added support for ML-DSA, attempted to avoid getting private key encoding.

dghgit · dghgit · commit 7324d9ad6bd8 · 2024-08-25T14:43:14.000+10:00
updated CMP test to use ML-DSA, ML-KEM.
diff --git a/pkix/src/main/java/org/bouncycastle/operator/jcajce/JcaContentSignerBuilder.java b/pkix/src/main/java/org/bouncycastle/operator/jcajce/JcaContentSignerBuilder.java
@@ -46,12 +46,15 @@
 public class JcaContentSignerBuilder
 {
     private static final Set isAlgIdFromPrivate = new HashSet();
+    private static final DefaultSignatureAlgorithmIdentifierFinder SIGNATURE_ALGORITHM_IDENTIFIER_FINDER = new DefaultSignatureAlgorithmIdentifierFinder();
 
     static
     {
         isAlgIdFromPrivate.add("DILITHIUM");
         isAlgIdFromPrivate.add("SPHINCS+");
         isAlgIdFromPrivate.add("SPHINCSPlus");
+        isAlgIdFromPrivate.add("ML-DSA");
+        isAlgIdFromPrivate.add("SLH-DSA");
     }
 
     private final String signatureAlgorithm;
@@ -130,12 +133,16 @@ public ContentSigner build(PrivateKey privateKey)
             {
                 if (isAlgIdFromPrivate.contains(Strings.toUpperCase(signatureAlgorithm)))
                 {
-                    sigAlgId = PrivateKeyInfo.getInstance(privateKey.getEncoded()).getPrivateKeyAlgorithm();
+                    this.sigAlgId = SIGNATURE_ALGORITHM_IDENTIFIER_FINDER.find(privateKey.getAlgorithm());
+                    if (this.sigAlgId == null)
+                    {
+                       this.sigAlgId = PrivateKeyInfo.getInstance(privateKey.getEncoded()).getPrivateKeyAlgorithm();
+                    }
                     this.sigAlgSpec = null;
                 }
                 else
                 {
-                    this.sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find(signatureAlgorithm);
+                    this.sigAlgId = SIGNATURE_ALGORITHM_IDENTIFIER_FINDER.find(signatureAlgorithm);
                     this.sigAlgSpec = null;
                 }
             }
diff --git a/pkix/src/test/java/org/bouncycastle/cert/cmp/test/PQCTest.java b/pkix/src/test/java/org/bouncycastle/cert/cmp/test/PQCTest.java
@@ -52,6 +52,8 @@
 import org.bouncycastle.cms.jcajce.JceCMSContentEncryptorBuilder;
 import org.bouncycastle.cms.jcajce.JceKEMEnvelopedRecipient;
 import org.bouncycastle.cms.jcajce.JceKEMRecipientInfoGenerator;
+import org.bouncycastle.jcajce.spec.MLDSAParameterSpec;
+import org.bouncycastle.jcajce.spec.MLKEMParameterSpec;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.bouncycastle.operator.ContentSigner;
 import org.bouncycastle.operator.ContentVerifierProvider;
@@ -66,9 +68,7 @@
 import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider;
 import org.bouncycastle.pqc.jcajce.spec.BIKEParameterSpec;
 import org.bouncycastle.pqc.jcajce.spec.CMCEParameterSpec;
-import org.bouncycastle.pqc.jcajce.spec.DilithiumParameterSpec;
 import org.bouncycastle.pqc.jcajce.spec.HQCParameterSpec;
-import org.bouncycastle.pqc.jcajce.spec.KyberParameterSpec;
 import org.bouncycastle.pqc.jcajce.spec.NTRUParameterSpec;
 import org.bouncycastle.util.BigIntegers;
 
@@ -86,24 +86,24 @@ public void tearDown()
 
     }
 
-    public void testKyberRequestWithDilithiumCA()
+    public void testMlKemRequestWithMlDsaCA()
         throws Exception
     {
         char[] senderMacPassword = "secret".toCharArray();
-        GeneralName sender = new GeneralName(new X500Name("CN=Kyber Subject"));
-        GeneralName recipient = new GeneralName(new X500Name("CN=Dilithium Issuer"));
+        GeneralName sender = new GeneralName(new X500Name("CN=ML-KEM Subject"));
+        GeneralName recipient = new GeneralName(new X500Name("CN=ML-DSA Issuer"));
 
