Interim fix for MLKEM/MLDSA seed only private key ASN1 encoding. This will be replaced when formal support is available from OpenSSL for seed only encoding.

Added Tests

Author: mwcw

interface/ffi/asn1_ni_ffi.c

@@ -7,6 +7,8 @@
 
 #include <assert.h>
 #include <stdlib.h>
+#include <string.h>
+
 #include "../util/asn1_util.h"
 #include "../util/bc_err_codes.h"
 #include "types.h"
@@ -48,9 +50,11 @@ int32_t ASN1_encodePublicKey(asn1_ctx *asn1_ctx, key_spec *key_spec) {
     return (int32_t) buf_len;
 }
 
-int32_t ASN1_encodePrivateKey(asn1_ctx *asn1_ctx, key_spec *key_spec) {
+int32_t ASN1_encodePrivateKey(asn1_ctx *asn1_ctx, key_spec *key_spec, const char *option_string,
+                              size_t option_string_len) {
     assert(asn1_ctx != NULL);
 
+
     if (key_spec == NULL) {
         return JO_KEY_IS_NULL;
     }
@@ -59,8 +63,21 @@ int32_t ASN1_encodePrivateKey(asn1_ctx *asn1_ctx, key_spec *key_spec) {
         return JO_KEY_SPEC_HAS_NULL_KEY;
     }
 
+    int encoding_option = PRIVATE_KEY_DEFAULT_ENCODING;
+
+    if (option_string != NULL) {
+        if (strncmp(PRIVATE_KEY_DEFAULT_ENCODING_OPTION, option_string, option_string_len) == 0) {
+            encoding_option = PRIVATE_KEY_DEFAULT_ENCODING;
+        } else if (strncmp(PRIVATE_KEY_SEED_ONLY_ENCODING_OPTION, option_string, option_string_len) == 0) {
+            encoding_option = PRIVATE_KEY_SEED_ONLY_ENCODING;
+        } else {
+            return JO_INVALID_KEY_ENCODING_OPTION;
+        }
+    }
+
+
     size_t buf_len = 0;
-    if (!asn1_writer_encode_private_key(asn1_ctx, key_spec, &buf_len)) {
+    if (!asn1_writer_encode_private_key(asn1_ctx, key_spec, &buf_len, encoding_option)) {
         return JO_OPENSSL_ERROR;
     }
 

interface/jni/asn1_ni_jni.c

@@ -89,33 +89,64 @@ JNIEXPORT jint JNICALL Java_org_openssl_jostle_util_asn1_Asn1NiJNI_encodePublicK
  * Signature: (JJ)I
  */
 JNIEXPORT jint JNICALL Java_org_openssl_jostle_util_asn1_Asn1NiJNI_encodePrivateKey
-(JNIEnv *env, jobject jo, jlong asn1_ref, jlong key_ref) {
+(JNIEnv *env, jobject jo, jlong asn1_ref, jlong key_ref, jstring _option) {
     UNUSED(env);
     UNUSED(jo);
 
     asn1_ctx *ctx = (asn1_ctx *) asn1_ref;
     assert(ctx != NULL);
 
     key_spec *key = (key_spec *) key_ref;
+    size_t ret_code = 0;
+    const char *option_string = NULL;
+    int encoding_option = PRIVATE_KEY_DEFAULT_ENCODING;
+
 
     if (key == NULL) {
-        return JO_KEY_IS_NULL;
+        ret_code = JO_KEY_IS_NULL;
+        goto exit;
     }
 
     if (key->key == NULL) {
-        return JO_KEY_SPEC_HAS_NULL_KEY;
+        ret_code = JO_KEY_SPEC_HAS_NULL_KEY;
+        goto exit;
     }
 
-    size_t buf_len = 0;
-    if (!asn1_writer_encode_private_key(ctx, key, &buf_len)) {
-        return JO_OPENSSL_ERROR;
+
+    if (_option != NULL) {
+        option_string = (*env)->GetStringUTFChars(env, _option, NULL);
+        if (OPS_FAILED_ACCESS_1 option_string == NULL) {
+            ret_code = JO_FAILED_ACCESS_ENCODING_OPTION;
+            goto exit;
+        }
+
+        if (strcmp(PRIVATE_KEY_DEFAULT_ENCODING_OPTION, option_string) == 0) {
+            encoding_option = PRIVATE_KEY_DEFAULT_ENCODING;
+        } else if (strcmp(PRIVATE_KEY_SEED_ONLY_ENCODING_OPTION, option_string) == 0) {
+            encoding_option = PRIVATE_KEY_SEED_ONLY_ENCODING;
+        } else {
+            ret_code = JO_INVALID_KEY_ENCODING_OPTION;
+            goto exit;
+        }
     }
 
