8213363: X25519 private key PKCS#8 encoding/decoding is incorrect

Fixed private key format to match spec in RFC 8410 Reviewed-by: mullan
2025-09-19 18:44:38 +02:00 · 2018-11-15 13:22:29 -05:00 · 2018-11-15 13:22:29 -05:00 · 12d64aaeba
commit 12d64aaeba
parent 52bee8fe04
3 changed files with 194 additions and 25 deletions
--- a/src/jdk.crypto.ec/share/classes/sun/security/ec/XDHPrivateKeyImpl.java
+++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/XDHPrivateKeyImpl.java
@ -25,28 +25,31 @@

 package sun.security.ec;

+import java.io.*;
 import java.security.interfaces.XECPrivateKey;
 import java.util.Optional;
-import java.security.InvalidKeyException;
-import java.security.PrivateKey;
-import java.security.spec.AlgorithmParameterSpec;
-import java.security.spec.NamedParameterSpec;
+import java.security.*;
+import java.security.spec.*;

 import sun.security.pkcs.PKCS8Key;
 import sun.security.x509.AlgorithmId;
+import sun.security.util.*;

 public final class XDHPrivateKeyImpl extends PKCS8Key implements XECPrivateKey {

    private static final long serialVersionUID = 1L;

-    private AlgorithmParameterSpec paramSpec;
+    private final AlgorithmParameterSpec paramSpec;
+    private byte[] k;

    XDHPrivateKeyImpl(XECParameters params, byte[] k)
        throws InvalidKeyException {

        this.paramSpec = new NamedParameterSpec(params.getName());
+        this.k = k.clone();
+
        this.algid = new AlgorithmId(params.getOid());
-        this.key = k.clone();
+        encodeKey();

        checkLength(params);
    }
@ -57,20 +60,40 @@ public final class XDHPrivateKeyImpl extends PKCS8Key implements XECPrivateKey {
        XECParameters params = XECParameters.get(
            InvalidKeyException::new, algid);
        paramSpec = new NamedParameterSpec(params.getName());
+        decodeKey();

        checkLength(params);
    }

+    private void decodeKey() throws InvalidKeyException {
+        try {
+            DerInputStream derStream = new DerInputStream(key);
+            k = derStream.getOctetString();
+        } catch (IOException ex) {
+            throw new InvalidKeyException(ex);
+        }
+    }
+
+    private void encodeKey() {
+        DerOutputStream derKey = new DerOutputStream();
+        try {
+            derKey.putOctetString(k);
+            this.key = derKey.toByteArray();
+        } catch (IOException ex) {
+            throw new ProviderException(ex);
+        }
+    }
+
    void checkLength(XECParameters params) throws InvalidKeyException {

-        if (params.getBytes() != this.key.length) {
+        if (params.getBytes() != this.k.length) {
            throw new InvalidKeyException(
                "key length must be " + params.getBytes());
        }
    }

    public byte[] getK() {
-        return key.clone();
+        return k.clone();
    }

    @Override
--- a/test/jdk/sun/security/ec/xec/TestXDH.java
+++ b/test/jdk/sun/security/ec/xec/TestXDH.java
@ -210,8 +210,8 @@ public class TestXDH {
            "954e472439316f118ae158b65619eecff9e6bcf51ab29add66f3fd088681e233");

        runDiffieHellmanTest(
-            "302e020100300706032b656e0500042077076d0a7318a57d3c16c17251b266" +
-            "45df4c2f87ebc0992ab177fba51db92c2a",
+            "3030020100300706032b656e05000422042077076d0a7318a57d3c16c1725" +
+            "1b26645df4c2f87ebc0992ab177fba51db92c2a",
            "302c300706032b656e0500032100de9edb7d7b7dc1b4d35b61c2ece435373f" +
            "8343c85b78674dadfc7e146f882b8f",
            "954e472439316f118ae158b65619eecff9e6bcf51ab29add66f3fd088681e233");
@ -227,8 +227,8 @@ public class TestXDH {
            "81a02a45014594332261085128959869fc0540c6b12380f51db4b41380de2c2c");

