Brainpool curve SubjectPublicKeyInfo parsing fails

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Brainpool curve SubjectPublicKeyInfo parsing fails

Matti Aarnio
Hello David et.al.

I have attached code parsing EC public keys and verifying the ECDSA
signature, and I am successfully verifying signatures created on
NIST-P256r1 curve.

However when I try to use Brainpool-P256r1 curve, I get:

$ java -cp lib/'*':'.' BrainpoolEccSigTest
EC Curve oid = 1.3.36.3.3.2.8.1.1.7
java.security.spec.InvalidKeySpecException: encoded key spec not recognised
        at
org.bouncycastle.jcajce.provider.asymmetric.util.BaseKeyFactorySpi.engineGeneratePublic(Unknown
Source)
        at
org.bouncycastle.jcajce.provider.asymmetric.ec.KeyFactorySpi.engineGeneratePublic(Unknown
Source)
        at java.security.KeyFactory.generatePublic(KeyFactory.java:328)
        at BrainpoolEccSigTest.main(BrainpoolEccSigTest.java:38)

This is with BC 1.55, and my suspicion is that lookup of curves by their
OIDs is not in your regression tests...


Our European customer prefers Brainpool curves to NIST curves..

  Best Regards,  Matti Aarnio

PS: Sample NIST-P256r1 curve SubjectPublicKeyInfo is:
3059301306072a8648ce3d020106082a8648ce3d0301070342000476b4bd6af55ef8b522c5a41110e0aef7034cc94a3e40bd50d777779da1683435a7705ce7143823bd9d2b28c35947aa1f000c6c87f6fb8015208115e12f7a1523


BrainpoolEccSigTest.java (4K) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Brainpool curve SubjectPublicKeyInfo parsing fails

David Hook

Hi Matti,

I'm not sure what's going on with the test, but it appears the point
describing the public key is not valid for the curve specified.

Regards,

David

On 13/10/16 03:07, Matti Aarnio wrote:

> Hello David et.al.
>
> I have attached code parsing EC public keys and verifying the ECDSA
> signature, and I am successfully verifying signatures created on
> NIST-P256r1 curve.
>
> However when I try to use Brainpool-P256r1 curve, I get:
>
> $ java -cp lib/'*':'.' BrainpoolEccSigTest
> EC Curve oid = 1.3.36.3.3.2.8.1.1.7
> java.security.spec.InvalidKeySpecException: encoded key spec not recognised
>         at
> org.bouncycastle.jcajce.provider.asymmetric.util.BaseKeyFactorySpi.engineGeneratePublic(Unknown
> Source)
>         at
> org.bouncycastle.jcajce.provider.asymmetric.ec.KeyFactorySpi.engineGeneratePublic(Unknown
> Source)
>         at java.security.KeyFactory.generatePublic(KeyFactory.java:328)
>         at BrainpoolEccSigTest.main(BrainpoolEccSigTest.java:38)
>
> This is with BC 1.55, and my suspicion is that lookup of curves by their
> OIDs is not in your regression tests...
>
>
> Our European customer prefers Brainpool curves to NIST curves..
>
>   Best Regards,  Matti Aarnio
>
> PS: Sample NIST-P256r1 curve SubjectPublicKeyInfo is:
> 3059301306072a8648ce3d020106082a8648ce3d0301070342000476b4bd6af55ef8b522c5a41110e0aef7034cc94a3e40bd50d777779da1683435a7705ce7143823bd9d2b28c35947aa1f000c6c87f6fb8015208115e12f7a1523
>


Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Brainpool curve SubjectPublicKeyInfo parsing fails

Matti Aarnio
Hi David,

Okay, several issues.

I would like to get a bit better error in case the public key is really verified not to be on the curve.
Current bc-git has following public key generator at BaseKeyFactorySpi.java: (prettyprinted)

    protected PublicKey engineGeneratePublic(KeySpec keySpec)  throws InvalidKeySpecException
    {
        if (keySpec instanceof X509EncodedKeySpec)  {
            try {
                return generatePublic(SubjectPublicKeyInfo.getInstance(((X509EncodedKeySpec)keySpec).getEncoded()));
            } catch (Exception e) {
                throw new InvalidKeySpecException("encoded key spec not recognised", e);
            }
        } else {
            throw new InvalidKeySpecException("key spec not recognised");
        }
    }

Given that this works for NIST curves..  and that "encoded key spec not recognized" text does exist only in case it caught an exception: therefore there should be more back trace than what we see.  Or then this second text has has been changed very recently in the git?
Ah, with today's "git pull" it changed to:
        throw new InvalidKeySpecException("encoded key spec not recognised: " + e.getMessage());



Curve definition source code reading:

Looks like the TeleTrusTNamedCurves.java has at least confusing variable naming and commenting.
I used following document to define the parameters:
     http://www.ecc-brainpool.org/download/Domain-parameters.pdf
Observe how 'p' value in Brainpool Domain-parameters.pdf is commented to be 'q' in the source code.
At the same time there is 'q' value in DP doc, which is assigned to 'n' variable.

