Updated X9.146 with latests wolfssl and cleaned up testing / interopting

Author: royb

tls/src/main/java/org/bouncycastle/tls/HandshakeMessageOutput.java

@@ -37,12 +37,6 @@ static void send(TlsProtocol protocol, short handshakeType, byte[] body)
 
     void send(TlsProtocol protocol) throws IOException
     {
-        {
-            String isServer = protocol.getContext().isServer() ? "Server" : "Client";
-            short type = TlsUtils.readUint8(buf, 0);
-            System.out.println(isServer + "_send_" + HandshakeType.getName(type));
-        }
-
         // Patch actual length back in
         int bodyLength = count - 4;
         TlsUtils.checkUint24(bodyLength);

tls/src/main/java/org/bouncycastle/tls/SignatureAndHashAlgorithm.java

@@ -102,6 +102,10 @@ public static SignatureAndHashAlgorithm getHybrid(SignatureAndHashAlgorithm nati
         {
             return SignatureAndHashAlgorithm.WOLFSSL_HYBRID_P521_MLDSA_LEVEL5;
         }
+        if (nativeAlg.equals(create(SignatureScheme.rsa_pss_rsae_sha256)) && altAlg.equals(SignatureAndHashAlgorithm.DRAFT_mldsa44))
+        {
+            return SignatureAndHashAlgorithm.WOLFSSL_HYBRID_RSA3072_MLDSA_LEVEL2;
+        }
         return null;
     }
     public static SignatureAndHashAlgorithm getInstance(short hashAlgorithm, short signatureAlgorithm)

tls/src/main/java/org/bouncycastle/tls/TlsClientProtocol.java

@@ -1622,12 +1622,14 @@ protected void receive13ServerCertificateVerify(ByteArrayInputStream buf)
         // check server extension if alternative algorithm is supported or not
         // if supported and hybrid scheme was not sent throw an error
 
-        short serverCKS = TlsExtensionsUtils.getCertificationKeySelection(serverExtensions);
-        short clientCKS = TlsExtensionsUtils.getCertificationKeySelection(clientExtensions);
+        short cksCode = TlsUtils.getCommonCKS(
+                TlsExtensionsUtils.getCertificationKeySelection(clientExtensions),
+                TlsExtensionsUtils.getCertificationKeySelection(serverExtensions)
+        );
 
         // TODO: Throw error if server cks != client cks (check if native == default)
 
-        TlsUtils.verify13CertificateVerifyServer(tlsClientContext, handshakeHash, certificateVerify, clientCKS);
+        TlsUtils.verify13CertificateVerifyServer(tlsClientContext, handshakeHash, certificateVerify, cksCode);
 
         //TODO[x9.146]: new extension, need more testing/publishing
 //        HybridSchemeSignature hybridSchemeSignature = TlsExtensionsUtils.getHybridSchemeSignature(serverExtensions);

tls/src/main/java/org/bouncycastle/tls/TlsExtensionsUtils.java

@@ -545,10 +545,10 @@ public static Vector getTrustedCAKeysExtensionClient(Hashtable extensions)
         return extensionData == null ? null : readTrustedCAKeysExtensionClient(extensionData);
     }
 
-    public static short getCertificationKeySelection(Hashtable extensions) throws IOException
+    public static short[] getCertificationKeySelection(Hashtable extensions) throws IOException
     {
         byte[] cksCodeData = TlsUtils.getExtensionData(extensions, EXT_certificate_key_selection);
-        return cksCodeData == null ? 0 : readCertificationKeySelection(cksCodeData);
+        return cksCodeData == null ? new short[]{0} : readCertificationKeySelection(cksCodeData);
     }
 
     //TODO[x9.146]: new extension, need more testing/publishing
@@ -1625,14 +1625,20 @@ public static boolean readTrustedCAKeysExtensionServer(byte[] extensionData) thr
         return readEmptyExtensionData(extensionData);
     }
 
