[JDK] Implement API to get public key from private key for RSA and EC

Author: whyoleg

cryptography-providers/jdk/build.gradle.kts

@@ -27,6 +27,9 @@ kotlin {
         jvmMain.dependencies {
             api(projects.cryptographyCore)
             implementation(projects.cryptographyProviderBase)
+
+            // should be used carefully, for specific cases
+            compileOnly(libs.bouncycastle)
         }
     }
 }

cryptography-providers/jdk/src/jvmMain/kotlin/algorithms/JdkEc.kt

@@ -16,17 +16,17 @@ import java.math.*
 import java.security.interfaces.*
 import java.security.spec.*
 
-internal sealed class JdkEc<PublicK : EC.PublicKey, PrivateK : EC.PrivateKey, KP : EC.KeyPair<PublicK, PrivateK>>(
+internal sealed class JdkEc<PublicK : EC.PublicKey, PrivateK : EC.PrivateKey<PublicK>, KP : EC.KeyPair<PublicK, PrivateK>>(
     protected val state: JdkCryptographyState,
 ) : EC<PublicK, PrivateK, KP> {
+    protected abstract val wrapPublicKey: (JPublicKey) -> PublicK
+    protected abstract val wrapPrivateKey: (JPrivateKey, PublicK?) -> PrivateK
+    protected abstract val wrapKeyPair: (PublicK, PrivateK) -> KP
+
     private fun algorithmParameters(spec: AlgorithmParameterSpec): JAlgorithmParameters {
         return state.algorithmParameters("EC").also { it.init(spec) }
     }
 
-    protected abstract fun JPublicKey.convert(): PublicK
-    protected abstract fun JPrivateKey.convert(): PrivateK
-    protected abstract fun JKeyPair.convert(): KP
-
     final override fun publicKeyDecoder(curve: EC.Curve): KeyDecoder<EC.PublicKey.Format, PublicK> {
         return EcPublicKeyDecoder(algorithmParameters(ECGenParameterSpec(curve.jdkName)).curveName())
     }
@@ -54,19 +54,30 @@ internal sealed class JdkEc<PublicK : EC.PublicKey, PrivateK : EC.PrivateKey, KP
             initialize(keyGenParameters, state.secureRandom)
         }
 
-        override fun JKeyPair.convert(): KP = with(this@JdkEc) { convert() }
+        override fun JKeyPair.convert(): KP {
+            val publicKey = wrapPublicKey(public)
+            val privateKey = wrapPrivateKey(private, publicKey)
+            return wrapKeyPair(publicKey, privateKey)
+        }
     }
 
     private inner class EcPublicKeyDecoder(
         private val curveName: String,
     ) : JdkPublicKeyDecoder<EC.PublicKey.Format, PublicK>(state, "EC") {
+
+        fun fromPrivateKey(privateKey: ECPrivateKey): PublicK = decode(
+            BouncyCastleBridge.derivePublicKey(privateKey, curveName) ?: error(
+                "Getting public key from private key for EC is not supported in JDK without BouncyCastle APIs"
+            )
+        )
+
         override fun JPublicKey.convert(): PublicK {
             check(this is ECPublicKey)
 
             val keyCurve = algorithmParameters(params).curveName()
             check(curveName == keyCurve) { "Key curve $keyCurve is not equal to expected curve $curveName" }
 
-            return with(this@JdkEc) { convert() }
+            return wrapPublicKey(this)
         }
 
         override fun decodeFromByteArrayBlocking(format: EC.PublicKey.Format, bytes: ByteArray): PublicK = when (format) {
@@ -98,7 +109,7 @@ internal sealed class JdkEc<PublicK : EC.PublicKey, PrivateK : EC.PrivateKey, KP
             val keyCurve = algorithmParameters(params).curveName()
             check(curveName == keyCurve) { "Key curve $keyCurve is not equal to expected curve $curveName" }
 
