Cleanup around RFC 8998 prep

peterdettman · peterdettman · commit df9de32548b4 · 2026-02-25T17:47:42.000+07:00
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/FipsUtils.java b/tls/src/main/java/org/bouncycastle/jsse/provider/FipsUtils.java
@@ -231,6 +231,7 @@ static boolean isFipsSignatureScheme(int signatureScheme)
         case SignatureScheme.DRAFT_slhdsa_shake_192f:
         case SignatureScheme.DRAFT_slhdsa_shake_256s:
         case SignatureScheme.DRAFT_slhdsa_shake_256f:
+        case SignatureScheme.sm2sig_sm3:
         default:
             return false;
         }
diff --git a/tls/src/main/java/org/bouncycastle/tls/SignatureAndHashAlgorithm.java b/tls/src/main/java/org/bouncycastle/tls/SignatureAndHashAlgorithm.java
@@ -48,6 +48,7 @@ public class SignatureAndHashAlgorithm
     public static final SignatureAndHashAlgorithm slhdsa_shake_192f = create(SignatureScheme.DRAFT_slhdsa_shake_192f);
     public static final SignatureAndHashAlgorithm slhdsa_shake_256s = create(SignatureScheme.DRAFT_slhdsa_shake_256s);
     public static final SignatureAndHashAlgorithm slhdsa_shake_256f = create(SignatureScheme.DRAFT_slhdsa_shake_256f);
+    public static final SignatureAndHashAlgorithm sm2sig_sm3 = create(SignatureScheme.sm2sig_sm3);
 
     public static SignatureAndHashAlgorithm getInstance(short hashAlgorithm, short signatureAlgorithm)
     {
diff --git a/tls/src/main/java/org/bouncycastle/tls/SignatureScheme.java b/tls/src/main/java/org/bouncycastle/tls/SignatureScheme.java
@@ -280,7 +280,6 @@ public static short getHashAlgorithm(int signatureScheme)
 
     public static short getSignatureAlgorithm(int signatureScheme)
     {
-        // TODO[RFC 8998] sm2sig_sm3
         return (short)(signatureScheme & 0xFF);
     }
 
@@ -322,6 +321,8 @@ public static SignatureAndHashAlgorithm getSignatureAndHashAlgorithm(int signatu
             return SignatureAndHashAlgorithm.slhdsa_shake_256s;
         case DRAFT_slhdsa_shake_256f:
             return SignatureAndHashAlgorithm.slhdsa_shake_256f;
+        case sm2sig_sm3:
+            return SignatureAndHashAlgorithm.sm2sig_sm3;
         default:
             return SignatureAndHashAlgorithm.getInstance(
                 getHashAlgorithm(signatureScheme),
diff --git a/tls/src/main/java/org/bouncycastle/tls/TlsUtils.java b/tls/src/main/java/org/bouncycastle/tls/TlsUtils.java
@@ -21,6 +21,7 @@
 import org.bouncycastle.asn1.bsi.BSIObjectIdentifiers;
 import org.bouncycastle.asn1.eac.EACObjectIdentifiers;
 import org.bouncycastle.asn1.edec.EdECObjectIdentifiers;
+import org.bouncycastle.asn1.gm.GMObjectIdentifiers;
 import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
 import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;
 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
@@ -138,8 +139,7 @@ private static Hashtable createCertSigAlgOIDs()
         addCertSigAlgOID(h, RosstandartObjectIdentifiers.id_tc26_signwithdigest_gost_3410_12_512,
             SignatureAndHashAlgorithm.gostr34102012_512);
 
-        // TODO[RFC 8998]
-//        addCertSigAlgOID(h, GMObjectIdentifiers.sm2sign_with_sm3, HashAlgorithm.sm3, SignatureAlgorithm.sm2);
+        addCertSigAlgOID(h, GMObjectIdentifiers.sm2sign_with_sm3, SignatureAndHashAlgorithm.sm2sig_sm3);
 
         return h;
     }
@@ -2022,9 +2022,6 @@ public static ASN1ObjectIdentifier getOIDForHashAlgorithm(short hashAlgorithm)
             return NISTObjectIdentifiers.id_sha384;
         case HashAlgorithm.sha512:
             return NISTObjectIdentifiers.id_sha512;
-        // TODO[RFC 8998]
-//        case HashAlgorithm.sm3:
-//            return GMObjectIdentifiers.sm3;
         default:
             throw new IllegalArgumentException("invalid HashAlgorithm: " + HashAlgorithm.getText(hashAlgorithm));
         }
diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/TlsCryptoUtils.java b/tls/src/main/java/org/bouncycastle/tls/crypto/TlsCryptoUtils.java
@@ -3,6 +3,7 @@
 import java.io.IOException;
 
