Add XWING keys and support them in HPKE. (#1383)

* Add XWING keys and support them in HPKE.

* Fix formating.

* Fix typo.

* Add X-Wing to HPKE suite.

* Add missing import.

* Add missing entry.

* fix format.

* Fix typo.

* Add serialVersionUID to keys.

* Make two helper functions private.

* Move dispatch of key serialization into subclasses of HPKEImpl.

* Fix formatting.

* Use constant-time compare in Xwing private key.

* Fix order in compare with constant string.

---------

Co-authored-by: miguelaranda0 <90468342+miguelaranda0@users.noreply.github.com>

Author: juergw

common/src/main/java/org/conscrypt/HpkeImpl.java

@@ -20,6 +20,7 @@
 import static org.conscrypt.HpkeSuite.AEAD_CHACHA20POLY1305;
 import static org.conscrypt.HpkeSuite.KDF_HKDF_SHA256;
 import static org.conscrypt.HpkeSuite.KEM_DHKEM_X25519_HKDF_SHA256;
+import static org.conscrypt.HpkeSuite.KEM_XWING;
 
 import java.security.GeneralSecurityException;
 import java.security.InvalidKeyException;
@@ -35,7 +36,7 @@
  * of the subclasses of {@link HpkeContext}.
  */
 @Internal
-public class HpkeImpl implements HpkeSpi {
+public abstract class HpkeImpl implements HpkeSpi {
     private final HpkeSuite hpkeSuite;
 
     private NativeRef.EVP_HPKE_CTX ctx;
@@ -45,19 +46,17 @@ public HpkeImpl(HpkeSuite hpkeSuite) {
         this.hpkeSuite = hpkeSuite;
     }
 
+    abstract byte[] getRecipientPublicKeyBytes(PublicKey recipientKey) throws InvalidKeyException;
+
     @Override
     public void engineInitSender(PublicKey recipientKey, byte[] info, PrivateKey senderKey,
             byte[] psk, byte[] psk_id) throws InvalidKeyException {
         checkNotInitialised();
         checkArgumentsForBaseModeOnly(senderKey, psk, psk_id);
         if (recipientKey == null) {
             throw new InvalidKeyException("null recipient key");
-        } else if (!(recipientKey instanceof OpenSSLX25519PublicKey)) {
-            throw new InvalidKeyException(
-                    "Unsupported recipient key class: " + recipientKey.getClass());
         }
-        final byte[] recipientKeyBytes = ((OpenSSLX25519PublicKey) recipientKey).getU();
-
+        final byte[] recipientKeyBytes = getRecipientPublicKeyBytes(recipientKey);
         final Object[] result = NativeCrypto.EVP_HPKE_CTX_setup_base_mode_sender(
                 hpkeSuite, recipientKeyBytes, info);
         ctx = (NativeRef.EVP_HPKE_CTX) result[0];
@@ -73,19 +72,17 @@ public void engineInitSenderForTesting(PublicKey recipientKey, byte[] info,
         checkArgumentsForBaseModeOnly(senderKey, psk, psk_id);
         if (recipientKey == null) {
             throw new InvalidKeyException("null recipient key");
-        } else if (!(recipientKey instanceof OpenSSLX25519PublicKey)) {
-            throw new InvalidKeyException(
-                    "Unsupported recipient key class: " + recipientKey.getClass());
         }
-        final byte[] recipientKeyBytes = ((OpenSSLX25519PublicKey) recipientKey).getU();
-
+        final byte[] recipientKeyBytes = getRecipientPublicKeyBytes(recipientKey);
         final Object[] result =
                 NativeCrypto.EVP_HPKE_CTX_setup_base_mode_sender_with_seed_for_testing(
                         hpkeSuite, recipientKeyBytes, info, sKe);
         ctx = (NativeRef.EVP_HPKE_CTX) result[0];
         encapsulated = (byte[]) result[1];
     }
 
+    abstract byte[] getPrivateRecipientKeyBytes(PrivateKey recipientKey) throws InvalidKeyException;
+
     @Override
     public void engineInitRecipient(byte[] encapsulated, PrivateKey recipientKey, byte[] info,
             PublicKey senderKey, byte[] psk, byte[] psk_id) throws InvalidKeyException {
@@ -98,12 +95,8 @@ public void engineInitRecipient(byte[] encapsulated, PrivateKey recipientKey, by
 
         if (recipientKey == null) {
             throw new InvalidKeyException("null recipient key");
-        } else if (!(recipientKey instanceof OpenSSLX25519PrivateKey)) {
-            throw new InvalidKeyException(
-                    "Unsupported recipient key class: " + recipientKey.getClass());
         }
-        final byte[] recipientKeyBytes = ((OpenSSLX25519PrivateKey) recipientKey).getU();
-
+        final byte[] recipientKeyBytes = getPrivateRecipientKeyBytes(recipientKey);
         ctx = (NativeRef.EVP_HPKE_CTX) NativeCrypto.EVP_HPKE_CTX_setup_base_mode_recipient(
                 hpkeSuite, recipientKeyBytes, encapsulated, info);
     }
@@ -181,22 +174,94 @@ public byte[] getEncapsulated() {
         return encapsulated;
     }
 
