Fixed SNTRUPrime KEMSpi for jdk21, added more tests

Author: royb

prov/src/main/jdk21/org/bouncycastle/pqc/jcajce/provider/Util.java

@@ -0,0 +1,85 @@
+package org.bouncycastle.pqc.jcajce.provider;
+
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
+import org.bouncycastle.crypto.DerivationFunction;
+import org.bouncycastle.crypto.Digest;
+import org.bouncycastle.crypto.Xof;
+import org.bouncycastle.crypto.agreement.kdf.ConcatenationKDFGenerator;
+import org.bouncycastle.crypto.digests.SHA256Digest;
+import org.bouncycastle.crypto.digests.SHA512Digest;
+import org.bouncycastle.crypto.digests.SHAKEDigest;
+import org.bouncycastle.crypto.generators.KDF2BytesGenerator;
+import org.bouncycastle.crypto.params.KDFParameters;
+import org.bouncycastle.jcajce.spec.KTSParameterSpec;
+
+import java.security.InvalidKeyException;
+
+public class Util
+{
+    public static byte[] makeKeyBytes(KTSParameterSpec ktsSpec, byte[] secret)
+            throws InvalidKeyException
+    {
+        AlgorithmIdentifier kdfAlgorithm = ktsSpec.getKdfAlgorithm();
+        byte[] otherInfo = ktsSpec.getOtherInfo();
+        byte[] keyBytes = new byte[(ktsSpec.getKeySize() + 7) / 8];
+
+        if (X9ObjectIdentifiers.id_kdf_kdf2.equals(kdfAlgorithm.getAlgorithm()))
+        {
+            AlgorithmIdentifier digAlg = AlgorithmIdentifier.getInstance(kdfAlgorithm.getParameters());
+            DerivationFunction kdf = new KDF2BytesGenerator(getDigest(digAlg.getAlgorithm()));
+
+            kdf.init(new KDFParameters(secret, otherInfo));
+
+            kdf.generateBytes(keyBytes, 0, keyBytes.length);
+        }
+        else if (X9ObjectIdentifiers.id_kdf_kdf3.equals(kdfAlgorithm.getAlgorithm()))
+        {
+            AlgorithmIdentifier digAlg = AlgorithmIdentifier.getInstance(kdfAlgorithm.getParameters());
+            DerivationFunction kdf = new ConcatenationKDFGenerator(getDigest(digAlg.getAlgorithm()));
+
+            kdf.init(new KDFParameters(secret, otherInfo));
+
+            kdf.generateBytes(keyBytes, 0, keyBytes.length);
+        }
+        else if (NISTObjectIdentifiers.id_shake256.equals(kdfAlgorithm.getAlgorithm()))
+        {
+            Xof xof = new SHAKEDigest(256);
+
+            xof.update(secret, 0, secret.length);
+            xof.update(otherInfo, 0, otherInfo.length);
+
+            xof.doFinal(keyBytes, 0, keyBytes.length);
+        }
+        else
+        {
+            throw new InvalidKeyException("Unrecognized KDF: " + kdfAlgorithm.getAlgorithm());
+        }
+
+        return keyBytes;
+    }
+
+    static Digest getDigest(ASN1ObjectIdentifier oid)
+    {
+        if (oid.equals(NISTObjectIdentifiers.id_sha256))
+        {
+            return new SHA256Digest();
+        }
+        if (oid.equals(NISTObjectIdentifiers.id_sha512))
+        {
+            return new SHA512Digest();
+        }
+        if (oid.equals(NISTObjectIdentifiers.id_shake128))
+        {
+            return new SHAKEDigest(128);
+        }
+        if (oid.equals(NISTObjectIdentifiers.id_shake256))
+        {
+            return new SHAKEDigest(256);
+        }
+
+        throw new IllegalArgumentException("unrecognized digest OID: " + oid);
+    }
+}

prov/src/main/jdk21/org/bouncycastle/pqc/jcajce/provider/ntruprime/SNTRUPrimeDecapsulatorSpi.java

@@ -1,10 +1,8 @@
 package org.bouncycastle.pqc.jcajce.provider.ntruprime;
 
-import org.bouncycastle.crypto.InvalidCipherTextException;
-import org.bouncycastle.crypto.Wrapper;
 import org.bouncycastle.jcajce.spec.KTSParameterSpec;
 import org.bouncycastle.pqc.crypto.ntruprime.SNTRUPrimeKEMExtractor;
-import org.bouncycastle.pqc.jcajce.provider.util.WrapUtil;
+import org.bouncycastle.pqc.jcajce.provider.Util;
 import org.bouncycastle.util.Arrays;
 
 import javax.crypto.DecapsulateException;
@@ -58,36 +56,23 @@ public SecretKey engineDecapsulate(byte[] encapsulation, int from, int to, Strin
 
