When I generate a CMS EnvelopedData containing a KeyAgreeRecipientInfo, the recipient info will have an OriginatorPublicKey whose key's AlgorithmIdentifier is missing the curve name -- which must be set as the algorithm parameters per RFC 5480. Consider this CMS EnvelopedData generated with the code below:
```kotlin
import org.bouncycastle.cms.CMSAlgorithm
import org.bouncycastle.cms.CMSEnvelopedData
import org.bouncycastle.cms.CMSEnvelopedDataGenerator
import org.bouncycastle.cms.CMSProcessableByteArray
import org.bouncycastle.cms.jcajce.JceCMSContentEncryptorBuilder
import org.bouncycastle.cms.jcajce.JceKeyAgreeRecipientInfoGenerator
import org.bouncycastle.jce.provider.BouncyCastleProvider
import org.bouncycastle.util.encoders.Base64
import java.security.KeyPair
import java.security.KeyPairGenerator
import java.security.PublicKey
import java.security.spec.ECGenParameterSpec

val bcProvider = BouncyCastleProvider()

// Generates an EC key pair on the named curve (P-256 by default) with the BC provider.
fun generateECDHKeyPair(curveName: String = "P-256"): KeyPair {
    val keyGen = KeyPairGenerator.getInstance("EC", bcProvider)
    val ecSpec = ECGenParameterSpec(curveName)
    keyGen.initialize(ecSpec)
    return keyGen.generateKeyPair()
}

// Builds a CMS EnvelopedData with one KeyAgreeRecipientInfo:
// ECDH with SHA-256 KDF, AES-128 key wrap, AES-128-CBC content encryption.
fun bcEncrypt(
    plaintext: ByteArray,
    recipientKeyId: ByteArray,
    recipientPublicKey: PublicKey,
    senderKeyPair: KeyPair
): CMSEnvelopedData {
    val cmsEnvelopedDataGenerator = CMSEnvelopedDataGenerator()
    val recipientInfoGenerator = JceKeyAgreeRecipientInfoGenerator(
        CMSAlgorithm.ECDH_SHA256KDF,
        senderKeyPair.private,
        senderKeyPair.public,   // this key ends up in OriginatorPublicKey
        CMSAlgorithm.AES128_WRAP
    ).addRecipient(recipientKeyId, recipientPublicKey)
    cmsEnvelopedDataGenerator
        .addRecipientInfoGenerator(recipientInfoGenerator.setProvider(bcProvider))
    val msg = CMSProcessableByteArray(plaintext)
    val encryptorBuilder = JceCMSContentEncryptorBuilder(CMSAlgorithm.AES128_CBC).setProvider(bcProvider)
    return cmsEnvelopedDataGenerator.generate(msg, encryptorBuilder.build())
}

val senderKeyPair = generateECDHKeyPair()
val recipientKeyPair = generateECDHKeyPair()
// The sender's SubjectPublicKeyInfo as passed in (carries the namedCurve OID).
println(Base64.toBase64String(senderKeyPair.public.encoded))

val envelopedData = bcEncrypt(
    "the plaintext".toByteArray(),
    "the key id".toByteArray(),
    recipientKeyPair.public,
    senderKeyPair
)
// The resulting EnvelopedData, whose OriginatorPublicKey lacks the curve parameters.
println(Base64.toBase64String(envelopedData.encoded))
```
Its OriginatorPublicKey has its AlgorithmIdentifier's parameters set to NULL, which is illegal per RFC 5480:
The parameter for id-ecPublicKey is as follows and MUST always be present:
ECParameters ::= CHOICE {
namedCurve OBJECT IDENTIFIER
-- implicitCurve NULL
-- specifiedCurve SpecifiedECDomain
}
-- implicitCurve and specifiedCurve MUST NOT be used in PKIX.
(...)
implicitCurve allows the elliptic curve domain parameters to be inherited. This choice MUST NOT be used.
Note that the public key that gets passed to JceKeyAgreeRecipientInfoGenerator() does have the curve name included (as expected), so there must be something along the way that drops the algorithm identifier parameters. But I can't find the place where that's happening. Here's what I get if I encode the senderKeyPair.public above:
I need the namedCurve to be present because my JVM code communicates with a JavaScript peer, which uses the WebCrypto API. And the WebCrypto API requires the curve name to be passed when decoding a public key.
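The RFC 5480 rule quoted above can be checked mechanically on the receiving side. The following is an added example, not part of this issue and not Bouncy Castle code: a minimal DER walker in Python that inspects the AlgorithmIdentifier of an EC SubjectPublicKeyInfo (the structure carried inside OriginatorPublicKey) and accepts only the namedCurve choice, rejecting the NULL parameters the issue describes as well as absent or specifiedCurve parameters. The DER helpers, the curve OID table and the sample public-key point are constructed for the example and carry no real key material.

```python
# Added example: validate that an EC SubjectPublicKeyInfo (e.g. the one inside a
# CMS OriginatorPublicKey) carries RFC 5480 namedCurve parameters rather than NULL.
# Pure-Python DER handling, no external dependencies.

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"   # id-ecPublicKey (RFC 5480)
NAMED_CURVES = {                          # a few RFC 5480 named-curve OIDs
    "1.2.840.10045.3.1.7": "P-256",
    "1.3.132.0.34": "P-384",
    "1.3.132.0.35": "P-521",
}
TAG_OID, TAG_NULL, TAG_BIT_STRING, TAG_SEQUENCE = 0x06, 0x05, 0x03, 0x30

def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body

def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]              # low 7 bits go last, without continuation bit
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(TAG_OID, bytes(out))

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position_after) for the TLV that starts at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body: bytes) -> str:
    """Decode DER OBJECT IDENTIFIER contents back to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]  # adequate for first arcs 0..2
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def check_ec_spki(spki: bytes) -> str:
    """Return the curve name if spki is an RFC 5480 conformant EC
    SubjectPublicKeyInfo; otherwise raise ValueError naming the violation."""
    tag, seq, _ = _read_tlv(spki, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, algid, after_alg = _read_tlv(seq, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("algorithm must be an AlgorithmIdentifier SEQUENCE")
    tag, oid_body, after_oid = _read_tlv(algid, 0)
    if tag != TAG_OID or decode_oid(oid_body) != ID_EC_PUBLIC_KEY:
        raise ValueError("algorithm is not id-ecPublicKey")
    if after_oid >= len(algid):
        raise ValueError("ECParameters absent; RFC 5480 says they MUST be present")
    ptag, pbody, _ = _read_tlv(algid, after_oid)
    if ptag == TAG_NULL:
        raise ValueError("ECParameters is NULL (implicitCurve), which MUST NOT be used")
    if ptag != TAG_OID:
        raise ValueError("ECParameters is not namedCurve (specifiedCurve is forbidden in PKIX)")
    curve_oid = decode_oid(pbody)
    if curve_oid not in NAMED_CURVES:
        raise ValueError(f"unrecognised named curve {curve_oid}")
    btag, bits, _ = _read_tlv(seq, after_alg)
    if btag != TAG_BIT_STRING or bits[:2] != b"\x00\x04":
        raise ValueError("subjectPublicKey must be a BIT STRING holding an uncompressed point")
    return NAMED_CURVES[curve_oid]

def describe(spki: bytes):
    """('ok', curve_name) or ('reject', reason), for callers that do not want exceptions."""
    try:
        return "ok", check_ec_spki(spki)
    except ValueError as exc:
        return "reject", str(exc)

def build_ec_spki(ec_params: bytes, point: bytes) -> bytes:
    """Assemble SubjectPublicKeyInfo { { id-ecPublicKey, ec_params }, BIT STRING point }."""
    algid = der_tlv(TAG_SEQUENCE, der_oid(ID_EC_PUBLIC_KEY) + ec_params)
    return der_tlv(TAG_SEQUENCE, algid + der_tlv(TAG_BIT_STRING, b"\x00" + point))

# Constructed sample point: 0x04 || X || Y with placeholder coordinates (not on any curve).
SAMPLE_POINT = b"\x04" + bytes(range(1, 33)) + bytes(range(33, 65))
GOOD_SPKI = build_ec_spki(der_oid("1.2.840.10045.3.1.7"), SAMPLE_POINT)  # namedCurve P-256
NULL_PARAMS_SPKI = build_ec_spki(der_tlv(TAG_NULL, b""), SAMPLE_POINT)   # the shape this issue reports
```

Run `describe(GOOD_SPKI)` and `describe(NULL_PARAMS_SPKI)` to see the two outcomes: the first yields `('ok', 'P-256')`, the second a rejection naming the NULL parameters. The same check applied to the `OriginatorPublicKey` of a received `KeyAgreeRecipientInfo` tells a decoder early, with a precise reason, why a WebCrypto `importKey` of that key would otherwise fail.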
For some reason, probably the wrong one, the algorithm parameters had been set to NULL. I couldn't find any reason for this in RFC 5652 so I've fixed it so that OriginatorPublicKey always reflects everything in the SubjectPublicKeyInfo of the key being used. The fix for this will appear in 169b04, which will appear on https://www.bouncycastle.org/betas in a few hours.