Split Public Keys

Author: Korbik

pom.xml

@@ -221,7 +221,7 @@
                 <artifactId>maven-failsafe-plugin</artifactId>
                 <version>2.22.2</version>
             </plugin>
-             <plugin>
+            <plugin>
                 <artifactId>maven-surefire-plugin</artifactId>
                 <version>3.2.5</version>
                 <dependencies>
@@ -237,7 +237,7 @@
                         <disable>true</disable>
                     </consoleOutputReporter>
                     <statelessTestsetInfoReporter
-                        implementation="org.apache.maven.plugin.surefire.extensions.junit5.JUnit5StatelessTestsetInfoTreeReporter">
+                            implementation="org.apache.maven.plugin.surefire.extensions.junit5.JUnit5StatelessTestsetInfoTreeReporter">
                         <printStacktraceOnError>true</printStacktraceOnError>
                         <printStacktraceOnFailure>true</printStacktraceOnFailure>
                         <printStdoutOnError>true</printStdoutOnError>

src/main/java/org/biscuitsec/biscuit/crypto/Ed25519KeyPair.java

@@ -1,23 +1,16 @@
 package org.biscuitsec.biscuit.crypto;
 
-import biscuit.format.schema.Schema;
-
-import java.io.IOException;
-import java.security.*;
-import java.security.spec.InvalidKeySpecException;
-import java.security.spec.NamedParameterSpec;
-import java.security.spec.X509EncodedKeySpec;
-
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.security.SignatureException;
 import org.biscuitsec.biscuit.token.builder.Utils;
-import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
-import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
+import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
+import org.bouncycastle.crypto.generators.Ed25519KeyPairGenerator;
+import org.bouncycastle.crypto.params.Ed25519KeyGenerationParameters;
 import org.bouncycastle.crypto.params.Ed25519PrivateKeyParameters;
 import org.bouncycastle.crypto.params.Ed25519PublicKeyParameters;
 import org.bouncycastle.crypto.signers.Ed25519Signer;
-import org.bouncycastle.internal.asn1.edec.EdECObjectIdentifiers;
-import org.bouncycastle.jcajce.provider.asymmetric.dh.BCDHPublicKey;
-import org.bouncycastle.jcajce.provider.asymmetric.edec.BCEdDSAPublicKey;
-import org.bouncycastle.util.encoders.Hex;
 
 final class Ed25519KeyPair extends KeyPair {
   private static final int BUFFER_SIZE = 32;
@@ -36,12 +29,13 @@ final class Ed25519KeyPair extends KeyPair {
   }
 
   Ed25519KeyPair(SecureRandom rng) {
-    byte[] b = new byte[BUFFER_SIZE];
-    rng.nextBytes(b);
 
-    Ed25519PrivateKeyParameters privateKey = new Ed25519PrivateKeyParameters(b);
+    Ed25519KeyPairGenerator kpg = new Ed25519KeyPairGenerator();
+    kpg.init(new Ed25519KeyGenerationParameters(rng));
 
-    Ed25519PublicKeyParameters publicKey = privateKey.generatePublicKey();
+    AsymmetricCipherKeyPair kp = kpg.generateKeyPair();
+    Ed25519PrivateKeyParameters privateKey = (Ed25519PrivateKeyParameters) kp.getPrivate();
+    Ed25519PublicKeyParameters publicKey = (Ed25519PublicKeyParameters) kp.getPublic();
 
     this.privateKey = privateKey;
     this.publicKey = publicKey;
@@ -51,22 +45,6 @@ final class Ed25519KeyPair extends KeyPair {
     this(Utils.hexStringToByteArray(hex));
   }
 
