go-pulse/crypto/ecies/asn1.go
Gustav Simonsson c8ad64f33c crypto, crypto/ecies, crypto/secp256k1: libsecp256k1 scalar mult
thanks to Felix Lange (fjl) for help with design & impl
2015-11-30 13:43:32 +01:00

585 lines
14 KiB
Go

// Copyright (c) 2013 Kyle Isom <kyle@tyrfingr.is>
// Copyright (c) 2012 The Go Authors. All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following disclaimer
// in the documentation and/or other materials provided with the
// distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived from
// this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
package ecies
import (
"bytes"
"crypto"
"crypto/elliptic"
"crypto/sha1"
"crypto/sha256"
"crypto/sha512"
"encoding/asn1"
"encoding/pem"
"fmt"
"hash"
"math/big"
"github.com/ethereum/go-ethereum/crypto/secp256k1"
)
var (
secgScheme = []int{1, 3, 132, 1}
shaScheme = []int{2, 16, 840, 1, 101, 3, 4, 2}
ansiX962Scheme = []int{1, 2, 840, 10045}
x963Scheme = []int{1, 2, 840, 63, 0}
)
var ErrInvalidPrivateKey = fmt.Errorf("ecies: invalid private key")
func doScheme(base, v []int) asn1.ObjectIdentifier {
var oidInts asn1.ObjectIdentifier
oidInts = append(oidInts, base...)
return append(oidInts, v...)
}
// curve OID code taken from crypto/x509, including
// - oidNameCurve*
// - namedCurveFromOID
// - oidFromNamedCurve
// RFC 5480, 2.1.1.1. Named Curve
//
// secp224r1 OBJECT IDENTIFIER ::= {
// iso(1) identified-organization(3) certicom(132) curve(0) 33 }
//
// secp256r1 OBJECT IDENTIFIER ::= {
// iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
// prime(1) 7 }
//
// secp384r1 OBJECT IDENTIFIER ::= {
// iso(1) identified-organization(3) certicom(132) curve(0) 34 }
//
// secp521r1 OBJECT IDENTIFIER ::= {
// iso(1) identified-organization(3) certicom(132) curve(0) 35 }
//
// NB: secp256r1 is equivalent to prime256v1
type secgNamedCurve asn1.ObjectIdentifier
var (
secgNamedCurveS256 = secgNamedCurve{1, 3, 132, 0, 10}
secgNamedCurveP256 = secgNamedCurve{1, 2, 840, 10045, 3, 1, 7}
secgNamedCurveP384 = secgNamedCurve{1, 3, 132, 0, 34}
secgNamedCurveP521 = secgNamedCurve{1, 3, 132, 0, 35}
rawCurveP256 = []byte{6, 8, 4, 2, 1, 3, 4, 7, 2, 2, 0, 6, 6, 1, 3, 1, 7}
rawCurveP384 = []byte{6, 5, 4, 3, 1, 2, 9, 4, 0, 3, 4}
rawCurveP521 = []byte{6, 5, 4, 3, 1, 2, 9, 4, 0, 3, 5}
)
func rawCurve(curve elliptic.Curve) []byte {
switch curve {
case elliptic.P256():
return rawCurveP256
case elliptic.P384():
return rawCurveP384
case elliptic.P521():
return rawCurveP521
default:
return nil
}
}
func (curve secgNamedCurve) Equal(curve2 secgNamedCurve) bool {
if len(curve) != len(curve2) {
return false
}
for i, _ := range curve {
if curve[i] != curve2[i] {
return false
}
}
return true
}
func namedCurveFromOID(curve secgNamedCurve) elliptic.Curve {
switch {
case curve.Equal(secgNamedCurveS256):
return secp256k1.S256()
case curve.Equal(secgNamedCurveP256):
return elliptic.P256()
case curve.Equal(secgNamedCurveP384):
return elliptic.P384()
case curve.Equal(secgNamedCurveP521):
return elliptic.P521()
}
return nil
}
func oidFromNamedCurve(curve elliptic.Curve) (secgNamedCurve, bool) {
switch curve {
case elliptic.P256():
return secgNamedCurveP256, true
case elliptic.P384():
return secgNamedCurveP384, true
case elliptic.P521():
return secgNamedCurveP521, true
case secp256k1.S256():
return secgNamedCurveS256, true
}
return nil, false
}
// asnAlgorithmIdentifier represents the ASN.1 structure of the same name. See RFC
// 5280, section 4.1.1.2.
