HQC: Add missing mappings, fix OID mappings

- unify HQC mappings using SpiUtil
- restrict keys by parameter set where appropriate

Author: peterdettman

core/src/main/java/org/bouncycastle/pqc/crypto/hqc/HQCEngine.java

@@ -30,9 +30,10 @@ class HQCEngine
     private final int pkSize;
     private final GF2PolynomialCalculator gf;
     private final long rejectionThreshold;
+    private final int cipherTextBytes;
 
-    public HQCEngine(int n, int n1, int n2, int k, int g, int delta, int w, int wr,
-                     int fft, int nmu, int pkSize, int[] generatorPoly)
+    HQCEngine(int n, int n1, int n2, int k, int g, int delta, int w, int wr, int fft, int nmu, int pkSize,
+        int[] generatorPoly)
     {
         this.n = n;
         this.k = k;
@@ -54,6 +55,12 @@ public HQCEngine(int n, int n1, int n2, int k, int g, int delta, int w, int wr,
         long RED_MASK = ((1L << (n & 63)) - 1);
         this.gf = new GF2PolynomialCalculator(N_BYTE_64, n, RED_MASK);
         this.rejectionThreshold = ((1L << 24) / n) * n;
+        this.cipherTextBytes = N_BYTE + N1N2_BYTE + 16;
+    }
+
+    int getCipherTextBytes()
+    {
+        return cipherTextBytes;
     }
 
     /**

core/src/main/java/org/bouncycastle/pqc/crypto/hqc/HQCKEMExtractor.java

@@ -6,34 +6,32 @@
 public class HQCKEMExtractor
     implements EncapsulatedSecretExtractor
 {
-    private HQCEngine engine;
+    private final HQCPrivateKeyParameters privateKey;
+    private final HQCEngine engine;
 
-    private final HQCKeyParameters key;
-
-    public HQCKEMExtractor(HQCPrivateKeyParameters privParams)
+    public HQCKEMExtractor(HQCPrivateKeyParameters privateKey)
     {
-        this.key = privParams;
-        initCipher(key.getParameters());
-    }
+        if (privateKey == null)
+        {
+            throw new NullPointerException("'privateKey' cannot be null");
+        }
 
-    private void initCipher(HQCParameters param)
-    {
-        engine = param.getEngine();
+        this.privateKey = privateKey;
+        this.engine = privateKey.getParameters().getEngine();
     }
 
     public byte[] extractSecret(byte[] encapsulation)
     {
         byte[] session_key = new byte[64];
-        HQCPrivateKeyParameters secretKey = (HQCPrivateKeyParameters)key;
-        byte[] sk = secretKey.getPrivateKey();
+        byte[] sk = privateKey.getPrivateKey();
 
         engine.decaps(session_key, encapsulation, sk);
 
         return Arrays.copyOfRange(session_key, 0, 32);
     }
 
     public int getEncapsulationLength()
-    {         // Hash + salt
-        return key.getParameters().getN_BYTES() + key.getParameters().getN1N2_BYTES() + 16;
+    {
+        return engine.getCipherTextBytes();
     }
 }

core/src/main/java/org/bouncycastle/pqc/crypto/hqc/HQCParameters.java

@@ -31,18 +31,18 @@ public class HQCParameters
     final static int PARAM_M = 8;
     final static int GF_MUL_ORDER = 255;
 
-    private final HQCEngine hqcEngine;
+    private final HQCEngine engine;
 
-    private HQCParameters(String name, int n, int n1, int n2, int k, int g, int delta, int w, int wr,
-                          int fft, int nMu, int pkSize, int skSize, int[] generatorPoly)
+    private HQCParameters(String name, int n, int n1, int n2, int k, int g, int delta, int w, int wr, int fft, int nMu,
+        int pkSize, int skSize, int[] generatorPoly)
     {
         this.name = name;
         this.n = n;
         this.n1 = n1;
         this.n2 = n2;
         this.publicKeyBytes = pkSize;
         this.secretKeyBytes = skSize;
-        hqcEngine = new HQCEngine(n, n1, n2, k, g, delta, w, wr, fft, nMu, pkSize, generatorPoly);
+        this.engine = new HQCEngine(n, n1, n2, k, g, delta, w, wr, fft, nMu, pkSize, generatorPoly);
     }
 
     int getSHA512_BYTES()
@@ -67,7 +67,12 @@ int getN1N2_BYTES()
 
