ML-KEM: Add missing mappings, fix OID mappings

peterdettman · peterdettman · commit 762db64d60d1 · 2026-02-05T22:19:37.000+07:00
- unify MLKEM mappings using SpiUtil
- restrict keys by parameter set where appropriate
diff --git a/prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/MLKEM.java b/prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/MLKEM.java
@@ -5,6 +5,7 @@
 import org.bouncycastle.jcajce.provider.config.ConfigurableProvider;
 import org.bouncycastle.jcajce.provider.util.AsymmetricAlgorithmProvider;
 import org.bouncycastle.jcajce.provider.util.AsymmetricKeyInfoConverter;
+import org.bouncycastle.jcajce.util.SpiUtil;
 
 public class MLKEM
 {
@@ -51,6 +52,22 @@ public void configure(ConfigurableProvider provider)
             provider.addKeyInfoConverter(NISTObjectIdentifiers.id_alg_ml_kem_512, keyFact);
             provider.addKeyInfoConverter(NISTObjectIdentifiers.id_alg_ml_kem_768, keyFact);
             provider.addKeyInfoConverter(NISTObjectIdentifiers.id_alg_ml_kem_1024, keyFact);
+
+            if (SpiUtil.hasKEM())
+            {
+                // "This algorithm supports keys with ML-KEM-512, ML-KEM-768, and ML-KEM-1024 parameter sets."
+                provider.addAlgorithm("KEM.ML-KEM", PREFIX + "MLKEMSpi$MLKEM");
+                // "[..] (ML-KEM) using the ML-KEM-512 parameter set [..]."
+                provider.addAlgorithm("KEM.ML-KEM-512", PREFIX + "MLKEMSpi$MLKEM512");
+                // "[..] (ML-KEM) using the ML-KEM-768 parameter set [..]."
+                provider.addAlgorithm("KEM.ML-KEM-768", PREFIX + "MLKEMSpi$MLKEM768");
+                // "[..] (ML-KEM) using the ML-KEM-1024 parameter set [..]."
+                provider.addAlgorithm("KEM.ML-KEM-1024", PREFIX + "MLKEMSpi$MLKEM1024");
+
+                provider.addAlgorithm("Alg.Alias.KEM." + NISTObjectIdentifiers.id_alg_ml_kem_512, "ML-KEM-512");
+                provider.addAlgorithm("Alg.Alias.KEM." + NISTObjectIdentifiers.id_alg_ml_kem_768, "ML-KEM-768");
+                provider.addAlgorithm("Alg.Alias.KEM." + NISTObjectIdentifiers.id_alg_ml_kem_1024, "ML-KEM-1024");
+            }
         }
     }
 }
diff --git a/prov/src/main/jdk17/org/bouncycastle/jcajce/provider/asymmetric/MLKEM.java b/prov/src/main/jdk17/org/bouncycastle/jcajce/provider/asymmetric/MLKEM.java
diff --git a/prov/src/main/jdk17/org/bouncycastle/jcajce/provider/asymmetric/mlkem/MLKEMDecapsulatorSpi.java b/prov/src/main/jdk17/org/bouncycastle/jcajce/provider/asymmetric/mlkem/MLKEMDecapsulatorSpi.java
@@ -12,18 +12,22 @@
 import org.bouncycastle.pqc.jcajce.provider.util.KdfUtil;
 import org.bouncycastle.util.Arrays;
 
-public class MLKEMDecapsulatorSpi
+/*
+ *  NOTE: Per javadoc for javax.crypto.KEM, "Encapsulator and Decapsulator objects are also immutable. It is safe to
+ *  invoke multiple encapsulate and decapsulate methods on the same Encapsulator or Decapsulator object at the same
+ *  time. Each invocation of encapsulate will generate a new shared secret and key encapsulation message."
+ */
+class MLKEMDecapsulatorSpi
     implements KEMSpi.DecapsulatorSpi
 {
-    BCMLKEMPrivateKey privateKey;
-    KTSParameterSpec parameterSpec;
-    MLKEMExtractor kemExt;
+//    private final BCMLKEMPrivateKey privateKey;
+    private final KTSParameterSpec parameterSpec;
+    private final MLKEMExtractor kemExt;
 