-    if (OPS_INT32_OVERFLOW_1 buf_len > INT_MAX) {
-        return JO_OUTPUT_SIZE_INT_OVERFLOW;
+
+    if (!asn1_writer_encode_private_key(ctx, key, &ret_code, encoding_option)) {
+        ret_code = JO_OPENSSL_ERROR;
+        goto exit;
     }
 
-    return (jint) buf_len;
+    if (OPS_INT32_OVERFLOW_1 ret_code > INT_MAX) {
+        ret_code = JO_OUTPUT_SIZE_INT_OVERFLOW;
+    }
+
+
+exit:
+    if (option_string != NULL) {
+        (*env)->ReleaseStringUTFChars(env, _option, option_string);
+    }
+
+    return (jint) ret_code;
 }
 
 /*

interface/util/asn1_util.c

@@ -13,7 +13,7 @@
 #include <openssl/bio.h>
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
-
+#include <openssl/core_names.h>
 #include "bc_err_codes.h"
 #include "key_spec.h"
 #include "ops.h"
@@ -50,7 +50,6 @@ int32_t asn1_writer_get_content(asn1_ctx *ctx, uint8_t *output, size_t *written,
     *written = BIO_get_mem_data(ctx->buffer, &buffer);
 
     if (output != NULL) {
-
         if (output_len != *written) {
             return JO_OUTPUT_OUT_OF_RANGE;
         }
@@ -77,13 +76,175 @@ int32_t asn1_writer_encode_public_key(asn1_ctx *ctx, key_spec *key_spec, size_t
     return 1;
 }
 
-int32_t asn1_writer_encode_private_key(asn1_ctx *ctx, key_spec *key_spec, size_t *buf_len) {
+static uint8_t mldsa44[] = {
+    48, 52, 2, 1, 0, 48, 11, 6, 9, 96, -122, 72, 1, 101,
+    3, 4, 3, 17, 4, 34, -128, 32, 0, 0, 0, 24, -114,
+    -53, -113, 95, -119, -16, 39, 21, 113, 55, -26, 114,
+    -74, -30, -20, -39, 107, 62, 87, 20, 41, 34, 90, -18,
+    -39, -100, -91, -10
+}; // Seed at byte 22 for 32
+
+static uint8_t mldsa65[] = {
+    48, 52, 2, 1, 0, 48, 11, 6, 9, 96, -122, 72, 1, 101,
+    3, 4, 3, 18, 4, 34, -128, 32, 8, -114, 106, -34, 33,
+    -98, 52, 82, -49, 38, 83, 64, 94, -40, -4, 34, -102,
+    114, -44, 79, 63, -108, 20, 90, 127, 120, -99, -103,
+    -60, -128, -41, 87
+};
+
+static uint8_t mldsa87[] = {
+    48, 52, 2, 1, 0, 48, 11, 6, 9, 96, -122, 72, 1, 101,
+    3, 4, 3, 19, 4, 34, -128, 32, -53, 1, -80, -43, -69,
+    -53, -31, -23, 13, 107, 112, 73, -105, -65, 120, 123,
+    87, 81, 58, 107, 18, 65, -62, -8, 92, 36, 126, -97,
+    -4, 64, 93, -86
+};
+
+
+static uint8_t mlkem512[] = {
+    48, 84, 2, 1, 0, 48, 11, 6, 9, 96, -122, 72, 1, 101, 3,
+    4, 4, 1, 4, 66, -128, 64, -21, -50, 86, -11, -120, -111,
+    60, 38, 98, 62, 7, 9, 64, 49, -67, -88, -37, 65, 3, -70,
+    -119, -109, -22, 120, -69, 95, 89, 72, -79, -53, -100,
+    -112, -103, 49, -118, 107, -10, 52, -4, 35, -69, 17, 67,
+    58, -24, -123, -77, -70, 74, 125, -83, -33, -126, 34, 32,
+    24, 28, -99, -53, 31, 23, 97, -59, -111
+};
+
+static uint8_t mlkem768[] = {
+    48, 84, 2, 1, 0, 48, 11, 6, 9, 96, -122, 72, 1, 101, 3,
+    4, 4, 2, 4, 66, -128, 64, -70, -57, -85, 79, -37, -43,
+    102, 66, 26, -118, -59, 37, 104, 86, -89, -108, 45, -25,
+    13, 61, -80, 10, -55, 30, 47, -57, 117, -72, -44, -66,
+    61, 88, -128, 21, -88, 9, -1, 26, -103, 33, -26, 72, -32,
+    -33, -72, 26, -101, 64, 28, -21, 94, 113, 22, -70, -20,
+    -78, 23, 40, 16, 12, 60, 6, -109, -89
+}; // Seed at byte 22 for 64
+
+
+static uint8_t mlkem1024[] = {
+    48, 84, 2, 1, 0, 48, 11, 6, 9, 96, -122, 72, 1, 101, 3, 4,
+    4, 3, 4, 66, -128, 64, -26, -73, 52, -19, 111, 116, 81, 6,
+    72, -100, 120, -75, -90, -118, 44, -100, 59, 41, -35, 81,
+    -109, -121, -42, -37, -102, 11, -9, 3, -50, -59, 30, -15,
+    9, 46, -71, 106, -45, 2, -126, 64, 108, 114, -67, -91, -68,
+    38, -77, 97, -56, 126, -8, -43, 127, -30, 2, -60, 95, -74,
+    125, -101, 88, 35, -17, 89
+};
+
+
+int32_t asn1_writer_encode_private_key(asn1_ctx *ctx, key_spec *key_spec, size_t *buf_len, int encoding_option) {
     assert(ctx != NULL);
     assert(key_spec != NULL);
     assert(key_spec->key != NULL);
 