At ECCurve.java:
        public Fp(BigInteger q, BigInteger a, BigInteger b, BigInteger order, BigInteger cofactor)

Comparing calls for this constructor for secp256r1 and brainpoolP256r1, the brainpool version feeds correct looking value as first parameter, but in that constructor it has very confusing ( = bad ) name.

Everybody has different variable names for these values, ...


    /* -- Brainpool Domain-parameters.pdf:
     * Curve-ID: brainpoolP256r1
     *
     * p: A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377
     * A: 7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9
     * B: 26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6
     * x(P_0): 8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262
     * y(P_0): 547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997
     * q: A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7
     * i: 1
     *
     *
     * -- TeleTrusTNamedCurves.java:
     *
     * static X9ECParametersHolder brainpoolP256r1 = new X9ECParametersHolder() {
     *     protected X9ECParameters createParameters()
     * {
     *     BigInteger n = new BigInteger("A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7", 16);
     *     BigInteger h = new BigInteger("01", 16);
     *
     *     ECCurve curve = configureCurve(new ECCurve.Fp(
     *           new BigInteger("A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377", 16), // q
     *           new BigInteger("7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9", 16), // a
     *           new BigInteger("26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6", 16), // b
     *           n, h));
     *
     *     return new X9ECParameters(
     *           curve,
     *           new X9ECPoint(curve, Hex.decode("048BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997")), // G
     *           n, h);
     *   }
     * };
     */

    /*
     * secp256r1
     */
    static X9ECParametersHolder secp256r1 = new X9ECParametersHolder()
    {
        protected X9ECParameters createParameters()
        {
            // p = 2^224 (2^32 - 1) + 2^192 + 2^96 - 1
            BigInteger p = fromHex("FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF");
            BigInteger a = fromHex("FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC");
            BigInteger b = fromHex("5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B");
            byte[] S = Hex.decode("C49D360886E704936A6678E1139D26B7819F7E90");
            BigInteger n = fromHex("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551");
            BigInteger h = BigInteger.valueOf(1);

            ECCurve curve = configureCurve(new ECCurve.Fp(p, a, b, n, h));
            //ECPoint G = curve.decodePoint(Hex.decode("03"
            //+ "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296"));
            X9ECPoint G = new X9ECPoint(curve, Hex.decode("04"
                + "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296"
                + "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5"));

            return new X9ECParameters(curve, G, n, h, S);
        }
    };




On 13.10.2016 04:33, David Hook wrote:
Hi Matti,

I'm not sure what's going on with the test, but it appears the point
describing the public key is not valid for the curve specified.

Regards,

David

On 13/10/16 03:07, Matti Aarnio wrote:
Hello David et.al.

I have attached code parsing EC public keys and verifying the ECDSA
signature, and I am successfully verifying signatures created on
NIST-P256r1 curve.

However when I try to use Brainpool-P256r1 curve, I get:

$ java -cp lib/'*':'.' BrainpoolEccSigTest
EC Curve oid = 1.3.36.3.3.2.8.1.1.7
java.security.spec.InvalidKeySpecException: encoded key spec not recognised
        at
org.bouncycastle.jcajce.provider.asymmetric.util.BaseKeyFactorySpi.engineGeneratePublic(Unknown
Source)
        at
org.bouncycastle.jcajce.provider.asymmetric.ec.KeyFactorySpi.engineGeneratePublic(Unknown
Source)
        at java.security.KeyFactory.generatePublic(KeyFactory.java:328)
        at BrainpoolEccSigTest.main(BrainpoolEccSigTest.java:38)

This is with BC 1.55, and my suspicion is that lookup of curves by their
OIDs is not in your regression tests...


Our European customer prefers Brainpool curves to NIST curves..

  Best Regards,  Matti Aarnio

PS: Sample NIST-P256r1 curve SubjectPublicKeyInfo is:
3059301306072a8648ce3d020106082a8648ce3d0301070342000476b4bd6af55ef8b522c5a41110e0aef7034cc94a3e40bd50d777779da1683435a7705ce7143823bd9d2b28c35947aa1f000c6c87f6fb8015208115e12f7a1523



Loading...