-        KeyPairGenerator dilKpGen = KeyPairGenerator.getInstance("Dilithium", "BCPQC");
+        KeyPairGenerator dilKpGen = KeyPairGenerator.getInstance("ML-DSA", "BC");
 
-        dilKpGen.initialize(DilithiumParameterSpec.dilithium2);
+        dilKpGen.initialize(MLDSAParameterSpec.ml_dsa_65);
 
         KeyPair dilKp = dilKpGen.generateKeyPair();
 
-        X509CertificateHolder caCert = makeV3Certificate("CN=Dilithium Issuer", dilKp);
+        X509CertificateHolder caCert = makeV3Certificate("CN=ML-DSA Issuer", dilKp);
 
-        KeyPairGenerator kybKpGen = KeyPairGenerator.getInstance("Kyber", "BCPQC");
+        KeyPairGenerator kybKpGen = KeyPairGenerator.getInstance("ML-KEM", "BC");
 
-        kybKpGen.initialize(KyberParameterSpec.kyber512);
+        kybKpGen.initialize(MLKEMParameterSpec.ml_kem_768);
 
         KeyPair kybKp = kybKpGen.generateKeyPair();
 
@@ -140,7 +140,7 @@ public void testKyberRequestWithDilithiumCA()
         CertificateRequestMessage senderReqMessage = requestMessages.getRequests()[0];
         CertTemplate certTemplate = senderReqMessage.getCertTemplate();
 
-        X509CertificateHolder cert = makeV3Certificate(certTemplate.getPublicKey(), certTemplate.getSubject(), dilKp, "CN=Dilithium Issuer");
+        X509CertificateHolder cert = makeV3Certificate(certTemplate.getPublicKey(), certTemplate.getSubject(), dilKp, "CN=ML-DSA Issuer");
 
         // Send response with encrypted certificate
         CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator();
@@ -163,7 +163,7 @@ public void testKyberRequestWithDilithiumCA()
 
         repMessageBuilder.addCertificateResponse(certRespBuilder.build());
 
-        ContentSigner signer = new JcaContentSignerBuilder("Dilithium").setProvider("BCPQC").build(dilKp.getPrivate());
+        ContentSigner signer = new JcaContentSignerBuilder("ML-DSA").setProvider("BC").build(dilKp.getPrivate());
 
         CertificateRepMessage repMessage = repMessageBuilder.build();
 
@@ -210,7 +210,7 @@ public void testKyberRequestWithDilithiumCA()
 
         RecipientInformation recInfo = (RecipientInformation)c.iterator().next();
 
-        assertEquals(recInfo.getKeyEncryptionAlgOID(), NISTObjectIdentifiers.id_alg_ml_kem_512.getId());
+        assertEquals(recInfo.getKeyEncryptionAlgOID(), NISTObjectIdentifiers.id_alg_ml_kem_768.getId());
 
         // Note: we don't specify the provider here as we're actually using both BC and BCPQC
 
@@ -248,20 +248,20 @@ public void testKyberRequestWithDilithiumCA()
         assertTrue(recContent.getStatusMessages()[0].isVerified(receivedCert, new JcaDigestCalculatorProviderBuilder().build()));
     }
 
-    public void testNTRURequestWithDilithiumCA()
+    public void testNTRURequestWithMlDsaCA()
         throws Exception
     {
         char[] senderMacPassword = "secret".toCharArray();
         GeneralName sender = new GeneralName(new X500Name("CN=NTRU Subject"));
-        GeneralName recipient = new GeneralName(new X500Name("CN=Dilithium Issuer"));
+        GeneralName recipient = new GeneralName(new X500Name("CN=ML-DSA Issuer"));
 