        runDiffieHellmanTest(
-            "302e020100300706032b656e0500042077076d0a7318a57d3c16c17251b266" +
-            "45df4c2f87ebc0992ab177fba51db92c2a",
+            "3030020100300706032b656e05000422042077076d0a7318a57d3c16c17251" +
+            "b26645df4c2f87ebc0992ab177fba51db92c2a",
            "302c300706032b656e0500032100FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" +
            "FFFFFFFFFFFFFFFFFFFFFFFFFFFF7F",
            "81a02a45014594332261085128959869fc0540c6b12380f51db4b41380de2c2c");
@ -245,9 +245,9 @@ public class TestXDH {
            "3660eabd54934f3382061d17607f581a90bdac917a064959fb");

        runDiffieHellmanTest(
-            "3046020100300706032B656F050004389A8F4925D1519F5775CF46B04B5800" +
-            "D4EE9EE8BAE8BC5565D498C28DD9C9BAF574A9419744897391006382A6F127" +
-            "AB1D9AC2D8C0A598726B",
+            "3048020100300706032B656F0500043A04389A8F4925D1519F5775CF46B04B" +
+            "5800D4EE9EE8BAE8BC5565D498C28DD9C9BAF574A9419744897391006382A6" +
+            "F127AB1D9AC2D8C0A598726B",
            "3044300706032B656F0500033900FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" +
            "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" +
            "FFFFFFFFFFFFFFFF",
@ -275,15 +275,15 @@ public class TestXDH {

        // encoded
        runDiffieHellmanTest(
-            "302E020100300706032B656E0500042077076D0A7318A57D3C16C17251B266" +
-            "45DF4C2F87EBC0992AB177FBA51DB92C2A",
+            "3030020100300706032B656E05000422042077076D0A7318A57D3C16C17251" +
+            "B26645DF4C2F87EBC0992AB177FBA51DB92C2A",
            "302C300706032B656E0500032100DE9EDB7D7B7DC1B4D35B61C2ECE435373F" +
            "8343C85B78674DADFC7E146F882B4F",
            "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742");

        runDiffieHellmanTest(
-            "302E020100300706032B656E050004205DAB087E624A8A4B79E17F8B83800E" +
-            "E66F3BB1292618B6FD1C2F8B27FF88E0EB",
+            "3030020100300706032B656E0500042204205DAB087E624A8A4B79E17F8B83" +
+            "800EE66F3BB1292618B6FD1C2F8B27FF88E0EB",
            "302C300706032B656E05000321008520F0098930A754748B7DDCB43EF75A0D" +
            "BF3A0D26381AF4EBA4A98EAA9B4E6A",
            "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742");
@ -310,9 +310,9 @@ public class TestXDH {

        //encoded
        runDiffieHellmanTest(
-            "3046020100300706032B656F050004389A8F4925D1519F5775CF46B04B5800" +
-            "D4EE9EE8BAE8BC5565D498C28DD9C9BAF574A9419744897391006382A6F127" +
-            "AB1D9AC2D8C0A598726B",
+            "3048020100300706032B656F0500043A04389A8F4925D1519F5775CF46B04B" +
+            "5800D4EE9EE8BAE8BC5565D498C28DD9C9BAF574A9419744897391006382A6" +
+            "F127AB1D9AC2D8C0A598726B",
            "3044300706032B656F05000339003EB7A829B0CD20F5BCFC0B599B6FECCF6D" +
            "A4627107BDB0D4F345B43027D8B972FC3E34FB4232A13CA706DCB57AEC3DAE" +
            "07BDC1C67BF33609",
@ -320,9 +320,9 @@ public class TestXDH {
            "56fd2464c335543936521c24403085d59a449a5037514a879d");