-    public static short readCertificationKeySelection(byte[] cksCodeData) throws IOException
+    public static short[] readCertificationKeySelection(byte[] cksCodeData) throws IOException
     {
         if (cksCodeData == null)
         {
             throw new IllegalArgumentException("'cksCodeData' cannot be null");
         }
 
-        return TlsUtils.readUint8(cksCodeData, 0);
+        short[] cksCodeList = new short[cksCodeData.length];
+        for (int i = 0; i < cksCodeData.length; i++)
+        {
+            cksCodeList[i] = cksCodeData[i];
+        }
+
+        return cksCodeList;
     }
 
     public static int[] readHybridSchemeList(byte[] extensionData) throws IOException

tls/src/main/java/org/bouncycastle/tls/TlsProtocol.java

@@ -946,10 +946,6 @@ protected boolean safeReadFullRecord(byte[] input, int inputOff, int inputLen)
     protected void safeWriteRecord(short type, byte[] buf, int offset, int len)
         throws IOException
     {
-
-        {
-            System.out.println("safeWrite_" + HandshakeType.getName(type) + " : " + Hex.toHexString(buf, offset, len));
-        }
         try
         {
             recordStream.writeRecord(type, buf, offset, len);
@@ -1113,12 +1109,6 @@ void writeHandshakeMessage(byte[] buf, int off, int len) throws IOException
 
         short type = TlsUtils.readUint8(buf, off);
 
-
-        {
-//TODO: delete
-//            System.out.println(getContext().isServer()+"Type: " + ExtensionType.getName(type) + " : " + Hex.toHexString(buf, off, len));
-        }
-
         switch (type)
         {
         /*

tls/src/main/java/org/bouncycastle/tls/TlsServerProtocol.java

@@ -427,7 +427,7 @@ else if (NamedGroup.refersToASpecificKem(namedGroup))
         TlsUtils.establish13PhaseSecrets(tlsServerContext, pskEarlySecret, sharedSecret);
 
         // X9.146 Add CKS extension to serverHelloExt
-        short cksCode = TlsExtensionsUtils.getCertificationKeySelection(clientHelloExtensions);
+        short[] cksCode = TlsExtensionsUtils.getCertificationKeySelection(clientHelloExtensions);
         //TODO[x9147]: This throws an error for wolfssl client!
 //        if (cksCode != 0)
 //        {
@@ -1591,7 +1591,11 @@ protected void send13ServerHelloCoda(ServerHello serverHello, boolean afterHello
     {
         final SecurityParameters securityParameters = tlsServerContext.getSecurityParametersHandshake();
         // TODO[x9.146]: should ckscode be stored in securityParameters or somewhere else?
-        short cksCode = TlsExtensionsUtils.getCertificationKeySelection(clientExtensions);
+        short cksCode = TlsUtils.getCommonCKS(
+                TlsExtensionsUtils.getCertificationKeySelection(clientExtensions),
+                TlsExtensionsUtils.getCertificationKeySelection(serverExtensions)
+        );
+
         securityParameters.cksCode = cksCode;
 
         byte[] serverHelloTranscriptHash = TlsUtils.getCurrentPRFHash(handshakeHash);
@@ -1646,17 +1650,11 @@ protected void send13ServerHelloCoda(ServerHello serverHello, boolean afterHello
                  * extension instead.
                  */
 
-
                 Certificate serverCertificate = serverCredentials.getCertificate();
                 send13CertificateMessage(serverCertificate);
-                //TODO: When generating the hybridSchemeSignature, do we use the prf Hash of the certificateMessage???
-                System.out.println(this.connection_state + ": " + Hex.toHexString(TlsUtils.getCurrentPRFHash(handshakeHash)));
-
 
                 securityParameters.tlsServerEndPoint = null;
                 this.connection_state = CS_SERVER_CERTIFICATE;
-                System.out.println(this.connection_state + ": " + Hex.toHexString(TlsUtils.getCurrentPRFHash(handshakeHash)));
-
             }
 
             // CertificateVerify
@@ -1672,9 +1670,6 @@ protected void send13ServerHelloCoda(ServerHello serverHello, boolean afterHello
                 //TODO[x9.146]: How do we select which cksCode to use if multiple is sent?
                 // (find first mutual cksCode supported by both client and server?)
 
