1OctetString parseOctetString(ASN1OctetString octStr, int expectedLength)
+        throws IOException
     {
         byte[] data = octStr.getOctets();
         //
@@ -478,37 +478,15 @@ private static ASN1OctetString parseOctetString(ASN1OctetString octStr, int expe
 
         //
         // possible internal OCTET STRING, possibly long form with or without the internal OCTET STRING
-        ByteArrayInputStream bIn = new ByteArrayInputStream(data);
-
-        int tag = bIn.read();
-        int len = readLen(bIn);
-        if (tag == BERTags.OCTET_STRING)
+        data = Utils.readOctetString(data);
+        if (data != null)
         {
-            if (len == bIn.available())
-            {
-                return ASN1OctetString.getInstance(data);
-            }
+            return new DEROctetString(data);
         }
 
         return octStr;
     }
-
-    private static int readLen(ByteArrayInputStream bIn)
-    {
-        int length = bIn.read();
-        if (length != (length & 0x7f))
-        {
-            int count = length & 0x7f;
-            length = 0;
-            while (count-- != 0)
-            {
-                length = (length << 8) + bIn.read();
-            }
-        }
-
-        return length;
-    }
-
+    
     private static short[] convert(byte[] octets)
     {
         short[] rv = new short[octets.length / 2];

core/src/main/java/org/bouncycastle/pqc/crypto/util/PublicKeyFactory.java

@@ -39,6 +39,7 @@
 import org.bouncycastle.pqc.crypto.hqc.HQCParameters;
 import org.bouncycastle.pqc.crypto.hqc.HQCPublicKeyParameters;
 import org.bouncycastle.pqc.crypto.lms.HSSPublicKeyParameters;
+import org.bouncycastle.pqc.crypto.lms.LMSKeyParameters;
 import org.bouncycastle.pqc.crypto.lms.LMSPublicKeyParameters;
 import org.bouncycastle.pqc.crypto.mldsa.MLDSAParameters;
 import org.bouncycastle.pqc.crypto.mldsa.MLDSAPublicKeyParameters;
@@ -131,7 +132,7 @@ public class PublicKeyFactory
         converters.put(BCObjectIdentifiers.sphincsPlus_shake_256s, new SPHINCSPlusConverter());
         converters.put(BCObjectIdentifiers.sphincsPlus_shake_256f, new SPHINCSPlusConverter());
         converters.put(new ASN1ObjectIdentifier("1.3.9999.6.4.10"), new SPHINCSPlusConverter());
-        
+
         converters.put(BCObjectIdentifiers.mceliece348864_r3, new CMCEConverter());
         converters.put(BCObjectIdentifiers.mceliece348864f_r3, new CMCEConverter());
         converters.put(BCObjectIdentifiers.mceliece460896_r3, new CMCEConverter());
@@ -437,8 +438,20 @@ private static class LMSConverter
         AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Object defaultParams)
             throws IOException
         {
-            byte[] keyEnc = ASN1OctetString.getInstance(keyInfo.parsePublicKey()).getOctets();
+            byte[] keyEnc = keyInfo.getPublicKeyData().getOctets();
+            byte[] data = Utils.readOctetString(keyEnc);
+
+            if (data != null)
+            {
+                return getLmsKeyParameters(data);
+            }
+
+            return getLmsKeyParameters(keyEnc);
+        }
 
+        private LMSKeyParameters getLmsKeyParameters(byte[] keyEnc)
+            throws IOException
+        {
             if (Pack.bigEndianToInt(keyEnc, 0) == 1)
             {
                 return LMSPublicKeyParameters.getInstance(Arrays.copyOfRange(keyEnc, 4, keyEnc.length));
@@ -495,7 +508,7 @@ AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Obje
                 return new CMCEPublicKeyParameters(spParams, keyEnc);
             }
             catch (Exception e)
-            {        
+            {
                 byte[] keyEnc = keyInfo.getPublicKeyData().getOctets();
 
