Update SNTRUPrime KEMSpi for jdk21 (only tested generic)

Author: royb

prov/src/main/jdk21/org/bouncycastle/pqc/jcajce/provider/Util.java

@@ -1,9 +1,7 @@
 package org.bouncycastle.pqc.jcajce.provider.ntruprime;
 
-import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 import org.bouncycastle.crypto.InvalidCipherTextException;
 import org.bouncycastle.crypto.Wrapper;
-import org.bouncycastle.crypto.params.KeyParameter;
 import org.bouncycastle.jcajce.spec.KTSParameterSpec;
 import org.bouncycastle.pqc.crypto.ntruprime.SNTRUPrimeKEMExtractor;
 import org.bouncycastle.pqc.jcajce.provider.util.WrapUtil;
@@ -14,11 +12,8 @@
 import javax.crypto.SecretKey;
 import javax.crypto.spec.SecretKeySpec;
 import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
 import java.util.Objects;
 
-import static org.bouncycastle.pqc.jcajce.provider.Util.makeKeyBytes;
-
 class SNTRUPrimeDecapsulatorSpi
     implements KEMSpi.DecapsulatorSpi
 {
@@ -47,33 +42,59 @@ public SecretKey engineDecapsulate(byte[] encapsulation, int from, int to, Strin
             throw new DecapsulateException("incorrect encapsulation size");
         }
 
-        KTSParameterSpec.Builder builder = new KTSParameterSpec.Builder(parameterSpec.getKeyAlgorithmName(), parameterSpec.getKeySize());
+        // if algorithm is Generic then use parameterSpec to wrap key
+        if (!parameterSpec.getKeyAlgorithmName().equals("Generic") &&
+                algorithm.equals("Generic"))
+        {
+            algorithm = parameterSpec.getKeyAlgorithmName();
+        }
 
-        if (!algorithm.equals("Generic"))
+        // check spec algorithm mismatch provided algorithm
+        if (!parameterSpec.getKeyAlgorithmName().equals("Generic") &&
+                !parameterSpec.getKeyAlgorithmName().equals(algorithm))
         {
-            //TODO:
-//            builder.withKdfAlgorithm(AlgorithmIdentifier.getInstance(algorithm));
+            throw new UnsupportedOperationException(parameterSpec.getKeyAlgorithmName() + " does not match " + algorithm);
         }
-        KTSParameterSpec spec = builder.build();
 
-        byte[] secret = kemExt.extractSecret(encapsulation);
+        // Only use KDF when ktsParameterSpec is provided
+        // Considering any ktsParameterSpec with "Generic" as ktsParameterSpec not provided
+        boolean wrapKey = !(parameterSpec.getKeyAlgorithmName().equals("Generic") && algorithm.equals("Generic"));
 
-        byte[] kdfKey = Arrays.copyOfRange(secret, from, to);
+        byte[] secret = kemExt.extractSecret(encapsulation);
+        byte[] secretKey = Arrays.copyOfRange(secret, from, to);
 
-        try
-        {
-            return new SecretKeySpec(makeKeyBytes(spec, kdfKey), algorithm);
-        }
-        catch (InvalidKeyException e)
+        if (wrapKey)
         {
-            throw new RuntimeException(e);
+            try
+            {
+                KTSParameterSpec spec = parameterSpec;
+                // Generate a new ktsParameterSpec if spec is generic but algorithm is not generic
+                if (parameterSpec.getKeyAlgorithmName().equals("Generic"))
+                {
+                    spec = new KTSParameterSpec.Builder(algorithm, secretKey.length * 8).withNoKdf().build();
+                }
+
+                Wrapper kWrap = WrapUtil.getKeyUnwrapper(spec, secretKey);
+                secretKey = kWrap.unwrap(secretKey, 0, secretKey.length);
+
+            }
+            catch (InvalidCipherTextException e)
+            {
+                throw new RuntimeException(e);
+            }
+            catch (InvalidKeyException e)
+            {
+                throw new RuntimeException(e);
+            }
+
         }
+        return new SecretKeySpec(secretKey, algorithm);
     }
 