-        KeyPairGenerator dilKpGen = KeyPairGenerator.getInstance("Dilithium", "BCPQC");
+        KeyPairGenerator dilKpGen = KeyPairGenerator.getInstance("ML-DSA", "BC");
 
-        dilKpGen.initialize(DilithiumParameterSpec.dilithium2);
+        dilKpGen.initialize(MLDSAParameterSpec.ml_dsa_44);
 
         KeyPair dilKp = dilKpGen.generateKeyPair();
 
-        X509CertificateHolder caCert = makeV3Certificate("CN=Dilithium Issuer", dilKp);
+        X509CertificateHolder caCert = makeV3Certificate("CN=ML-DSA Issuer", dilKp);
 
         KeyPairGenerator kybKpGen = KeyPairGenerator.getInstance("NTRU", "BCPQC");
 
@@ -302,7 +302,7 @@ public void testNTRURequestWithDilithiumCA()
         CertificateRequestMessage senderReqMessage = requestMessages.getRequests()[0];
         CertTemplate certTemplate = senderReqMessage.getCertTemplate();
 
-        X509CertificateHolder cert = makeV3Certificate(certTemplate.getPublicKey(), certTemplate.getSubject(), dilKp, "CN=Dilithium Issuer");
+        X509CertificateHolder cert = makeV3Certificate(certTemplate.getPublicKey(), certTemplate.getSubject(), dilKp, "CN=ML-DSA Issuer");
 
         // Send response with encrypted certificate
         CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator();
@@ -325,7 +325,7 @@ public void testNTRURequestWithDilithiumCA()
 
         repMessageBuilder.addCertificateResponse(certRespBuilder.build());
 
-        ContentSigner signer = new JcaContentSignerBuilder("Dilithium").setProvider("BCPQC").build(dilKp.getPrivate());
+        ContentSigner signer = new JcaContentSignerBuilder("ML-DSA").setProvider("BC").build(dilKp.getPrivate());
 
         CertificateRepMessage repMessage = repMessageBuilder.build();
 
@@ -420,20 +420,20 @@ public void testNTRURequestWithDilithiumCA()
 //        System.err.println(ASN1Dump.dumpAsString(receivedEnvelope.toASN1Structure()));
     }
 
-    public void testBIKERequestWithDilithiumCA()
+    public void testBIKERequestWithMlDsaCA()
         throws Exception
     {
         char[] senderMacPassword = "secret".toCharArray();
         GeneralName sender = new GeneralName(new X500Name("CN=Bike128 Subject"));
-        GeneralName recipient = new GeneralName(new X500Name("CN=Dilithium Issuer"));
+        GeneralName recipient = new GeneralName(new X500Name("CN=ML-DSA Issuer"));
 
-        KeyPairGenerator dilKpGen = KeyPairGenerator.getInstance("Dilithium", "BCPQC");
+        KeyPairGenerator dilKpGen = KeyPairGenerator.getInstance("ML-DSA", "BC");
 
-        dilKpGen.initialize(DilithiumParameterSpec.dilithium2);
+        dilKpGen.initialize(MLDSAParameterSpec.ml_dsa_44);
 
         KeyPair dilKp = dilKpGen.generateKeyPair();
 
-        X509CertificateHolder caCert = makeV3Certificate("CN=Dilithium Issuer", dilKp);
+        X509CertificateHolder caCert = makeV3Certificate("CN=ML-DSA Issuer", dilKp);
 
         KeyPairGenerator kybKpGen = KeyPairGenerator.getInstance("BIKE", "BCPQC");
 
@@ -474,7 +474,7 @@ public void testBIKERequestWithDilithiumCA()
         CertificateRequestMessage senderReqMessage = requestMessages.getRequests()[0];
         CertTemplate certTemplate = senderReqMessage.getCertTemplate();
 
-        X509CertificateHolder cert = makeV3Certificate(certTemplate.getPublicKey(), certTemplate.getSubject(), dilKp, "CN=Dilithium Issuer");
+        X509CertificateHolder cert = makeV3Certificate(certTemplate.getPublicKey(), certTemplate.getSubject(), dilKp, "CN=ML-DSA Issuer");
 
