NTRU: Add missing mappings, fix OID mappings

- unify NTRU mappings using SpiUtil

Author: peterdettman

core/src/main/java/org/bouncycastle/pqc/crypto/ntru/NTRUKEMExtractor.java

@@ -81,6 +81,6 @@ private void cmov(byte[] r, byte[] x, byte b)
 
     public int getEncapsulationLength()
     {
-        return ntruPrivateKey.getParameters().getParameterSet().ntruCiphertextBytes();
+        return ntruPrivateKey.getParameters().getEncapsulationLength();
     }
 }

core/src/main/java/org/bouncycastle/pqc/crypto/ntru/NTRUParameters.java

@@ -52,6 +52,11 @@ private NTRUParameters(String name, NTRUParameterSet parameterSet)
         this.parameterSet = parameterSet;
     }
 
+    public int getEncapsulationLength()
+    {
+        return getParameterSet().ntruCiphertextBytes();
+    }
+
     public String getName()
     {
         return name;

prov/src/main/java/org/bouncycastle/pqc/jcajce/provider/NTRU.java

@@ -4,6 +4,7 @@
 import org.bouncycastle.jcajce.provider.config.ConfigurableProvider;
 import org.bouncycastle.jcajce.provider.util.AsymmetricAlgorithmProvider;
 import org.bouncycastle.jcajce.provider.util.AsymmetricKeyInfoConverter;
+import org.bouncycastle.jcajce.util.SpiUtil;
 import org.bouncycastle.pqc.jcajce.provider.ntru.NTRUKeyFactorySpi;
 
 public class NTRU
@@ -27,22 +28,33 @@ public void configure(ConfigurableProvider provider)
             provider.addAlgorithm("Alg.Alias.KeyGenerator." + BCObjectIdentifiers.ntruhps2048509, "NTRU");
             provider.addAlgorithm("Alg.Alias.KeyGenerator." + BCObjectIdentifiers.ntruhps2048677, "NTRU");
             provider.addAlgorithm("Alg.Alias.KeyGenerator." + BCObjectIdentifiers.ntruhps4096821, "NTRU");
+            provider.addAlgorithm("Alg.Alias.KeyGenerator." + BCObjectIdentifiers.ntruhps40961229, "NTRU");
             provider.addAlgorithm("Alg.Alias.KeyGenerator." + BCObjectIdentifiers.ntruhrss701, "NTRU");
+            provider.addAlgorithm("Alg.Alias.KeyGenerator." + BCObjectIdentifiers.ntruhrss1373, "NTRU");
 
             AsymmetricKeyInfoConverter keyFact = new NTRUKeyFactorySpi();
 
-            provider.addAlgorithm("Cipher.NTRU", PREFIX + "NTRUCipherSpi$Base");
-            provider.addAlgorithm("Alg.Alias.Cipher." + BCObjectIdentifiers.pqc_kem_ntru, "NTRU");
+            addCipherAlgorithm(provider, "NTRU", PREFIX + "NTRUCipherSpi$Base", BCObjectIdentifiers.pqc_kem_ntru);
             provider.addAlgorithm("Alg.Alias.Cipher." + BCObjectIdentifiers.ntruhps2048509, "NTRU");
             provider.addAlgorithm("Alg.Alias.Cipher." + BCObjectIdentifiers.ntruhps2048677, "NTRU");
             provider.addAlgorithm("Alg.Alias.Cipher." + BCObjectIdentifiers.ntruhps4096821, "NTRU");
+            provider.addAlgorithm("Alg.Alias.Cipher." + BCObjectIdentifiers.ntruhps40961229, "NTRU");
             provider.addAlgorithm("Alg.Alias.Cipher." + BCObjectIdentifiers.ntruhrss701, "NTRU");
+            provider.addAlgorithm("Alg.Alias.Cipher." + BCObjectIdentifiers.ntruhrss1373, "NTRU");
 