-    if (!i2d_PrivateKey_bio(ctx->buffer, key_spec->key)) {
-        return 0;
+    switch (encoding_option) {
+        case PRIVATE_KEY_DEFAULT_ENCODING:
+            if (!i2d_PrivateKey_bio(ctx->buffer, key_spec->key)) {
+                return 0;
+            }
+            break;
+        case PRIVATE_KEY_SEED_ONLY_ENCODING:
+
+            // NB hack until official support in OpenSSL
+            // This is not intended to be robust implementation and will be replaced
+
+            if (EVP_PKEY_is_a(key_spec->key, "ML-DSA-44")) {
+                uint8_t b[sizeof(mldsa44)];
+                memcpy(b, mldsa44, sizeof(mldsa44));
+
+                if (
+                    1 != EVP_PKEY_get_octet_string_param(
+                        key_spec->key,
+                        OSSL_PKEY_PARAM_ML_DSA_SEED, b + 22, 32, NULL)) {
+                    return 0;
+                }
+
+                if (BIO_write(ctx->buffer, b, sizeof(mldsa44)) < 0) {
+                    return 0;
+                }
+                OPENSSL_cleanse(b, sizeof(mldsa44));
+            } else if (EVP_PKEY_is_a(key_spec->key, "ML-DSA-65")) {
+                uint8_t b[sizeof(mldsa65)];
+                memcpy(b, mldsa65, sizeof(mldsa65));
+
+                if (
+                    1 != EVP_PKEY_get_octet_string_param(
+                        key_spec->key,
+                        OSSL_PKEY_PARAM_ML_DSA_SEED, b + 22, 32, NULL)) {
+                    return 0;
+                }
+
+                if (BIO_write(ctx->buffer, b, sizeof(mldsa65)) < 0) {
+                    return 0;
+                }
+                OPENSSL_cleanse(b, sizeof(mldsa65));
+            } else if (EVP_PKEY_is_a(key_spec->key, "ML-DSA-87")) {
+                uint8_t b[sizeof(mldsa87)];
+                memcpy(b, mldsa87, sizeof(mldsa87));
+
+                if (
+                    1 != EVP_PKEY_get_octet_string_param(
+                        key_spec->key,
+                        OSSL_PKEY_PARAM_ML_DSA_SEED, b + 22, 32, NULL)) {
+                    return 0;
+                }
+
+                if (BIO_write(ctx->buffer, b, sizeof(mldsa87)) < 0) {
+                    return 0;
+                }
+                OPENSSL_cleanse(b, sizeof(mldsa87));
+            } else if (EVP_PKEY_is_a(key_spec->key, "ML-KEM-512")) {
+                uint8_t b[sizeof(mlkem512)];
+                memcpy(b, mlkem512, sizeof(mlkem512));
+
+                if (
+                    1 != EVP_PKEY_get_octet_string_param(
+                        key_spec->key,
+                        OSSL_PKEY_PARAM_ML_DSA_SEED, b + 22, 64, NULL)) {
+                    return JO_OPENSSL_ERROR;
+                }
+
+                if (BIO_write(ctx->buffer, b, sizeof(mlkem512)) < 0) {
+                    return 0;
+                }
+                OPENSSL_cleanse(b, sizeof(mlkem512));
+            } else if (EVP_PKEY_is_a(key_spec->key, "ML-KEM-768")) {
+                uint8_t b[sizeof(mlkem768)];
+                memcpy(b, mlkem768, sizeof(mlkem768));
+
+                if (
+                    1 != EVP_PKEY_get_octet_string_param(
+                        key_spec->key,
+                        OSSL_PKEY_PARAM_ML_DSA_SEED, b + 22, 64, NULL)) {
+                    return 0;
+                }
+
+                if (BIO_write(ctx->buffer, b, sizeof(mlkem768)) < 0) {
+                    return 0;
+                }
+                OPENSSL_cleanse(b, sizeof(mlkem768));
+            } else if (EVP_PKEY_is_a(key_spec->key, "ML-KEM-1024")) {
+                uint8_t b[sizeof(mlkem1024)];
+                memcpy(b, mlkem1024, sizeof(mlkem1024));
+
+                if (
+                    1 != EVP_PKEY_get_octet_string_param(
+                        key_spec->key,
+                        OSSL_PKEY_PARAM_ML_DSA_SEED, b + 22, 64, NULL)) {
+                    return 0;
+                }
+
+                if (BIO_write(ctx->buffer, b, sizeof(mlkem1024)) < 0) {
+                    return 0;
+                }
+                OPENSSL_cleanse(b, sizeof(mlkem1024));
+            } else {
+                return 0;
+            }
+            break;
+        default:
+            return 0;
     }
 