-  /*
-  public static java.security.PublicKey decode(byte[] data) {
-    var keyFactory = KeyFactory.getInstance("Ed25519");
-
-    // Wrap public key in ASN.1 format so we can use X509EncodedKeySpec to read it
-    var pubKeyInfo = new SubjectPublicKeyInfo(new AlgorithmIdentifier(EdECObjectIdentifiers.id_Ed25519), data);
-    var x509KeySpec = new X509EncodedKeySpec(pubKeyInfo.getEncoded());
-
-    return new BCDHPublicKey(x509KeySpec);
-  }
-
-
-  public static Signature getSignature() throws NoSuchAlgorithmException {
-    return new EdDSAEngine(MessageDigest.getInstance(ED_25519.getHashAlgorithm()));
-  }*/
-
   @Override
   public byte[] sign(byte[] data)
       throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
@@ -76,13 +54,6 @@ public byte[] sign(byte[] data)
     return sgr.generateSignature();
   }
 
-  public static boolean verify(PublicKey publicKey, byte[] data, byte[] signature) {
-    var sgr = new Ed25519Signer();
-    sgr.init(false, new Ed25519PublicKeyParameters(publicKey.toBytes()));
-    sgr.update(data, 0, data.length);
-    return sgr.verifySignature(signature);
-  }
-
   @Override
   public byte[] toBytes() {
     return privateKey.getEncoded();
@@ -95,6 +66,6 @@ public String toHex() {
 
   @Override
   public PublicKey getPublicKey() {
-    return new PublicKey(Schema.PublicKey.Algorithm.Ed25519, this.publicKey.getEncoded());
+    return new Ed25519PublicKey(this.publicKey);
   }
 }

src/main/java/org/biscuitsec/biscuit/crypto/Ed25519PublicKey.java

@@ -0,0 +1,60 @@
+package org.biscuitsec.biscuit.crypto;
+
+import biscuit.format.schema.Schema.PublicKey.Algorithm;
+import java.util.Arrays;
+import org.bouncycastle.crypto.params.Ed25519PublicKeyParameters;
+import org.bouncycastle.crypto.signers.Ed25519Signer;
+
+class Ed25519PublicKey extends PublicKey {
+  private final Ed25519PublicKeyParameters publicKey;
+
+  Ed25519PublicKey(final Ed25519PublicKeyParameters publicKey) {
+    super();
+    this.publicKey = publicKey;
+  }
+
+  static Ed25519PublicKey loadEd25519(byte[] data) {
+    return new Ed25519PublicKey(new Ed25519PublicKeyParameters(data));
+  }
+
+  @Override
+  public byte[] toBytes() {
+    return this.publicKey.getEncoded();
+  }
+
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) {
+      return true;
+    }
+    if (o == null || getClass() != o.getClass()) {
+      return false;
+    }
+
+    Ed25519PublicKey publicKey = (Ed25519PublicKey) o;
+
+    return Arrays.equals(this.toBytes(), publicKey.toBytes());
+  }
+
+  @Override
+  public int hashCode() {
+    return this.publicKey.hashCode();
+  }
+
+  @Override
+  public String toString() {
+    return "ed25519/" + toHex().toLowerCase();
+  }
+
+  public Algorithm getAlgorithm() {
+    return Algorithm.Ed25519;
+  }
+
+  @Override
+  public boolean verify(byte[] data, byte[] signature) {
+    var sgr = new Ed25519Signer();
+    sgr.init(false, this.publicKey);
+    sgr.update(data, 0, data.length);
+    return sgr.verifySignature(signature);
+  }
+}

src/main/java/org/biscuitsec/biscuit/crypto/KeyPair.java

@@ -1,11 +1,8 @@
 package org.biscuitsec.biscuit.crypto;
 
 import biscuit.format.schema.Schema.PublicKey.Algorithm;
-
-import java.io.IOException;
-import java.security.*;
-import java.security.spec.InvalidKeySpecException;
-
+import java.security.SecureRandom;
+import java.security.Security;
 import org.biscuitsec.biscuit.token.builder.Utils;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 
@@ -44,28 +41,6 @@ public static KeyPair generate(Algorithm algorithm, SecureRandom rng) {
     }
   }
 
