parse ed25519 raw keys

Signed-off-by: Appu Goundan <[email protected]>

Author: loosebazooka

sigstore-java/src/main/java/dev/sigstore/encryption/Keys.java

@@ -34,6 +34,8 @@
 import java.util.List;
 import org.bouncycastle.asn1.ASN1Integer;
 import org.bouncycastle.asn1.ASN1Sequence;
+import org.bouncycastle.asn1.edec.EdECObjectIdentifiers;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
 import org.bouncycastle.jce.ECNamedCurveTable;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
@@ -137,9 +139,24 @@ public static PublicKey constructTufPublicKey(byte[] contents, String scheme)
       case "ed25519":
         {
           final KeyFactory kf = KeyFactory.getInstance("Ed25519");
-          final X509EncodedKeySpec keySpec = new X509EncodedKeySpec(contents);
+          X509EncodedKeySpec keySpec;
+          // tuf allows raw keys only for ed25519 (non PEM):
+          // https://github.com/theupdateframework/specification/blob/c51875f445d8a57efca9dadfbd5dbdece06d87e6/tuf-spec.md#key-objects--file-formats-keys
+          if (contents.length == 32) {
+            var params =
+                new SubjectPublicKeyInfo(
+                    new AlgorithmIdentifier(EdECObjectIdentifiers.id_Ed25519), contents);
+            try {
+              keySpec = new X509EncodedKeySpec(params.getEncoded());
+            } catch (IOException e) {
+              throw new RuntimeException(e);
+            }
+          } else {
+            keySpec = new X509EncodedKeySpec(contents);
+          }
           return kf.generatePublic(keySpec);
         }
+      case "ecdsa":
       case "ecdsa-sha2-nistp256":
         {
           // spec for P-256 curve

sigstore-java/src/test/java/dev/sigstore/encryption/KeysTest.java

@@ -163,6 +163,28 @@ void parseTufPublicKey_ed25519_lteJava14()
     assertEquals("Ed25519", key.getAlgorithm());
   }
 
+  @Test
+  @EnabledForJreRange(min = JRE.JAVA_15)
+  void parseTufPublicKey_ed25519_rawBytes_java15plus() throws Exception {
+    PublicKey key =
+        Keys.constructTufPublicKey(
+            Hex.decode("2d7218ce609f85de4b0d29d9e679cfd73e96756652f7069a0cf00acb752e5d3c"),
+            "ed25519");
+    assertNotNull(key);
+    assertEquals("EdDSA", key.getAlgorithm());
+  }
+
+  @Test
+  @EnabledForJreRange(max = JRE.JAVA_14)
+  void parseTufPublicKey_ed25519_rawBytes_lteJava14() throws Exception {
+    PublicKey key =
+        Keys.constructTufPublicKey(
+            Hex.decode("2d7218ce609f85de4b0d29d9e679cfd73e96756652f7069a0cf00acb752e5d3c"),
+            "ed25519");
+    assertNotNull(key);
+    assertEquals("Ed25519", key.getAlgorithm());
+  }
+
   @Test
   void parseTufPublicKey_ed25519Bad() {
     Assertions.assertThrows(