bcgit / bc-java

Bouncy Castle Java Distribution (Mirror)
https://www.bouncycastle.org/java.html
MIT License

EdDSA in bc-fips 2.0.0: support for EdECPublicKeySpec and EdECPrivateKeySpec #1902

Open marnix opened 1 week ago

marnix commented 1 week ago

As can be seen in the reproduction scenario marnix/eddsa-keyspec-bc-fips, when using bc-fips-2.0.0.jar without the SunEC provider on Java 17, a BCFIPS EdDSA KeyFactory cannot generate a public key from a java.security.spec.EdECPublicKeySpec.

Instead,

// publicKeySpec is a java.security.spec.EdECPublicKeySpec; BCFIPS is the only provider registering "EdDSA" here
KeyFactory keyFactory = KeyFactory.getInstance("EdDSA");   // java.security.KeyFactory
keyFactory.generatePublic(publicKeySpec);

fails like this:

java.security.spec.InvalidKeySpecException: keySpec for PublicKey not recognized: java.security.spec.EdECPublicKeySpec
        at org.bouncycastle.jcajce.provider.BaseKeyFactory.engineGeneratePublic(BaseKeyFactory.java:60)
        at org.bouncycastle.jcajce.provider.ProvEdEC$KeyFactorySpi.engineGeneratePublic(ProvEdEC.java:374)
        at java.base/java.security.KeyFactory.generatePublic(KeyFactory.java:351)
        at ...

(And I'm suspecting something similar would happen for java.security.spec.EdECPrivateKeySpec.)

Am I doing something wrong here?

Thanks in advance!


Background information.

In my use case, the EdECPublicKeySpec is created in the context of an SSH connection set up by mwiede/jsch, which has Java 15+ code that does the above.

And we like to run this in a FIPS 140-3 compliant environment.

marnix commented 1 week ago

Note that if the SunEC provider is in place, then that will be doing the public key generation, so this scenario will work.

But I'm fairly sure it is not allowed to use SunEC in a full FIPS compliant approved-only configuration, because SunEC is not a FIPS-validated module.

dghgit commented 1 week ago

Yes, the SunEC provider is not allowed for FIPS.

The 2.0.0 provider does not currently support EdECPrivateKeySpec or EdECPublicKeySpec, only support for the NamedParameterSpec is provided. You could work around this by using the appropriate constructors on AsymmetricEdDSAPrivateKey and AsymmetricEdDSAPublicKey and then calling getEncoded() passing the resulting byte[] to PKCS8EncodedKeySpec and X509EncodedKeySpec.

There is a catch though, 2.0.0 was submitted before 186-5 was a thing. There's no support for EdDSA in FIPS mode in 2.0.0, it simply was not possible to add.
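The workaround above, written out as an added example for this thread (it is not code from the issue, from mwiede/jsch or from Bouncy Castle). Instead of going through the BC-specific AsymmetricEdDSAPublicKey constructor, it builds the RFC 8410 SubjectPublicKeyInfo encoding of the point directly, which is the byte[] that getEncoded() would return, and hands that to the KeyFactory as an X509EncodedKeySpec. The 32-byte key is the public key from the RFC 8032 section 7.1 test vector, and decodePoint mirrors how an SSH client turns an ssh-ed25519 blob into an EdECPublicKeySpec in the first place. Assumptions: Ed25519 only, the bc-fips provider is registered under the name "BCFIPS", and (per the comment above) the BCFIPS "EdDSA" KeyFactory accepts X509EncodedKeySpec; on a stock JDK the fallback lets SunEC handle it so the class runs either way.

```java
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.spec.EdECPoint;
import java.security.spec.EdECPublicKeySpec;
import java.security.spec.NamedParameterSpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.HexFormat;

/**
 * Bridges java.security.spec.EdECPublicKeySpec to the X509EncodedKeySpec that the
 * BCFIPS "EdDSA" KeyFactory does accept. Example code written for this issue, not
 * part of bc-fips or mwiede/jsch. Ed25519 only; provider name "BCFIPS" is assumed.
 */
public final class EdECSpecBridge {

    // RFC 8410 SubjectPublicKeyInfo header for Ed25519 (OID 1.3.101.112) with a 32-byte key:
    //   SEQUENCE(42) { SEQUENCE(5) { OID 1.3.101.112 }, BIT STRING(33) { 0x00 || key } }
    private static final byte[] ED25519_SPKI_PREFIX = {
        0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00
    };

    /** RFC 8032 compression: 32 bytes of y, little-endian, top bit of the last byte = x parity. */
    static byte[] encodePoint(EdECPoint point) {
        BigInteger y = point.getY();
        if (y.signum() < 0 || y.bitLength() > 255) {
            throw new IllegalArgumentException("y must be in [0, 2^255)");
        }
        byte[] yBe = y.toByteArray();          // big-endian, possibly with a leading 0x00 sign byte
        byte[] out = new byte[32];
        int n = Math.min(32, yBe.length);
        for (int i = 0; i < n; i++) {
            out[i] = yBe[yBe.length - 1 - i];  // reverse into little-endian
        }
        if (point.isXOdd()) {
            out[31] |= (byte) 0x80;
        }
        return out;
    }

    /** Inverse of encodePoint: how a 32-byte ssh-ed25519 key blob becomes an EdECPoint. */
    static EdECPoint decodePoint(byte[] raw) {
        if (raw.length != 32) {
            throw new IllegalArgumentException("Ed25519 public key must be 32 bytes");
        }
        boolean xOdd = (raw[31] & 0x80) != 0;
        byte[] yBe = new byte[32];
        for (int i = 0; i < 32; i++) {
            yBe[i] = raw[31 - i];               // little-endian -> big-endian
        }
        yBe[0] &= 0x7f;                         // strip the parity bit (now at the front)
        return new EdECPoint(xOdd, new BigInteger(1, yBe));
    }

    /** Wrap the compressed point in SubjectPublicKeyInfo, i.e. what getEncoded() would return. */
    static X509EncodedKeySpec toX509Spec(EdECPublicKeySpec spec) {
        String curve = spec.getParams().getName();
        if (!NamedParameterSpec.ED25519.getName().equalsIgnoreCase(curve)) {
            throw new IllegalArgumentException("only Ed25519 is handled here, got " + curve);
        }
        byte[] raw = encodePoint(spec.getPoint());
        byte[] der = Arrays.copyOf(ED25519_SPKI_PREFIX, ED25519_SPKI_PREFIX.length + raw.length);
        System.arraycopy(raw, 0, der, ED25519_SPKI_PREFIX.length, raw.length);
        return new X509EncodedKeySpec(der);
    }

    /** Prefer the BCFIPS provider (name assumed); fall back to whatever registers "EdDSA". */
    static PublicKey generate(EdECPublicKeySpec spec) throws GeneralSecurityException {
        KeyFactory kf;
        try {
            kf = KeyFactory.getInstance("EdDSA", "BCFIPS");
        } catch (NoSuchProviderException e) {
            kf = KeyFactory.getInstance("EdDSA");   // e.g. SunEC on a stock JDK 17
        }
        return kf.generatePublic(toX509Spec(spec));
    }

    public static void main(String[] args) throws Exception {
        // Known vector: the public key of RFC 8032 section 7.1 test 1 (not from this issue).
        byte[] raw = HexFormat.of().parseHex(
            "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a");
        EdECPublicKeySpec spec = new EdECPublicKeySpec(NamedParameterSpec.ED25519, decodePoint(raw));

        if (!Arrays.equals(raw, encodePoint(spec.getPoint()))) {
            throw new AssertionError("point round trip failed");
        }
        PublicKey pk = generate(spec);
        System.out.println(pk.getAlgorithm() + " key from " + pk.getClass().getName());
        System.out.println("SPKI DER: " + HexFormat.of().formatHex(pk.getEncoded()));
    }
}
```

The same shape works for EdECPrivateKeySpec: getBytes() already is the 32-byte RFC 8032 seed, which goes into the RFC 8410 PrivateKeyInfo as an OCTET STRING wrapped in an OCTET STRING, then into PKCS8EncodedKeySpec. Note the catch dghgit states next: with 2.0.0 this only gets you an EdDSA key in general operation mode, not in approved-only mode.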

marnix commented 1 week ago

@dghgit Thanks! So if I understand you correctly, when bc-fips-2.0.0.jar was submitted for certification in July 2023, FIPS 186-4 was still in effect, and EdDSA was therefore not yet allowed, at least not in approved-only mode, and therefore BC-FJA 2.0.0 doesn't support it.

That is clear.

Thanks for the workaround suggestion; however, I don't think mwiede/jsch is going to use that. :-)

Now that (since October 2023) FIPS 186-5 (and therefore FIPS 140-3) allows EdDSA, I'm assuming you are planning to add support for EdECPrivateKeySpec and EdECPublicKeySpec? In 2.0.1? 2.0.x? later? What would be a (very rough!) ETA for that support? (In general operation mode? in approved-only mode?)

dghgit commented 6 days ago

We'll try to get it into BC-FJA 2.2.0, though we have some constraints on that: if we add too much new code it becomes a new submission rather than an update, and we are really focusing on adding the PQC algorithms. We'll need to add it to the regular BC multi-release jar first in any case.

If we can add it to BC-FJA 2.2.0, you might see support within 6 months. If not, it will really depend on what the new administration in the US does to speed up the queue at the CMVP; at the moment you could be looking at 3 years, if you're lucky (not great once you consider that the use of EC and RSA will be deprecated in 2030).

marnix commented 2 days ago

@dghgit Thanks for that update, that is clear! So assuming you have some way to track adding EdECPrivateKeySpec and EdECPublicKeySpec support to a regular BC release, this GitHub issue can be closed.

Again, thanks!