         // Send response with encrypted certificate
         CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator();
@@ -497,7 +497,7 @@ public void testBIKERequestWithDilithiumCA()
 
         repMessageBuilder.addCertificateResponse(certRespBuilder.build());
 
-        ContentSigner signer = new JcaContentSignerBuilder("Dilithium").setProvider("BCPQC").build(dilKp.getPrivate());
+        ContentSigner signer = new JcaContentSignerBuilder("ML-DSA").setProvider("BC").build(dilKp.getPrivate());
 
         CertificateRepMessage repMessage = repMessageBuilder.build();
 
@@ -592,20 +592,20 @@ public void testBIKERequestWithDilithiumCA()
 //        System.err.println(ASN1Dump.dumpAsString(receivedEnvelope.toASN1Structure()));
     }
 
-    public void testHQCRequestWithDilithiumCA()
+    public void testHQCRequestWithMlDsaCA()
         throws Exception
     {
         char[] senderMacPassword = "secret".toCharArray();
         GeneralName sender = new GeneralName(new X500Name("CN=HQC128 Subject"));
-        GeneralName recipient = new GeneralName(new X500Name("CN=Dilithium Issuer"));
+        GeneralName recipient = new GeneralName(new X500Name("CN=ML-DSA Issuer"));
 
-        KeyPairGenerator dilKpGen = KeyPairGenerator.getInstance("Dilithium", "BCPQC");
+        KeyPairGenerator dilKpGen = KeyPairGenerator.getInstance("ML-DSA", "BC");
 
-        dilKpGen.initialize(DilithiumParameterSpec.dilithium2);
+        dilKpGen.initialize(MLDSAParameterSpec.ml_dsa_44);
 
         KeyPair dilKp = dilKpGen.generateKeyPair();
 
-        X509CertificateHolder caCert = makeV3Certificate("CN=Dilithium Issuer", dilKp);
+        X509CertificateHolder caCert = makeV3Certificate("CN=ML-DSA Issuer", dilKp);
 
         KeyPairGenerator kybKpGen = KeyPairGenerator.getInstance("HQC", "BCPQC");
 
@@ -646,7 +646,7 @@ public void testHQCRequestWithDilithiumCA()
         CertificateRequestMessage senderReqMessage = requestMessages.getRequests()[0];
         CertTemplate certTemplate = senderReqMessage.getCertTemplate();
 
-        X509CertificateHolder cert = makeV3Certificate(certTemplate.getPublicKey(), certTemplate.getSubject(), dilKp, "CN=Dilithium Issuer");
+        X509CertificateHolder cert = makeV3Certificate(certTemplate.getPublicKey(), certTemplate.getSubject(), dilKp, "CN=ML-DSA Issuer");
 
         // Send response with encrypted certificate
         CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator();
@@ -669,7 +669,7 @@ public void testHQCRequestWithDilithiumCA()
 
         repMessageBuilder.addCertificateResponse(certRespBuilder.build());
 
-        ContentSigner signer = new JcaContentSignerBuilder("Dilithium").setProvider("BCPQC").build(dilKp.getPrivate());
+        ContentSigner signer = new JcaContentSignerBuilder("ML-DSA").setProvider("BC").build(dilKp.getPrivate());
 
         CertificateRepMessage repMessage = repMessageBuilder.build();
 
@@ -764,20 +764,20 @@ public void testHQCRequestWithDilithiumCA()
 //        System.err.println(ASN1Dump.dumpAsString(receivedEnvelope.toASN1Structure()));
     }
 
-    public void testCMCERequestWithDilithiumCA()
+    public void testCMCERequestWithMlDsaCA()
         throws Exception
     {
         char[] senderMacPassword = "secret".toCharArray();
         GeneralName sender = new GeneralName(new X500Name("CN=mceliece3488864 Subject"));
-        GeneralName recipient = new GeneralName(new X500Name("CN=Dilithium Issuer"));
+        GeneralName recipient = new GeneralName(new X500Name("CN=ML-DSA Issuer"));
 