-    public MLKEMDecapsulatorSpi(BCMLKEMPrivateKey privateKey, KTSParameterSpec parameterSpec)
+    MLKEMDecapsulatorSpi(BCMLKEMPrivateKey privateKey, KTSParameterSpec parameterSpec)
     {
-        this.privateKey = privateKey;
+//        this.privateKey = privateKey;
         this.parameterSpec = parameterSpec;
-
         this.kemExt = new MLKEMExtractor(privateKey.getKeyParams());
     }
 
diff --git a/prov/src/main/jdk17/org/bouncycastle/jcajce/provider/asymmetric/mlkem/MLKEMEncapsulatorSpi.java b/prov/src/main/jdk17/org/bouncycastle/jcajce/provider/asymmetric/mlkem/MLKEMEncapsulatorSpi.java
@@ -14,14 +14,19 @@
 import org.bouncycastle.pqc.jcajce.provider.util.KdfUtil;
 import org.bouncycastle.util.Arrays;
 
-public class MLKEMEncapsulatorSpi
+/*
+ *  NOTE: Per javadoc for javax.crypto.KEM, "Encapsulator and Decapsulator objects are also immutable. It is safe to
+ *  invoke multiple encapsulate and decapsulate methods on the same Encapsulator or Decapsulator object at the same
+ *  time. Each invocation of encapsulate will generate a new shared secret and key encapsulation message."
+ */
+class MLKEMEncapsulatorSpi
     implements KEMSpi.EncapsulatorSpi
 {
     private final BCMLKEMPublicKey publicKey;
     private final KTSParameterSpec parameterSpec;
     private final MLKEMGenerator kemGen;
 
-    public MLKEMEncapsulatorSpi(BCMLKEMPublicKey publicKey, KTSParameterSpec parameterSpec, SecureRandom random)
+    MLKEMEncapsulatorSpi(BCMLKEMPublicKey publicKey, KTSParameterSpec parameterSpec, SecureRandom random)
     {
         this.publicKey = publicKey;
         this.parameterSpec = parameterSpec;
@@ -59,7 +64,7 @@ else if (!algorithm.equals(keyAlgName))
         try
         {
             SecretKey secretKey = new SecretKeySpec(kdfSecret, from, to - from, algorithm);
-            return new KEM.Encapsulated(secretKey, encapsulation, null); //TODO: DER encoding for params
+            return new KEM.Encapsulated(secretKey, encapsulation, null);
         }
         finally
         {
@@ -76,17 +81,6 @@ public int engineSecretSize()
     @Override
     public int engineEncapsulationSize()
     {
-        //TODO: Maybe make parameterSet public or add getEncapsulationSize() in KEMGenerator.java
-        switch (publicKey.getKeyParams().getParameters().getName())
-        {
-            case "ML-KEM-512":
-                return 768;
-            case "ML-KEM-768":
-                return 1088;
-            case "ML-KEM-1024":
-                return 1568;
-            default:
-                return -1;
-        }
+        return publicKey.getKeyParams().getParameters().getEncapsulationLength();
     }
 }
diff --git a/prov/src/main/jdk17/org/bouncycastle/jcajce/provider/asymmetric/mlkem/MLKEMSpi.java b/prov/src/main/jdk17/org/bouncycastle/jcajce/provider/asymmetric/mlkem/MLKEMSpi.java
@@ -10,51 +10,107 @@
 import javax.crypto.KEMSpi;
 
 import org.bouncycastle.jcajce.spec.KTSParameterSpec;
+import org.bouncycastle.pqc.crypto.mlkem.MLKEMKeyParameters;
+import org.bouncycastle.pqc.crypto.mlkem.MLKEMParameters;
 
