Loading raw 64-byte long ECDSA public key in Java
That worked for me with the help of Bouncycastle:
ECParameterSpec ecParameterSpec = ECNamedCurveTable.getParameterSpec("secp256r1");
ECNamedCurveSpec params = new ECNamedCurveSpec("secp256r1", spec.getCurve(), spec.getG(), spec.getN());
ECPoint publicPoint = ECPointUtil.decodePoint(params.getCurve(), publicKeyByteArray);
ECPublicKeySpec pubKeySpec = new ECPublicKeySpec(publicPoint, params);
PublicKey publicKey = keyFactory.generatePublic(pubKeySpec);
What is the cleanest way to load a 64 byte public key so that it can be used to check signatures?
The cleanest I could muster ! Should work with other curves too..
NOTE: Limited to the SunJCE provider or Android API 26+ (there may be more providers with this functionality, I am unaware of them at the moment.
public static ECPublicKey rawToEncodedECPublicKey(String curveName, byte[] rawBytes) throws NoSuchAlgorithmException, InvalidKeySpecException, InvalidParameterSpecException {
KeyFactory kf = KeyFactory.getInstance("EC");
byte[] x = Arrays.copyOfRange(rawBytes, 0, rawBytes.length/2);
byte[] y = Arrays.copyOfRange(rawBytes, rawBytes.length/2, rawBytes.length);
ECPoint w = new ECPoint(new BigInteger(1,x), new BigInteger(1,y));
return (ECPublicKey) kf.generatePublic(new ECPublicKeySpec(w, ecParameterSpecForCurve(curveName)));
}
public static ECParameterSpec ecParameterSpecForCurve(String curveName) throws NoSuchAlgorithmException, InvalidParameterSpecException {
AlgorithmParameters params = AlgorithmParameters.getInstance("EC");
params.init(new ECGenParameterSpec(curveName));
return params.getParameterSpec(ECParameterSpec.class);
}
Java 7 is required for the EC functionality and Java 8 for the Base 64 encoder / decoder, no additional libraries - just plain Java. Note that this will actually display the public key as a named curve when printed out, something most other solutions won't do. If you have an up-to-date runtime, this other answer is more clean.
This answer is going to be tough if we do this using ECPublicKeySpec
. So lets cheat a bit and use X509EncodedKeySpec
instead:
private static byte[] P256_HEAD = Base64.getDecoder().decode("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE");
/**
* Converts an uncompressed secp256r1 / P-256 public point to the EC public key it is representing.
* @param w a 64 byte uncompressed EC point consisting of just a 256-bit X and Y
* @return an <code>ECPublicKey</code> that the point represents
*/
public static ECPublicKey generateP256PublicKeyFromFlatW(byte[] w) throws InvalidKeySpecException {
byte[] encodedKey = new byte[P256_HEAD.length + w.length];
System.arraycopy(P256_HEAD, 0, encodedKey, 0, P256_HEAD.length);
System.arraycopy(w, 0, encodedKey, P256_HEAD.length, w.length);
KeyFactory eckf;
try {
eckf = KeyFactory.getInstance("EC");
} catch (NoSuchAlgorithmException e) {
throw new IllegalStateException("EC key factory not present in runtime");
}
X509EncodedKeySpec ecpks = new X509EncodedKeySpec(encodedKey);
return (ECPublicKey) eckf.generatePublic(ecpks);
}
Usage:
ECPublicKey key = generateP256PublicKeyFromFlatW(w);
System.out.println(key);
The idea behind this is to create a temporary X509 encoded key, which happily ends with the public point w
at the end. The bytes before that contain the ASN.1 DER encoding of the OID of the named curve and structural overhead, ending with byte 04
indicating an uncompressed point. Here is an example what the structure looks like, using value 1 and 2 for the 32-byte X and Y.
The 32-byte X and Y values of the uncompressed point values removed to create the header. This only works because the point is statically sized - it's location at the end is only determined by the size of the curve.
Now all that is required in the function generateP256PublicKeyFromFlatW
is to add the received public point w
to the header and run it through the decoder implemented for X509EncodedKeySpec
.
The above code uses a raw, uncompressed public EC point - just a 32 byte X and Y - without the uncompressed point indicator with value 04
. Of course it is easy to support 65 byte compressed points as well:
/**
* Converts an uncompressed secp256r1 / P-256 public point to the EC public key it is representing.