     HQCEngine getEngine()
     {
-        return hqcEngine;
+        return engine;
+    }
+
+    public int getEncapsulationLength()
+    {
+        return engine.getCipherTextBytes();
     }
 
     public int getSessionKeySize()

prov/src/main/java/org/bouncycastle/pqc/jcajce/provider/HQC.java

@@ -4,6 +4,7 @@
 import org.bouncycastle.jcajce.provider.config.ConfigurableProvider;
 import org.bouncycastle.jcajce.provider.util.AsymmetricAlgorithmProvider;
 import org.bouncycastle.jcajce.provider.util.AsymmetricKeyInfoConverter;
+import org.bouncycastle.jcajce.util.SpiUtil;
 import org.bouncycastle.pqc.jcajce.provider.hqc.HQCKeyFactorySpi;
 
 public class HQC
@@ -38,10 +39,7 @@ public void configure(ConfigurableProvider provider)
 
             AsymmetricKeyInfoConverter keyFact = new HQCKeyFactorySpi();
 
-            provider.addAlgorithm("Cipher.HQC", PREFIX + "HQCCipherSpi$Base");
-            provider.addAlgorithm("Alg.Alias.Cipher.HQC", "HQC");
-            provider.addAlgorithm("Alg.Alias.Cipher." + BCObjectIdentifiers.pqc_kem_hqc, "HQC");
-
+            addCipherAlgorithm(provider, "HQC", PREFIX + "HQCCipherSpi$Base", BCObjectIdentifiers.pqc_kem_hqc);
             addCipherAlgorithm(provider, "HQC128", PREFIX + "HQCCipherSpi$HQC128", BCObjectIdentifiers.hqc128);
             addCipherAlgorithm(provider, "HQC192", PREFIX + "HQCCipherSpi$HQC192", BCObjectIdentifiers.hqc192);
             addCipherAlgorithm(provider, "HQC256", PREFIX + "HQCCipherSpi$HQC256", BCObjectIdentifiers.hqc256);
@@ -50,7 +48,15 @@ public void configure(ConfigurableProvider provider)
             provider.addKeyInfoConverter(BCObjectIdentifiers.hqc128, keyFact);
             provider.addKeyInfoConverter(BCObjectIdentifiers.hqc192, keyFact);
             provider.addKeyInfoConverter(BCObjectIdentifiers.hqc256, keyFact);
+
+            if (SpiUtil.hasKEM())
+            {
+                provider.addAlgorithm("KEM.HQC", PREFIX + "HQCKEMSpi$HQC");
+
+                addKEMAlgorithm(provider, "HQC-128", PREFIX + "HQCKEMSpi$HQC128", BCObjectIdentifiers.hqc128);
+                addKEMAlgorithm(provider, "HQC-192", PREFIX + "HQCKEMSpi$HQC192", BCObjectIdentifiers.hqc192);
+                addKEMAlgorithm(provider, "HQC-256", PREFIX + "HQCKEMSpi$HQC256", BCObjectIdentifiers.hqc256);
+            }
         }
     }
 }
-

prov/src/main/jdk17/org/bouncycastle/pqc/jcajce/provider/HQC.java

@@ -1,31 +1,33 @@
 package org.bouncycastle.pqc.jcajce.provider.hqc;
 
-import org.bouncycastle.pqc.jcajce.provider.hqc.BCHQCPrivateKey;
-import org.bouncycastle.jcajce.spec.KTSParameterSpec;
-
-import org.bouncycastle.pqc.crypto.hqc.HQCKEMExtractor;
-import org.bouncycastle.pqc.jcajce.provider.util.KdfUtil;
+import java.util.Objects;
 
 import javax.crypto.DecapsulateException;
 import javax.crypto.KEMSpi;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.SecretKeySpec;
 
