src/crypto/ecdh/nist.go - go.git - Git at Google

 // Copyright 2022 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

 package ecdh

 import (
 	"bytes"
 	"crypto/internal/boring"
 	"crypto/internal/fips140/ecdh"
 	"crypto/internal/fips140only"
 	"errors"
 	"io"
 )

 type nistCurve struct {
 	name          string
 	generate      func(io.Reader) (*ecdh.PrivateKey, error)
 	newPrivateKey func([]byte) (*ecdh.PrivateKey, error)
 	newPublicKey  func(publicKey []byte) (*ecdh.PublicKey, error)
 	sharedSecret  func(*ecdh.PrivateKey, *ecdh.PublicKey) (sharedSecret []byte, err error)
 }

 func (c *nistCurve) String() string {
 	return c.name
 }

 func (c *nistCurve) GenerateKey(rand io.Reader) (*PrivateKey, error) {
 	if boring.Enabled && rand == boring.RandReader {
 		key, bytes, err := boring.GenerateKeyECDH(c.name)
 		if err != nil {
 			return nil, err
 		}
 		pub, err := key.PublicKey()
 		if err != nil {
 			return nil, err
 		}
 		k := &PrivateKey{
 			curve:      c,
 			privateKey: bytes,
 			publicKey:  &PublicKey{curve: c, publicKey: pub.Bytes(), boring: pub},
 			boring:     key,
 		}
 		return k, nil
 	}

 	if fips140only.Enabled && !fips140only.ApprovedRandomReader(rand) {
 		return nil, errors.New("crypto/ecdh: only crypto/rand.Reader is allowed in FIPS 140-only mode")
 	}

 	privateKey, err := c.generate(rand)
 	if err != nil {
 		return nil, err
 	}

 	k := &PrivateKey{
 		curve:      c,
 		privateKey: privateKey.Bytes(),
 		fips:       privateKey,
 		publicKey: &PublicKey{
 			curve:     c,
 			publicKey: privateKey.PublicKey().Bytes(),
 			fips:      privateKey.PublicKey(),
 		},
 	}
 	if boring.Enabled {
 		bk, err := boring.NewPrivateKeyECDH(c.name, k.privateKey)
 		if err != nil {
 			return nil, err
 		}
 		pub, err := bk.PublicKey()
 		if err != nil {
 			return nil, err
 		}
 		k.boring = bk
 		k.publicKey.boring = pub
 	}
 	return k, nil
 }

 func (c *nistCurve) NewPrivateKey(key []byte) (*PrivateKey, error) {
 	if boring.Enabled {
 		bk, err := boring.NewPrivateKeyECDH(c.name, key)
 		if err != nil {
 			return nil, errors.New("crypto/ecdh: invalid private key")
 		}
 		pub, err := bk.PublicKey()
 		if err != nil {
 			return nil, errors.New("crypto/ecdh: invalid private key")
 		}
 		k := &PrivateKey{
 			curve:      c,
 			privateKey: bytes.Clone(key),
 			publicKey:  &PublicKey{curve: c, publicKey: pub.Bytes(), boring: pub},
 			boring:     bk,
 		}
 		return k, nil
 	}

 	fk, err := c.newPrivateKey(key)
 	if err != nil {
 		return nil, err
 	}
 	k := &PrivateKey{
 		curve:      c,
 		privateKey: bytes.Clone(key),
 		fips:       fk,
 		publicKey: &PublicKey{
 			curve:     c,
 			publicKey: fk.PublicKey().Bytes(),
 			fips:      fk.PublicKey(),
 		},
 	}
 	return k, nil
 }

