Correct parsing for openssl -topk8, relates to github #400.

dghgit · dghgit · commit ef8094551346 · 2026-05-11T18:22:36.000+10:00
diff --git a/docs/releasenotes.html b/docs/releasenotes.html
@@ -46,6 +46,7 @@ <h3>2.1.2 Defects Fixed</h3>
 <li>X509CertificateImpl.hasUnsupportedCriticalExtension() reported a critical extendedKeyUsage (id-ce 37) extension as unsupported, so loading such a certificate through the BC CertificateFactory returned true where the JDK provider returned false. RFC 5280 sec. 4.2.1.12 explicitly permits extendedKeyUsage to be marked critical, and the BC X509Certificate implementation fully recognises it (getExtendedKeyUsage()); the OID has been added to the skip list in hasUnsupportedCriticalExtension() so the BC and JDK providers now agree (issue #1796).</li>
 <li>The BC X.509 CertificateFactory (Provider "BC", "X.509"/"X509") previously recognised only the RFC 2315 PKCS#7 SignedData ContentType OID (1.2.840.113549.1.7.2) when extracting embedded certificates and CRLs from a SignedData wrapper, so generateCertificate{s} / generateCRL{s} returned nothing (or threw "sequence wrong size for a certificate") for a GM/T 0010-2012 SM2 SignedData wrapper (ContentType 1.2.156.10197.6.1.4.2.2). Both SignedData ASN.1 structures are identical apart from the outer ContentType OID, so the factory now treats the SM2 OID equivalently and walks the embedded certificate / CRL sets the same way. New ASN.1 constants for the full GM/T 0010 SM2 content-type arc (1.2.156.10197.6.1.4.2.{1..6}) have been added to GMObjectIdentifiers (issue #1355).</li>
 <li>ESTService.getCSRAttributes treated a server response of 204 No Content or 404 Not Found as "no attributes available" and returned null, but did not drain the response body before letting the surrounding finally block close it. When the server attached a body to the 404 (e.g. a JSON error message), ESTResponse's underlying LimitedInputStream then threw "Stream closed before limit fully read" on close and the caller saw an opaque IOException-wrapping ESTException instead of the 404 status they could act on. The 204 / 404 branches now drain the body via Streams.drain before returning, so the close path completes cleanly and the call returns a null CSRAttributesResponse as documented (issue #781).</li>
+<li>JceOpenSSLPKCS8DecryptorProviderBuilder cast the PBES2 key-derivation-function parameters blind to PBKDF2Params, so an EncryptedPrivateKeyInfo whose KDF inside PBES2 was scrypt (RFC 7914, e.g. anything produced by "openssl pkcs8 -topk8 -scrypt") failed to decrypt with "DLSequence cannot be cast to PBKDF2Params". The builder now dispatches on the KDF algorithm OID: id-PBKDF2 takes the existing PBKDF2 path, id-scrypt parses the parameters as ScryptParams and derives the key via SCrypt.generate (the password is encoded as UTF-8 to match OpenSSL's raw-bytes treatment). PBKDF2-based PBES2, PKCS#5 PBES1 and PKCS#12 PBE paths are unchanged (issue #400).</li>
 </ul>
 <h3>2.2.3 Additional Features and Functionality</h3>
 <ul>
diff --git a/pkix/src/main/java/org/bouncycastle/openssl/jcajce/JceOpenSSLPKCS8DecryptorProviderBuilder.java b/pkix/src/main/java/org/bouncycastle/openssl/jcajce/JceOpenSSLPKCS8DecryptorProviderBuilder.java
@@ -8,7 +8,10 @@
 
 import javax.crypto.Cipher;
 import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
 
+import org.bouncycastle.asn1.misc.MiscObjectIdentifiers;
+import org.bouncycastle.asn1.misc.ScryptParams;
 import org.bouncycastle.asn1.pkcs.EncryptionScheme;
 import org.bouncycastle.asn1.pkcs.KeyDerivationFunc;
 import org.bouncycastle.asn1.pkcs.PBEParameter;
@@ -17,6 +20,7 @@
 import org.bouncycastle.asn1.pkcs.PKCS12PBEParams;
 import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 import org.bouncycastle.crypto.CharToByteConverter;
+import org.bouncycastle.crypto.generators.SCrypt;
 import org.bouncycastle.jcajce.PBKDF1KeyWithParameters;
 import org.bouncycastle.jcajce.PKCS12KeyWithParameters;
 import org.bouncycastle.jcajce.io.CipherInputStream;
@@ -73,24 +77,43 @@ public InputDecryptor get(final AlgorithmIdentifier algorithm)
                         PBES2Parameters params = PBES2Parameters.getInstance(algorithm.getParameters());
                         KeyDerivationFunc func = params.getKeyDerivationFunc();
                         EncryptionScheme scheme = params.getEncryptionScheme();
-                        PBKDF2Params defParams = (PBKDF2Params)func.getParameters();
-
-                        int iterationCount = defParams.getIterationCount().intValue();
-                        byte[] salt = defParams.getSalt();
 
                         String oid = scheme.getAlgorithm().getId();
-
                         SecretKey key;
 