-/*
-  public static Signature generateSignature(Algorithm algorithm) throws NoSuchAlgorithmException {
-    if (algorithm == Algorithm.Ed25519) {
-      return Ed25519KeyPair.getSignature();
-    } else if (algorithm == Algorithm.SECP256R1) {
-      return SECP256R1KeyPair.getSignature();
-    } else {
-      throw new NoSuchAlgorithmException("Unsupported algorithm");
-    }
-  }*/
-
-  public static boolean verify(PublicKey publicKey, byte[] data, byte[] signature)
-      throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
-    if (publicKey.getAlgorithm() == Algorithm.Ed25519) {
-      return Ed25519KeyPair.verify(publicKey,data, signature);
-    } else if (publicKey.getAlgorithm() == Algorithm.SECP256R1) {
-      return SECP256R1KeyPair.verify(publicKey, data, signature);
-    } else {
-      throw new NoSuchAlgorithmException("Unsupported algorithm");
-    }
-  }
-
   public abstract byte[] toBytes();
 
   public abstract String toHex();

src/main/java/org/biscuitsec/biscuit/crypto/PublicKey.java

@@ -3,45 +3,34 @@
 import biscuit.format.schema.Schema;
 import biscuit.format.schema.Schema.PublicKey.Algorithm;
 import com.google.protobuf.ByteString;
-
-import java.io.IOException;
+import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
-import java.security.spec.InvalidKeySpecException;
-import java.util.Arrays;
+import java.security.SignatureException;
 import java.util.Optional;
 import java.util.Set;
 import org.biscuitsec.biscuit.error.Error;
 import org.biscuitsec.biscuit.token.builder.Utils;
-import org.bouncycastle.crypto.params.Ed25519PublicKeyParameters;
-import org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPublicKey;
-import org.bouncycastle.jcajce.provider.asymmetric.edec.BCEdDSAPublicKey;
-
-public final class PublicKey {
 
-  private final byte[] key;
-  private final Algorithm algorithm;
+public abstract class PublicKey {
 
   private static final Set<Algorithm> SUPPORTED_ALGORITHMS =
       Set.of(Algorithm.Ed25519, Algorithm.SECP256R1);
 
-  public PublicKey(Algorithm algorithm, java.security.PublicKey publicKey) {
-    this.key = publicKey.getEncoded();
-    this.algorithm = algorithm;
-  }
-
-  public PublicKey(Algorithm algorithm, byte[] data) {
-    this.key = data;
-    this.algorithm = algorithm;
+  public static PublicKey load(Algorithm algorithm, byte[] data) {
+    if (algorithm == Algorithm.Ed25519) {
+      return Ed25519PublicKey.loadEd25519(data);
+    } else if (algorithm == Algorithm.SECP256R1) {
+      return Secp256R1PublicKey.loadSecp256r1(data);
+    } else {
+      throw new IllegalArgumentException("Unsupported algorithm");
+    }
   }
 
-  public PublicKey(Algorithm algorithm, String hex) {
-    this.key = Utils.hexStringToByteArray(hex);
-    this.algorithm = algorithm;
+  public static PublicKey load(Algorithm algorithm, String hex) {
+    return load(algorithm, Utils.hexStringToByteArray(hex));
   }
 
-  public byte[] toBytes() {
-    return this.key;
-  }
+  public abstract byte[] toBytes();
 
   public String toHex() {
     return Utils.byteArrayToHexString(this.toBytes());
@@ -50,7 +39,7 @@ public String toHex() {
   public Schema.PublicKey serialize() {
     Schema.PublicKey.Builder publicKey = Schema.PublicKey.newBuilder();
     publicKey.setKey(ByteString.copyFrom(this.toBytes()));
-    publicKey.setAlgorithm(this.algorithm);
+    publicKey.setAlgorithm(this.getAlgorithm());
     return publicKey.build();
   }
 
