From a6d6bf94e9525a5421003b797b80c7d1a6703ddc Mon Sep 17 00:00:00 2001
From: Zdenek Zambersky
Date: Tue, 11 Mar 2025 15:08:55 +0100
Subject: [PATCH 1/2] Add support for ML algorithms
---
 cryptotest/tests/KEMTests.java | 2 ++
 cryptotest/tests/KeyFactoryTests.java | 11 ++++++++++-
 cryptotest/tests/KeyPairGeneratorTests.java | 8 ++++++++
 cryptotest/tests/SignatureTests.java | 2 +-
 4 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/cryptotest/tests/KEMTests.java b/cryptotest/tests/KEMTests.java
index c218673..b1ab6ca 100644
--- a/cryptotest/tests/KEMTests.java
+++ b/cryptotest/tests/KEMTests.java
@@ -114,6 +114,8 @@ protected void checkAlgorithm(Provider.Service service, String alias) throws Alg
 KeyPairGenerator kpg = null;
 if (service.getAlgorithm().equals("DHKEM")) {
 kpg = KeysNaiveGenerator.getKeyPairGenerator("X25519", service.getProvider());
+ } else if (service.getAlgorithm().startsWith("ML-")) {
+ kpg = KeysNaiveGenerator.getKeyPairGenerator(service.getAlgorithm(), service.getProvider());
 } else {
 throw new RuntimeException("Unsupported KEM algorithm: " + service.getAlgorithm());
 }
diff --git a/cryptotest/tests/KeyFactoryTests.java b/cryptotest/tests/KeyFactoryTests.java
index 41f7bf5..d4b87d4 100644
--- a/cryptotest/tests/KeyFactoryTests.java
+++ b/cryptotest/tests/KeyFactoryTests.java
@@ -106,7 +106,7 @@ protected void checkAlgorithm(Provider.Service service, String alias) throws Alg
 privateKeySpec = keyFactory.getKeySpec(kp.getPrivate(), privateKeyClass);
 publicKeySpec = keyFactory.getKeySpec(kp.getPublic(), publicKeyClass);
 }
- } else if (service.getAlgorithm().contains("DSA")) {
+ } else if (service.getAlgorithm().contains("DSA") && !service.getAlgorithm().startsWith("ML-")) {
 KeyPair kp = KeysNaiveGenerator.getDsaKeyPair(p);
 translated = keyFactory.translateKey(kp.getPublic());
 if (!pkcs11fips) {
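Review bot: In KEMTests.java the new branch accepts any name beginning with `ML-`, which is wider than the KEM family this test can exercise; `service.getAlgorithm().startsWith("ML-KEM")` would keep the `Unsupported KEM algorithm` exception as the loud failure for anything unexpected. The same broad prefix is added to the Ed25519/EdDSA/Ed448 branch in SignatureTests.java, where `startsWith("ML-DSA")` states the intent. In a provider test suite a narrow match means a misregistered service name fails at the dispatch point rather than further down with a less obvious error. checkAlgorithm starts and ends outside both hunks, so how the generated key pair is used afterwards is not visible here.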
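Review bot: In KeyFactoryTests.java the DSA branch is now `contains("DSA") && !startsWith("ML-")`, a substring test patched with a single exclusion, so any other name that embeds `DSA` and reaches this point would still be handed a classic DSA key pair from `getDsaKeyPair(p)`. Whether such names can reach this branch depends on the earlier conditions of the chain, which are outside the hunk. If only the plain algorithm is meant, `service.getAlgorithm().equals("DSA")` removes the need for the exclusion; otherwise a comment such as `// ML-DSA contains "DSA" but needs its own key pair generator, handled below` would record why the exclusion exists.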
@@ -150,6 +150,15 @@ protected void checkAlgorithm(Provider.Service service, String alias) throws Alg
 privateKeySpec = keyFactory.getKeySpec(kp.getPrivate(), PKCS8EncodedKeySpec.class);
 publicKeySpec = keyFactory.getKeySpec(kp.getPublic(), X509EncodedKeySpec.class);
 }
+ } else if (service.getAlgorithm().startsWith("ML-")) {
+ KeyPairGenerator kpg = KeysNaiveGenerator.getKeyPairGenerator(service.getAlgorithm(), p);
+ KeyPair kp = kpg.generateKeyPair();
+ translated = keyFactory.translateKey(kp.getPublic());
+ if (!pkcs11fips) {
+ // pkcs11 provider in FIPS mode cannot obtain RAW keys
+ privateKeySpec = keyFactory.getKeySpec(kp.getPrivate(), PKCS8EncodedKeySpec.class);
+ publicKeySpec = keyFactory.getKeySpec(kp.getPublic(), X509EncodedKeySpec.class);
+ }
 } else if (service.getAlgorithm().contains("RSA")) {
 KeyPair kp = KeysNaiveGenerator.getRsaKeyPair(p);
 translated = keyFactory.translateKey(kp.getPublic());
diff --git a/cryptotest/tests/KeyPairGeneratorTests.java b/cryptotest/tests/KeyPairGeneratorTests.java
index f9a7375..561f103 100644
--- a/cryptotest/tests/KeyPairGeneratorTests.java
+++ b/cryptotest/tests/KeyPairGeneratorTests.java
@@ -80,6 +80,14 @@ protected void checkAlgorithm(Provider.Service service, String alias) throws
 keySize = 2048;
 } else if (service.getAlgorithm().contains("RSA")) {
 keySize = 2048;
+ } else if (service.getAlgorithm().contains("ML-")) {
+ // keySize is intentionally -1 here, KPG of this provider [1]
+ // does not override default initialize method [2],
+ // internal (in-tree) tests do the same [3], see:
+ // [1] https://github.com/openjdk/jdk/blob/da2b4f0749dffc99fa42c7311fbc74231af273bd/src/java.base/share/classes/com/sun/crypto/provider/ML_KEM_Impls.java#L40
+ // [2] https://github.com/openjdk/jdk/blob/da2b4f0749dffc99fa42c7311fbc74231af273bd/src/java.base/share/classes/sun/security/provider/NamedKeyPairGenerator.java#L153
+ // [3] https://github.com/openjdk/jdk/blob/da2b4f0749dffc99fa42c7311fbc74231af273bd/test/jdk/sun/security/provider/all/Deterministic.java#L208
+ keySize = -1;
 }
 keyPairGenerator.initialize(keySize, random);
 KeyPair pair = keyPairGenerator.genKeyPair();
diff --git a/cryptotest/tests/SignatureTests.java b/cryptotest/tests/SignatureTests.java
index f7f85c5..6192160 100644
--- a/cryptotest/tests/SignatureTests.java
+++ b/cryptotest/tests/SignatureTests.java
@@ -99,7 +99,7 @@ protected void checkAlgorithm(Provider.Service service, String alias) throws Alg
 }
 }
 key = getEcPrivateKey(service.getProvider());
- } else if (service.getAlgorithm().equals("Ed25519") || service.getAlgorithm().equals("EdDSA") || service.getAlgorithm().equals("Ed448")) {
+ } else if (service.getAlgorithm().equals("Ed25519") || service.getAlgorithm().equals("EdDSA") || service.getAlgorithm().equals("Ed448") || service.getAlgorithm().startsWith("ML-")) {
 KeyPairGenerator kpg = KeyPairGenerator.getInstance(service.getAlgorithm(), service.getProvider());
 KeyPair kp = kpg.generateKeyPair();
 key = kp.getPrivate();
From 8603062ccb001d3e821fa75edb6d0bb73e1d0556 Mon Sep 17 00:00:00 2001
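Review bot: The new branch in KeyPairGeneratorTests.java matches with `contains("ML-")`, while the other three files in this patch use `startsWith("ML-")`; writing `service.getAlgorithm().startsWith("ML-")` here keeps the dispatch consistent and avoids giving the -1 sentinel to a name that merely embeds the substring. The comment justifies `keySize = -1` only through three links into the OpenJDK tree, so one plain-words sentence on what -1 means to `initialize(keySize, random)` would keep the reasoning readable without following them. The start of the if/else chain and the default value of keySize are outside the hunk.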
From: Zdenek Zambersky
Date: Tue, 11 Mar 2025 18:09:54 +0100
Subject: [PATCH 2/2] merged duplicated cases in KeyFactoryTests
---
 cryptotest/tests/KeyFactoryTests.java | 34 ++++-----------------------
 1 file changed, 5 insertions(+), 29 deletions(-)
diff --git a/cryptotest/tests/KeyFactoryTests.java b/cryptotest/tests/KeyFactoryTests.java
index d4b87d4..3a7ce2e 100644
--- a/cryptotest/tests/KeyFactoryTests.java
+++ b/cryptotest/tests/KeyFactoryTests.java
@@ -123,38 +123,14 @@ protected void checkAlgorithm(Provider.Service service, String alias) throws Alg
 privateKeySpec = keyFactory.getKeySpec(kp.getPrivate(), RSAPrivateKeySpec.class);
 publicKeySpec = keyFactory.getKeySpec(kp.getPublic(), RSAPublicKeySpec.class);
 }
- } else if (service.getAlgorithm().contains("X25519")) {
- KeyPairGenerator kpg = KeysNaiveGenerator.getKeyPairGenerator("X25519", p);
- KeyPair kp = kpg.generateKeyPair();
- translated = keyFactory.translateKey(kp.getPublic());
- if (!pkcs11fips) {
- // pkcs11 provider in FIPS mode cannot obtain RAW keys
- privateKeySpec = keyFactory.getKeySpec(kp.getPrivate(), PKCS8EncodedKeySpec.class);
- publicKeySpec = keyFactory.getKeySpec(kp.getPublic(), X509EncodedKeySpec.class);
- }
- } else if (service.getAlgorithm().contains("X448")) {
- KeyPairGenerator kpg = KeysNaiveGenerator.getKeyPairGenerator("X448", p);
- KeyPair kp = kpg.generateKeyPair();
- translated = keyFactory.translateKey(kp.getPublic());
- if (!pkcs11fips) {
- // pkcs11 provider in FIPS mode cannot obtain RAW keys
- privateKeySpec = keyFactory.getKeySpec(kp.getPrivate(), PKCS8EncodedKeySpec.class);
- publicKeySpec = keyFactory.getKeySpec(kp.getPublic(), X509EncodedKeySpec.class);
- }
- } else if (service.getAlgorithm().contains("XDH")) {
- KeyPairGenerator kpg = KeysNaiveGenerator.getKeyPairGenerator("XDH", p);
- KeyPair kp = kpg.generateKeyPair();
- translated = keyFactory.translateKey(kp.getPublic());
- if (!pkcs11fips) {
- // pkcs11 provider in FIPS mode cannot obtain RAW keys
- privateKeySpec = keyFactory.getKeySpec(kp.getPrivate(), PKCS8EncodedKeySpec.class);
- publicKeySpec = keyFactory.getKeySpec(kp.getPublic(), X509EncodedKeySpec.class);
- }
- } else if (service.getAlgorithm().startsWith("ML-")) {
+ } else if (service.getAlgorithm().contains("X25519")
+ || service.getAlgorithm().contains("X448")
+ || service.getAlgorithm().contains("XDH")
+ || service.getAlgorithm().startsWith("ML-")) {
 KeyPairGenerator kpg = KeysNaiveGenerator.getKeyPairGenerator(service.getAlgorithm(), p);
 KeyPair kp = kpg.generateKeyPair();
 translated = keyFactory.translateKey(kp.getPublic());
- if (!pkcs11fips) {
+ if (!pkcs11fips) {
 // pkcs11 provider in FIPS mode cannot obtain RAW keys
 privateKeySpec = keyFactory.getKeySpec(kp.getPrivate(), PKCS8EncodedKeySpec.class);
 publicKeySpec = keyFactory.getKeySpec(kp.getPublic(), X509EncodedKeySpec.class);
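Review bot: Merging the branches changes which name is passed to `KeysNaiveGenerator.getKeyPairGenerator`: the removed X25519, X448 and XDH branches used fixed literals, while the merged branch passes `service.getAlgorithm()` and still selects with `contains(...)`. A service name that only embeds one of those strings would now be requested verbatim, and the generator lookup may fail where it previously succeeded. If only exact names are expected, `service.getAlgorithm().equals("X25519")` (and likewise for `X448` and `XDH`) makes the merged condition match what is passed on. The replaced `if (!pkcs11fips) {` line appears to differ only in whitespace, and checkAlgorithm continues past the end of the hunk.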