-    public static class X25519_AES_128 extends HpkeImpl {
+    private static class HpkeX25519Impl extends HpkeImpl {
+        private HpkeX25519Impl(HpkeSuite hpkeSuite) {
+            super(hpkeSuite);
+        }
+
+        @Override
+        byte[] getRecipientPublicKeyBytes(PublicKey recipientKey) throws InvalidKeyException {
+            if (!(recipientKey instanceof OpenSSLX25519PublicKey)) {
+                throw new InvalidKeyException(
+                        "Unsupported recipient key class: " + recipientKey.getClass());
+            }
+            return ((OpenSSLX25519PublicKey) recipientKey).getU();
+        }
+
+        @Override
+        byte[] getPrivateRecipientKeyBytes(PrivateKey recipientKey) throws InvalidKeyException {
+            if (!(recipientKey instanceof OpenSSLX25519PrivateKey)) {
+                throw new InvalidKeyException(
+                        "Unsupported recipient private key class: " + recipientKey.getClass());
+            }
+            return ((OpenSSLX25519PrivateKey) recipientKey).getU();
+        }
+    }
+
+    /** Implementation of X25519/HKDF_SHA256/AES_128_GCM. */
+    public static class X25519_AES_128 extends HpkeX25519Impl {
         public X25519_AES_128() {
             super(new HpkeSuite(KEM_DHKEM_X25519_HKDF_SHA256, KDF_HKDF_SHA256, AEAD_AES_128_GCM));
         }
     }
 
-    public static class X25519_AES_256 extends HpkeImpl {
+    /** Implementation of X25519/HKDF_SHA256/AES_256_GCM. */
+    public static class X25519_AES_256 extends HpkeX25519Impl {
         public X25519_AES_256() {
             super(new HpkeSuite(KEM_DHKEM_X25519_HKDF_SHA256, KDF_HKDF_SHA256, AEAD_AES_256_GCM));
         }
     }
 
-    public static class X25519_CHACHA20 extends HpkeImpl {
+    /** Implementation of X25519/HKDF_SHA256/CHACHA20_POLY1305. */
+    public static class X25519_CHACHA20 extends HpkeX25519Impl {
         public X25519_CHACHA20() {
             super(new HpkeSuite(
                     KEM_DHKEM_X25519_HKDF_SHA256, KDF_HKDF_SHA256, AEAD_CHACHA20POLY1305));
         }
     }
+
+    private static class HpkeXwingImpl extends HpkeImpl {
+        HpkeXwingImpl(HpkeSuite hpkeSuite) {
+            super(hpkeSuite);
+        }
+
+        @Override
+        byte[] getRecipientPublicKeyBytes(PublicKey publicKey) throws InvalidKeyException {
+            if (!(publicKey instanceof OpenSslXwingPublicKey)) {
+                throw new InvalidKeyException(
+                        "Unsupported recipient key class: " + publicKey.getClass());
+            }
+            return ((OpenSslXwingPublicKey) publicKey).getRaw();
+        }
+
+        @Override
+        byte[] getPrivateRecipientKeyBytes(PrivateKey recipientKey) throws InvalidKeyException {
+            if (!(recipientKey instanceof OpenSslXwingPrivateKey)) {
+                throw new InvalidKeyException(
+                        "Unsupported recipient private key class: " + recipientKey.getClass());
+            }
+            return ((OpenSslXwingPrivateKey) recipientKey).getRaw();
+        }
+    }
+
+    /** Implementation of XWING/HKDF_SHA256/AES_128_GCM. */
+    public static class XwingHkdfSha256Aes128Gcm extends HpkeXwingImpl {
+        public XwingHkdfSha256Aes128Gcm() {
+            super(new HpkeSuite(KEM_XWING, KDF_HKDF_SHA256, AEAD_AES_128_GCM));
+        }
+    }
+
+    /** Implementation of XWING/HKDF_SHA256/AES_256_GCM. */
+    public static class XwingHkdfSha256Aes256Gcm extends HpkeXwingImpl {
+        public XwingHkdfSha256Aes256Gcm() {
+            super(new HpkeSuite(KEM_XWING, KDF_HKDF_SHA256, AEAD_AES_256_GCM));
+        }
+    }
+
+    /** Implementation of XWING/HKDF_SHA256/CHACHA20_POLY1305. */
+    public static class XwingHkdfSha256ChaCha20Poly1305 extends HpkeXwingImpl {
+        public XwingHkdfSha256ChaCha20Poly1305() {
+            super(new HpkeSuite(KEM_XWING, KDF_HKDF_SHA256, AEAD_CHACHA20POLY1305));
+        }
+    }
 }