-                //HERE
-//                System.out.println(this.connection_state + ": " + Hex.toHexString(TlsUtils.getCurrentPRFHash(handshakeHash)));
-
                 //TODO[x9.146]: new extension, need more testing/publishing
 //                HybridSchemeSignature hybridSchemeSignature = TlsUtils.generateHybridSchemeSignature(tlsServerContext, serverCredentials, handshakeHash);
 //                TlsExtensionsUtils.addHybridSchemeSignature(serverExtensions, hybridSchemeSignature);

tls/src/main/java/org/bouncycastle/tls/TlsUtils.java

@@ -2558,10 +2558,6 @@ private static byte[] generate13CertificateVerify(TlsCrypto crypto, TlsCredentia
 
             byte[] header = getCertificateVerifyHeader(contextString);
             byte[] prfHash = getCurrentPRFHash(handshakeHash);
-            System.out.println("In Generate");
-            System.out.println("header: " + Hex.toHexString(header));
-            System.out.println("prfHash: " + Hex.toHexString(prfHash));
-
 
             if (null != streamSigner)
             {
@@ -2792,12 +2788,8 @@ private static void verify13CertificateVerify(Vector supportedAlgorithms, String
             {
                 Tls13Verifier verifier = certificate.createVerifier(signatureScheme);
 
-
                 byte[] header = getCertificateVerifyHeader(contextString);
-                System.out.println("header: " + Hex.toHexString(header));
-
                 byte[] prfHash = getCurrentPRFHash(handshakeHash);
-                System.out.println("prfHash: " + Hex.toHexString(prfHash));
 
                 OutputStream output = verifier.getOutputStream();
                 output.write(header, 0, header.length);
@@ -2811,13 +2803,7 @@ private static void verify13CertificateVerify(Vector supportedAlgorithms, String
                 Tls13Verifier altVerifier = certificate.createAltVerifier(signatureScheme);
 
                 byte[] header = getCertificateVerifyHeader(contextString);
-                System.out.println("header: " + Hex.toHexString(header));
-
                 byte[] prfHash = getCurrentPRFHash(handshakeHash);
-                System.out.println("prfHash: " + Hex.toHexString(prfHash));
-
-                System.out.println("nativeSignature: " + Hex.toHexString(nativeSignature));
-                System.out.println("altSignature: " + Hex.toHexString(altSignature));
 
                 OutputStream output = altVerifier.getOutputStream();
                 output.write(header, 0, header.length);
@@ -2981,6 +2967,25 @@ public static Vector vectorOfOne(Object obj)
         return v;
     }
 
+    public static short getCommonCKS(short[] clientCKS, short[] serverCKS)
+    {
+        if (clientCKS == null || serverCKS == null)
+        {
+            return 0;
+        }
+        for (short client : clientCKS)
+        {
+            for (short server : serverCKS)
+            {
+                if (client == server)
+                {
+                    return client;
+                }
+            }
+        }
+        return 0;
+    }
+
     public static int getCipherType(int cipherSuite)
     {
         int encryptionAlgorithm = getEncryptionAlgorithm(cipherSuite);
@@ -5188,7 +5193,11 @@ static void processServerCertificate(TlsClientContext clientContext,
     {
         SecurityParameters securityParameters = clientContext.getSecurityParametersHandshake();
         boolean isTLSv13 = isTLSv13(securityParameters.getNegotiatedVersion());
-        short cksCode = TlsExtensionsUtils.getCertificationKeySelection(clientExtensions);
+        short cksCode = TlsUtils.getCommonCKS(
+                TlsExtensionsUtils.getCertificationKeySelection(clientExtensions),
+                TlsExtensionsUtils.getCertificationKeySelection(serverExtensions)
+        );
+
         boolean usingAltCerts = cksCode > 1;
 
         if (null == clientAuthentication)

tls/src/main/java/org/bouncycastle/tls/crypto/impl/bc/BcTlsRawKeyCertificate.java