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.gm.GMObjectIdentifiers;
 import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.bouncycastle.asn1.rosstandart.RosstandartObjectIdentifiers;
@@ -140,9 +141,8 @@ public static ASN1ObjectIdentifier getOIDForHash(int cryptoHashAlgorithm)
             return NISTObjectIdentifiers.id_sha384;
         case CryptoHashAlgorithm.sha512:
             return NISTObjectIdentifiers.id_sha512;
-        // TODO[RFC 8998]
-//        case CryptoHashAlgorithm.sm3:
-//            return GMObjectIdentifiers.sm3;
+        case CryptoHashAlgorithm.sm3:
+            return GMObjectIdentifiers.sm3;
         case CryptoHashAlgorithm.gostr3411_2012_256:
             return RosstandartObjectIdentifiers.id_tc26_gost_3411_12_256;
         default:
diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/bc/BcDefaultTlsCredentialedSigner.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/bc/BcDefaultTlsCredentialedSigner.java
@@ -49,15 +49,14 @@ else if (privateKey instanceof ECPrivateKeyParameters)
 
             if (signatureAndHashAlgorithm != null)
             {
+                int signatureScheme = SignatureScheme.from(signatureAndHashAlgorithm);
+
                 // TODO[RFC 8998]
-//                short signatureAlgorithm = signatureAndHashAlgorithm.getSignature();
-//                switch (signatureAlgorithm)
+//                if (SignatureScheme.sm2sig_sm3 == signatureScheme)
 //                {
-//                case SignatureAlgorithm.sm2:
 //                    return new BcTlsSM2Signer(crypto, privKeyEC, Strings.toByteArray("TLSv1.3+GM+Cipher+Suite"));
 //                }
 
-                int signatureScheme = SignatureScheme.from(signatureAndHashAlgorithm);
                 if (SignatureScheme.isECDSA(signatureScheme))
                 {
                     return new BcTlsECDSA13Signer(crypto, privKeyEC, signatureScheme);
diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/bc/BcTlsCrypto.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/bc/BcTlsCrypto.java
@@ -444,9 +444,6 @@ public boolean hasSignatureAlgorithm(short signatureAlgorithm)
         case SignatureAlgorithm.gostr34102012_256:
         case SignatureAlgorithm.gostr34102012_512:
 
-        // TODO[RFC 8998]
-//        case SignatureAlgorithm.sm2:
-
         default:
             return false;
         }
diff --git a/tls/src/main/java/org/bouncycastle/tls/crypto/impl/bc/BcTlsSM2Signer.java b/tls/src/main/java/org/bouncycastle/tls/crypto/impl/bc/BcTlsSM2Signer.java
@@ -5,6 +5,7 @@
 import org.bouncycastle.crypto.params.ParametersWithRandom;
 import org.bouncycastle.crypto.signers.SM2Signer;
 import org.bouncycastle.tls.SignatureAndHashAlgorithm;
+import org.bouncycastle.tls.SignatureScheme;
 import org.bouncycastle.tls.crypto.TlsStreamSigner;
 import org.bouncycastle.util.Arrays;
 
@@ -22,11 +23,7 @@ public BcTlsSM2Signer(BcTlsCrypto crypto, ECPrivateKeyParameters privateKey, byt
 
     public TlsStreamSigner getStreamSigner(SignatureAndHashAlgorithm algorithm)
     {
-        if (algorithm == null
-            // TODO[RFC 8998] 
-//            || algorithm.getSignature() != SignatureAlgorithm.sm2
-//            || algorithm.getHash() != HashAlgorithm.sm3
-            )
+        if (algorithm == null || SignatureScheme.from(algorithm) != SignatureScheme.sm2sig_sm3)
         {
             throw new IllegalStateException("Invalid algorithm: " + algorithm);
         }