     @Override
     public int engineSecretSize()
     {
-        return privateKey.getKeyParams().getParameters().getSessionKeySize() / 8;
+        return parameterSpec.getKeySize() / 8;
     }
 
     @Override

prov/src/main/jdk21/org/bouncycastle/pqc/jcajce/provider/ntruprime/SNTRUPrimeDecapsulatorSpi.java

@@ -1,10 +1,7 @@
 package org.bouncycastle.pqc.jcajce.provider.ntruprime;
 
-import org.bouncycastle.asn1.bc.BCObjectIdentifiers;
-import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 import org.bouncycastle.crypto.SecretWithEncapsulation;
 import org.bouncycastle.crypto.Wrapper;
-import org.bouncycastle.crypto.params.KeyParameter;
 import org.bouncycastle.jcajce.spec.KTSParameterSpec;
 import org.bouncycastle.pqc.crypto.ntruprime.SNTRUPrimeKEMGenerator;
 import org.bouncycastle.pqc.jcajce.provider.util.WrapUtil;
@@ -13,68 +10,86 @@
 import javax.crypto.KEM;
 import javax.crypto.KEMSpi;
 import javax.crypto.spec.SecretKeySpec;
-import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
-import java.security.KeyPair;
 import java.security.SecureRandom;
 import java.util.Objects;
 
-import static org.bouncycastle.pqc.jcajce.provider.Util.makeKeyBytes;
-
 class SNTRUPrimeEncapsulatorSpi
     implements KEMSpi.EncapsulatorSpi
 {
     private final BCSNTRUPrimePublicKey publicKey;
     private final KTSParameterSpec parameterSpec;
-    private final SecureRandom random;
     private final SNTRUPrimeKEMGenerator kemGen;
 
 
     public SNTRUPrimeEncapsulatorSpi(BCSNTRUPrimePublicKey publicKey, KTSParameterSpec parameterSpec, SecureRandom random)
     {
         this.publicKey = publicKey;
         this.parameterSpec = parameterSpec;
-        this.random = random;
 
         kemGen = new SNTRUPrimeKEMGenerator(random);
     }
 
     @Override
     public KEM.Encapsulated engineEncapsulate(int from, int to, String algorithm)
     {
-        Objects.checkFromToIndex(from, to, engineEncapsulationSize());
+        Objects.checkFromToIndex(from, to, engineSecretSize());
         Objects.requireNonNull(algorithm, "null algorithm");
 
-        KTSParameterSpec.Builder builder = new KTSParameterSpec.Builder(parameterSpec.getKeyAlgorithmName(), parameterSpec.getKeySize());
+        // if algorithm is Generic then use parameterSpec to wrap key
+        if (!parameterSpec.getKeyAlgorithmName().equals("Generic") &&
+                algorithm.equals("Generic"))
+        {
+            algorithm = parameterSpec.getKeyAlgorithmName();
+        }
 
-        if (!algorithm.equals("Generic"))
+        // check spec algorithm mismatch provided algorithm
+        if (!parameterSpec.getKeyAlgorithmName().equals("Generic") &&
+                !parameterSpec.getKeyAlgorithmName().equals(algorithm))
         {
-            //TODO:
-//            builder.withKdfAlgorithm(AlgorithmIdentifier.getInstance(algorithm));
+            throw new UnsupportedOperationException(parameterSpec.getKeyAlgorithmName() + " does not match " + algorithm);
         }
-        KTSParameterSpec spec = builder.build();
+
+        // Only use KDF when ktsParameterSpec is provided
+        // Considering any ktsParameterSpec with "Generic" as ktsParameterSpec not provided
+        boolean wrapKey = !(parameterSpec.getKeyAlgorithmName().equals("Generic") && algorithm.equals("Generic"));
 