common/src/main/java/org/conscrypt/HpkeSuite.java

@@ -35,6 +35,11 @@ public final class HpkeSuite {
      */
     public static final int KEM_DHKEM_X25519_HKDF_SHA256 = 0x0020;
 
+    /**
+     * KEM: 0x647a X-Wing
+     */
+    public static final int KEM_XWING = 0x647a;
+
     /**
      * KDF: 0x0001 HKDF-SHA256
      */
@@ -135,10 +140,13 @@ public AEAD convertAead(int aead) {
      *
      * @see <a href="https://www.rfc-editor.org/rfc/rfc9180.html#name-key-encapsulation-mechanism">
      *         rfc9180 </a>
+     * @see <a href="https://www.iana.org/assignments/hpke/hpke.xhtml">IANA HPKE</a>
      */
     public enum KEM {
         DHKEM_X25519_HKDF_SHA256(
-                /* id= */ 0x20, /* nSecret= */ 32, /* nEnc= */ 32, /* nPk= */ 32, /* nSk= */ 32);
+                /* id= */ 0x20, /* nSecret= */ 32, /* nEnc= */ 32, /* nPk= */ 32, /* nSk= */ 32),
+        XWING(/* id= */ 0x647a, /* nSecret= */ 32, /* nEnc= */ 1120, /* nPk= */ 1216,
+                /* nSk= */ 32);
 
         private final int id;
         private final int nSecret;

common/src/main/java/org/conscrypt/OpenSSLProvider.java

@@ -223,6 +223,8 @@ public OpenSSLProvider(String providerName) {
         // We don't support SLH-DSA, because it's not clear which algorithm to use.
         put("KeyPairGenerator.SLH-DSA-SHA2-128S", PREFIX + "OpenSslSlhDsaKeyPairGenerator");
 
+        put("KeyPairGenerator.XWING", PREFIX + "OpenSslXwingKeyPairGenerator");
+
         /* == KeyFactory == */
         put("KeyFactory.RSA", PREFIX + "OpenSSLRSAKeyFactory");
         put("Alg.Alias.KeyFactory.1.2.840.113549.1.1.1", "RSA");
@@ -248,6 +250,8 @@ public OpenSSLProvider(String providerName) {
         // We don't support SLH-DSA, because it's not clear which algorithm to use.
         put("KeyFactory.SLH-DSA-SHA2-128S", PREFIX + "OpenSslSlhDsaKeyFactory");
 
+        put("KeyFactory.XWING", PREFIX + "OpenSslXwingKeyFactory");
+
         /* == SecretKeyFactory == */
         put("SecretKeyFactory.DESEDE", PREFIX + "DESEDESecretKeyFactory");
         put("Alg.Alias.SecretKeyFactory.TDEA", "DESEDE");
@@ -580,6 +584,10 @@ public OpenSSLProvider(String providerName) {
                 baseClass + "$X25519_CHACHA20");
         put("Alg.Alias.ConscryptHpke.DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_GhpkeCHACHA20POLY1305",
                 "DHKEM_X25519_HKDF_SHA256/HKDF_SHA256/CHACHA20POLY1305");
+        put("ConscryptHpke.XWING/HKDF_SHA256/AES_128_GCM", baseClass + "$XwingHkdfSha256Aes128Gcm");
+        put("ConscryptHpke.XWING/HKDF_SHA256/AES_256_GCM", baseClass + "$XwingHkdfSha256Aes256Gcm");
+        put("ConscryptHpke.XWING/HKDF_SHA256/CHACHA20POLY1305",
+                baseClass + "$XwingHkdfSha256ChaCha20Poly1305");
 
