Restrict EC curves in computing shared secret

JinhangZhang · JinhangZhang · commit d42020131a72 · 2025-10-28T10:11:48.000-04:00
According to the policy, curve size less than 192 should
not be allowed in computing shared secret in ECDH
keyagreement in FIPS 140-3 mode. This PR proposes an option
to enable/disable this behaviour.

Signed-off-by: JinhangZhang &lt;Jinhang.Zhang@ibm.com&gt;
diff --git a/src/main/java/com/ibm/crypto/plus/provider/ECDHKeyAgreement.java b/src/main/java/com/ibm/crypto/plus/provider/ECDHKeyAgreement.java
@@ -26,6 +26,7 @@
 import javax.crypto.SecretKey;
 import javax.crypto.ShortBufferException;
 import javax.crypto.spec.SecretKeySpec;
+import sun.security.util.ObjectIdentifier;
 
 public final class ECDHKeyAgreement extends KeyAgreementSpi { // implements
                                                               // AlgorithmStatus
@@ -44,6 +45,7 @@ public final class ECDHKeyAgreement extends KeyAgreementSpi { // implements
     private ECPublicKey ecPublicKey = null;
     private ECPrivateKey ecPrivateKey = null;
     private int secretLen;
+    private static boolean disableSmallCurve = Boolean.parseBoolean(System.getProperty("openjceplus.disableSmallerECKeySizeForSharedKeyComputing", "true"));
 
     public ECDHKeyAgreement(OpenJCEPlusProvider provider) {
         // System.out.println ("In ECDHKeyAgreement");
@@ -164,6 +166,33 @@ protected byte[] engineGenerateSecret() throws IllegalStateException {
             throw new IllegalStateException("Wrong state");
         }
 
+        if (provider.isFIPS() && disableSmallCurve) {
+            ECNamedCurve ecPubKeyNamedCurve = ECParameters.getNamedCurve(this.ecPublicKey.getParams());
+            ECNamedCurve ecPriKeyNamedCurve = ECParameters.getNamedCurve(this.ecPrivateKey.getParams());
+            ObjectIdentifier oidPubKey = ECNamedCurve.getOIDFromName(ecPubKeyNamedCurve.getName());
+            ObjectIdentifier oidPriKey = ECNamedCurve.getOIDFromName(ecPriKeyNamedCurve.getName());
+
+            // check if curve is FIPS allowance and if it is allowed for ECDH shared secret computation.
+            if (!ECNamedCurve.isFIPS(oidPubKey.toString())) {
+                throw new IllegalStateException(ecPubKeyNamedCurve.getName() + " curve is not supported in FIPS for public key");
+            }
+            if (!ECNamedCurve.isFIPS(oidPriKey.toString())) {
+                throw new IllegalStateException(ecPriKeyNamedCurve.getName() + " curve is not supported in FIPS for private key");
+            }
+
+            if (!((oidPubKey.toString()).equals("1.2.840.10045.3.1.7") // secp256r1 [NIST P-256, X9.62 prime256v1]
+                || (oidPubKey.toString()).equals("1.3.132.0.33") // secp224r1 [NIST P-224]
+                || (oidPubKey.toString()).equals("1.3.132.0.34") // secp384r1 [NIST P-384]
+                || (oidPubKey.toString()).equals("1.3.132.0.35")) ||
+                !((oidPriKey.toString()).equals("1.2.840.10045.3.1.7") // secp256r1 [NIST P-256, X9.62 prime256v1]
+                || (oidPriKey.toString()).equals("1.3.132.0.33") // secp224r1 [NIST P-224]
+                || (oidPriKey.toString()).equals("1.3.132.0.34") // secp384r1 [NIST P-384]
+                || (oidPriKey.toString()).equals("1.3.132.0.35")) // secp521r1 [NIST P-521]
+            ) {
+                throw new IllegalStateException(ecPubKeyNamedCurve.getName() + " curve is not supported in FIPS for calculating the shared secret");
+            }
+        }
+
         // Reset the key agreement here (in case anything goes wrong)
         generateSecret = false;
         byte[] secret = null;
diff --git a/src/test/java/ibm/jceplus/junit/openjceplusfips/TestECDHKeyAgreementParamValidation.java b/src/test/java/ibm/jceplus/junit/openjceplusfips/TestECDHKeyAgreementParamValidation.java
@@ -1,5 +1,5 @@
 /*
- * Copyright IBM Corp. 2024
+ * Copyright IBM Corp. 2024, 2025
  *
  * This code is free software; you can redistribute it and/or modify it
  * under the terms provided by IBM in the LICENSE file that accompanied
@@ -8,9 +8,20 @@
 package ibm.jceplus.junit.openjceplusfips;
 
 import ibm.jceplus.junit.base.BaseTestECDHKeyAgreementParamValidation;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.spec.ECGenParameterSpec;
+import javax.crypto.KeyAgreement;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.TestInstance;
 import org.junit.jupiter.api.TestInstance.Lifecycle;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
+import static org.junit.jupiter.api.Assumptions.assumeTrue;
 
 @TestInstance(Lifecycle.PER_CLASS)
 public class TestECDHKeyAgreementParamValidation extends BaseTestECDHKeyAgreementParamValidation {
@@ -21,4 +32,39 @@ public void beforeAll() throws Exception {
         setProviderName(Utils.TEST_SUITE_PROVIDER_NAME);
     }
 
+    @ParameterizedTest
+    @ValueSource(strings = {"secp112r1", "secp112r2", "secp128r1", "secp128r2", "secp160r1", "secp160r2", "secp160k1", "secp192k1", "secp192r1"})
+    public void testECDHKeyAgreementSharedSecretComputation(String curveName) {
+        assumeTrue(
+            Boolean.getBoolean("openjceplus.disableSmallerECKeySizeForSharedKeyComputing"),
+            "Property not true; skipping"
+        );
+
+        try {
+            KeyPair alice = genECKeyPair(curveName);
+            KeyPair bob   = genECKeyPair(curveName);
+
+            ecdhSharedSecretComputation(alice.getPrivate(), bob.getPublic());
+            ecdhSharedSecretComputation(bob.getPrivate(), alice.getPublic());
+
+            fail("Curve " + curveName + " worked unexpectedly");
+        } catch (Exception e) {
+            assertTrue(e.getMessage().equals(curveName + " curve is not supported in FIPS for calculating the shared secret"));
+        }
+    }
+
+    private KeyPair genECKeyPair(String curveName) throws Exception {
+        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", getProviderName());
+        kpg.initialize(new ECGenParameterSpec(curveName));
+        KeyPair kp = kpg.generateKeyPair();
+        return kp;
+    }
+
+    private byte[] ecdhSharedSecretComputation(PrivateKey priv, PublicKey peerPub) throws Exception {
+        KeyAgreement ka = KeyAgreement.getInstance("ECDH", getProviderName());
+        ka.init(priv);
+        ka.doPhase(peerPub, true);
+        return ka.generateSecret();
+    }
+
 }