                 CMCEParameters spParams = Utils.mcElieceParamsLookup(keyInfo.getAlgorithm().getAlgorithm());
@@ -506,13 +519,13 @@ AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Obje
     }
 
     private static class SABERConverter
-            extends SubjectPublicKeyInfoConverter
+        extends SubjectPublicKeyInfoConverter
     {
         AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Object defaultParams)
-                throws IOException
+            throws IOException
         {
             byte[] keyEnc = ASN1OctetString.getInstance(
-                    ASN1Sequence.getInstance(keyInfo.parsePublicKey()).getObjectAt(0)).getOctets();
+                ASN1Sequence.getInstance(keyInfo.parsePublicKey()).getObjectAt(0)).getOctets();
 
             SABERParameters saberParams = Utils.saberParamsLookup(keyInfo.getAlgorithm().getAlgorithm());
 
@@ -533,10 +546,10 @@ AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Obje
     }
 
     private static class FrodoConverter
-            extends SubjectPublicKeyInfoConverter
+        extends SubjectPublicKeyInfoConverter
     {
         AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Object defaultParams)
-                throws IOException
+            throws IOException
         {
             byte[] keyEnc = ASN1OctetString.getInstance(keyInfo.parsePublicKey()).getOctets();
 
@@ -547,10 +560,10 @@ AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Obje
     }
 
     private static class PicnicConverter
-            extends SubjectPublicKeyInfoConverter
+        extends SubjectPublicKeyInfoConverter
     {
         AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Object defaultParams)
-                throws IOException
+            throws IOException
         {
             byte[] keyEnc = ASN1OctetString.getInstance(keyInfo.parsePublicKey()).getOctets();
 
@@ -566,7 +579,19 @@ private static class NtruConverter
         AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Object defaultParams)
             throws IOException
         {
-            byte[] keyEnc = ASN1OctetString.getInstance(keyInfo.parsePublicKey()).getOctets();
+            byte[] keyEnc = keyInfo.getPublicKeyData().getOctets();
+            byte[] data = Utils.readOctetString(keyEnc);
+
+            if (data != null)
+            {
+                return getNtruPublicKeyParameters(keyInfo, data);
+            }
+
+            return getNtruPublicKeyParameters(keyInfo, keyEnc);
+        }
+
+        private NTRUPublicKeyParameters getNtruPublicKeyParameters(SubjectPublicKeyInfo keyInfo, byte[] keyEnc)
+        {
 
             NTRUParameters ntruParams = Utils.ntruParamsLookup(keyInfo.getAlgorithm().getAlgorithm());
 
@@ -640,7 +665,7 @@ AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Obje
             return new SNTRUPrimePublicKeyParameters(ntruLPRimeParams, keyEnc);
         }
     }
-    
+
     static class DilithiumConverter
         extends SubjectPublicKeyInfoConverter
     {
@@ -720,10 +745,10 @@ static MLDSAPublicKeyParameters getPublicKeyParams(MLDSAParameters dilithiumPara
     }
 
     private static class BIKEConverter
-            extends SubjectPublicKeyInfoConverter
+        extends SubjectPublicKeyInfoConverter
     {
         AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Object defaultParams)
-                throws IOException
+            throws IOException
         {
             try
             {
@@ -745,10 +770,10 @@ AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Obje
     }
 
     private static class HQCConverter
-            extends SubjectPublicKeyInfoConverter
+        extends SubjectPublicKeyInfoConverter
     {
         AsymmetricKeyParameter getPublicKeyParameters(SubjectPublicKeyInfo keyInfo, Object defaultParams)
-                throws IOException
+            throws IOException
         {
             try
             {

core/src/main/java/org/bouncycastle/pqc/crypto/util/SubjectPublicKeyInfoFactory.java

@@ -91,7 +91,7 @@ else if (publicKey instanceof LMSPublicKeyParameters)
             byte[] encoding = Composer.compose().u32str(1).bytes(params).build();
 