 public class MLKEMSpi
     implements KEMSpi
 {
+    private final MLKEMParameters mlkemParameters;
+
+    MLKEMSpi(MLKEMParameters mlkemParameters)
+    {
+        this.mlkemParameters = mlkemParameters;
+    }
+
     @Override
-    public EncapsulatorSpi engineNewEncapsulator(PublicKey publicKey, AlgorithmParameterSpec spec, SecureRandom secureRandom)
-            throws InvalidAlgorithmParameterException, InvalidKeyException
+    public EncapsulatorSpi engineNewEncapsulator(PublicKey publicKey, AlgorithmParameterSpec spec,
+        SecureRandom secureRandom) throws InvalidAlgorithmParameterException, InvalidKeyException
     {
         if (!(publicKey instanceof BCMLKEMPublicKey))
         {
-            throw new InvalidKeyException("unsupported key");
+            throw new InvalidKeyException("unsupported key type");
         }
+
+        BCMLKEMPublicKey bcPublicKey = (BCMLKEMPublicKey)publicKey;
+        checkKeyParameters(bcPublicKey.getKeyParams());
+
         if (spec == null)
         {
             // Do not wrap key, no KDF
             spec = new KTSParameterSpec.Builder("Generic", 256).withNoKdf().build();
         }
-        if (!(spec instanceof KTSParameterSpec))
+        else if (!(spec instanceof KTSParameterSpec))
         {
             throw new InvalidAlgorithmParameterException("MLKEM can only accept KTSParameterSpec");
         }
-        if (secureRandom == null)
-        {
-            secureRandom = new SecureRandom();
-        }
-        return new MLKEMEncapsulatorSpi((BCMLKEMPublicKey) publicKey, (KTSParameterSpec) spec, secureRandom);
+
+        return new MLKEMEncapsulatorSpi(bcPublicKey, (KTSParameterSpec)spec, secureRandom);
     }
 
     @Override
     public DecapsulatorSpi engineNewDecapsulator(PrivateKey privateKey, AlgorithmParameterSpec spec)
-            throws InvalidAlgorithmParameterException, InvalidKeyException
+        throws InvalidAlgorithmParameterException, InvalidKeyException
     {
         if (!(privateKey instanceof BCMLKEMPrivateKey))
         {
             throw new InvalidKeyException("unsupported key");
         }
+
+        BCMLKEMPrivateKey bcPrivateKey = (BCMLKEMPrivateKey)privateKey;
+        checkKeyParameters(bcPrivateKey.getKeyParams());
+
         if (spec == null)
         {
             // Do not unwrap key, no KDF
             spec = new KTSParameterSpec.Builder("Generic", 256).withNoKdf().build();
         }
-        if (!(spec instanceof KTSParameterSpec))
+        else if (!(spec instanceof KTSParameterSpec))
         {
             throw new InvalidAlgorithmParameterException("MLKEM can only accept KTSParameterSpec");
         }
-        return new MLKEMDecapsulatorSpi((BCMLKEMPrivateKey) privateKey, (KTSParameterSpec) spec);
+
+        return new MLKEMDecapsulatorSpi(bcPrivateKey, (KTSParameterSpec)spec);
+    }
+
+    private void checkKeyParameters(MLKEMKeyParameters key) throws InvalidKeyException
+    {
+        if (mlkemParameters != null && mlkemParameters != key.getParameters())
+        {
+            throw new InvalidKeyException("ML-KEM key mismatch");
+        }
+    }
+
+    public static class MLKEM extends MLKEMSpi
+    {
+        public MLKEM()
+        {
+            // NOTE: Unrestricted parameters/keys
+            super(null);
+        }
+    }
+
+    public static class MLKEM512 extends MLKEMSpi
+    {
+        public MLKEM512()
+        {
+            super(MLKEMParameters.ml_kem_512);
+        }
+    }
+
+    public static class MLKEM768 extends MLKEMSpi
+    {
+        public MLKEM768()
+        {
+            super(MLKEMParameters.ml_kem_768);
+        }
+    }
+
+    public static class MLKEM1024 extends MLKEMSpi
+    {
+        public MLKEM1024()
+        {
+            super(MLKEMParameters.ml_kem_1024);
+        }
     }
 }