-import java.util.Arrays;
-import java.util.Objects;
+import org.bouncycastle.jcajce.spec.KTSParameterSpec;
+import org.bouncycastle.pqc.crypto.hqc.HQCKEMExtractor;
+import org.bouncycastle.pqc.jcajce.provider.util.KdfUtil;
+import org.bouncycastle.util.Arrays;
 
+/*
+ *  NOTE: Per javadoc for javax.crypto.KEM, "Encapsulator and Decapsulator objects are also immutable. It is safe to
+ *  invoke multiple encapsulate and decapsulate methods on the same Encapsulator or Decapsulator object at the same
+ *  time. Each invocation of encapsulate will generate a new shared secret and key encapsulation message."
+ */
 public class HQCDecapsulatorSpi
     implements KEMSpi.DecapsulatorSpi
 {
-    BCHQCPrivateKey privateKey;
-    KTSParameterSpec parameterSpec;
-    HQCKEMExtractor kemExt;
+//    private final BCHQCPrivateKey privateKey;
+    private final KTSParameterSpec parameterSpec;
+    private final HQCKEMExtractor kemExt;
 
-    public HQCDecapsulatorSpi(BCHQCPrivateKey privateKey, KTSParameterSpec parameterSpec)
+    HQCDecapsulatorSpi(BCHQCPrivateKey privateKey, KTSParameterSpec parameterSpec)
     {
-        this.privateKey = privateKey;
+//        this.privateKey = privateKey;
         this.parameterSpec = parameterSpec;
-
         this.kemExt = new HQCKEMExtractor(privateKey.getKeyParams());
     }
 
@@ -42,28 +44,32 @@ public SecretKey engineDecapsulate(byte[] encapsulation, int from, int to, Strin
             throw new DecapsulateException("incorrect encapsulation size");
         }
 
-        // if algorithm is Generic then use parameterSpec to wrap key
-        if (!parameterSpec.getKeyAlgorithmName().equals("Generic") &&
-            algorithm.equals("Generic"))
+        String keyAlgName = parameterSpec.getKeyAlgorithmName();
+        if (!"Generic".equals(keyAlgName))
         {
-            algorithm = parameterSpec.getKeyAlgorithmName();
+            // if algorithm is Generic then use parameterSpec to wrap key
+            if ("Generic".equals(algorithm))
+            {
+                algorithm = keyAlgName;
+            }
+            // check spec algorithm mismatch provided algorithm
+            else if (!algorithm.equals(keyAlgName))
+            {
+                throw new UnsupportedOperationException(keyAlgName + " does not match " + algorithm);
+            }
         }
 
-        // check spec algorithm mismatch provided algorithm
-        if (!parameterSpec.getKeyAlgorithmName().equals("Generic") &&
-            !parameterSpec.getKeyAlgorithmName().equals(algorithm))
+        byte[] kemSecret = kemExt.extractSecret(encapsulation);
+        byte[] kdfSecret = KdfUtil.makeKeyBytes(parameterSpec, kemSecret);
+
+        try
         {
-            throw new UnsupportedOperationException(parameterSpec.getKeyAlgorithmName() + " does not match " + algorithm);
+            return new SecretKeySpec(kdfSecret, from, to - from, algorithm);
+        }
+        finally
+        {
+            Arrays.clear(kdfSecret);
         }
-
-        // Only use KDF when ktsParameterSpec is provided
-        // Considering any ktsParameterSpec with "Generic" as ktsParameterSpec not provided
-        boolean useKDF = parameterSpec.getKdfAlgorithm() != null;
-
-        byte[] secret = kemExt.extractSecret(encapsulation);
-        byte[] secretKey = Arrays.copyOfRange(KdfUtil.makeKeyBytes(parameterSpec, secret), from, to);
-
-        return new SecretKeySpec(secretKey, algorithm);
     }
 
     @Override
@@ -77,4 +83,4 @@ public int engineEncapsulationSize()
     {
         return kemExt.getEncapsulationLength();
     }
-}
+}