-            return with(this@JdkEc) { convert() }
+            return wrapPrivateKey(this, null)
         }
 
         override fun decodeFromByteArrayBlocking(format: EC.PrivateKey.Format, bytes: ByteArray): PrivateK = when (format) {
@@ -116,7 +127,7 @@ internal sealed class JdkEc<PublicK : EC.PublicKey, PrivateK : EC.PrivateKey, KP
     }
 
     protected abstract class BaseEcPublicKey(
-        private val key: JPublicKey,
+        val key: JPublicKey,
     ) : EC.PublicKey, JdkEncodableKey<EC.PublicKey.Format>(key) {
         final override fun encodeToByteArrayBlocking(format: EC.PublicKey.Format): ByteArray = when (format) {
             EC.PublicKey.Format.JWK            -> error("$format is not supported")
@@ -150,9 +161,19 @@ internal sealed class JdkEc<PublicK : EC.PublicKey, PrivateK : EC.PrivateKey, KP
 
     }
 
-    protected abstract class BaseEcPrivateKey(
-        private val key: JPrivateKey,
-    ) : EC.PrivateKey, JdkEncodableKey<EC.PrivateKey.Format>(key) {
+    protected abstract inner class BaseEcPrivateKey(
+        val key: JPrivateKey,
+        private var publicKey: PublicK?,
+    ) : EC.PrivateKey<PublicK>, JdkEncodableKey<EC.PrivateKey.Format>(key) {
+        override fun getPublicKeyBlocking(): PublicK {
+            if (publicKey == null) {
+                key as ECPrivateKey
+                val curveName = algorithmParameters(key.params).curveName()
+                publicKey = EcPublicKeyDecoder(curveName).fromPrivateKey(key)
+            }
+            return publicKey!!
+        }
+
         final override fun encodeToByteArrayBlocking(format: EC.PrivateKey.Format): ByteArray = when (format) {
             EC.PrivateKey.Format.JWK      -> error("$format is not supported")
             EC.PrivateKey.Format.DER      -> encodeToDer()

cryptography-providers/jdk/src/jvmMain/kotlin/algorithms/JdkEcdh.kt

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2024 Oleg Yukhnevich. Use of this source code is governed by the Apache 2.0 license.
+ * Copyright (c) 2024-2025 Oleg Yukhnevich. Use of this source code is governed by the Apache 2.0 license.
  */
 
 package dev.whyoleg.cryptography.providers.jdk.algorithms
@@ -10,18 +10,17 @@ import dev.whyoleg.cryptography.providers.jdk.*
 import dev.whyoleg.cryptography.providers.jdk.operations.*
 
 internal class JdkEcdh(state: JdkCryptographyState) : JdkEc<ECDH.PublicKey, ECDH.PrivateKey, ECDH.KeyPair>(state), ECDH {
-    override fun JPublicKey.convert(): ECDH.PublicKey = EcdhPublicKey(state, this)
-    override fun JPrivateKey.convert(): ECDH.PrivateKey = EcdhPrivateKey(state, this)
-    override fun JKeyPair.convert(): ECDH.KeyPair = EcdhKeyPair(public.convert(), private.convert())
+    override val wrapPublicKey: (JPublicKey) -> ECDH.PublicKey = ::EcdhPublicKey
+    override val wrapPrivateKey: (JPrivateKey, ECDH.PublicKey?) -> ECDH.PrivateKey = ::EcdhPrivateKey
+    override val wrapKeyPair: (ECDH.PublicKey, ECDH.PrivateKey) -> ECDH.KeyPair = ::EcdhKeyPair
 
     private class EcdhKeyPair(
         override val publicKey: ECDH.PublicKey,
         override val privateKey: ECDH.PrivateKey,
     ) : ECDH.KeyPair
 
-    private class EcdhPublicKey(
-        private val state: JdkCryptographyState,
-        val key: JPublicKey,
+    private inner class EcdhPublicKey(
+        key: JPublicKey,
     ) : ECDH.PublicKey, BaseEcPublicKey(key), SharedSecretGenerator<ECDH.PrivateKey> {
         private val keyAgreement = state.keyAgreement("ECDH")
         override fun sharedSecretGenerator(): SharedSecretGenerator<ECDH.PrivateKey> = this
@@ -32,10 +31,10 @@ internal class JdkEcdh(state: JdkCryptographyState) : JdkEc<ECDH.PublicKey, ECDH
         }
     }
 
