I'm reading OpenSSH-format elliptic curve public keys (RFC 5656, section 3.1) and would like to get from a BigInteger Q value to an ECPublicKey instance using JCE (rather than, say, BouncyCastle). I want to do this to verify JWT signatures.
e.g. https://api.github.com/users/davidcarboni/keys:
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK8hPtB72/sfYgNw1WTska2DNOJFx+QhUxuV6OLINSD2ty+6gxcM8yZrvMqWdMePGRb2cGh8L/0bGOk+64IQ/pM=
It looks like I can use ECPublicKeySpec. This takes two parameters: an ECPoint and an ECParameterSpec. I'm able to get the parameter spec using the following JCE code (and the OpenSSH identifier from the key data, say "nistp256"):
import java.security.AlgorithmParameters;
import java.security.NoSuchAlgorithmException;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.InvalidParameterSpecException;

// Maps the OpenSSH curve identifier (e.g. "nistp256") to the JCE curve name
// ("secp256r1") and asks the "EC" AlgorithmParameters for its ECParameterSpec.
ECParameterSpec getECParameterSpec(String identifier) {
    try {
        AlgorithmParameters parameters = AlgorithmParameters.getInstance("EC");
        String name = identifier.replace("nist", "sec") + "r1";
        parameters.init(new ECGenParameterSpec(name));
        return parameters.getParameterSpec(ECParameterSpec.class);
    } catch (InvalidParameterSpecException | NoSuchAlgorithmException e) {
        throw new IllegalArgumentException("Unable to get parameter spec for identifier " + identifier, e);
    }
}
I've successfully parsed the Q value from the key data. RFC 5656 tells me that "Q is the public key encoded from an elliptic curve point into an octet string"; however, the constructor of JCE's ECPoint class takes two parameters, X and Y.
Can I get to X and Y from Q, or do I need to take a different approach?
(NB I quite rightly don't have access to the private key)
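The following is an added example, not code from the question or its author, showing the whole path from the OpenSSH key line to a JCE ECPublicKey. It assumes what RFC 5656 section 3.1 specifies and what OpenSSH emits in practice: Q is the SEC 1 uncompressed point encoding, a 0x04 byte followed by X and Y, each padded to the field size (32 bytes for nistp256), so X and Y are simply the two halves after the leading byte. The class name OpenSshEcdsaKeyParser, the helper names and the explicit on-curve check are this example's own choices; the sample input is the key line quoted above.

```java
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECFieldFp;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.security.spec.ECPublicKeySpec;
import java.security.spec.EllipticCurve;
import java.util.Arrays;
import java.util.Base64;

// Hypothetical helper class (not from the question): turns an OpenSSH
// "ecdsa-sha2-nistpNNN AAAA..." line into a JCE ECPublicKey.
public class OpenSshEcdsaKeyParser {

    // The key line quoted in the question, used here as sample input.
    static final String SAMPLE_KEY =
        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK8hPtB72/"
        + "sfYgNw1WTska2DNOJFx+QhUxuV6OLINSD2ty+6gxcM8yZrvMqWdMePGRb2cGh8L/0bGOk+64IQ/pM=";

    // RFC 4251 "string": big-endian uint32 length followed by that many bytes.
    static byte[] readString(ByteBuffer buf) {
        if (buf.remaining() < 4) throw new IllegalArgumentException("Truncated key blob");
        int len = buf.getInt();
        if (len < 0 || len > buf.remaining()) throw new IllegalArgumentException("Bad length " + len);
        byte[] out = new byte[len];
        buf.get(out);
        return out;
    }

    // Same mapping as in the question: "nistp256" -> "secp256r1", etc.
    static ECParameterSpec getECParameterSpec(String identifier) throws GeneralSecurityException {
        AlgorithmParameters parameters = AlgorithmParameters.getInstance("EC");
        parameters.init(new ECGenParameterSpec(identifier.replace("nist", "sec") + "r1"));
        return parameters.getParameterSpec(ECParameterSpec.class);
    }

    // Q is the SEC 1 uncompressed encoding 0x04 || X || Y, each coordinate
    // padded to the field size (32 bytes for P-256). Split it into the two
    // BigIntegers ECPoint wants; the signum argument 1 keeps them non-negative.
    static ECPoint decodeUncompressedPoint(byte[] q, ECParameterSpec params) {
        int fieldBytes = (params.getCurve().getField().getFieldSize() + 7) / 8;
        if (q.length != 1 + 2 * fieldBytes || q[0] != 0x04) {
            throw new IllegalArgumentException("Q is not an uncompressed point with " + fieldBytes + "-byte coordinates");
        }
        BigInteger x = new BigInteger(1, Arrays.copyOfRange(q, 1, 1 + fieldBytes));
        BigInteger y = new BigInteger(1, Arrays.copyOfRange(q, 1 + fieldBytes, q.length));
        return new ECPoint(x, y);
    }

    // Added sanity check: reject a point that is not on the named curve,
    // i.e. where y^2 != x^3 + a*x + b (mod p). Do not rely on the provider for this.
    static boolean isOnCurve(ECPoint w, ECParameterSpec params) {
        EllipticCurve curve = params.getCurve();
        BigInteger p = ((ECFieldFp) curve.getField()).getP();
        BigInteger x = w.getAffineX(), y = w.getAffineY();
        if (x.signum() < 0 || y.signum() < 0 || x.compareTo(p) >= 0 || y.compareTo(p) >= 0) return false;
        BigInteger lhs = y.multiply(y).mod(p);
        BigInteger rhs = x.modPow(BigInteger.valueOf(3), p).add(curve.getA().multiply(x)).add(curve.getB()).mod(p);
        return lhs.equals(rhs);
    }

    static ECPublicKey parse(String line) throws GeneralSecurityException {
        String[] parts = line.trim().split("\\s+");
        if (parts.length < 2 || !parts[0].startsWith("ecdsa-sha2-")) {
            throw new IllegalArgumentException("Not an ecdsa-sha2-* public key line");
        }
        ByteBuffer blob = ByteBuffer.wrap(Base64.getDecoder().decode(parts[1]));
        String keyType = new String(readString(blob), StandardCharsets.US_ASCII);   // "ecdsa-sha2-nistp256"
        String identifier = new String(readString(blob), StandardCharsets.US_ASCII); // "nistp256"
        byte[] q = readString(blob);
        // RFC 5656 ties the key type to the curve name; refuse anything inconsistent or with trailing bytes.
        if (!keyType.equals(parts[0]) || !keyType.equals("ecdsa-sha2-" + identifier) || blob.hasRemaining()) {
            throw new IllegalArgumentException("Malformed ecdsa-sha2 key blob");
        }
        ECParameterSpec params = getECParameterSpec(identifier);
        ECPoint w = decodeUncompressedPoint(q, params);
        if (!isOnCurve(w, params)) throw new IllegalArgumentException("Public point is not on " + identifier);
        return (ECPublicKey) KeyFactory.getInstance("EC").generatePublic(new ECPublicKeySpec(w, params));
    }

    public static void main(String[] args) throws Exception {
        ECPublicKey key = parse(SAMPLE_KEY);
        System.out.println(key.getAlgorithm() + " public key, "
            + key.getParams().getCurve().getField().getFieldSize() + "-bit field");
        System.out.println("X = " + key.getW().getAffineX().toString(16));
        System.out.println("Y = " + key.getW().getAffineY().toString(16));
    }
}
```

One caveat for the JWT use case: a JWS ES256 signature (RFC 7518, section 3.4) is the raw 64-byte R || S concatenation, whereas Signature.getInstance("SHA256withECDSA") expects the DER-encoded ECDSA-Sig-Value, so either convert the signature to DER before calling verify or, on JDK 9 and later, use the "SHA256withECDSAinP1363Format" algorithm name, which accepts the raw form directly.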