-        KeyPairGenerator dilKpGen = KeyPairGenerator.getInstance("Dilithium", "BCPQC");
+        KeyPairGenerator dilKpGen = KeyPairGenerator.getInstance("ML-DSA", "BC");
 
-        dilKpGen.initialize(DilithiumParameterSpec.dilithium2);
+        dilKpGen.initialize(MLDSAParameterSpec.ml_dsa_44);
 
         KeyPair dilKp = dilKpGen.generateKeyPair();
 
-        X509CertificateHolder caCert = makeV3Certificate("CN=Dilithium Issuer", dilKp);
+        X509CertificateHolder caCert = makeV3Certificate("CN=ML-DSA Issuer", dilKp);
 
         KeyPairGenerator cmceKpGen = KeyPairGenerator.getInstance("CMCE", "BCPQC");
 
@@ -818,7 +818,7 @@ public void testCMCERequestWithDilithiumCA()
         CertificateRequestMessage senderReqMessage = requestMessages.getRequests()[0];
         CertTemplate certTemplate = senderReqMessage.getCertTemplate();
 
-        X509CertificateHolder cert = makeV3Certificate(certTemplate.getPublicKey(), certTemplate.getSubject(), dilKp, "CN=Dilithium Issuer");
+        X509CertificateHolder cert = makeV3Certificate(certTemplate.getPublicKey(), certTemplate.getSubject(), dilKp, "CN=ML-DSA Issuer");
 
         // Send response with encrypted certificate
         CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator();
@@ -841,7 +841,7 @@ public void testCMCERequestWithDilithiumCA()
 
         repMessageBuilder.addCertificateResponse(certRespBuilder.build());
 
-        ContentSigner signer = new JcaContentSignerBuilder("Dilithium").setProvider("BCPQC").build(dilKp.getPrivate());
+        ContentSigner signer = new JcaContentSignerBuilder("ML-DSA").setProvider("BC").build(dilKp.getPrivate());
 
         CertificateRepMessage repMessage = repMessageBuilder.build();
 
@@ -936,20 +936,20 @@ public void testCMCERequestWithDilithiumCA()
 //        System.err.println(ASN1Dump.dumpAsString(receivedEnvelope.toASN1Structure()));
     }
 
-    public void testExternalCMCERequestWithDilithiumCA()
+    public void testExternalCMCERequestWithMlDsaCA()
             throws Exception
         {
             char[] senderMacPassword = "secret".toCharArray();
             GeneralName sender = new GeneralName(new X500Name("CN=mceliece3488864 Subject"));
-            GeneralName recipient = new GeneralName(new X500Name("CN=Dilithium Issuer"));
+            GeneralName recipient = new GeneralName(new X500Name("CN=ML-DSA Issuer"));
 
-            KeyPairGenerator dilKpGen = KeyPairGenerator.getInstance("Dilithium", "BCPQC");
+            KeyPairGenerator dilKpGen = KeyPairGenerator.getInstance("ML-DSA", "BC");
 
-            dilKpGen.initialize(DilithiumParameterSpec.dilithium2);
+            dilKpGen.initialize(MLDSAParameterSpec.ml_dsa_44);
 
             KeyPair dilKp = dilKpGen.generateKeyPair();
 
-            X509CertificateHolder caCert = makeV3Certificate("CN=Dilithium Issuer", dilKp);
+            X509CertificateHolder caCert = makeV3Certificate("CN=ML-DSA Issuer", dilKp);
 
             KeyPairGenerator cmceKpGen = KeyPairGenerator.getInstance("CMCE", "BCPQC");
 
@@ -990,7 +990,7 @@ public void testExternalCMCERequestWithDilithiumCA()
             CertificateRequestMessage senderReqMessage = requestMessages.getRequests()[0];
             CertTemplate certTemplate = senderReqMessage.getCertTemplate();
 
-            X509CertificateHolder cert = makeV3Certificate(certTemplate.getPublicKey(), certTemplate.getSubject(), dilKp, "CN=Dilithium Issuer");
+            X509CertificateHolder cert = makeV3Certificate(certTemplate.getPublicKey(), certTemplate.getSubject(), dilKp, "CN=ML-DSA Issuer");
 