         SecretWithEncapsulation secEnc = kemGen.generateEncapsulated(publicKey.getKeyParams());
 
         byte[] encapsulation = secEnc.getEncapsulation();
         byte[] secret = secEnc.getSecret();
 
-        byte[] kdfKey = Arrays.copyOfRange(secret, from, to);
+        byte[] secretKey = Arrays.copyOfRange(secret, from, to);
 
-        try
+        if (wrapKey)
         {
-            return new KEM.Encapsulated(new SecretKeySpec(makeKeyBytes(spec, kdfKey), algorithm), encapsulation , null);
-        }
-        catch (InvalidKeyException e)
-        {
-            throw new RuntimeException(e);
+            try
+            {
+                KTSParameterSpec spec = parameterSpec;
+                // Generate a new ktsParameterSpec if spec is generic but algorithm is not generic
+                if (parameterSpec.getKeyAlgorithmName().equals("Generic"))
+                {
+                    spec = new KTSParameterSpec.Builder(algorithm, secretKey.length * 8).withNoKdf().build();
+                }
+
+                Wrapper kWrap = WrapUtil.getKeyWrapper(spec, secret);
+                secretKey = kWrap.wrap(secretKey, 0, secretKey.length);
+//                 secretKey = Arrays.concatenate(encapsulation, kWrap.wrap(secretKey, 0, secretKey.length));
+            }
+            catch (InvalidKeyException e)
+            {
+                throw new RuntimeException(e);
+            }
         }
+
+        return new KEM.Encapsulated(new SecretKeySpec(secretKey, algorithm), encapsulation, parameterSpec.getOtherInfo());
+
     }
 
     @Override
     public int engineSecretSize()
     {
-        return publicKey.getKeyParams().getParameters().getSessionKeySize() / 8;
+        return parameterSpec.getKeySize() / 8;
     }
 
     @Override

prov/src/main/jdk21/org/bouncycastle/pqc/jcajce/provider/ntruprime/SNTRUPrimeEncapsulatorSpi.java

@@ -1,18 +1,8 @@
 package org.bouncycastle.pqc.jcajce.provider.ntruprime;
 
-import org.bouncycastle.crypto.CryptoServicesRegistrar;
-import org.bouncycastle.crypto.SecretWithEncapsulation;
-import org.bouncycastle.crypto.Wrapper;
-import org.bouncycastle.crypto.params.KeyParameter;
 import org.bouncycastle.jcajce.spec.KTSParameterSpec;
-import org.bouncycastle.pqc.crypto.ntruprime.SNTRUPrimeKEMGenerator;
-import org.bouncycastle.pqc.jcajce.provider.util.WrapUtil;
-import org.bouncycastle.util.Arrays;
 
-import javax.crypto.IllegalBlockSizeException;
 import javax.crypto.KEMSpi;
-import javax.security.auth.DestroyFailedException;
-import java.security.AlgorithmParameters;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
 import java.security.PrivateKey;
@@ -33,8 +23,8 @@ public EncapsulatorSpi engineNewEncapsulator(PublicKey publicKey, AlgorithmParam
         }
         if (spec == null)
         {
-            // TODO: default should probably use shake.
-            spec = new KTSParameterSpec.Builder("AES-KWP", 256).build();
+            // Do not wrap key, no KDF
+            spec = new KTSParameterSpec.Builder("Generic", 256).withNoKdf().build();
         }
         if (!(spec instanceof KTSParameterSpec))
         {
@@ -56,8 +46,8 @@ public DecapsulatorSpi engineNewDecapsulator(PrivateKey privateKey, AlgorithmPar
         }
         if (spec == null)
         {
-            // TODO: default should probably use shake.
-            spec = new KTSParameterSpec.Builder("AES-KWP", 256).build();
+            // Do not unwrap key, no KDF
+            spec = new KTSParameterSpec.Builder("Generic", 256).withNoKdf().build();
         }
         if (!(spec instanceof KTSParameterSpec))
         {