Implement key encoding and decoding

Follows the docs for java.security.spec.PKCS8EncodedKeySpec and the draft at
https://tools.ietf.org/html/draft-josefsson-pkix-eddsa-04

Ignores the example in the josefsson draft, required for keytool to work.

Closes #13
I2P ticket: https://trac.i2p2.de/ticket/1723

Signed-off-by: str4d <[email protected]>

Author: zzz

src/net/i2p/crypto/eddsa/EdDSAPrivateKey.java

@@ -1,8 +1,11 @@
 package net.i2p.crypto.eddsa;
 
 import java.security.PrivateKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
 
 import net.i2p.crypto.eddsa.math.GroupElement;
+import net.i2p.crypto.eddsa.spec.EdDSANamedCurveTable;
 import net.i2p.crypto.eddsa.spec.EdDSAParameterSpec;
 import net.i2p.crypto.eddsa.spec.EdDSAPrivateKeySpec;
 
@@ -29,6 +32,11 @@ public EdDSAPrivateKey(EdDSAPrivateKeySpec spec) {
         this.edDsaSpec = spec.getParams();
     }
 
+    public EdDSAPrivateKey(PKCS8EncodedKeySpec spec) throws InvalidKeySpecException {
+        this(new EdDSAPrivateKeySpec(decode(spec.getEncoded()),
+                                     EdDSANamedCurveTable.getByName(EdDSANamedCurveTable.CURVE_ED25519_SHA512)));
+    }
+
     public String getAlgorithm() {
         return "EdDSA";
     }
@@ -37,9 +45,115 @@ public String getFormat() {
         return "PKCS#8";
     }
 
+    /**
+     *  This follows the spec at
+     *  https://tools.ietf.org/html/draft-josefsson-pkix-eddsa-04
+     *  AND the docs from
+     *  java.security.spec.PKCS8EncodedKeySpec
+     *  quote:
+     *<pre>
+     *  The PrivateKeyInfo syntax is defined in the PKCS#8 standard as follows:
+     *  PrivateKeyInfo ::= SEQUENCE {
+     *    version Version,
+     *    privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
+     *    privateKey PrivateKey,
+     *    attributes [0] IMPLICIT Attributes OPTIONAL }
+     *  Version ::= INTEGER
+     *  PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
+     *  PrivateKey ::= OCTET STRING
+     *  Attributes ::= SET OF Attribute
+     *</pre>
+     *
+     *<pre>
+     *  AlgorithmIdentifier ::= SEQUENCE
+     *  {
+     *    algorithm           OBJECT IDENTIFIER,
+     *    parameters          ANY OPTIONAL
+     *  }
+     *</pre>
+     *
+     *  Note that the private key encoding is not fully specified in the Josefsson draft version 04,
+     *  and the example could be wrong, as it's lacking Version and AlgorithmIdentifier.
+     *  This will hopefully be clarified in the next draft.
+     *  But sun.security.pkcs.PKCS8Key expects them so we must include them for keytool to work.
+     *
+     *  @return 49 bytes for Ed25519, null for other curves
+     */
     public byte[] getEncoded() {
-        // TODO Auto-generated method stub
-        return null;
+        // TODO no equals() implemented in spec, but it's essentially a singleton
+        if (!edDsaSpec.equals(EdDSANamedCurveTable.getByName(EdDSANamedCurveTable.CURVE_ED25519_SHA512)))
+            return null;
+        int totlen = 17 + seed.length;
+        byte[] rv = new byte[totlen];
+        int idx = 0;
+        // sequence
+        rv[idx++] = 0x30;
+        rv[idx++] = (byte) (15 + seed.length);
+
+        // version
+        // not in the Josefsson example
+        rv[idx++] = 0x02;
+        rv[idx++] = 1;
+        rv[idx++] = 0;
+
+        // Algorithm Identifier
+        // sequence
+        // not in the Josefsson example
+        rv[idx++] = 0x30;
+        rv[idx++] = 8;
+        // OID 1.3.101.100
+        // https://msdn.microsoft.com/en-us/library/windows/desktop/bb540809%28v=vs.85%29.aspx
+        // not in the Josefsson example
+        rv[idx++] = 0x06;
+        rv[idx++] = 3;
+        rv[idx++] = (1 * 40) + 3;
+        rv[idx++] = 101;
+        rv[idx++] = 100;
+        // params
+        rv[idx++] = 0x0a;
+        rv[idx++] = 1;
+        rv[idx++] = 1; // Ed25519
+        // the key
+        rv[idx++] = 0x04;  // octet string
+        rv[idx++] = (byte) seed.length;
+        System.arraycopy(seed, 0, rv, idx, seed.length);
+        return rv;
+    }
+
+    /**
+     *  This is really dumb for now.
+     *  See getEncoded().
+     *
+     *  @return 32 bytes for Ed25519, throws for other curves
+     */
+    private static byte[] decode(byte[] d) throws InvalidKeySpecException {
+        try {
+            int idx = 0;
+            if (d[idx++] != 0x30 ||
+                d[idx++] != 47 ||
+                d[idx++] != 0x02 ||
+                d[idx++] != 1 ||
+                d[idx++] != 0 ||
+                d[idx++] != 0x30 ||
+                d[idx++] != 8 ||
+                d[idx++] != 0x06 ||
+                d[idx++] != 3 ||
+                d[idx++] != (1 * 40) + 3 ||
+                d[idx++] != 101 ||
+                d[idx++] != 100 ||
+                d[idx++] != 0x0a ||
+                d[idx++] != 1 ||
+                d[idx++] != 1 ||
+                d[idx++] != 0x04 ||
+                d[idx++] != 32) {
+                throw new InvalidKeySpecException("unsupported key spec");
+            }
+            byte[] rv = new byte[32];
+            System.arraycopy(d, idx, rv, 0, 32);
+            return rv;
+        } catch (IndexOutOfBoundsException ioobe) {
+            throw new InvalidKeySpecException(ioobe);
+        }
     }
 