         // Only use KDF when ktsParameterSpec is provided
         // Considering any ktsParameterSpec with "Generic" as ktsParameterSpec not provided
-        boolean wrapKey = !(parameterSpec.getKeyAlgorithmName().equals("Generic") && algorithm.equals("Generic"));
+        boolean useKDF = parameterSpec.getKdfAlgorithm() != null;
 
         byte[] secret = kemExt.extractSecret(encapsulation);
-        byte[] secretKey = Arrays.copyOfRange(secret, from, to);
 
-        if (wrapKey)
+        if (useKDF)
         {
             try
             {
-                KTSParameterSpec spec = parameterSpec;
-                // Generate a new ktsParameterSpec if spec is generic but algorithm is not generic
-                if (parameterSpec.getKeyAlgorithmName().equals("Generic"))
-                {
-                    spec = new KTSParameterSpec.Builder(algorithm, secretKey.length * 8).withNoKdf().build();
-                }
-
-                Wrapper kWrap = WrapUtil.getKeyUnwrapper(spec, secretKey);
-                secretKey = kWrap.unwrap(secretKey, 0, secretKey.length);
-
-            }
-            catch (InvalidCipherTextException e)
-            {
-                throw new RuntimeException(e);
+                secret = Util.makeKeyBytes(parameterSpec, secret);
             }
             catch (InvalidKeyException e)
             {
                 throw new RuntimeException(e);
             }
-
         }
+        byte[] secretKey = Arrays.copyOfRange(secret, from, to);
+
         return new SecretKeySpec(secretKey, algorithm);
     }
 

prov/src/main/jdk21/org/bouncycastle/pqc/jcajce/provider/ntruprime/SNTRUPrimeEncapsulatorSpi.java

@@ -1,10 +1,9 @@
 package org.bouncycastle.pqc.jcajce.provider.ntruprime;
 
 import org.bouncycastle.crypto.SecretWithEncapsulation;
-import org.bouncycastle.crypto.Wrapper;
 import org.bouncycastle.jcajce.spec.KTSParameterSpec;
 import org.bouncycastle.pqc.crypto.ntruprime.SNTRUPrimeKEMGenerator;
-import org.bouncycastle.pqc.jcajce.provider.util.WrapUtil;
+import org.bouncycastle.pqc.jcajce.provider.Util;
 import org.bouncycastle.util.Arrays;
 
 import javax.crypto.KEM;
@@ -52,36 +51,29 @@ public KEM.Encapsulated engineEncapsulate(int from, int to, String algorithm)
 
         // Only use KDF when ktsParameterSpec is provided
         // Considering any ktsParameterSpec with "Generic" as ktsParameterSpec not provided
-        boolean wrapKey = !(parameterSpec.getKeyAlgorithmName().equals("Generic") && algorithm.equals("Generic"));
+        boolean useKDF = parameterSpec.getKdfAlgorithm() != null;
 
         SecretWithEncapsulation secEnc = kemGen.generateEncapsulated(publicKey.getKeyParams());
 
         byte[] encapsulation = secEnc.getEncapsulation();
         byte[] secret = secEnc.getSecret();
 
-        byte[] secretKey = Arrays.copyOfRange(secret, from, to);
+        byte[] secretKey;
 
-        if (wrapKey)
+        if (useKDF)
         {
             try
             {
-                KTSParameterSpec spec = parameterSpec;
-                // Generate a new ktsParameterSpec if spec is generic but algorithm is not generic
-                if (parameterSpec.getKeyAlgorithmName().equals("Generic"))
-                {
-                    spec = new KTSParameterSpec.Builder(algorithm, secretKey.length * 8).withNoKdf().build();
-                }
-
-                Wrapper kWrap = WrapUtil.getKeyWrapper(spec, secret);
-                secretKey = kWrap.wrap(secretKey, 0, secretKey.length);
-//                 secretKey = Arrays.concatenate(encapsulation, kWrap.wrap(secretKey, 0, secretKey.length));
+                secret = Util.makeKeyBytes(parameterSpec, secret);
             }
             catch (InvalidKeyException e)
             {
                 throw new RuntimeException(e);
             }
         }
 
+        secretKey = Arrays.copyOfRange(secret, from, to);
+
         return new KEM.Encapsulated(new SecretKeySpec(secretKey, algorithm), encapsulation, parameterSpec.getOtherInfo());
 
     }