        runDiffieHellmanTest(
-            "3046020100300706032B656F050004381C306A7AC2A0E2E0990B294470CBA3" +
-            "39E6453772B075811D8FAD0D1D6927C120BB5EE8972B0D3E21374C9C921B09" +
-            "D1B0366F10B65173992D",
+            "3048020100300706032B656F0500043A04381C306A7AC2A0E2E0990B294470" +
+            "CBA339E6453772B075811D8FAD0D1D6927C120BB5EE8972B0D3E21374C9C92" +
+            "1B09D1B0366F10B65173992D",
            "3044300706032B656F05000339009B08F7CC31B7E3E67D22D5AEA121074A27" +
            "3BD2B83DE09C63FAA73D2C22C5D9BBC836647241D953D40C5B12DA88120D53" +
            "177F80E532C41FA0",
--- a/test/jdk/sun/security/ec/xec/XECKeyFormat.java
+++ b/test/jdk/sun/security/ec/xec/XECKeyFormat.java
@ -0,0 +1,146 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8213363
+ * @summary Check for correct formatting of X25519/X448 private keys
+ * @library /test/lib
+ * @build jdk.test.lib.Convert
+ * @modules java.base/sun.security.util
+ * @run main XECKeyFormat
+ */
+
+import java.security.*;
+import java.security.spec.*;
+import java.security.interfaces.*;
+import java.io.*;
+import java.nio.file.*;
+import java.math.*;
+import java.util.*;
+
+import jdk.test.lib.Convert;
+
+import sun.security.util.*;
+
+public class XECKeyFormat {
+
+    private interface Test {
+        public void runTest(Provider p) throws Exception;
+    }
+
+    private static void forEachProvider(Test t, String algName)
+        throws Exception {
+
+        int tested = 0;
+        for (Provider p : Security.getProviders()) {
+            Provider.Service s = p.getService("KeyPairGenerator", algName);
+            if (s != null) {
+                t.runTest(p);
+                tested++;
+            }
+        }
+        if (tested == 0) {
+            throw new RuntimeException("no service found for " + algName);
+        }
+    }
+
+    private static Map<String, String> privKeys = Map.of(
+        "X25519",
+        "302e020100300506032b656e0422042010fdf8358b9cda51eb98d2479fb092a80639" +
+        "bf31c5e7c5ba5000387fbf9c6678",
+        "X448",
+        "3046020100300506032b656f043a043880998f387e05852d217c1d715b177c24aa7b" +
+        "f3f4c3a72223f4983597b9ab2ed4793c30d871c24388b380d80bb36d963f5c276219" +
+        "b0677fed"
+    );
+
+    private static List<String> pubKeys = List.of(
+        "302a300506032b656e03210019bf44096984cdfe8541bac167dc3b96c85086aa30b6" +
+        "b6cb0c5c38ad703166e1"
+    );
+
+    public static void main(String[] args) throws Exception {
+        privKeyTest("X25519");
+        privKeyTest("X448");
+        pubKeyTest();
+    }
+
+    private static void pubKeyTest() throws Exception {
+        forEachProvider(XECKeyFormat::pubKeyTest, "XDH");
+    }
+
+    private static void pubKeyTest(Provider p) throws Exception {
+        for (String s : pubKeys) {
+            pubKeyTest(p, s);
+        }
+    }
+
+    private static void pubKeyTest(Provider p, String key) throws Exception {
+        // ensure that a properly-formatted key can be read
+        byte[] encodedKey = Convert.hexStringToByteArray(key);
+        X509EncodedKeySpec keySpec = new X509EncodedKeySpec(encodedKey);
+        KeyFactory kf = KeyFactory.getInstance("XDH", p);
+        kf.generatePublic(keySpec);
+    }
+
+    private static void privKeyTest(String algName) throws Exception {
+
+        forEachProvider(p -> privKeyTest(algName, p), algName);
+    }
+
+    private static void privKeyTest(String algName, Provider p)
+        throws Exception {
+
+        System.out.println("Testing " + algName + " in " + p.getName());
+
+        // ensure format produced is correct
+        KeyPairGenerator kpg = KeyPairGenerator.getInstance(algName, p);
+        KeyPair kp = kpg.generateKeyPair();
+        PrivateKey priv = kp.getPrivate();
+        checkPrivKeyFormat(priv.getEncoded());
+        KeyFactory kf = KeyFactory.getInstance(algName, p);
+        PKCS8EncodedKeySpec keySpec =
+            kf.getKeySpec(priv, PKCS8EncodedKeySpec.class);
+        checkPrivKeyFormat(keySpec.getEncoded());
+
+        // ensure that a properly-formatted key can be read
+        byte[] encodedKey = Convert.hexStringToByteArray(privKeys.get(algName));
+        keySpec = new PKCS8EncodedKeySpec(encodedKey);
+        kf.generatePrivate(keySpec);
+    }
+
+    private static void checkPrivKeyFormat(byte[] key) throws IOException {
+        // key value should be nested octet strings
+        DerValue val = new DerValue(new ByteArrayInputStream(key));
+        BigInteger version = val.data.getBigInteger();
+        DerValue algId = val.data.getDerValue();
+        byte[] keyValue = val.data.getOctetString();
+        val = new DerValue(new ByteArrayInputStream(keyValue));
+        if (val.tag != DerValue.tag_OctetString) {
+            throw new RuntimeException("incorrect format");
+        }
+    }
+}
+
+