type asnAlgorithmIdentifier struct {
Algorithm asn1.ObjectIdentifier
Parameters asn1.RawValue `asn1:"optional"`
}
func (a asnAlgorithmIdentifier) Cmp(b asnAlgorithmIdentifier) bool {
if len(a.Algorithm) != len(b.Algorithm) {
return false
}
for i, _ := range a.Algorithm {
if a.Algorithm[i] != b.Algorithm[i] {
return false
}
}
return true
}
type asnHashFunction asnAlgorithmIdentifier
var (
oidSHA1 = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26}
oidSHA224 = doScheme(shaScheme, []int{4})
oidSHA256 = doScheme(shaScheme, []int{1})
oidSHA384 = doScheme(shaScheme, []int{2})
oidSHA512 = doScheme(shaScheme, []int{3})
)
func hashFromOID(oid asn1.ObjectIdentifier) func() hash.Hash {
switch {
case oid.Equal(oidSHA1):
return sha1.New
case oid.Equal(oidSHA224):
return sha256.New224
case oid.Equal(oidSHA256):
return sha256.New
case oid.Equal(oidSHA384):
return sha512.New384
case oid.Equal(oidSHA512):
return sha512.New
}
return nil
}
func oidFromHash(hash crypto.Hash) (asn1.ObjectIdentifier, bool) {
switch hash {
case crypto.SHA1:
return oidSHA1, true
case crypto.SHA224:
return oidSHA224, true
case crypto.SHA256:
return oidSHA256, true
case crypto.SHA384:
return oidSHA384, true
case crypto.SHA512:
return oidSHA512, true
default:
return nil, false
}
}
var (
asnAlgoSHA1 = asnHashFunction{
Algorithm: oidSHA1,
}
asnAlgoSHA224 = asnHashFunction{
Algorithm: oidSHA224,
}
asnAlgoSHA256 = asnHashFunction{
Algorithm: oidSHA256,
}
asnAlgoSHA384 = asnHashFunction{
Algorithm: oidSHA384,
}
asnAlgoSHA512 = asnHashFunction{
Algorithm: oidSHA512,
}
)
// type ASNasnSubjectPublicKeyInfo struct {
//
// }
//
type asnSubjectPublicKeyInfo struct {
Algorithm asn1.ObjectIdentifier
PublicKey asn1.BitString
Supplements ecpksSupplements `asn1:"optional"`
}
type asnECPKAlgorithms struct {
Type asn1.ObjectIdentifier
}
var idPublicKeyType = doScheme(ansiX962Scheme, []int{2})
var idEcPublicKey = doScheme(idPublicKeyType, []int{1})
var idEcPublicKeySupplemented = doScheme(idPublicKeyType, []int{0})
func curveToRaw(curve elliptic.Curve) (rv asn1.RawValue, ok bool) {
switch curve {
case elliptic.P256(), elliptic.P384(), elliptic.P521():
raw := rawCurve(curve)
return asn1.RawValue{
Tag: 30,
Bytes: raw[2:],
FullBytes: raw,
}, true
default:
return rv, false
}
}
func asnECPublicKeyType(curve elliptic.Curve) (algo asnAlgorithmIdentifier, ok bool) {
raw, ok := curveToRaw(curve)
if !ok {
return
} else {
return asnAlgorithmIdentifier{Algorithm: idEcPublicKey,
Parameters: raw}, true
}
}
type asnECPrivKeyVer int
var asnECPrivKeyVer1 asnECPrivKeyVer = 1
type asnPrivateKey struct {
Version asnECPrivKeyVer
Private []byte
Curve secgNamedCurve `asn1:"optional"`
Public asn1.BitString
}
var asnECDH = doScheme(secgScheme, []int{12})
type asnECDHAlgorithm asnAlgorithmIdentifier
var (
dhSinglePass_stdDH_sha1kdf = asnECDHAlgorithm{
Algorithm: doScheme(x963Scheme, []int{2}),
}
dhSinglePass_stdDH_sha256kdf = asnECDHAlgorithm{
Algorithm: doScheme(secgScheme, []int{11, 1}),
}
dhSinglePass_stdDH_sha384kdf = asnECDHAlgorithm{
Algorithm: doScheme(secgScheme, []int{11, 2}),
}
dhSinglePass_stdDH_sha224kdf = asnECDHAlgorithm{
Algorithm: doScheme(secgScheme, []int{11, 0}),
}
dhSinglePass_stdDH_sha512kdf = asnECDHAlgorithm{
Algorithm: doScheme(secgScheme, []int{11, 3}),
}
)
func (a asnECDHAlgorithm) Cmp(b asnECDHAlgorithm) bool {
if len(a.Algorithm) != len(b.Algorithm) {
return false
}
for i, _ := range a.Algorithm {
if a.Algorithm[i] != b.Algorithm[i] {
return false
}
}
return true
}
// asnNISTConcatenation is the only supported KDF at this time.