             registerOid(provider, BCObjectIdentifiers.pqc_kem_ntru, "NTRU", keyFact);
             registerOid(provider, BCObjectIdentifiers.ntruhps2048509, "NTRU", keyFact);
             registerOid(provider, BCObjectIdentifiers.ntruhps2048677, "NTRU", keyFact);
             registerOid(provider, BCObjectIdentifiers.ntruhps4096821, "NTRU", keyFact);
+            registerOid(provider, BCObjectIdentifiers.ntruhps40961229, "NTRU", keyFact);
             registerOid(provider, BCObjectIdentifiers.ntruhrss701, "NTRU", keyFact);
+            registerOid(provider, BCObjectIdentifiers.ntruhrss1373, "NTRU", keyFact);
+
+            if (SpiUtil.hasKEM())
+            {
+                // TODO Per-parameter-set SPI classes?
+                addKEMAlgorithm(provider, "NTRU", PREFIX + "NTRUKEMSpi$NTRU", BCObjectIdentifiers.pqc_kem_ntru);
+            }
         }
     }
 }

prov/src/main/jdk17/org/bouncycastle/pqc/jcajce/provider/NTRU.java

@@ -1,36 +1,39 @@
 package org.bouncycastle.pqc.jcajce.provider.ntru;
 
-import org.bouncycastle.jcajce.spec.KTSParameterSpec;
-
-import org.bouncycastle.jcajce.spec.KTSParameterSpec;
-import org.bouncycastle.pqc.crypto.ntru.NTRUKEMExtractor;
-import org.bouncycastle.pqc.jcajce.provider.util.KdfUtil;
+import java.util.Objects;
 
 import javax.crypto.DecapsulateException;
 import javax.crypto.KEMSpi;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.SecretKeySpec;
-import java.security.InvalidKeyException;
-import java.util.Arrays;
-import java.util.Objects;
 
+import org.bouncycastle.jcajce.spec.KTSParameterSpec;
+import org.bouncycastle.pqc.crypto.ntru.NTRUKEMExtractor;
+import org.bouncycastle.pqc.jcajce.provider.util.KdfUtil;
+import org.bouncycastle.util.Arrays;
+
+/*
+ *  NOTE: Per javadoc for javax.crypto.KEM, "Encapsulator and Decapsulator objects are also immutable. It is safe to
+ *  invoke multiple encapsulate and decapsulate methods on the same Encapsulator or Decapsulator object at the same
+ *  time. Each invocation of encapsulate will generate a new shared secret and key encapsulation message."
+ */
 public class NTRUDecapsulatorSpi
     implements KEMSpi.DecapsulatorSpi
 {
-    BCNTRUPrivateKey privateKey;
-    KTSParameterSpec parameterSpec;
-    NTRUKEMExtractor kemExt;
+//    private final BCNTRUPrivateKey privateKey;
+    private final KTSParameterSpec parameterSpec;
+    private final NTRUKEMExtractor kemExt;
 
-    public NTRUDecapsulatorSpi(BCNTRUPrivateKey privateKey, KTSParameterSpec parameterSpec)
+    NTRUDecapsulatorSpi(BCNTRUPrivateKey privateKey, KTSParameterSpec parameterSpec)
     {
-        this.privateKey = privateKey;
+//        this.privateKey = privateKey;
         this.parameterSpec = parameterSpec;
-
         this.kemExt = new NTRUKEMExtractor(privateKey.getKeyParams());
     }
 
     @Override
-    public SecretKey engineDecapsulate(byte[] encapsulation, int from, int to, String algorithm) throws DecapsulateException
+    public SecretKey engineDecapsulate(byte[] encapsulation, int from, int to, String algorithm)
+        throws DecapsulateException
     {
         Objects.checkFromToIndex(from, to, engineSecretSize());
         Objects.requireNonNull(algorithm, "null algorithm");
@@ -41,28 +44,32 @@ public SecretKey engineDecapsulate(byte[] encapsulation, int from, int to, Strin
             throw new DecapsulateException("incorrect encapsulation size");
         }
 
