new KeyPairValidator to check if public/private keys match

hhund · hhund · commit 7c6d86207733 · 2025-03-05T02:38:12.000+01:00
diff --git a/src/main/java/de/hsheilbronn/mi/utils/crypto/keypair/KeyPairValidator.java b/src/main/java/de/hsheilbronn/mi/utils/crypto/keypair/KeyPairValidator.java
@@ -0,0 +1,112 @@
+package de.hsheilbronn.mi.utils.crypto.keypair;
+
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.Signature;
+import java.security.SignatureException;
+import java.util.Arrays;
+import java.util.Random;
+import java.util.function.Predicate;
+
+import javax.crypto.DecapsulateException;
+import javax.crypto.KEM;
+import javax.crypto.KEM.Decapsulator;
+import javax.crypto.KEM.Encapsulated;
+import javax.crypto.KEM.Encapsulator;
+
+public class KeyPairValidator
+{
+	private KeyPairValidator()
+	{
+	}
+
+	private static final Random RANDOM = new Random();
+
+	/**
+	 * Checks if the given <b>privateKey</b> and <b>publicKey</b> match by checking if a generated signature can be
+	 * verified for RSA, EC and EdDSA key pairs or a Diffie-Hellman key agreement produces the same secret key for a XDH
+	 * key pair.
+	 * 
+	 * @param privateKey
+	 *            may be <code>null</code>
+	 * @param publicKey
+	 *            may be <code>null</code>
+	 * @return <code>true</code> if the given keys are not <code>null</code> and match
+	 */
+	public static boolean matches(PrivateKey privateKey, PublicKey publicKey)
+	{
+		if (privateKey == null || publicKey == null || !privateKey.getAlgorithm().equals(publicKey.getAlgorithm()))
+			return false;
+
+		return match(publicKey).test(privateKey);
+	}
+
+	private static Predicate<PrivateKey> match(PublicKey publicKey)
+	{
+		return switch (publicKey.getAlgorithm())
+		{
+			case "RSA" -> matchesRsaEcEdDsa(publicKey, "NONEwithRSA");
+			case "EC" -> matchesRsaEcEdDsa(publicKey, "NONEwithECDSA");
+			case "EdDSA" -> matchesRsaEcEdDsa(publicKey, "EdDSA");
+			case "XDH" -> matchesXdh(publicKey);
+
+			default -> throw new IllegalArgumentException(
+					"PublicKey algorithm " + publicKey.getAlgorithm() + " not supported");
+		};
+	}
+
+	private static Predicate<PrivateKey> matchesRsaEcEdDsa(PublicKey publicKey, String algorithm)
+	{
+		return privateKey ->
+		{
+			try
+			{
+				byte[] b = random(16);
+
+				Signature signature = Signature.getInstance(algorithm);
+				signature.initSign(privateKey);
+				signature.update(b);
+
+				byte[] signed = signature.sign();
+
+				signature.initVerify(publicKey);
+				signature.update(b);
+
+				return signature.verify(signed);
+			}
+			catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e)
+			{
+				throw new RuntimeException(e);
+			}
+		};
+	}
+
+	private static byte[] random(int length)
+	{
+		byte[] b = new byte[length];
+		RANDOM.nextBytes(b);
+		return b;
+	}
+
+	private static Predicate<PrivateKey> matchesXdh(PublicKey publicKey)
+	{
+		return privateKey ->
+		{
+			try
+			{
+				KEM kem = KEM.getInstance("DHKEM");
+				Encapsulator e = kem.newEncapsulator(publicKey);
+				Encapsulated en = e.encapsulate();
+				Decapsulator d = kem.newDecapsulator(privateKey);
+
+				return Arrays.equals(en.key().getEncoded(), d.decapsulate(en.encapsulation()).getEncoded());
+			}
+			catch (InvalidKeyException | NoSuchAlgorithmException | DecapsulateException e)
+			{
+				throw new RuntimeException(e);
+			}
+		};
+	}
+}
diff --git a/src/test/java/de/hsheilbronn/mi/utils/crypto/keypair/KeyPairValidatorTest.java b/src/test/java/de/hsheilbronn/mi/utils/crypto/keypair/KeyPairValidatorTest.java
@@ -0,0 +1,43 @@
+package de.hsheilbronn.mi.utils.crypto.keypair;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import java.security.KeyPair;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.util.stream.Stream;
+
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
+
+public class KeyPairValidatorTest
+{
+	private static Stream<Arguments> forTestMatches()
+	{
+		PrivateKey privateEd25519 = KeyPairGeneratorFactory.ed25519().initialize().generateKeyPair().getPrivate();
+		PublicKey publicRsa1024 = KeyPairGeneratorFactory.rsa1024().initialize().generateKeyPair().getPublic();
+
+		return Stream.concat(Stream.of(KeyPairGeneratorFactory.ed25519(), KeyPairGeneratorFactory.ed448(),
+				KeyPairGeneratorFactory.rsa1024(), KeyPairGeneratorFactory.rsa2048(), KeyPairGeneratorFactory.rsa3072(),
+				KeyPairGeneratorFactory.rsa4096(), KeyPairGeneratorFactory.secp256r1(),
+				KeyPairGeneratorFactory.secp384r1(), KeyPairGeneratorFactory.secp521r1(),
+				KeyPairGeneratorFactory.x25519(), KeyPairGeneratorFactory.x448()).flatMap(f ->
+				{
+					KeyPair kp1 = f.initialize().generateKeyPair();
+					KeyPair kp2 = f.initialize().generateKeyPair();
+					return Stream.of(Arguments.of(true, kp1.getPublic(), kp1.getPrivate()),
+							Arguments.of(false, kp2.getPublic(), kp1.getPrivate()),
+							Arguments.of(false, kp1.getPublic(), kp2.getPrivate()),
+							Arguments.of(false, kp1.getPublic(), null), Arguments.of(false, null, kp2.getPrivate()));
+				}), Stream.of(Arguments.of(false, publicRsa1024, privateEd25519)));
+
+	}
+
+	@ParameterizedTest
+	@MethodSource("forTestMatches")
+	public void testMatches(boolean expected, PublicKey publicKey, PrivateKey privateKey) throws Exception
+	{
+		assertEquals(expected, KeyPairValidator.matches(privateKey, publicKey));
+	}
+}