type asnKeyDerivationFunction asnAlgorithmIdentifier
var asnNISTConcatenationKDF = asnKeyDerivationFunction{
Algorithm: doScheme(secgScheme, []int{17, 1}),
}
func (a asnKeyDerivationFunction) Cmp(b asnKeyDerivationFunction) bool {
if len(a.Algorithm) != len(b.Algorithm) {
return false
}
for i, _ := range a.Algorithm {
if a.Algorithm[i] != b.Algorithm[i] {
return false
}
}
return true
}
var eciesRecommendedParameters = doScheme(secgScheme, []int{7})
var eciesSpecifiedParameters = doScheme(secgScheme, []int{8})
type asnECIESParameters struct {
KDF asnKeyDerivationFunction `asn1:"optional"`
Sym asnSymmetricEncryption `asn1:"optional"`
MAC asnMessageAuthenticationCode `asn1:"optional"`
}
type asnSymmetricEncryption asnAlgorithmIdentifier
var (
aes128CTRinECIES = asnSymmetricEncryption{
Algorithm: doScheme(secgScheme, []int{21, 0}),
}
aes192CTRinECIES = asnSymmetricEncryption{
Algorithm: doScheme(secgScheme, []int{21, 1}),
}
aes256CTRinECIES = asnSymmetricEncryption{
Algorithm: doScheme(secgScheme, []int{21, 2}),
}
)
func (a asnSymmetricEncryption) Cmp(b asnSymmetricEncryption) bool {
if len(a.Algorithm) != len(b.Algorithm) {
return false
}
for i, _ := range a.Algorithm {
if a.Algorithm[i] != b.Algorithm[i] {
return false
}
}
return true
}
type asnMessageAuthenticationCode asnAlgorithmIdentifier
var (
hmacFull = asnMessageAuthenticationCode{
Algorithm: doScheme(secgScheme, []int{22}),
}
)
func (a asnMessageAuthenticationCode) Cmp(b asnMessageAuthenticationCode) bool {
if len(a.Algorithm) != len(b.Algorithm) {
return false
}
for i, _ := range a.Algorithm {
if a.Algorithm[i] != b.Algorithm[i] {
return false
}
}
return true
}
type ecpksSupplements struct {
ECDomain secgNamedCurve
ECCAlgorithms eccAlgorithmSet
}
type eccAlgorithmSet struct {
ECDH asnECDHAlgorithm `asn1:"optional"`
ECIES asnECIESParameters `asn1:"optional"`
}
func marshalSubjectPublicKeyInfo(pub *PublicKey) (subj asnSubjectPublicKeyInfo, err error) {
subj.Algorithm = idEcPublicKeySupplemented
curve, ok := oidFromNamedCurve(pub.Curve)
if !ok {
err = ErrInvalidPublicKey
return
}
subj.Supplements.ECDomain = curve
if pub.Params != nil {
subj.Supplements.ECCAlgorithms.ECDH = paramsToASNECDH(pub.Params)
subj.Supplements.ECCAlgorithms.ECIES = paramsToASNECIES(pub.Params)
}
pubkey := elliptic.Marshal(pub.Curve, pub.X, pub.Y)
subj.PublicKey = asn1.BitString{
BitLength: len(pubkey) * 8,
Bytes: pubkey,
}
return
}
// Encode a public key to DER format.
func MarshalPublic(pub *PublicKey) ([]byte, error) {
subj, err := marshalSubjectPublicKeyInfo(pub)
if err != nil {
return nil, err
}
return asn1.Marshal(subj)
}
// Decode a DER-encoded public key.