 func (c *nistCurve) NewPublicKey(key []byte) (*PublicKey, error) {
 	// Reject the point at infinity and compressed encodings.
 	// Note that boring.NewPublicKeyECDH would accept them.
 	if len(key) == 0 || key[0] != 4 {
 		return nil, errors.New("crypto/ecdh: invalid public key")
 	}
 	k := &PublicKey{
 		curve:     c,
 		publicKey: bytes.Clone(key),
 	}
 	if boring.Enabled {
 		bk, err := boring.NewPublicKeyECDH(c.name, k.publicKey)
 		if err != nil {
 			return nil, errors.New("crypto/ecdh: invalid public key")
 		}
 		k.boring = bk
 	} else {
 		fk, err := c.newPublicKey(key)
 		if err != nil {
 			return nil, err
 		}
 		k.fips = fk
 	}
 	return k, nil
 }

 func (c *nistCurve) ecdh(local *PrivateKey, remote *PublicKey) ([]byte, error) {
 	// Note that this function can't return an error, as NewPublicKey rejects
 	// invalid points and the point at infinity, and NewPrivateKey rejects
 	// invalid scalars and the zero value. BytesX returns an error for the point
 	// at infinity, but in a prime order group such as the NIST curves that can
 	// only be the result of a scalar multiplication if one of the inputs is the
 	// zero scalar or the point at infinity.

 	if boring.Enabled {
 		return boring.ECDH(local.boring, remote.boring)
 	}
 	return c.sharedSecret(local.fips, remote.fips)
 }

 // P256 returns a [Curve] which implements NIST P-256 (FIPS 186-3, section D.2.3),
 // also known as secp256r1 or prime256v1.
 //
 // Multiple invocations of this function will return the same value, which can
 // be used for equality checks and switch statements.
 func P256() Curve { return p256 }

 var p256 = &nistCurve{
 	name: "P-256",
 	generate: func(r io.Reader) (*ecdh.PrivateKey, error) {
 		return ecdh.GenerateKey(ecdh.P256(), r)
 	},
 	newPrivateKey: func(b []byte) (*ecdh.PrivateKey, error) {
 		return ecdh.NewPrivateKey(ecdh.P256(), b)
 	},
 	newPublicKey: func(publicKey []byte) (*ecdh.PublicKey, error) {
 		return ecdh.NewPublicKey(ecdh.P256(), publicKey)
 	},
 	sharedSecret: func(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (sharedSecret []byte, err error) {
 		return ecdh.ECDH(ecdh.P256(), priv, pub)
 	},
 }

 // P384 returns a [Curve] which implements NIST P-384 (FIPS 186-3, section D.2.4),
 // also known as secp384r1.
 //
 // Multiple invocations of this function will return the same value, which can
 // be used for equality checks and switch statements.
 func P384() Curve { return p384 }

 var p384 = &nistCurve{
 	name: "P-384",
 	generate: func(r io.Reader) (*ecdh.PrivateKey, error) {
 		return ecdh.GenerateKey(ecdh.P384(), r)
 	},
 	newPrivateKey: func(b []byte) (*ecdh.PrivateKey, error) {
 		return ecdh.NewPrivateKey(ecdh.P384(), b)
 	},
 	newPublicKey: func(publicKey []byte) (*ecdh.PublicKey, error) {
 		return ecdh.NewPublicKey(ecdh.P384(), publicKey)
 	},
 	sharedSecret: func(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (sharedSecret []byte, err error) {
 		return ecdh.ECDH(ecdh.P384(), priv, pub)
 	},
 }

 // P521 returns a [Curve] which implements NIST P-521 (FIPS 186-3, section D.2.5),
 // also known as secp521r1.
 //
 // Multiple invocations of this function will return the same value, which can
 // be used for equality checks and switch statements.
 func P521() Curve { return p521 }

 var p521 = &nistCurve{
 	name: "P-521",
 	generate: func(r io.Reader) (*ecdh.PrivateKey, error) {
 		return ecdh.GenerateKey(ecdh.P521(), r)
 	},
 	newPrivateKey: func(b []byte) (*ecdh.PrivateKey, error) {
 		return ecdh.NewPrivateKey(ecdh.P521(), b)
 	},
 	newPublicKey: func(publicKey []byte) (*ecdh.PublicKey, error) {
 		return ecdh.NewPublicKey(ecdh.P521(), publicKey)
 	},
 	sharedSecret: func(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (sharedSecret []byte, err error) {
 		return ecdh.ECDH(ecdh.P521(), priv, pub)
 	},
 }
	// Copyright 2022 The Go Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style
	// license that can be found in the LICENSE file.