* @param w a 64 byte uncompressed EC point starting with <code>04</code>
* @return an <code>ECPublicKey</code> that the point represents
*/
public static ECPublicKey generateP256PublicKeyFromUncompressedW(byte[] w) throws InvalidKeySpecException {
if (w[0] != 0x04) {
throw new InvalidKeySpecException("w is not an uncompressed key");
}
return generateP256PublicKeyFromFlatW(Arrays.copyOfRange(w, 1, w.length));
}
Finally, I generated the constant P256_HEAD
head value in base 64 using:
private static byte[] createHeadForNamedCurve(String name, int size)
throws NoSuchAlgorithmException,
InvalidAlgorithmParameterException, IOException {
KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
ECGenParameterSpec m = new ECGenParameterSpec(name);
kpg.initialize(m);
KeyPair kp = kpg.generateKeyPair();
byte[] encoded = kp.getPublic().getEncoded();
return Arrays.copyOf(encoded, encoded.length - 2 * (size / Byte.SIZE));
}
called by:
String name = "NIST P-256";
int size = 256;
byte[] head = createHeadForNamedCurve(name, size);
System.out.println(Base64.getEncoder().encodeToString(head));
Java does make cryptography very long winded.
The procedure to create a public key from a given EC point:
- Construct an
ECPoint
object from your given co-ordinates. - Construct an
ECParameterSpec
object from information of your curve. - Construct an
ECPublicKeySpec
object from yourECPoint
and yourECParameterSpec
object. - Invoke
KeyFactory.generatePublic()
with yourECPublicKeySpec
object to retrieve aPublicKey
object. - Cast the
PublicKey
into anECPublicKey
as necessary.
Example below:
// Setup for P-256 curve params
BigInteger p256_p = new BigInteger("ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", 16);
BigInteger p256_a = new BigInteger("ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", 16);
BigInteger p256_b = new BigInteger("5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", 16);
byte[] p256_seed = {
(byte) 0xc4, (byte) 0x9d, (byte) 0x36, (byte) 0x08,
(byte) 0x86, (byte) 0xe7, (byte) 0x04, (byte) 0x93,
(byte) 0x6a, (byte) 0x66, (byte) 0x78, (byte) 0xe1,
(byte) 0x13, (byte) 0x9d, (byte) 0x26, (byte) 0xb7,
(byte) 0x81, (byte) 0x9f, (byte) 0x7e, (byte) 0x90
};
BigInteger p256_xg = new BigInteger("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", 16);
BigInteger p256_yg = new BigInteger("4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", 16);
BigInteger p256_n = new BigInteger("ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", 16);
// Construct prime field
ECFieldFp p256_field = new ECFieldFp(p256_p);
// Construct curve from parameters
EllipticCurve p256 = new EllipticCurve(p256_field, p256_a, p256_b, p256_seed);
// Construct base point for curve
ECPoint p256_base = new ECPoint(p256_xg, p256_yg);
// Construct curve parameter specifications object
ECParameterSpec p256spec = new ECParameterSpec(p256, p256_base, p256_n, 1); // Co-factor 1 for prime curves
// ------------------------------------------------------------- //
// Construct EC point from "raw" public key
ECPoint point = new ECPoint(r, s); // r, s is of type BigInteger
// Create a EC public key specification object from point and curve
ECPublicKeySpec pubKeySpec = new ECPublicKeySpec(point, p256spec);
// Retrieve EC KeyFactory
KeyFactory ECFactory = KeyFactory.getInstance("EC");
// Generate public key via KeyFactory
PublicKey pubKey = ECFactory.generatePublic(pubKeySpec);
ECPublicKey ECPubKey = (ECPublicKey) pubKey;
It may be helpful to generate the ECParameterSpec once (perhaps in a static initializer block) for performance reasons.
Note: There is probably a much simpler way to generate the ECParameterSpec object (via named curves for example) but so far I've only found that ECGenParameterSpec
has this feature. Let me know in comments if there is a less painful approach.
To save yourself the pain of doing the above, encode your EC key under X.509, which will fully describe the key and make loading it much much easier.
In java, with the ECPublicKey, all you need to do is call ECPublicKey.getEncoded()
and pass/save the byte array to where you need the key next. The X.509 encoded key can then be reconstructed via:
// Retrieve EC KeyFactory
KeyFactory ECFactory = KeyFactory.getInstance("EC");
// Generate public key via KeyFactory
PublicKey pubKey = ECFactory.generatePublic(new X509EncodedKeySpec(data));
ECPublicKey ECPubKey = (ECPublicKey) pubKey;
where "data" is the encoded byte array.