             AlgorithmIdentifier algorithmIdentifier = new AlgorithmIdentifier(PKCSObjectIdentifiers.id_alg_hss_lms_hashsig);
-            return new SubjectPublicKeyInfo(algorithmIdentifier, new DEROctetString(encoding));
+            return new SubjectPublicKeyInfo(algorithmIdentifier, encoding);
         }
         else if (publicKey instanceof HSSPublicKeyParameters)
         {
@@ -100,7 +100,7 @@ else if (publicKey instanceof HSSPublicKeyParameters)
             byte[] encoding = Composer.compose().u32str(params.getL()).bytes(params.getLMSPublicKey()).build();
 
             AlgorithmIdentifier algorithmIdentifier = new AlgorithmIdentifier(PKCSObjectIdentifiers.id_alg_hss_lms_hashsig);
-            return new SubjectPublicKeyInfo(algorithmIdentifier, new DEROctetString(encoding));
+            return new SubjectPublicKeyInfo(algorithmIdentifier, encoding);
         }
         else if (publicKey instanceof SLHDSAPublicKeyParameters)
         {
@@ -215,7 +215,7 @@ else if (publicKey instanceof NTRUPublicKeyParameters)
             byte[] encoding = params.getEncoded();
 
             AlgorithmIdentifier algorithmIdentifier = new AlgorithmIdentifier(Utils.ntruOidLookup(params.getParameters()));
-            return new SubjectPublicKeyInfo(algorithmIdentifier, new DEROctetString(encoding));
+            return new SubjectPublicKeyInfo(algorithmIdentifier, encoding);
         }
         else if (publicKey instanceof FalconPublicKeyParameters)
         {

core/src/main/java/org/bouncycastle/pqc/crypto/util/Utils.java

@@ -1,9 +1,12 @@
 package org.bouncycastle.pqc.crypto.util;
 
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
 import java.util.HashMap;
 import java.util.Map;
 
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.BERTags;
 import org.bouncycastle.asn1.DERNull;
 import org.bouncycastle.asn1.bc.BCObjectIdentifiers;
 import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
@@ -35,6 +38,7 @@
 import org.bouncycastle.pqc.crypto.xmss.XMSSKeyParameters;
 import org.bouncycastle.pqc.legacy.crypto.qtesla.QTESLASecurityCategory;
 import org.bouncycastle.util.Integers;
+import org.bouncycastle.util.io.Streams;
 
 class Utils
 {
@@ -101,7 +105,7 @@ class Utils
 
     static final Map shldsaOids = new HashMap<ASN1ObjectIdentifier, SLHDSAParameters>();
     static final Map shldsaParams = new HashMap<SLHDSAParameters, ASN1ObjectIdentifier>();
-    
+
     static
     {
         categories.put(PQCObjectIdentifiers.qTESLA_p_I, Integers.valueOf(QTESLASecurityCategory.PROVABLY_SECURE_I));
@@ -230,7 +234,7 @@ class Utils
 
         mlkemOids.put(MLKEMParameters.ml_kem_512, NISTObjectIdentifiers.id_alg_ml_kem_512);
         mlkemOids.put(MLKEMParameters.ml_kem_768, NISTObjectIdentifiers.id_alg_ml_kem_768);
-        mlkemOids.put(MLKEMParameters.ml_kem_1024,NISTObjectIdentifiers.id_alg_ml_kem_1024);
+        mlkemOids.put(MLKEMParameters.ml_kem_1024, NISTObjectIdentifiers.id_alg_ml_kem_1024);
 