-    private class EcdhPrivateKey(
-        private val state: JdkCryptographyState,
-        val key: JPrivateKey,
-    ) : ECDH.PrivateKey, BaseEcPrivateKey(key), SharedSecretGenerator<ECDH.PublicKey> {
+    private inner class EcdhPrivateKey(
+        key: JPrivateKey,
+        publicKey: ECDH.PublicKey?,
+    ) : ECDH.PrivateKey, BaseEcPrivateKey(key, publicKey), SharedSecretGenerator<ECDH.PublicKey> {
         private val keyAgreement = state.keyAgreement("ECDH")
         override fun sharedSecretGenerator(): SharedSecretGenerator<ECDH.PublicKey> = this
         override fun generateSharedSecretToByteArrayBlocking(other: ECDH.PublicKey): ByteArray {

cryptography-providers/jdk/src/jvmMain/kotlin/algorithms/JdkEcdsa.kt

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2023-2024 Oleg Yukhnevich. Use of this source code is governed by the Apache 2.0 license.
+ * Copyright (c) 2023-2025 Oleg Yukhnevich. Use of this source code is governed by the Apache 2.0 license.
  */
 
 package dev.whyoleg.cryptography.providers.jdk.algorithms
@@ -17,18 +17,17 @@ import dev.whyoleg.cryptography.serialization.asn1.modules.*
 import java.security.interfaces.*
 
 internal class JdkEcdsa(state: JdkCryptographyState) : JdkEc<ECDSA.PublicKey, ECDSA.PrivateKey, ECDSA.KeyPair>(state), ECDSA {
-    override fun JPublicKey.convert(): ECDSA.PublicKey = EcdsaPublicKey(state, this)
-    override fun JPrivateKey.convert(): ECDSA.PrivateKey = EcdsaPrivateKey(state, this)
-    override fun JKeyPair.convert(): ECDSA.KeyPair = EcdsaKeyPair(public.convert(), private.convert())
+    override val wrapPublicKey: (JPublicKey) -> ECDSA.PublicKey = ::EcdsaPublicKey
+    override val wrapPrivateKey: (JPrivateKey, ECDSA.PublicKey?) -> ECDSA.PrivateKey = ::EcdsaPrivateKey
+    override val wrapKeyPair: (ECDSA.PublicKey, ECDSA.PrivateKey) -> ECDSA.KeyPair = ::EcdsaKeyPair
 
     private class EcdsaKeyPair(
         override val publicKey: ECDSA.PublicKey,
         override val privateKey: ECDSA.PrivateKey,
     ) : ECDSA.KeyPair
 
-    private class EcdsaPublicKey(
-        private val state: JdkCryptographyState,
-        private val key: JPublicKey,
+    private inner class EcdsaPublicKey(
+        key: JPublicKey,
     ) : ECDSA.PublicKey, BaseEcPublicKey(key) {
         override fun signatureVerifier(digest: CryptographyAlgorithmId<Digest>, format: ECDSA.SignatureFormat): SignatureVerifier {
             val verifier = JdkSignatureVerifier(state, key, digest.hashAlgorithmName() + "withECDSA", null)
@@ -39,10 +38,10 @@ internal class JdkEcdsa(state: JdkCryptographyState) : JdkEc<ECDSA.PublicKey, EC
         }
     }
 
-    private class EcdsaPrivateKey(
-        private val state: JdkCryptographyState,
-        private val key: JPrivateKey,
-    ) : ECDSA.PrivateKey, BaseEcPrivateKey(key) {
+    private inner class EcdsaPrivateKey(
+        key: JPrivateKey,
+        publicKey: ECDSA.PublicKey?,
+    ) : ECDSA.PrivateKey, BaseEcPrivateKey(key, publicKey) {
         override fun signatureGenerator(digest: CryptographyAlgorithmId<Digest>, format: ECDSA.SignatureFormat): SignatureGenerator {
             val generator = JdkSignatureGenerator(state, key, digest.hashAlgorithmName() + "withECDSA", null)
             return when (format) {