Update KeyAgreement classes to support Generic secret generation (#573)

The engineGenerateSecret(String) method in KeyAgreement
classes currently only supports "TlsPremasterSecret",
but the expectation starting in Java 25 is that
"Generic" should be accepted as well. This change
accomplishes that.

Additional test cases to verify said behaviour are
added.

Signed-off-by: Kostas Tsiounis <[email protected]>

Author: KostasTsiounis

src/main/java/com/ibm/crypto/plus/provider/DHKeyAgreement.java

@@ -1,5 +1,5 @@
 /*
- * Copyright IBM Corp. 2023, 2024
+ * Copyright IBM Corp. 2023, 2025
  *
  * This code is free software; you can redistribute it and/or modify it
  * under the terms provided by IBM in the LICENSE file that accompanied
@@ -201,9 +201,11 @@ protected SecretKey engineGenerateSecret(String algorithm)
             throw new NoSuchAlgorithmException("null algorithm");
         }
 
-        if (!algorithm.equalsIgnoreCase("TlsPremasterSecret") && !AllowKDF.VALUE) {
+        if (!(algorithm.equalsIgnoreCase("TlsPremasterSecret")
+                || algorithm.equalsIgnoreCase("Generic"))
+            && !AllowKDF.VALUE) {
             throw new NoSuchAlgorithmException(
-                    "Unsupported secret key " + "algorithm: " + algorithm);
+                    "Unsupported secret key algorithm: " + algorithm);
         }
 
         byte[] secret = engineGenerateSecret();
@@ -229,12 +231,15 @@ protected SecretKey engineGenerateSecret(String algorithm)
                 throw new InvalidKeyException("Key material is too short");
             }
             return skey;
-        } else if (algorithm.equals("TlsPremasterSecret")) {
+        } else if (algorithm.equalsIgnoreCase("TlsPremasterSecret")) {
             // remove leading zero bytes per RFC 5246 Section 8.1.2
-            return new SecretKeySpec(KeyUtil.trimZeroes(secret), "TlsPremasterSecret");
+            return new SecretKeySpec(
+                    KeyUtil.trimZeroes(secret), "TlsPremasterSecret");
+        } else if (algorithm.equalsIgnoreCase("Generic")) {
+            return new SecretKeySpec(secret, algorithm);
         } else {
             throw new NoSuchAlgorithmException(
-                    "Unsupported secret key " + "algorithm: " + algorithm);
+                    "Unsupported secret key algorithm: " + algorithm);
         }
     }
 

src/main/java/com/ibm/crypto/plus/provider/ECDHKeyAgreement.java

@@ -1,5 +1,5 @@
 /*
- * Copyright IBM Corp. 2023, 2024
+ * Copyright IBM Corp. 2023, 2025
  *
  * This code is free software; you can redistribute it and/or modify it
  * under the terms provided by IBM in the LICENSE file that accompanied
@@ -203,10 +203,12 @@ protected SecretKey engineGenerateSecret(String algorithm)
         if (algorithm == null) {
             throw new NoSuchAlgorithmException("Algorithm must not be null");
         }
-        if (!(algorithm.equals("TlsPremasterSecret"))) {
-            throw new NoSuchAlgorithmException("Only supported for algorithm TlsPremasterSecret");
+        if (!(algorithm.equalsIgnoreCase("TlsPremasterSecret")
+                || algorithm.equalsIgnoreCase("Generic"))) {
+            throw new NoSuchAlgorithmException(
+                    "Unsupported secret key algorithm: " + algorithm);
         }
-        return new SecretKeySpec(engineGenerateSecret(), "TlsPremasterSecret");
+        return new SecretKeySpec(engineGenerateSecret(), algorithm);
     }
 
     @Override

src/main/java/com/ibm/crypto/plus/provider/XDHKeyAgreement.java

@@ -1,5 +1,5 @@
 /*
- * Copyright IBM Corp. 2023, 2024
+ * Copyright IBM Corp. 2023, 2025
  *
  * This code is free software; you can redistribute it and/or modify it
  * under the terms provided by IBM in the LICENSE file that accompanied
@@ -150,9 +150,12 @@ protected SecretKey engineGenerateSecret(String algorithm)
             throws IllegalStateException, NoSuchAlgorithmException, InvalidKeyException {
         if (algorithm == null)
             throw new NoSuchAlgorithmException("Algorithm must not be null");
-        if (!(algorithm.equals("TlsPremasterSecret")))
-            throw new NoSuchAlgorithmException("Only supported for algorithm TlsPremasterSecret");
-        return new SecretKeySpec(engineGenerateSecret(), "TlsPremasterSecret");
+        if (!(algorithm.equalsIgnoreCase("TlsPremasterSecret")
+                || algorithm.equalsIgnoreCase("Generic"))) {
+            throw new NoSuchAlgorithmException(
+                    "Unsupported secret key algorithm: " + algorithm);
+        }
+        return new SecretKeySpec(engineGenerateSecret(), algorithm);
     }
 