-        // if algorithm is Generic then use parameterSpec to wrap key
-        if (!parameterSpec.getKeyAlgorithmName().equals("Generic") &&
-                algorithm.equals("Generic"))
+        String keyAlgName = parameterSpec.getKeyAlgorithmName();
+        if (!"Generic".equals(keyAlgName))
         {
-            algorithm = parameterSpec.getKeyAlgorithmName();
+            // if algorithm is Generic then use parameterSpec to wrap key
+            if ("Generic".equals(algorithm))
+            {
+                algorithm = keyAlgName;
+            }
+            // check spec algorithm mismatch provided algorithm
+            else if (!algorithm.equals(keyAlgName))
+            {
+                throw new UnsupportedOperationException(keyAlgName + " does not match " + algorithm);
+            }
         }
 
-        // check spec algorithm mismatch provided algorithm
-        if (!parameterSpec.getKeyAlgorithmName().equals("Generic") &&
-                !parameterSpec.getKeyAlgorithmName().equals(algorithm))
+        byte[] kemSecret = kemExt.extractSecret(encapsulation);
+        byte[] kdfSecret = KdfUtil.makeKeyBytes(parameterSpec, kemSecret);
+
+        try
         {
-            throw new UnsupportedOperationException(parameterSpec.getKeyAlgorithmName() + " does not match " + algorithm);
+            return new SecretKeySpec(kdfSecret, from, to - from, algorithm);
+        }
+        finally
+        {
+            Arrays.clear(kdfSecret);
         }
-
-        // Only use KDF when ktsParameterSpec is provided
-        // Considering any ktsParameterSpec with "Generic" as ktsParameterSpec not provided
-        boolean useKDF = parameterSpec.getKdfAlgorithm() != null;
-
-        byte[] secret = kemExt.extractSecret(encapsulation);
-        byte[] secretKey = Arrays.copyOfRange(KdfUtil.makeKeyBytes(parameterSpec, secret), from, to);
-
-        return new SecretKeySpec(secretKey, algorithm);
     }
 
     @Override

prov/src/main/jdk17/org/bouncycastle/pqc/jcajce/provider/ntru/NTRUDecapsulatorSpi.java

@@ -1,30 +1,35 @@
 package org.bouncycastle.pqc.jcajce.provider.ntru;
 
-import org.bouncycastle.crypto.SecretWithEncapsulation;
-import org.bouncycastle.jcajce.spec.KTSParameterSpec;
-import org.bouncycastle.pqc.crypto.ntru.NTRUKEMGenerator;
-import org.bouncycastle.pqc.jcajce.provider.util.KdfUtil;
+import java.security.SecureRandom;
+import java.util.Objects;
 
 import javax.crypto.KEM;
 import javax.crypto.KEMSpi;
+import javax.crypto.SecretKey;
 import javax.crypto.spec.SecretKeySpec;
-import java.security.InvalidKeyException;
-import java.security.SecureRandom;
-import java.util.Arrays;
-import java.util.Objects;
 
+import org.bouncycastle.crypto.SecretWithEncapsulation;
+import org.bouncycastle.jcajce.spec.KTSParameterSpec;
+import org.bouncycastle.pqc.crypto.ntru.NTRUKEMGenerator;
+import org.bouncycastle.pqc.jcajce.provider.util.KdfUtil;
+import org.bouncycastle.util.Arrays;
+
+/*
+ *  NOTE: Per javadoc for javax.crypto.KEM, "Encapsulator and Decapsulator objects are also immutable. It is safe to
+ *  invoke multiple encapsulate and decapsulate methods on the same Encapsulator or Decapsulator object at the same
+ *  time. Each invocation of encapsulate will generate a new shared secret and key encapsulation message."
+ */
 public class NTRUEncapsulatorSpi
     implements KEMSpi.EncapsulatorSpi
 {
     private final BCNTRUPublicKey publicKey;
     private final KTSParameterSpec parameterSpec;
     private final NTRUKEMGenerator kemGen;
 