func UnmarshalPublic(in []byte) (pub *PublicKey, err error) {
var subj asnSubjectPublicKeyInfo
if _, err = asn1.Unmarshal(in, &subj); err != nil {
return
}
if !subj.Algorithm.Equal(idEcPublicKeySupplemented) {
err = ErrInvalidPublicKey
return
}
pub = new(PublicKey)
pub.Curve = namedCurveFromOID(subj.Supplements.ECDomain)
x, y := elliptic.Unmarshal(pub.Curve, subj.PublicKey.Bytes)
if x == nil {
err = ErrInvalidPublicKey
return
}
pub.X = x
pub.Y = y
pub.Params = new(ECIESParams)
asnECIEStoParams(subj.Supplements.ECCAlgorithms.ECIES, pub.Params)
asnECDHtoParams(subj.Supplements.ECCAlgorithms.ECDH, pub.Params)
if pub.Params == nil {
if pub.Params = ParamsFromCurve(pub.Curve); pub.Params == nil {
err = ErrInvalidPublicKey
}
}
return
}
func marshalPrivateKey(prv *PrivateKey) (ecprv asnPrivateKey, err error) {
ecprv.Version = asnECPrivKeyVer1
ecprv.Private = prv.D.Bytes()
var ok bool
ecprv.Curve, ok = oidFromNamedCurve(prv.PublicKey.Curve)
if !ok {
err = ErrInvalidPrivateKey
return
}
var pub []byte
if pub, err = MarshalPublic(&prv.PublicKey); err != nil {
return
} else {
ecprv.Public = asn1.BitString{
BitLength: len(pub) * 8,
Bytes: pub,
}
}
return
}
// Encode a private key to DER format.
func MarshalPrivate(prv *PrivateKey) ([]byte, error) {
ecprv, err := marshalPrivateKey(prv)
if err != nil {
return nil, err
}
return asn1.Marshal(ecprv)
}
// Decode a private key from a DER-encoded format.
func UnmarshalPrivate(in []byte) (prv *PrivateKey, err error) {
var ecprv asnPrivateKey
if _, err = asn1.Unmarshal(in, &ecprv); err != nil {
return
} else if ecprv.Version != asnECPrivKeyVer1 {
err = ErrInvalidPrivateKey
return
}
privateCurve := namedCurveFromOID(ecprv.Curve)
if privateCurve == nil {
err = ErrInvalidPrivateKey
return
}
prv = new(PrivateKey)
prv.D = new(big.Int).SetBytes(ecprv.Private)
if pub, err := UnmarshalPublic(ecprv.Public.Bytes); err != nil {
return nil, err
} else {
prv.PublicKey = *pub
}
return
}
// Export a public key to PEM format.
func ExportPublicPEM(pub *PublicKey) (out []byte, err error) {
der, err := MarshalPublic(pub)
if err != nil {
return
}
var block pem.Block
block.Type = "ELLIPTIC CURVE PUBLIC KEY"
block.Bytes = der
buf := new(bytes.Buffer)
err = pem.Encode(buf, &block)
if err != nil {
return
} else {
out = buf.Bytes()
}
return
}
// Export a private key to PEM format.
func ExportPrivatePEM(prv *PrivateKey) (out []byte, err error) {
der, err := MarshalPrivate(prv)
if err != nil {
return
}
var block pem.Block
block.Type = "ELLIPTIC CURVE PRIVATE KEY"
block.Bytes = der
buf := new(bytes.Buffer)
err = pem.Encode(buf, &block)
if err != nil {
return
} else {
out = buf.Bytes()
}
return
}
// Import a PEM-encoded public key.
func ImportPublicPEM(in []byte) (pub *PublicKey, err error) {
p, _ := pem.Decode(in)
if p == nil || p.Type != "ELLIPTIC CURVE PUBLIC KEY" {
return nil, ErrInvalidPublicKey
}
pub, err = UnmarshalPublic(p.Bytes)
return
}
// Import a PEM-encoded private key.
func ImportPrivatePEM(in []byte) (prv *PrivateKey, err error) {
p, _ := pem.Decode(in)
if p == nil || p.Type != "ELLIPTIC CURVE PRIVATE KEY" {
return nil, ErrInvalidPrivateKey
}
prv, err = UnmarshalPrivate(p.Bytes)
return
}