@@ -262,63 +262,26 @@ public Tls13Verifier createAltVerifier(SubjectPublicKeyInfo keyInfo, int signatu
 
                 return new BcTls13PQVerifier(verifier);
             }
-//            case SignatureScheme.dilithiumr3_2:
-//            case SignatureScheme.dilithiumr3_3:
-//            case SignatureScheme.dilithiumr3_5:
-//            {
-//                DilithiumSigner verifier = new DilithiumSigner();
-//                DilithiumPublicKeyParameters pubKey = getPubKeyDilithium(keyInfo);
-//                verifier.init(false, getPubKeyDilithium(keyInfo));
-//
-//                return new BcTls13PQVerifier(verifier);
-//            }
             case SignatureScheme.OQS_CODEPOINT_P256_MLDSA44:
+            case SignatureScheme.OQS_CODEPOINT_RSA3072_MLDSA44:
             case SignatureScheme.WOLFSSL_HYBRID_P256_MLDSA_LEVEL2:
             case SignatureScheme.WOLFSSL_HYBRID_RSA3072_MLDSA_LEVEL2:
             case SignatureScheme.mldsa44_ecdsa_secp256r1_sha256:
             case SignatureScheme.mldsa65_ecdsa_secp384r1_sha384:
             case SignatureScheme.mldsa44_ed25519:
-//            case SignatureScheme.mldsa44_rsa2048_pkcs1_sha256:
-//            case SignatureScheme.mldsa44_rsa2048_pss_pss_sha256:
+            case SignatureScheme.mldsa44_rsa2048_pkcs1_sha256:
+            case SignatureScheme.mldsa44_rsa2048_pss_pss_sha256:
                 return createAltVerifier(SignatureScheme.DRAFT_mldsa44);
             case SignatureScheme.mldsa65_ed25519:
             case SignatureScheme.WOLFSSL_HYBRID_P384_MLDSA_LEVEL3:
             case SignatureScheme.OQS_CODEPOINT_P384_MLDSA65:
-//            case SignatureScheme.mldsa65_rsa3072_pkcs1_sha256:
-//            case SignatureScheme.mldsa65_rsa4096_pkcs1_sha384:
-//            case SignatureScheme.mldsa65_rsa3072_pss_pss_sha256:
-//            case SignatureScheme.mldsa65_rsa4096_pss_pss_sha384:
                 return createAltVerifier(SignatureScheme.DRAFT_mldsa65);
             case SignatureScheme.OQS_CODEPOINT_P521_MLDSA87:
             case SignatureScheme.WOLFSSL_HYBRID_P521_MLDSA_LEVEL5:
             case SignatureScheme.mldsa87_ecdsa_secp521r1_sha51:
             case SignatureScheme.mldsa87_ed448:
                 return createAltVerifier(SignatureScheme.DRAFT_mldsa87);
 
-//            case SignatureScheme.X9146_falcon512:
-//            case SignatureScheme.X9146_falcon1024:
-//            {
-//                FalconSigner verifier = new FalconSigner();
-//                FalconPublicKeyParameters pubKey = getPubKeyFalcon(keyInfo);
-//                verifier.init(false, getPubKeyFalcon(keyInfo));
-//
-//                return new BcTls13PQVerifier(verifier);
-//            }
-            //TODO[x9146]: alt will always be pqc
-//            case SignatureScheme.OQS_P256_MLDSA44:
-//            case SignatureScheme.OQS_RSA3072_MLDSA44:
-//                return createAltVerifier(keyInfo, SignatureScheme.DRAFT_mldsa44);
-//            case SignatureScheme.OQS_P384_MLDSA65:
-//                return createAltVerifier(keyInfo, SignatureScheme.DRAFT_mldsa65);
-//            case SignatureScheme.OQS_P521_MLDSA87:
-//                return createAltVerifier(keyInfo, SignatureScheme.DRAFT_mldsa87);
-//            case SignatureScheme.X9146_HYBRID_P256_falcon512:
-//            case SignatureScheme.X9146_HYBRID_RSA3072_falcon512:
-//                return createAltVerifier(keyInfo, SignatureScheme.X9146_falcon512);
-//            case SignatureScheme.X9146_HYBRID_P521_falcon1024:
-//                return createAltVerifier(keyInfo, SignatureScheme.X9146_falcon1024);
-
-
             // TODO[RFC 8998]
 //        case SignatureScheme.sm2sig_sm3:
 //        {
@@ -469,6 +432,9 @@ public Tls13Verifier createVerifier(int signatureScheme) throws IOException
         case SignatureScheme.OQS_CODEPOINT_P521_MLDSA87:
         case SignatureScheme.WOLFSSL_HYBRID_P521_MLDSA_LEVEL5:
             return createVerifier(SignatureScheme.ecdsa_secp521r1_sha512);
+        case SignatureScheme.OQS_CODEPOINT_RSA3072_MLDSA44:
+        case SignatureScheme.WOLFSSL_HYBRID_RSA3072_MLDSA_LEVEL2:
+            return createVerifier(SignatureScheme.rsa_pss_rsae_sha256);
 