             // Send response with encrypted certificate
             CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator();
@@ -1013,7 +1013,7 @@ public void testExternalCMCERequestWithDilithiumCA()
 
             repMessageBuilder.addCertificateResponse(certRespBuilder.build());
 
-            ContentSigner signer = new JcaContentSignerBuilder("Dilithium").setProvider("BCPQC").build(dilKp.getPrivate());
+            ContentSigner signer = new JcaContentSignerBuilder("ML-DSA").setProvider("BC").build(dilKp.getPrivate());
 
             CertificateRepMessage repMessage = repMessageBuilder.build();
 
@@ -1124,7 +1124,7 @@ private static X509CertificateHolder makeV3Certificate(String _subDN, KeyPair is
 
         certGen.addExtension(Extension.basicConstraints, true, new BasicConstraints(0));
 
-        ContentSigner signer = new JcaContentSignerBuilder("Dilithium").build(issPriv);
+        ContentSigner signer = new JcaContentSignerBuilder("ML-DSA").build(issPriv);
 
         X509CertificateHolder certHolder = certGen.build(signer);
 
@@ -1151,7 +1151,7 @@ private static X509CertificateHolder makeV3Certificate(SubjectPublicKeyInfo pubK
 
         certGen.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
 
-        ContentSigner signer = new JcaContentSignerBuilder("Dilithium").build(issPriv);
+        ContentSigner signer = new JcaContentSignerBuilder("ML-DSA").build(issPriv);
 
         X509CertificateHolder certHolder = certGen.build(signer);
 

Original file line number	Diff line number	Diff line change
`@@ -46,12 +46,15 @@`
`46`	`46`	`public class JcaContentSignerBuilder`
`47`	`47`	`{`
`48`	`48`	`private static final Set isAlgIdFromPrivate = new HashSet();`
	`49`	`+ private static final DefaultSignatureAlgorithmIdentifierFinder SIGNATURE_ALGORITHM_IDENTIFIER_FINDER = new DefaultSignatureAlgorithmIdentifierFinder();`
`49`	`50`
`50`	`51`	`static`
`51`	`52`	`{`
`52`	`53`	`isAlgIdFromPrivate.add("DILITHIUM");`
`53`	`54`	`isAlgIdFromPrivate.add("SPHINCS+");`
`54`	`55`	`isAlgIdFromPrivate.add("SPHINCSPlus");`
	`56`	`+ isAlgIdFromPrivate.add("ML-DSA");`
	`57`	`+ isAlgIdFromPrivate.add("SLH-DSA");`
`55`	`58`	`}`
`56`	`59`
`57`	`60`	`private final String signatureAlgorithm;`
`@@ -130,12 +133,16 @@ public ContentSigner build(PrivateKey privateKey)`
`130`	`133`	`{`
`131`	`134`	`if (isAlgIdFromPrivate.contains(Strings.toUpperCase(signatureAlgorithm)))`
`132`	`135`	`{`
`133`		`- sigAlgId = PrivateKeyInfo.getInstance(privateKey.getEncoded()).getPrivateKeyAlgorithm();`
	`136`	`+ this.sigAlgId = SIGNATURE_ALGORITHM_IDENTIFIER_FINDER.find(privateKey.getAlgorithm());`
	`137`	`+ if (this.sigAlgId == null)`
	`138`	`+ {`
	`139`	`+ this.sigAlgId = PrivateKeyInfo.getInstance(privateKey.getEncoded()).getPrivateKeyAlgorithm();`
	`140`	`+ }`
`134`	`141`	`this.sigAlgSpec = null;`
`135`	`142`	`}`
`136`	`143`	`else`
`137`	`144`	`{`
`138`		`- this.sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find(signatureAlgorithm);`
	`145`	`+ this.sigAlgId = SIGNATURE_ALGORITHM_IDENTIFIER_FINDER.find(signatureAlgorithm);`
`139`	`146`	`this.sigAlgSpec = null;`
`140`	`147`	`}`
`141`	`148`	`}`