peterdettman
commented
6 years ago This is a point format and/or curve form mismatch. Skip to the last paragraph for the easy solution, or read on if you need to make things work via the provider code above.
X25519 uses the Montgomery curve "Curve25519", and specifies the public key format as the (exactly) 32-byte X coordinate (little-endian).
On the other hand, when you get an implementation of "Curve25519" (or any curve) from ECNamedCurveTable, it will be for a short-Weierstrass (SW) curve, and the expected public key format is from the SEC standards, so that it includes a format byte at the start, followed by the 32-byte X coordinate, and possibly the Y coordinate, both in big-endian order.
This can be made to work by converting the input as follows:
- parse the input Montgomery X coordinate ("publicKey") as a BigInteger (byte-reversed)
- convert the Montgomery X coordinate to a Weierstrass X coordinate via the point map: Xw = Xm + D mod P, where P == 2^255 - 19, D == 486662 / 3 mod P
- build a SEC compressed point encoding for the Weierstrass X coordinate
- ...which can then be passed to decodePoint
Sample code:
static BigInteger P = BigInteger.ONE.shiftLeft(255).subtract(BigInteger.valueOf(19));
static BigInteger D = BigInteger.valueOf(3).modInverse(P).multiply(BigInteger.valueOf(486662)).mod(P);
byte[] convertInput(byte[] montPubKey)
{
BigInteger Xm = new BigInteger(1, Arrays.reverse(montPubKey));
BigInteger Xw = Xm.add(D).mod(P);
byte[] weierPubKey = BigIntegers.asUnsignedByteArray(33, Xw);
weierPubKey[0] = 0x02;
return weierPubKey;
}If you want to also send a public key in X25519 format, you'll need to do a similar conversion (Xm = Xw - D mod P) from the point encoding you get from the Weierstrass curve.
However I should point out that we have just committed a proper implementation of X25519 (https://github.com/bcgit/bc-java/commit/1f559bba32d601ddc76e1b306c566ba20d23b4ea). We have more work to do on trying to present that in the provider and through the usual interfaces, but if you just want to do ECDH with X25519, you could use that class directly (copy it for now, or wait for the next release - or beta).
plmn22
hamirshekhawat
I need to create a shared secret for the DH (Diffie–Hellman Key Exchange), using my private key and a public key that I receive from Apache Server. The code is written in Java + Bouncy Castle 1.57.
I have attached a screen shot from OpenSSL:
I have used openSSL in order to connect to a server, that implement, Curve25519. I have taken the public key, that have returned in the response and use it, as byte array, in the following code:
// **** START OF BOUNCY CASTLE CODE
byte[] publicKey = new byte[]{(byte)0xF1, (byte)0x6D, (byte)0x48, (byte)0x25, (byte)0x0C, (byte)0xE2, (byte)0xA2, (byte)0xA4, (byte)0xFD, (byte)0x4D, (byte)0x9B, (byte)0x08, (byte)0x57, (byte)0x7B, (byte)0x2D, (byte)0x3F, (byte)0x92, (byte)0xC6, (byte)0x4D, (byte)0x09, (byte)0x3C, (byte)0xD9, (byte)0x68, (byte)0xE6, (byte)0xC7, (byte)0x32, (byte)0x5E, (byte)0x40, (byte)0x30, (byte)0xB7, (byte)0xF2, (byte)0x06 };
ECParameterSpec ecP = ECNamedCurveTable.getParameterSpec(this.namedCarved);
ECPublicKeySpec pubKey = new ECPublicKeySpec(ecP.getCurve().decodePoint(publicKey), ecP);
KeyFactory kf = KeyFactory.getInstance("ECDH", "BC"); return kf.generatePublic(pubKey);
// **** END OF BOUNCY CASTLE CODE
The problem it that the function ecP.getCurve().decodePoint(publicKey) throws an exception: "java.lang.IllegalArgumentException: Invalid point encoding 0xF1"