         case SignatureScheme.mldsa44_ecdsa_secp256r1_sha256:
             return createVerifier(SignatureScheme.ecdsa_secp256r1_sha256);
@@ -481,27 +447,6 @@ public Tls13Verifier createVerifier(int signatureScheme) throws IOException
             return createVerifier(SignatureScheme.ed25519);
         case SignatureScheme.mldsa87_ed448:
             return createVerifier(SignatureScheme.ed448);
-        //TODO[x9146]: add corresponding rsa verifier
-//        case SignatureScheme.mldsa44_rsa2048_pkcs1_sha256:
-//        case SignatureScheme.mldsa44_rsa2048_pss_pss_sha256:
-//        case SignatureScheme.mldsa65_rsa3072_pkcs1_sha256:
-//        case SignatureScheme.mldsa65_rsa4096_pkcs1_sha384:
-//        case SignatureScheme.mldsa65_rsa3072_pss_pss_sha256:
-//        case SignatureScheme.mldsa65_rsa4096_pss_pss_sha384:
-
-            //TODO[x9146]: nonalt will always be native
-//        case SignatureScheme.OQS_P256_MLDSA44:
-//        case SignatureScheme.X9146_HYBRID_P256_falcon512:
-//            return createVerifier(SignatureScheme.ecdsa_secp256r1_sha256);
-//        case SignatureScheme.OQS_P384_MLDSA65:
-//            return createVerifier(SignatureScheme.ecdsa_secp384r1_sha384);
-//        case SignatureScheme.OQS_P521_MLDSA87:
-//        case SignatureScheme.X9146_HYBRID_P521_falcon1024:
-//            return createVerifier(SignatureScheme.ecdsa_secp521r1_sha512);
-//        case SignatureScheme.OQS_RSA3072_MLDSA44:
-//        case SignatureScheme.X9146_HYBRID_RSA3072_falcon512:
-//            return createVerifier(SignatureScheme.rsa_pss_pss_sha256);
-
         default:
             throw new TlsFatalAlert(AlertDescription.internal_error);
         }
@@ -684,23 +629,6 @@ public Ed448PublicKeyParameters getPubKeyEd448() throws IOException
         return getPubKeyEd448(this.keyInfo);
     }
 
-    private DilithiumPublicKeyParameters getPubKeyDilithium(SubjectPublicKeyInfo keyInfo) throws IOException
-    {
-        try
-        {
-            return (DilithiumPublicKeyParameters) getPQCPublicKey(keyInfo);
-        }
-        catch (ClassCastException e)
-        {
-            throw new TlsFatalAlert(AlertDescription.certificate_unknown, e);
-        }
-    }
-
-    public DilithiumPublicKeyParameters getPubKeyDilithium() throws IOException
-    {
-        return getPubKeyDilithium(this.keyInfo);
-    }
-
     public MLDSAPublicKeyParameters getPubKeyMLDSA(SubjectPublicKeyInfo keyInfo) throws IOException
     {
         try