-                        if (PEMUtilities.isHmacSHA1(defParams.getPrf()))
+                        if (MiscObjectIdentifiers.id_scrypt.equals(func.getAlgorithm()))
                         {
-                            key = PEMUtilities.generateSecretKeyForPKCS5Scheme2(helper, oid, password, salt, iterationCount);
+                            // RFC 7914 / RFC 8018 scrypt KDF inside PBES2.
+                            // OpenSSL 1.1+ "openssl pkcs8 -topk8 -scrypt" produces this form;
+                            // the caller-supplied char[] password is fed as UTF-8 bytes,
+                            // matching OpenSSL's raw-bytes treatment (github #400).
+                            ScryptParams scrypt = ScryptParams.getInstance(func.getParameters());
+                            int keySizeBits = PEMUtilities.getKeySize(oid);
+                            byte[] derived = SCrypt.generate(Strings.toUTF8ByteArray(password),
+                                scrypt.getSalt(),
+                                scrypt.getCostParameter().intValue(),
+                                scrypt.getBlockSize().intValue(),
+                                scrypt.getParallelizationParameter().intValue(),
+                                (keySizeBits + 7) / 8);
+                            key = new SecretKeySpec(derived, PEMUtilities.getAlgorithmName(oid));
                         }
                         else
                         {
-                            key = PEMUtilities.generateSecretKeyForPKCS5Scheme2(helper, oid, password, salt, iterationCount, defParams.getPrf());
+                            PBKDF2Params defParams = (PBKDF2Params)func.getParameters();
+
+                            int iterationCount = defParams.getIterationCount().intValue();
+                            byte[] salt = defParams.getSalt();
+
+                            if (PEMUtilities.isHmacSHA1(defParams.getPrf()))
+                            {
+                                key = PEMUtilities.generateSecretKeyForPKCS5Scheme2(helper, oid, password, salt, iterationCount);
+                            }
+                            else
+                            {
+                                key = PEMUtilities.generateSecretKeyForPKCS5Scheme2(helper, oid, password, salt, iterationCount, defParams.getPrf());
+                            }
                         }
-                        
+
                         cipher = helper.createCipher(PEMUtilities.getCipherName(scheme.getAlgorithm()));
                         AlgorithmParameters algParams = helper.createAlgorithmParameters(oid);
 
diff --git a/pkix/src/test/java/org/bouncycastle/openssl/test/AllTests.java b/pkix/src/test/java/org/bouncycastle/openssl/test/AllTests.java
@@ -182,6 +182,46 @@ public void testVectors()
         TestCase.assertEquals(key, rdKey);
     }
 
+    /**
+     * github #400: OpenSSL 1.1+ "openssl pkcs8 -topk8 -scrypt" emits a PBES2
+     * EncryptedPrivateKeyInfo whose key-derivation function is scrypt
+     * (RFC 7914) rather than PBKDF2. JceOpenSSLPKCS8DecryptorProviderBuilder
+     * previously cast the KDF parameters blind to PBKDF2Params and threw
+     * "DLSequence cannot be cast to PBKDF2Params". The builder now recognises
+     * id-scrypt inside PBES2 and derives the key via SCrypt.generate.
+     *
+     * Fixture from RFC 7914 sec. 7.2 (password "Rabbit").
+     */
+    public void testScryptOpenSSLDecryptorIssue400()
+        throws Exception
+    {
+        if (Security.getProvider("BC") == null)
+        {
+            Security.addProvider(new BouncyCastleProvider());
+        }
+
+        byte[] pkcs8Scrypt = Base64.decode(
+            "MIHiME0GCSqGSIb3DQEFDTBAMB8GCSsGAQQB2kcECzASBAVNb3VzZQIDEAAAAgEI" +
+            "AgEBMB0GCWCGSAFlAwQBKgQQyYmguHMsOwzGMPoyObk/JgSBkJb47EWd5iAqJlyy" +
+            "+ni5ftd6gZgOPaLQClL7mEZc2KQay0VhjZm/7MbBUNbqOAXNM6OGebXxVp6sHUAL" +
+            "iBGY/Dls7B1TsWeGObE0sS1MXEpuREuloZjcsNVcNXWPlLdZtkSH6uwWzR0PyG/Z" +
+            "+ZXfNodZtd/voKlvLOw5B3opGIFaLkbtLZQwMiGtl42AS89lZg==");
+
+        byte[] expected = Base64.decode(
+            "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg4RaNK5CuHY3CXr9f" +
+            "/CdVgOhEurMohrQmWbbLZK4ZInyhRANCAARs2WMV6UMlLjLaoc0Dsdnj4Vlffc9T" +
+            "t48lJU0RiCzXc280Vg/H5fm1xAP1B7UnIVcBqgDHDcfqWm1h/xSeCHXS");
+
+        PKCS8EncryptedPrivateKeyInfo info = new PKCS8EncryptedPrivateKeyInfo(pkcs8Scrypt);
+
+        PrivateKeyInfo pkInfo = info.decryptPrivateKeyInfo(
+            new JceOpenSSLPKCS8DecryptorProviderBuilder()
+                .setProvider("BC")
+                .build("Rabbit".toCharArray()));
+
+        assertTrue(org.bouncycastle.util.Arrays.areEqual(expected, pkInfo.getEncoded()));
+    }
+
     public void testPKCS8PlainNew()
         throws Exception
     {