	package ecdh

	import (
	"bytes"
	"crypto/internal/boring"
	"crypto/internal/fips140/ecdh"
	"crypto/internal/fips140only"
	"errors"
	"io"
	)

	type nistCurve struct {
	name string
	generate func(io.Reader) (*ecdh.PrivateKey, error)
	newPrivateKey func([]byte) (*ecdh.PrivateKey, error)
	newPublicKey func(publicKey []byte) (*ecdh.PublicKey, error)
	sharedSecret func(ecdh.PrivateKey, ecdh.PublicKey) (sharedSecret []byte, err error)
	}

	func (c *nistCurve) String() string {
	return c.name
	}

	func (c nistCurve) GenerateKey(rand io.Reader) (PrivateKey, error) {
	if boring.Enabled && rand == boring.RandReader {
	key, bytes, err := boring.GenerateKeyECDH(c.name)
	if err != nil {
	return nil, err
	}
	pub, err := key.PublicKey()
	if err != nil {
	return nil, err
	}
	k := &PrivateKey{
	curve: c,
	privateKey: bytes,
	publicKey: &PublicKey{curve: c, publicKey: pub.Bytes(), boring: pub},
	boring: key,
	}
	return k, nil
	}

	if fips140only.Enabled && !fips140only.ApprovedRandomReader(rand) {
	return nil, errors.New("crypto/ecdh: only crypto/rand.Reader is allowed in FIPS 140-only mode")
	}

	privateKey, err := c.generate(rand)
	if err != nil {
	return nil, err
	}

	k := &PrivateKey{
	curve: c,
	privateKey: privateKey.Bytes(),
	fips: privateKey,
	publicKey: &PublicKey{
	curve: c,
	publicKey: privateKey.PublicKey().Bytes(),
	fips: privateKey.PublicKey(),
	},
	}
	if boring.Enabled {
	bk, err := boring.NewPrivateKeyECDH(c.name, k.privateKey)
	if err != nil {
	return nil, err
	}
	pub, err := bk.PublicKey()
	if err != nil {
	return nil, err
	}
	k.boring = bk
	k.publicKey.boring = pub
	}
	return k, nil
	}

	func (c nistCurve) NewPrivateKey(key []byte) (PrivateKey, error) {
	if boring.Enabled {
	bk, err := boring.NewPrivateKeyECDH(c.name, key)
	if err != nil {
	return nil, errors.New("crypto/ecdh: invalid private key")
	}
	pub, err := bk.PublicKey()
	if err != nil {
	return nil, errors.New("crypto/ecdh: invalid private key")
	}
	k := &PrivateKey{
	curve: c,
	privateKey: bytes.Clone(key),
	publicKey: &PublicKey{curve: c, publicKey: pub.Bytes(), boring: pub},
	boring: bk,
	}
	return k, nil
	}

	fk, err := c.newPrivateKey(key)
	if err != nil {
	return nil, err
	}
	k := &PrivateKey{
	curve: c,
	privateKey: bytes.Clone(key),
	fips: fk,
	publicKey: &PublicKey{
	curve: c,
	publicKey: fk.PublicKey().Bytes(),
	fips: fk.PublicKey(),
	},
	}
	return k, nil
	}

	func (c nistCurve) NewPublicKey(key []byte) (PublicKey, error) {
	// Reject the point at infinity and compressed encodings.
	// Note that boring.NewPublicKeyECDH would accept them.
	if len(key) == 0 \|\| key[0] != 4 {
	return nil, errors.New("crypto/ecdh: invalid public key")
	}
	k := &PublicKey{
	curve: c,
	publicKey: bytes.Clone(key),
	}
	if boring.Enabled {
	bk, err := boring.NewPublicKeyECDH(c.name, k.publicKey)
	if err != nil {
	return nil, errors.New("crypto/ecdh: invalid public key")
	}
	k.boring = bk
	} else {
	fk, err := c.newPublicKey(key)
	if err != nil {
	return nil, err
	}
	k.fips = fk
	}
	return k, nil
	}

