RFR: 8368841: X25519 implementation differs from the specification in RFC 7748 [v3]

Anthony Scarpino ascarpino at openjdk.org
Tue Feb 24 02:15:33 UTC 2026


On Thu, 19 Feb 2026 20:03:25 GMT, Ben Perez <bperez at openjdk.org> wrote:

>> Our implementation of X25519 does not zero the MSB of the `u` coordinate as required by RFC 7748. Currently the test `jdk/sun/security/ec/xec/TestXDH.java` zeroes the bit manually while parsing test vectors, which is likely why this went uncaught.
>
> Ben Perez has updated the pull request incrementally with one additional commit since the last revision:
> 
>   removed parsing functionality in TestXDH that manually clears MSB

src/java.base/share/classes/sun/security/ec/XDHPublicKeyImpl.java line 59:

> 57: 
> 58:         // RFC 7748 Section 5 requires the MSB of `u` to be zeroed for X25519
> 59:         this.u = params.getName().equals("X448") ? u.mod(params.getP()) :

I think it would be cleaner to compare `NamedParameterSpec` instead of the String: `(paramSpec == NamedParameterSpec.X448) ?`. For here and the other constructor.

test/jdk/sun/security/ec/xec/TestXDH.java line 2:

> 1: /*
> 2:  * Copyright (c) 2018, 2021, Oracle and/or its affiliates. All rights reserved.

Update the year

test/jdk/sun/security/ec/xec/TestXDH.java line 369:

> 367:         PrivateKey privateKey = kf.generatePrivate(privateSpec);
> 368:         KeySpec publicSpec = new XECPublicKeySpec(paramSpec,
> 369:             Convert.hexStringToBigInteger(b_pub));

Can this be replaced with `new BigInteger(b_pub, 16)`?  If so, the Convert.java change isn't needed.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/29750#discussion_r2844074229
PR Review Comment: https://git.openjdk.org/jdk/pull/29750#discussion_r2844082050
PR Review Comment: https://git.openjdk.org/jdk/pull/29750#discussion_r2844074580
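The RFC 7748 decoding rule this review is about, as an added Python example (not code from the PR or the JDK): `decode_u` masks bit 255 of the u-coordinate before the ladder, and `with_msb_set` builds the same coordinate with that bit set so a conforming implementation can be checked to return the same output for both. The test vector is RFC 7748 Section 5.2 vector 1; all function names are this example's own.

```python
P = 2**255 - 19
A24 = 121665  # (486662 - 2) / 4, from RFC 7748 Section 5

def decode_u(u_bytes: bytes) -> int:
    """decodeUCoordinate for X25519: little-endian, and RFC 7748 Section 5
    says the MSB of the final byte MUST be masked before use."""
    u = bytearray(u_bytes[:32])
    u[31] &= 0x7F  # the masking step the review says was missing
    return int.from_bytes(u, "little")

def decode_scalar(k_bytes: bytes) -> int:
    """decodeScalar25519: clamp the private scalar as the RFC requires."""
    k = bytearray(k_bytes[:32])
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return int.from_bytes(k, "little")

def cswap(swap: int, a: int, b: int):
    dummy = (-swap) & (a ^ b)  # RFC's arithmetic swap; not constant-time here
    return a ^ dummy, b ^ dummy

def x25519(k_bytes: bytes, u_bytes: bytes) -> bytes:
    """X25519(k, u) via the Montgomery ladder of RFC 7748 Section 5."""
    k, x1 = decode_scalar(k_bytes), decode_u(u_bytes)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def with_msb_set(u_bytes: bytes) -> bytes:
    """Same 32-byte u-coordinate with bit 255 set; a conforming decoder ignores it."""
    return u_bytes[:31] + bytes([u_bytes[31] | 0x80])

# RFC 7748 Section 5.2 test vector 1: scalar, u-coordinate, expected output
K = bytes.fromhex("a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4")
U = bytes.fromhex("e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c")
OUT = bytes.fromhex("c3da55379de9c6908e94ea4df28d084f32eccf03491c71f754b4075577a28552")
```

An implementation that skips the mask reads the second input as u + 2^255, which is u + 19 mod p, and so returns a different shared secret; that is the divergence a test that clears the bit itself cannot detect.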