     public EdDSAParameterSpec getParams() {

src/net/i2p/crypto/eddsa/EdDSAPublicKey.java

@@ -1,8 +1,11 @@
 package net.i2p.crypto.eddsa;
 
 import java.security.PublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
 
 import net.i2p.crypto.eddsa.math.GroupElement;
+import net.i2p.crypto.eddsa.spec.EdDSANamedCurveTable;
 import net.i2p.crypto.eddsa.spec.EdDSAParameterSpec;
 import net.i2p.crypto.eddsa.spec.EdDSAPublicKeySpec;
 
@@ -25,6 +28,11 @@ public EdDSAPublicKey(EdDSAPublicKeySpec spec) {
         this.edDsaSpec = spec.getParams();
     }
 
+    public EdDSAPublicKey(X509EncodedKeySpec spec) throws InvalidKeySpecException {
+        this(new EdDSAPublicKeySpec(decode(spec.getEncoded()),
+                                    EdDSANamedCurveTable.getByName(EdDSANamedCurveTable.CURVE_ED25519_SHA512)));
+    }
+
     public String getAlgorithm() {
         return "EdDSA";
     }
@@ -33,9 +41,94 @@ public String getFormat() {
         return "X.509";
     }
 
+    /**
+     *  This follows the spec at
+     *  ref: https://tools.ietf.org/html/draft-josefsson-pkix-eddsa-04
+     *  which matches the docs from
+     *  java.security.spec.X509EncodedKeySpec
+     *  quote:
+     *<pre>
+     * The SubjectPublicKeyInfo syntax is defined in the X.509 standard as follows:
+     *  SubjectPublicKeyInfo ::= SEQUENCE {
+     *    algorithm AlgorithmIdentifier,
+     *    subjectPublicKey BIT STRING }
+     *</pre>
+     *
+     *<pre>
+     *  AlgorithmIdentifier ::= SEQUENCE
+     *  {
+     *    algorithm           OBJECT IDENTIFIER,
+     *    parameters          ANY OPTIONAL
+     *  }
+     *</pre>
+     *
+     *  @return 47 bytes for Ed25519, null for other curves
+     */
     public byte[] getEncoded() {
-        // TODO Auto-generated method stub
-        return null;
+        // TODO no equals() implemented in spec, but it's essentially a singleton
+        if (!edDsaSpec.equals(EdDSANamedCurveTable.getByName(EdDSANamedCurveTable.CURVE_ED25519_SHA512)))
+            return null;
+        int totlen = 15 + Abyte.length;
+        byte[] rv = new byte[totlen];
+        int idx = 0;
+        // sequence
+        rv[idx++] = 0x30;
+        rv[idx++] = (byte) (13 + Abyte.length);
+        // Algorithm Identifier
+        // sequence
+        rv[idx++] = 0x30;
+        rv[idx++] = 8;
+        // OID 1.3.101.100
+        // https://msdn.microsoft.com/en-us/library/windows/desktop/bb540809%28v=vs.85%29.aspx
+        rv[idx++] = 0x06;
+        rv[idx++] = 3;
+        rv[idx++] = (1 * 40) + 3;
+        rv[idx++] = 101;
+        rv[idx++] = 100;
+        // params
+        rv[idx++] = 0x0a;
+        rv[idx++] = 1;
+        rv[idx++] = 1; // Ed25519
+        // the key
+        rv[idx++] = 0x03; // bit string
+        rv[idx++] = (byte) (1 + Abyte.length);
