SRP6 methods to calculate and verify the evidence messages M1, M2 and for the session Key

[dangrasso]

I added java support for the missing parts of the standard SRP-6 protocol
M1 = H(A,B,S)
M2 = H(A,M1,S)
Key = H(S)

@see also: http://www.bouncycastle.org/devmailarchive/msg13267.html

[peterdettman]

Hi Dan, yes these were left out of the initial implementation as TLS doesn't need them, but we'd be happy to include them.

As to the patch itself, I am concerned about the way the BigInteger values are hashed in your new SRP6Util methods. If you look at some of the other existing methods in SRP6Util you will note that a BigInteger is first converted to an unsigned byte array and then zero-padded to the same size as N, before being sent to the digest. I would assume that similar treatment is required for these new calculations.

It'd be nice if a few test cases were included with the patch too (see core/src/test/java/org/bouncycastle/crypto/test/SRP6Test.java), ideally test data from a reference implementation, or official test vectors if they exist.

[dangrasso]

you're right! i'll make it consistent with the rest.
Thanks for the good point

[cowwoc]

@peterdettman Are you waiting for anything further?

[peterdettman]

Finally merged this, with a couple of minor fixes. Thanks for the patch.