         /* === PAKE === */
         if (Platform.isPakeSupported()) {

common/src/main/java/org/conscrypt/OpenSslXwingKeyFactory.java

@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2025 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.conscrypt;
+
+import java.security.InvalidKeyException;
+import java.security.Key;
+import java.security.KeyFactorySpi;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.spec.EncodedKeySpec;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.KeySpec;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.spec.X509EncodedKeySpec;
+
+/** An implementation of a {@link KeyFactorySpi} for XWING keys based on BoringSSL. */
+@Internal
+public final class OpenSslXwingKeyFactory extends KeyFactorySpi {
+    public OpenSslXwingKeyFactory() {}
+
+    @Override
+    protected PublicKey engineGeneratePublic(KeySpec keySpec) throws InvalidKeySpecException {
+        if (keySpec == null) {
+            throw new InvalidKeySpecException("keySpec == null");
+        }
+        if (keySpec instanceof EncodedKeySpec) {
+            return new OpenSslXwingPublicKey((EncodedKeySpec) keySpec);
+        }
+        throw new InvalidKeySpecException(
+                "Currently only EncodedKeySpec is supported; was " + keySpec.getClass().getName());
+    }
+
+    @Override
+    protected PrivateKey engineGeneratePrivate(KeySpec keySpec) throws InvalidKeySpecException {
+        if (keySpec == null) {
+            throw new InvalidKeySpecException("keySpec == null");
+        }
+        if (keySpec instanceof EncodedKeySpec) {
+            return new OpenSslXwingPrivateKey((EncodedKeySpec) keySpec);
+        }
+        throw new InvalidKeySpecException(
+                "Currently only EncodedKeySpec is supported; was " + keySpec.getClass().getName());
+    }
+
+    @Override
+    protected <T extends KeySpec> T engineGetKeySpec(Key key, Class<T> keySpec)
+            throws InvalidKeySpecException {
+        if (key == null) {
+            throw new InvalidKeySpecException("key == null");
+        }
+        if (keySpec == null) {
+            throw new InvalidKeySpecException("keySpec == null");
+        }
+        if (key instanceof OpenSslXwingPublicKey) {
+            OpenSslXwingPublicKey conscryptKey = (OpenSslXwingPublicKey) key;
+            if (X509EncodedKeySpec.class.isAssignableFrom(keySpec)) {
+                throw new UnsupportedOperationException(
+                        "X509EncodedKeySpec is currently not supported");
+            } else if (EncodedKeySpec.class.isAssignableFrom(keySpec)) {
+                return KeySpecUtil.makeRawKeySpec(conscryptKey.getRaw(), keySpec);
+            }
+        } else if (key instanceof OpenSslXwingPrivateKey) {
+            OpenSslXwingPrivateKey conscryptKey = (OpenSslXwingPrivateKey) key;
+            if (PKCS8EncodedKeySpec.class.isAssignableFrom(keySpec)) {
+                throw new UnsupportedOperationException(
+                        "PKCS8EncodedKeySpec is currently not supported");
+            } else if (EncodedKeySpec.class.isAssignableFrom(keySpec)) {
+                return KeySpecUtil.makeRawKeySpec(conscryptKey.getRaw(), keySpec);
+            }
+        }
+        throw new InvalidKeySpecException("Unsupported key type and key spec combination; key="
+                + key.getClass().getName() + ", keySpec=" + keySpec.getName());
+    }
+
+    @Override
+    protected Key engineTranslateKey(Key key) throws InvalidKeyException {
+        if (key == null) {
+            throw new InvalidKeyException("key == null");
+        }
+        if ((key instanceof OpenSslXwingPublicKey) || (key instanceof OpenSslXwingPrivateKey)) {
+            return key;
+        }
+        throw new InvalidKeyException(
+                "Key must be OpenSslXwingPublicKey or OpenSslXwingPrivateKey");
+    }
+}

common/src/main/java/org/conscrypt/OpenSslXwingKeyPairGenerator.java

@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2025 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.conscrypt;
+
+import java.security.InvalidParameterException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+
+/**
+ * An implementation of {@link KeyPairGenerator} for XWING keys which uses BoringSSL to perform all
+ * the operations.
+ */
+@Internal
+public final class OpenSslXwingKeyPairGenerator extends KeyPairGenerator {
+    public OpenSslXwingKeyPairGenerator() {
+        super("XWING");
+    }
+
+    @Override
+    public void initialize(int bits) throws InvalidParameterException {
+        if (bits != -1) {
+            throw new InvalidParameterException("XWING only supports -1 for bits");
+        }
+    }
+
+    @Override
+    public KeyPair generateKeyPair() {
+        byte[] privateKeyBytes = new byte[OpenSslXwingPrivateKey.PRIVATE_KEY_SIZE_BYTES];
+        NativeCrypto.RAND_bytes(privateKeyBytes);
+        byte[] publicKeyBytes = NativeCrypto.XWING_public_key_from_seed(privateKeyBytes);
+        return new KeyPair(new OpenSslXwingPublicKey(publicKeyBytes),
+                new OpenSslXwingPrivateKey(privateKeyBytes));
+    }
+}