org.apache.sshd.common.kex.MontgomeryCurve Maven / Gradle / Ivy
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.sshd.common.kex;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import javax.crypto.KeyAgreement;
import org.apache.sshd.common.OptionalFeature;
import org.apache.sshd.common.keyprovider.KeySizeIndicator;
import org.apache.sshd.common.util.security.SecurityUtils;
/**
* Provides implementation details for Montgomery curves and their key exchange algorithms Curve25519/X25519 and
* Curve448/X448 specified in RFC 7748 and RFC 8731. Montgomery curves provide improved security and flexibility over
* Weierstrass curves used in ECDH.
*
* @see RFC 7748
* @see RFC 8731
*/
public enum MontgomeryCurve implements KeySizeIndicator, OptionalFeature {
/**
* The "magic" bytes below are the beginning of a DER encoding of the ASN.1 of the SubjectPublicKeyInfo as specified
* in RFC 8410, sections 3 and 4.
*
*
* AlgorithmIdentifier ::= SEQUENCE {
* algorithm OBJECT IDENTIFIER,
* parameters ANY DEFINED BY algorithm OPTIONAL -- absent for these keys
* }
* SubjectPublicKeyInfo ::= SEQUENCE {
* algorithm AlgorithmIdentifier,
* subjectPublicKey BIT STRING
* }
*
*
* If we take it apart the first one for x25519:
*
*
*
* 0x30 - SEQUENCE (start of SubjectPublicKeyInfo)
* 0x2a - of 42 bytes
* 0x30 - SEQUENCE (start of AlgorithmIdentifier)
* 0x05 - of 5 bytes
* 0x06 - OID
* 0x03 - of 3 bytes
* 0x2b - 1 3 (encoded as 1*40 + 3 = 43 = 0x2b)
* 0x65 - 101
* 0x6e - 110
* 0x03 - BIT STRING
* 0x21 - of 33 bytes
* 0x00 - NUL byte
*
*
* If one appends now the 32 public key bytes, the DER encoding for the x25519 public key is complete. The NUL byte
* at the end ensures that the raw key bytes appended are always interpreted as unsigned, even if the most
* significant bit is set.
*
*
* The OID for x25519 is { 1 3 101 110 }, for x448 { 1 3 101 111 }.
*
*/
/**
* X25519 uses Curve25519 and SHA-256 with a 32-byte key size.
*/
x25519("X25519", 32,
new byte[] { 0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x6e, 0x03, 0x21, 0x00 }),
/**
* X448 uses Curve448 and SHA-512 with a 56-byte key size.
*/
x448("X448", 56,
new byte[] { 0x30, 0x42, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x6f, 0x03, 0x39, 0x00 });
private final String algorithm;
private final int keySize;
private final boolean supported;
private final KeyPairGenerator keyPairGenerator;
private final KeyFactory keyFactory;
private final byte[] encodedPublicKeyPrefix;
MontgomeryCurve(String algorithm, int keySize, byte[] encodedPublicKeyPrefix) {
this.algorithm = algorithm;
this.keySize = keySize;
this.encodedPublicKeyPrefix = encodedPublicKeyPrefix;
boolean isSupported;
KeyPairGenerator generator = null;
KeyFactory factory = null;
try {
SecurityUtils.getKeyAgreement(algorithm);
generator = SecurityUtils.getKeyPairGenerator(algorithm);
factory = SecurityUtils.getKeyFactory(algorithm);
isSupported = true;
} catch (GeneralSecurityException ignored) {
isSupported = false;
}
this.supported = isSupported;
keyPairGenerator = generator;
keyFactory = factory;
}
public String getAlgorithm() {
return algorithm;
}
@Override
public int getKeySize() {
return keySize;
}
@Override
public boolean isSupported() {
return supported;
}
public KeyAgreement createKeyAgreement() throws GeneralSecurityException {
return SecurityUtils.getKeyAgreement(algorithm);
}
public KeyPair generateKeyPair() {
synchronized (this) {
return keyPairGenerator.generateKeyPair();
}
}
public byte[] encode(PublicKey key) throws InvalidKeyException {
// Per the ASN.1 of SubjectPublicKeyInfo, the key must be the last keySize bytes of the X.509 encoding
byte[] subjectPublicKeyInfo = key.getEncoded();
byte[] result = Arrays.copyOfRange(subjectPublicKeyInfo, subjectPublicKeyInfo.length - getKeySize(),
subjectPublicKeyInfo.length);
return result;
}
public PublicKey decode(byte[] key) throws InvalidKeySpecException {
int size = getKeySize();
int offset = key.length - size;
// We're lenient here and accept a key prefixed by a zero byte.
if (offset < 0 || offset > 1) {
throw new InvalidKeySpecException("Provided key has wrong length (" + key.length + " bytes) for " + getAlgorithm());
} else if (offset == 1) {
if (key[0] != 0) {
throw new InvalidKeySpecException("Provided key for " + getAlgorithm()
+ " has extra byte, but it's non-zero: 0x"
+ Integer.toHexString(key[0] & 0xFF));
}
}
// Ideally, we'd just parse the key as a BigInteger and then create a XECPublicKeySpec in Java 11
// BouncyCastle supports a separate API, but we can use the generic X.509 encoding scheme supported by both
byte[] encoded = Arrays.copyOf(encodedPublicKeyPrefix, encodedPublicKeyPrefix.length + size);
System.arraycopy(key, offset, encoded, encodedPublicKeyPrefix.length, size);
return keyFactory.generatePublic(new X509EncodedKeySpec(encoded));
}
}
© 2015 - 2024 Weber Informatics LLC | Privacy Policy