     @Override

src/test/java/ibm/jceplus/junit/base/BaseTestDH.java

@@ -1,5 +1,5 @@
 /*
- * Copyright IBM Corp. 2023, 2024
+ * Copyright IBM Corp. 2023, 2025
  *
  * This code is free software; you can redistribute it and/or modify it
  * under the terms provided by IBM in the LICENSE file that accompanied
@@ -17,10 +17,12 @@
 import java.security.NoSuchProviderException;
 import java.security.spec.AlgorithmParameterSpec;
 import java.util.Arrays;
+import java.util.List;
 import javax.crypto.KeyAgreement;
 import javax.crypto.spec.DHParameterSpec;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 public class BaseTestDH extends BaseTestJunit5 {
@@ -212,6 +214,23 @@ public void testDH_DHSpec() throws Exception {
 
     }
 
+    @Test
+    public void test_engineGenerateSecret() throws Exception {
+        try {
+            KeyPairGenerator g = KeyPairGenerator.getInstance("DH", getProviderName());
+            KeyPair kp1 = g.generateKeyPair();
+            KeyPair kp2 = g.generateKeyPair();
+            KeyAgreement ka = KeyAgreement.getInstance("DH", getProviderName());
+            for (String alg : List.of("TlsPremasterSecret", "Generic")) {
+                ka.init(kp1.getPrivate());
+                ka.doPhase(kp2.getPublic(), true);
+                assertEquals(ka.generateSecret(alg).getAlgorithm(), alg);
+            }
+        } catch (Exception e) {
+            throw e;
+        }
+    }
+
     void compute_dh_key(String idString, AlgorithmParameterSpec algParameterSpec)
             throws NoSuchAlgorithmException, InvalidAlgorithmParameterException,
             NoSuchProviderException, InvalidKeyException {

src/test/java/ibm/jceplus/junit/base/BaseTestECDH.java

@@ -1,5 +1,5 @@
 /*
- * Copyright IBM Corp. 2023, 2024
+ * Copyright IBM Corp. 2023, 2025
  *
  * This code is free software; you can redistribute it and/or modify it
  * under the terms provided by IBM in the LICENSE file that accompanied
@@ -25,9 +25,11 @@
 import java.security.spec.EllipticCurve;
 import java.security.spec.InvalidParameterSpecException;
 import java.util.Arrays;
+import java.util.List;
 import javax.crypto.KeyAgreement;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assertions.fail;
@@ -301,6 +303,23 @@ public void testEC_engineInit_AlgorithmParameterSpec_paramSpec() throws Exceptio
         fail("InvalidParameterSpecException expected but no exception was thrown");
     }
 
+    @Test
+    public void test_engineGenerateSecret() throws Exception {
+        try {
+            KeyPairGenerator g = KeyPairGenerator.getInstance("DH", getProviderName());
+            KeyPair kp1 = g.generateKeyPair();
+            KeyPair kp2 = g.generateKeyPair();
+            KeyAgreement ka = KeyAgreement.getInstance("DH", getProviderName());
+            for (String alg : List.of("TlsPremasterSecret", "Generic")) {
+                ka.init(kp1.getPrivate());
+                ka.doPhase(kp2.getPublic(), true);
+                assertEquals(ka.generateSecret(alg).getAlgorithm(), alg);
+            }
+        } catch (Exception e) {
+            throw e;
+        }
+    }
+
     void compute_ecdh_key_with_global_key(String idString, AlgorithmParameterSpec algParameterSpec)
             throws NoSuchAlgorithmException, InvalidAlgorithmParameterException,
             NoSuchProviderException, InvalidKeyException {

src/test/java/ibm/jceplus/junit/base/BaseTestXDH.java

@@ -1,5 +1,5 @@
 /*
- * Copyright IBM Corp. 2023, 2024
+ * Copyright IBM Corp. 2023, 2025
  *
  * This code is free software; you can redistribute it and/or modify it
  * under the terms provided by IBM in the LICENSE file that accompanied
@@ -29,6 +29,7 @@
 import java.security.spec.XECPrivateKeySpec;
 import java.security.spec.XECPublicKeySpec;
 import java.util.Arrays;
+import java.util.List;
 import javax.crypto.KeyAgreement;
 import org.junit.jupiter.api.Test;
 import static org.junit.jupiter.api.Assertions.assertEquals;
@@ -90,6 +91,23 @@ public void testXDH_runCurveMixTest() throws Exception {
         runCurveMixTest();
     }
 
+    @Test
+    public void test_engineGenerateSecret() throws Exception {
+        try {
+            KeyPairGenerator g = KeyPairGenerator.getInstance("DH", getProviderName());
+            KeyPair kp1 = g.generateKeyPair();
+            KeyPair kp2 = g.generateKeyPair();
+            KeyAgreement ka = KeyAgreement.getInstance("DH", getProviderName());
+            for (String alg : List.of("TlsPremasterSecret", "Generic")) {
+                ka.init(kp1.getPrivate());
+                ka.doPhase(kp2.getPublic(), true);
+                assertEquals(ka.generateSecret(alg).getAlgorithm(), alg);
+            }
+        } catch (Exception e) {
+            throw e;
+        }
+    }
+
     void compute_xdh_key(String idString, NamedParameterSpec algParameterSpec)
             throws NoSuchAlgorithmException, InvalidAlgorithmParameterException,
             NoSuchProviderException, InvalidKeyException {