         mlkemParams.put(NISTObjectIdentifiers.id_alg_ml_kem_512, MLKEMParameters.ml_kem_512);
         mlkemParams.put(NISTObjectIdentifiers.id_alg_ml_kem_768, MLKEMParameters.ml_kem_768);
@@ -478,7 +482,7 @@ static SLHDSAParameters slhdsaParamsLookup(ASN1ObjectIdentifier oid)
     {
         return (SLHDSAParameters)shldsaParams.get(oid);
     }
-    
+
     static int qTeslaLookupSecurityCategory(AlgorithmIdentifier algorithm)
     {
         return ((Integer)categories.get(algorithm.getAlgorithm())).intValue();
@@ -778,4 +782,45 @@ static RainbowParameters rainbowParamsLookup(ASN1ObjectIdentifier oid)
     {
         return (RainbowParameters)rainbowParams.get(oid);
     }
+
+    static byte[] readOctetString(byte[] data)
+        throws IOException
+    {
+        if (data[0] == BERTags.OCTET_STRING)
+        {
+            ByteArrayInputStream bIn = new ByteArrayInputStream(data);
+
+            int tag = bIn.read();
+            int len = readLen(bIn);
+            if (len == bIn.available())
+            {
+                return Streams.readAll(bIn);
+            }
+        }
+
+        return null;
+    }
+
+    /**
+     * ASN.1 length reader.
+     */
+    static int readLen(ByteArrayInputStream bIn)
+    {
+        int length = bIn.read();
+        if (length < 0)
+        {
+            return -1;
+        }
+        if (length != (length & 0x7f))
+        {
+            int count = length & 0x7f;
+            length = 0;
+            while (count-- != 0)
+            {
+                length = (length << 8) + bIn.read();
+            }
+        }
+
+        return length;
+    }
 }

prov/src/test/java/org/bouncycastle/pqc/jcajce/provider/test/LMSTest.java

@@ -23,13 +23,17 @@
 import org.bouncycastle.pqc.jcajce.spec.LMSKeyGenParameterSpec;
 import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.Strings;
+import org.bouncycastle.util.encoders.Base64;
 
 /**
  * LMS is now promoted to the BC provider.
  */
 public class LMSTest
     extends TestCase
 {
+    private static final byte[] nestedPublicKey = Base64.decode("MFAwDQYLKoZIhvcNAQkQAxEDPwAEPAAAAAEAAAAFAAAAARmSUd5GHVvFNVl0JBcv+GJX8+FaUrz1mNrCHGZ1z8c4j9kgSBhaEYlu+//bc2yOhQ==");
+    private static final byte[] nestedPrivateKey = Base64.decode("MIGhAgEBMA0GCyqGSIb3DQEJEAMRBE4ETAAAAAEAAAAAAAAABQAAAAEZklHeRh1bxTVZdCQXL/hiAAAAAAAAACAAAAAgXs4Bdu2gpyoEccTNWwAA81qLeSqn2yW+LWYVAi2hadyBPQAAAAABAAAABQAAAAEZklHeRh1bxTVZdCQXL/hiV/PhWlK89Zjawhxmdc/HOI/ZIEgYWhGJbvv/23NsjoU=");
+
     public void setUp()
     {
         if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null)
@@ -82,6 +86,29 @@ private void trySigning(KeyPair keyPair)
         assertTrue(signer.verify(sig));
     }
 
+    public void testKeyEncoding()
+        throws Exception
+    {
+
+        KeyFactory kf = KeyFactory.getInstance("LMS", "BC");
+
+        PublicKey oldLmsPub = kf.generatePublic(new X509EncodedKeySpec(nestedPublicKey));
+        PrivateKey oldLmsPriv = kf.generatePrivate(new PKCS8EncodedKeySpec(nestedPrivateKey));
+
+        trySigning(new KeyPair(oldLmsPub, oldLmsPriv));
+
+        KeyPairGenerator kpGen = KeyPairGenerator.getInstance("LMS", "BC");
+
+        kpGen.initialize(new LMSKeyGenParameterSpec(LMSigParameters.lms_sha256_n32_h5, LMOtsParameters.sha256_n32_w1));
+
+        KeyPair kp = kpGen.generateKeyPair();
+
+        PublicKey newLmsPub = kf.generatePublic(new X509EncodedKeySpec(kp.getPublic().getEncoded()));
+        PrivateKey newLmsPriv = kf.generatePrivate(new PKCS8EncodedKeySpec(kp.getPrivate().getEncoded()));
+
+        trySigning(new KeyPair(newLmsPub, newLmsPriv));
+    }
+
     public void testKeyFactoryLMSKey()
         throws Exception
     {