 

interface/util/asn1_util.h

@@ -11,6 +11,11 @@
 
 #include "key_spec.h"
 
+#define PRIVATE_KEY_DEFAULT_ENCODING 0
+#define PRIVATE_KEY_SEED_ONLY_ENCODING 1
+
+#define PRIVATE_KEY_DEFAULT_ENCODING_OPTION "default"
+#define PRIVATE_KEY_SEED_ONLY_ENCODING_OPTION "seed_only"
 
 typedef struct asn1_ctx {
     BIO *buffer;
@@ -47,10 +52,11 @@ int32_t asn1_writer_encode_public_key(asn1_ctx *ctx, key_spec *key_spec, size_t
  * @param ctx the ctx
  * @param key_spec the key spec
  * @param buf_len receiver for the length of data in the buffer
+ * @param encoding_option
  *
  * @return 1 = success, 0 = failure
  */
-int32_t asn1_writer_encode_private_key(asn1_ctx *ctx, key_spec *key_spec, size_t *buf_len);
+int32_t asn1_writer_encode_private_key(asn1_ctx *ctx, key_spec *key_spec, size_t *buf_len, int encoding_option);
 
 
 /**

interface/util/bc_err_codes.h

@@ -110,6 +110,8 @@
 #define JO_KDF_PBE_ITER_NEGATIVE -83
 #define JO_KDF_PBE_UNKNOWN_DIGEST -84
 
+#define JO_INVALID_KEY_ENCODING_OPTION -85
+#define JO_FAILED_ACCESS_ENCODING_OPTION -86
 
 
 #endif //BC_OSSL_ERR_CODES_H

jostle/src/main/java/org/openssl/jostle/jcajce/provider/ErrorCode.java

@@ -102,6 +102,8 @@ public enum ErrorCode
     JO_KDF_PBE_ITER_NEGATIVE(-83),
     JO_KDF_PBE_UNKNOWN_DIGEST(-84),
 
+    JO_INVALID_KEY_ENCODING_OPTION(-85),
+    JO_FAILED_ACCESS_ENCODING_OPTION(-86),
 
     JO_UNKNOWN(Integer.MIN_VALUE);
 

jostle/src/main/java/org/openssl/jostle/jcajce/provider/mldsa/JOMLDSAPrivateKey.java

@@ -19,8 +19,9 @@
 import org.openssl.jostle.jcajce.spec.OSSLKeyType;
 import org.openssl.jostle.jcajce.spec.PKEYKeySpec;
 import org.openssl.jostle.util.asn1.ASNEncoder;
+import org.openssl.jostle.util.asn1.PrivateKeyOptions;
 
-class JOMLDSAPrivateKey extends AsymmetricKeyImpl implements MLDSAPrivateKey,OSSLKey
+class JOMLDSAPrivateKey extends AsymmetricKeyImpl implements MLDSAPrivateKey, OSSLKey
 {
     final boolean seedOnly;
 
@@ -51,7 +52,11 @@ public String getFormat()
     @Override
     public byte[] getEncoded()
     {
-        return ASNEncoder.asPrivateKeyInfo(spec);
+        if (seedOnly)
+        {
+            return ASNEncoder.asPrivateKeyInfo(spec, PrivateKeyOptions.SEED_ONLY);
+        }
+        return ASNEncoder.asPrivateKeyInfo(spec, PrivateKeyOptions.DEFAULT);
     }
 
     public byte[] getSeed()
@@ -88,7 +93,7 @@ public MLDSAPrivateKey getPrivateKey(boolean preferSeedOnly)
                         new PKEYKeySpec(
                                 NISelector.MLDSAServiceNI.handleErrors(
                                         NISelector.MLDSAServiceNI.generateKeyPair(type.getKsType(), seed, seed.length)
-                                ), type)
+                                ), type), preferSeedOnly
                 );
             }
         }