@@ -59,7 +48,7 @@ public static PublicKey deserialize(Schema.PublicKey pk)
     if (!pk.hasAlgorithm() || !pk.hasKey() || !SUPPORTED_ALGORITHMS.contains(pk.getAlgorithm())) {
       throw new Error.FormatError.DeserializationError("Invalid public key");
     }
-    return new PublicKey(pk.getAlgorithm(), pk.getKey().toByteArray());
+    return PublicKey.load(pk.getAlgorithm(), pk.getKey().toByteArray());
   }
 
   public static Optional<Error> validateSignatureLength(Algorithm algorithm, int length) {
@@ -80,37 +69,8 @@ public static Optional<Error> validateSignatureLength(Algorithm algorithm, int l
     return error;
   }
 
-  @Override
-  public boolean equals(Object o) {
-    if (this == o) {
-      return true;
-    }
-    if (o == null || getClass() != o.getClass()) {
-      return false;
-    }
+  public abstract Algorithm getAlgorithm();
 
-    PublicKey publicKey = (PublicKey) o;
-
-    return this.algorithm.equals(publicKey.algorithm) && Arrays.equals(this.key, publicKey.toBytes());
-  }
-
-  @Override
-  public int hashCode() {
-    return Arrays.hashCode(this.key);
-  }
-
-  @Override
-  public String toString() {
-    if (this.algorithm == Algorithm.Ed25519) {
-      return "ed25519/" + toHex().toLowerCase();
-    } else if (this.algorithm == Algorithm.SECP256R1) {
-      return "secp256r1/" + toHex().toLowerCase();
-    } else {
-      return null;
-    }
-  }
-
-  public Algorithm getAlgorithm() {
-    return this.algorithm;
-  }
+  public abstract boolean verify(byte[] data, byte[] signature)
+      throws InvalidKeyException, SignatureException, NoSuchAlgorithmException;
 }

src/main/java/org/biscuitsec/biscuit/crypto/SECP256R1KeyPair.java

@@ -1,10 +1,8 @@
 package org.biscuitsec.biscuit.crypto;
 
-import biscuit.format.schema.Schema;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
-import java.security.Security;
 import java.security.Signature;
 import java.security.SignatureException;
 import org.biscuitsec.biscuit.token.builder.Utils;
@@ -27,11 +25,9 @@ final class SECP256R1KeyPair extends KeyPair {
   private final BCECPrivateKey privateKey;
   private final BCECPublicKey publicKey;
 
-  private static final String ALGORITHM = "ECDSA";
-  private static final String CURVE = "secp256r1";
-  private static final ECNamedCurveParameterSpec SECP256R1 =
-      ECNamedCurveTable.getParameterSpec(CURVE);
-
+  static final String ALGORITHM = "ECDSA";
+  static final String CURVE = "secp256r1";
+  static final ECNamedCurveParameterSpec SECP256R1 = ECNamedCurveTable.getParameterSpec(CURVE);
 
   SECP256R1KeyPair(byte[] bytes) {
     var privateKeySpec = new ECPrivateKeySpec(BigIntegers.fromUnsignedByteArray(bytes), SECP256R1);
@@ -72,7 +68,7 @@ public static java.security.PublicKey decode(byte[] data) {
     return new BCECPublicKey(ALGORITHM, spec, BouncyCastleProvider.CONFIGURATION);
   }
 
-  private static Signature getSignature() throws NoSuchAlgorithmException {
+  static Signature getSignature() throws NoSuchAlgorithmException {
     return Signature.getInstance("SHA256withECDSA", new BouncyCastleProvider());
   }
 
@@ -86,7 +82,7 @@ public byte[] sign(byte[] data)
   }
 
   public static boolean verify(PublicKey publicKey, byte[] data, byte[] signature)
-          throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
+      throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
     var sgr = getSignature();
     sgr.initVerify(decode(publicKey.toBytes()));
     sgr.update(data);
@@ -105,6 +101,6 @@ public String toHex() {
 
   @Override
   public PublicKey getPublicKey() {
-    return new PublicKey(Schema.PublicKey.Algorithm.SECP256R1, publicKey);
+    return new Secp256R1PublicKey(this.publicKey);
   }
 }