Original file line number	Diff line number	Diff line change
`@@ -231,6 +231,7 @@ static boolean isFipsSignatureScheme(int signatureScheme)`
`231`	`231`	`case SignatureScheme.DRAFT_slhdsa_shake_192f:`
`232`	`232`	`case SignatureScheme.DRAFT_slhdsa_shake_256s:`
`233`	`233`	`case SignatureScheme.DRAFT_slhdsa_shake_256f:`
	`234`	`+ case SignatureScheme.sm2sig_sm3:`
`234`	`235`	`default:`
`235`	`236`	`return false;`
`236`	`237`	`}`
Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,7 @@ public class SignatureAndHashAlgorithm`
`48`	`48`	`public static final SignatureAndHashAlgorithm slhdsa_shake_192f = create(SignatureScheme.DRAFT_slhdsa_shake_192f);`
`49`	`49`	`public static final SignatureAndHashAlgorithm slhdsa_shake_256s = create(SignatureScheme.DRAFT_slhdsa_shake_256s);`
`50`	`50`	`public static final SignatureAndHashAlgorithm slhdsa_shake_256f = create(SignatureScheme.DRAFT_slhdsa_shake_256f);`
	`51`	`+ public static final SignatureAndHashAlgorithm sm2sig_sm3 = create(SignatureScheme.sm2sig_sm3);`
`51`	`52`
`52`	`53`	`public static SignatureAndHashAlgorithm getInstance(short hashAlgorithm, short signatureAlgorithm)`
`53`	`54`	`{`
Original file line number	Diff line number	Diff line change
`@@ -280,7 +280,6 @@ public static short getHashAlgorithm(int signatureScheme)`
`280`	`280`
`281`	`281`	`public static short getSignatureAlgorithm(int signatureScheme)`
`282`	`282`	`{`
`283`		`- // TODO[RFC 8998] sm2sig_sm3`
`284`	`283`	`return (short)(signatureScheme & 0xFF);`
`285`	`284`	`}`
`286`	`285`
`@@ -322,6 +321,8 @@ public static SignatureAndHashAlgorithm getSignatureAndHashAlgorithm(int signatu`
`322`	`321`	`return SignatureAndHashAlgorithm.slhdsa_shake_256s;`
`323`	`322`	`case DRAFT_slhdsa_shake_256f:`
`324`	`323`	`return SignatureAndHashAlgorithm.slhdsa_shake_256f;`
	`324`	`+ case sm2sig_sm3:`
	`325`	`+ return SignatureAndHashAlgorithm.sm2sig_sm3;`
`325`	`326`	`default:`
`326`	`327`	`return SignatureAndHashAlgorithm.getInstance(`
`327`	`328`	`getHashAlgorithm(signatureScheme),`
Original file line number	Diff line number	Diff line change
`@@ -444,9 +444,6 @@ public boolean hasSignatureAlgorithm(short signatureAlgorithm)`
`444`	`444`	`case SignatureAlgorithm.gostr34102012_256:`
`445`	`445`	`case SignatureAlgorithm.gostr34102012_512:`
`446`	`446`
`447`		`- // TODO[RFC 8998]`
`448`		`-// case SignatureAlgorithm.sm2:`
`449`		`-`
`450`	`447`	`default:`
`451`	`448`	`return false;`
`452`	`449`	`}`
Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@`
`5`	`5`	`import org.bouncycastle.crypto.params.ParametersWithRandom;`
`6`	`6`	`import org.bouncycastle.crypto.signers.SM2Signer;`
`7`	`7`	`import org.bouncycastle.tls.SignatureAndHashAlgorithm;`
	`8`	`+import org.bouncycastle.tls.SignatureScheme;`
`8`	`9`	`import org.bouncycastle.tls.crypto.TlsStreamSigner;`
`9`	`10`	`import org.bouncycastle.util.Arrays;`
`10`	`11`
`@@ -22,11 +23,7 @@ public BcTlsSM2Signer(BcTlsCrypto crypto, ECPrivateKeyParameters privateKey, byt`
`22`	`23`
`23`	`24`	`public TlsStreamSigner getStreamSigner(SignatureAndHashAlgorithm algorithm)`
`24`	`25`	`{`
`25`		`- if (algorithm == null`
`26`		`- // TODO[RFC 8998]`
`27`		`-// \|\| algorithm.getSignature() != SignatureAlgorithm.sm2`
`28`		`-// \|\| algorithm.getHash() != HashAlgorithm.sm3`
`29`		`- )`
	`26`	`+ if (algorithm == null \|\| SignatureScheme.from(algorithm) != SignatureScheme.sm2sig_sm3)`
`30`	`27`	`{`
`31`	`28`	`throw new IllegalStateException("Invalid algorithm: " + algorithm);`
`32`	`29`	`}`