-    public NTRUEncapsulatorSpi(BCNTRUPublicKey publicKey, KTSParameterSpec parameterSpec, SecureRandom random)
+    NTRUEncapsulatorSpi(BCNTRUPublicKey publicKey, KTSParameterSpec parameterSpec, SecureRandom random)
     {
         this.publicKey = publicKey;
         this.parameterSpec = parameterSpec;
-
         this.kemGen = new NTRUKEMGenerator(random);
     }
 
@@ -34,31 +39,37 @@ public KEM.Encapsulated engineEncapsulate(int from, int to, String algorithm)
         Objects.checkFromToIndex(from, to, engineSecretSize());
         Objects.requireNonNull(algorithm, "null algorithm");
 
-        // if algorithm is Generic then use parameterSpec to wrap key
-        if (!parameterSpec.getKeyAlgorithmName().equals("Generic") &&
-                algorithm.equals("Generic"))
-        {
-            algorithm = parameterSpec.getKeyAlgorithmName();
-        }
-
-        // check spec algorithm mismatch provided algorithm
-        if (!parameterSpec.getKeyAlgorithmName().equals("Generic") &&
-                !parameterSpec.getKeyAlgorithmName().equals(algorithm))
+        String keyAlgName = parameterSpec.getKeyAlgorithmName();
+        if (!"Generic".equals(keyAlgName))
         {
-            throw new UnsupportedOperationException(parameterSpec.getKeyAlgorithmName() + " does not match " + algorithm);
+            // if algorithm is Generic then use parameterSpec to wrap key
+            if ("Generic".equals(algorithm))
+            {
+                algorithm = keyAlgName;
+            }
+            // check spec algorithm mismatch provided algorithm
+            else if (!algorithm.equals(keyAlgName))
+            {
+                throw new UnsupportedOperationException(keyAlgName + " does not match " + algorithm);
+            }
         }
 
-        // Only use KDF when ktsParameterSpec is provided
-        // Considering any ktsParameterSpec with "Generic" as ktsParameterSpec not provided
-        boolean useKDF = parameterSpec.getKdfAlgorithm() != null;
-
         SecretWithEncapsulation secEnc = kemGen.generateEncapsulated(publicKey.getKeyParams());
 
         byte[] encapsulation = secEnc.getEncapsulation();
-        byte[] secret = secEnc.getSecret();
-        byte[] secretKey = Arrays.copyOfRange(KdfUtil.makeKeyBytes(parameterSpec, secret), from, to);
 
-        return new KEM.Encapsulated(new SecretKeySpec(secretKey, algorithm), encapsulation, null); //TODO: DER encoding for params
+        byte[] kemSecret = secEnc.getSecret();
+        byte[] kdfSecret = KdfUtil.makeKeyBytes(parameterSpec, kemSecret);
+
+        try
+        {
+            SecretKey secretKey = new SecretKeySpec(kdfSecret, from, to - from, algorithm);
+            return new KEM.Encapsulated(secretKey, encapsulation, null);
+        }
+        finally
+        {
+            Arrays.clear(kdfSecret);
+        }
     }
 
     @Override
@@ -70,23 +81,6 @@ public int engineSecretSize()
     @Override
     public int engineEncapsulationSize()
     {
-        //TODO: Maybe make parameterSet public or add getEncapsulationSize() in NTRUKEMGenerator.java
-        switch (publicKey.getKeyParams().getParameters().getName())
-        {
-            case "ntruhps2048509":
-                return 699;
-            case "ntruhps2048677":
-                return 930;
-            case "ntruhps4096821":
-                return 1230;
-            case "ntruhps40961229":
-                return 1843;
-            case "ntruhrss701":
-                return 1138;
-            case "ntruhrss1373":
-                return 2401;
-            default:
-                return -1;
-        }
+        return publicKey.getKeyParams().getParameters().getEncapsulationLength();
     }
 }