+        rv[idx++] = 0; // number of trailing unused bits
+        System.arraycopy(Abyte, 0, rv, idx, Abyte.length);
+        return rv;
+    }
+
+    /**
+     *  This is really dumb for now.
+     *  See getEncoded().
+     *
+     *  @return 32 bytes for Ed25519, throws for other curves
+     */
+    private static byte[] decode(byte[] d) throws InvalidKeySpecException {
+        try {
+            int idx = 0;
+            if (d[idx++] != 0x30 ||
+                d[idx++] != 45 ||
+                d[idx++] != 0x30 ||
+                d[idx++] != 8 ||
+                d[idx++] != 0x06 ||
+                d[idx++] != 3 ||
+                d[idx++] != (1 * 40) + 3 ||
+                d[idx++] != 101 ||
+                d[idx++] != 100 ||
+                d[idx++] != 0x0a ||
+                d[idx++] != 1 ||
+                d[idx++] != 1 ||
+                d[idx++] != 0x03 ||
+                d[idx++] != 33 ||
+                d[idx++] != 0) {
+                throw new InvalidKeySpecException("unsupported key spec");
+            }
+            byte[] rv = new byte[32];
+            System.arraycopy(d, idx, rv, 0, 32);
+            return rv;
+        } catch (IndexOutOfBoundsException ioobe) {
+            throw new InvalidKeySpecException(ioobe);
+        }
     }
 
     public EdDSAParameterSpec getParams() {

src/net/i2p/crypto/eddsa/KeyFactory.java

@@ -7,6 +7,8 @@
 import java.security.PublicKey;
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.KeySpec;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.spec.X509EncodedKeySpec;
 
 import net.i2p.crypto.eddsa.spec.EdDSAPrivateKeySpec;
 import net.i2p.crypto.eddsa.spec.EdDSAPublicKeySpec;
@@ -22,15 +24,21 @@ protected PrivateKey engineGeneratePrivate(KeySpec keySpec)
         if (keySpec instanceof EdDSAPrivateKeySpec) {
             return new EdDSAPrivateKey((EdDSAPrivateKeySpec) keySpec);
         }
-        throw new InvalidKeySpecException("key spec not recognised");
+        if (keySpec instanceof PKCS8EncodedKeySpec) {
+            return new EdDSAPrivateKey((PKCS8EncodedKeySpec) keySpec);
+        }
+        throw new InvalidKeySpecException("key spec not recognised: " + keySpec.getClass());
     }
 
     protected PublicKey engineGeneratePublic(KeySpec keySpec)
             throws InvalidKeySpecException {
         if (keySpec instanceof EdDSAPublicKeySpec) {
             return new EdDSAPublicKey((EdDSAPublicKeySpec) keySpec);
         }
-        throw new InvalidKeySpecException("key spec not recognised");
+        if (keySpec instanceof X509EncodedKeySpec) {
+            return new EdDSAPublicKey((X509EncodedKeySpec) keySpec);
+        }
+        throw new InvalidKeySpecException("key spec not recognised: " + keySpec.getClass());
     }
 
     @SuppressWarnings("unchecked")