// validateECPublicKey checks that the point is a valid public key for
// the given curve. See [SEC1], 3.2.2
func validateECPublicKey(curve elliptic.Curve, x, y *big.Int) bool {
if x.Sign() == 0 && y.Sign() == 0 {
return false
}
if x.Cmp(curve.Params().P) >= 0 {
return false
}
if y.Cmp(curve.Params().P) >= 0 {
return false
}
if !curve.IsOnCurve(x, y) {
return false
}
// We don't check if N * PubKey == 0, since
//
// - the NIST curves have cofactor = 1, so this is implicit.
// (We don't foresee an implementation that supports non NIST
// curves)
//
// - for ephemeral keys, we don't need to worry about small
// subgroup attacks.
return true
}
func (key rawJSONWebKey) ecPrivateKey() (*ecdsa.PrivateKey, error) {
var curve elliptic.Curve
switch key.Crv {
case "P-256":
curve = elliptic.P256()
case "P-384":
curve = elliptic.P384()
case "P-521":
curve = elliptic.P521()
default:
return nil, fmt.Errorf("square/go-jose: unsupported elliptic curve '%s'", key.Crv)
}
if key.X == nil || key.Y == nil || key.D == nil {
return nil, fmt.Errorf("square/go-jose: invalid EC private key, missing x/y/d values")
}
x := key.X.bigInt()
y := key.Y.bigInt()
if !curve.IsOnCurve(x, y) {
return nil, errors.New("square/go-jose: invalid EC key, X/Y are not on declared curve")
}
return &ecdsa.PrivateKey{
PublicKey: ecdsa.PublicKey{
Curve: curve,
X: x,
Y: y,
},
D: key.D.bigInt(),
}, nil
}
func testKeyGeneration(t *testing.T, c elliptic.Curve, tag string) {
priv, err := GenerateKey(c, rand.Reader)
if err != nil {
t.Errorf("%s: error: %s", tag, err)
return
}
if !c.IsOnCurve(priv.PublicKey.X, priv.PublicKey.Y) {
t.Errorf("%s: public key invalid: %s", tag, err)
}
}
// Generates an ephemeral public key and returns a function that will compute
// the shared secret key. Used in the identify module.
//
// Focuses only on ECDH now, but can be made more general in the future.
func GenerateEKeyPair(curveName string) ([]byte, GenSharedKey, error) {
var curve elliptic.Curve
switch curveName {
case "P-224":
curve = elliptic.P224()
case "P-256":
curve = elliptic.P256()
case "P-384":
curve = elliptic.P384()
case "P-521":
curve = elliptic.P521()
}
priv, x, y, err := elliptic.GenerateKey(curve, rand.Reader)
if err != nil {
return nil, nil, err
}
var pubKey bytes.Buffer
pubKey.Write(x.Bytes())
pubKey.Write(y.Bytes())
done := func(theirPub []byte) ([]byte, error) {
// Verify and unpack node's public key.
curveSize := curve.Params().BitSize
if len(theirPub) != (curveSize / 4) {
return nil, errors.New("Malformed public key.")
}
bound := (curveSize / 8)
x := big.NewInt(0)
y := big.NewInt(0)
x.SetBytes(theirPub[0:bound])
y.SetBytes(theirPub[bound : bound*2])
if !curve.IsOnCurve(x, y) {
return nil, errors.New("Invalid public key.")
}
// Generate shared secret.
secret, _ := curve.ScalarMult(x, y, priv)
return secret.Bytes(), nil
}
return pubKey.Bytes(), done, nil
}
func IsValidBox(c elliptic.Curve, box *Checkbox,
px *big.Int, py *big.Int) bool {
if !c.IsOnCurve(box.ax, box.ay) ||
!c.IsOnCurve(box.bx, box.by) {
return false
}
//Explanation of how this works
//(c1,r1) validates equality of log g A and log p B-g
//(c2, r2) validates euqality of log g A and log p B
//each of these proofs is just a Schnorr proof of knowledge of
//the log, which work for both simultaneously
//We require c1+c2=H(A, B t1,t2,t3,t4) which enforces that only one
//of these can be faked, hence giving an or proof
v1x, v1y := doublescalarmult(c, c.Params().Gx, c.Params().Gy,
box.r1.Bytes(), box.ax, box.ay, box.c1.Bytes())
t4x := c.Params().Gx
t4y := new(big.Int)
t4y.Neg(c.Params().Gy)
t4y.Mod(t4y, c.Params().P)
bgx, bgy := c.Add(box.bx, box.by, t4x, t4y)
v2x, v2y := doublescalarmult(c, px, py, box.r1.Bytes(),
bgx, bgy, box.c1.Bytes())
v3x, v3y := doublescalarmult(c, c.Params().Gx, c.Params().Gy,
box.r2.Bytes(), box.ax, box.ay, box.c2.Bytes())
v4x, v4y := doublescalarmult(c, px, py, box.r2.Bytes(),
box.bx, box.by, box.c2.Bytes())
var entries [6][]byte
entries[0] = elliptic.Marshal(c, box.ax, box.ay)
entries[1] = elliptic.Marshal(c, box.bx, box.by)
entries[2] = elliptic.Marshal(c, v1x, v1y)
entries[3] = elliptic.Marshal(c, v2x, v2y)
entries[4] = elliptic.Marshal(c, v3x, v3y)
entries[5] = elliptic.Marshal(c, v4x, v4y)
challenge := sha256.Sum256(bytes.Join(entries[:], []byte{}))
ctot := big.NewInt(0)
ctot.SetBytes(challenge[:])
ctot.Mod(ctot, c.Params().N)
t := big.NewInt(0)
t.Add(box.c1, box.c2)
t.Mod(t, c.Params().N)
if t.Cmp(ctot) != 0 {
return false
}
return true
}
// Generates an ephemeral public key and returns a function that will compute
// the shared secret key. Used in the identify module.
//
// Focuses only on ECDH now, but can be made more general in the future.
func GenerateEKeyPair(curveName string) ([]byte, GenSharedKey, error) {
var curve elliptic.Curve
switch curveName {
case "P-224":
curve = elliptic.P224()
case "P-256":
curve = elliptic.P256()
case "P-384":
curve = elliptic.P384()
case "P-521":
curve = elliptic.P521()
}
priv, x, y, err := elliptic.GenerateKey(curve, rand.Reader)
if err != nil {
return nil, nil, err
}
pubKey := elliptic.Marshal(curve, x, y)
// log.Debug("GenerateEKeyPair %d", len(pubKey))
done := func(theirPub []byte) ([]byte, error) {
// Verify and unpack node's public key.
x, y := elliptic.Unmarshal(curve, theirPub)
if x == nil {
return nil, fmt.Errorf("Malformed public key: %d %v", len(theirPub), theirPub)
}
if !curve.IsOnCurve(x, y) {
return nil, errors.New("Invalid public key.")
}
// Generate shared secret.
secret, _ := curve.ScalarMult(x, y, priv)
return secret.Bytes(), nil
}
return pubKey, done, nil
}