	func (c nistCurve) ecdh(local PrivateKey, remote *PublicKey) ([]byte, error) {
	// Note that this function can't return an error, as NewPublicKey rejects
	// invalid points and the point at infinity, and NewPrivateKey rejects
	// invalid scalars and the zero value. BytesX returns an error for the point
	// at infinity, but in a prime order group such as the NIST curves that can
	// only be the result of a scalar multiplication if one of the inputs is the
	// zero scalar or the point at infinity.

	if boring.Enabled {
	return boring.ECDH(local.boring, remote.boring)
	}
	return c.sharedSecret(local.fips, remote.fips)
	}

	// P256 returns a [Curve] which implements NIST P-256 (FIPS 186-3, section D.2.3),
	// also known as secp256r1 or prime256v1.
	//
	// Multiple invocations of this function will return the same value, which can
	// be used for equality checks and switch statements.
	func P256() Curve { return p256 }

	var p256 = &nistCurve{
	name: "P-256",
	generate: func(r io.Reader) (*ecdh.PrivateKey, error) {
	return ecdh.GenerateKey(ecdh.P256(), r)
	},
	newPrivateKey: func(b []byte) (*ecdh.PrivateKey, error) {
	return ecdh.NewPrivateKey(ecdh.P256(), b)
	},
	newPublicKey: func(publicKey []byte) (*ecdh.PublicKey, error) {
	return ecdh.NewPublicKey(ecdh.P256(), publicKey)
	},
	sharedSecret: func(priv ecdh.PrivateKey, pub ecdh.PublicKey) (sharedSecret []byte, err error) {
	return ecdh.ECDH(ecdh.P256(), priv, pub)
	},
	}

	// P384 returns a [Curve] which implements NIST P-384 (FIPS 186-3, section D.2.4),
	// also known as secp384r1.
	//
	// Multiple invocations of this function will return the same value, which can
	// be used for equality checks and switch statements.
	func P384() Curve { return p384 }

	var p384 = &nistCurve{
	name: "P-384",
	generate: func(r io.Reader) (*ecdh.PrivateKey, error) {
	return ecdh.GenerateKey(ecdh.P384(), r)
	},
	newPrivateKey: func(b []byte) (*ecdh.PrivateKey, error) {
	return ecdh.NewPrivateKey(ecdh.P384(), b)
	},
	newPublicKey: func(publicKey []byte) (*ecdh.PublicKey, error) {
	return ecdh.NewPublicKey(ecdh.P384(), publicKey)
	},
	sharedSecret: func(priv ecdh.PrivateKey, pub ecdh.PublicKey) (sharedSecret []byte, err error) {
	return ecdh.ECDH(ecdh.P384(), priv, pub)
	},
	}

	// P521 returns a [Curve] which implements NIST P-521 (FIPS 186-3, section D.2.5),
	// also known as secp521r1.
	//
	// Multiple invocations of this function will return the same value, which can
	// be used for equality checks and switch statements.
	func P521() Curve { return p521 }

	var p521 = &nistCurve{
	name: "P-521",
	generate: func(r io.Reader) (*ecdh.PrivateKey, error) {
	return ecdh.GenerateKey(ecdh.P521(), r)
	},
	newPrivateKey: func(b []byte) (*ecdh.PrivateKey, error) {
	return ecdh.NewPrivateKey(ecdh.P521(), b)
	},
	newPublicKey: func(publicKey []byte) (*ecdh.PublicKey, error) {
	return ecdh.NewPublicKey(ecdh.P521(), publicKey)
	},
	sharedSecret: func(priv ecdh.PrivateKey, pub ecdh.PublicKey) (sharedSecret []byte, err error) {
	return ecdh.ECDH(ecdh.P521(), priv, pub)
	},
	}