// New methods using proper ecdsa keys from the stdlib func ToECDSA(prv []byte) *ecdsa.PrivateKey { if len(prv) == 0 { return nil } priv := new(ecdsa.PrivateKey) priv.PublicKey.Curve = secp256k1.S256() priv.D = common.BigD(prv) priv.PublicKey.X, priv.PublicKey.Y = secp256k1.S256().ScalarBaseMult(prv) return priv }
// TODO: remove after refactoring packages crypto and crypto/ecies func hexKey(prv string) *PrivateKey { priv := new(ecdsa.PrivateKey) priv.PublicKey.Curve = secp256k1.S256() priv.D, _ = new(big.Int).SetString(prv, 16) priv.PublicKey.X, priv.PublicKey.Y = secp256k1.S256().ScalarBaseMult(priv.D.Bytes()) return ImportECDSA(priv) }
func ToECDSAPub(pub []byte) *ecdsa.PublicKey { if len(pub) == 0 { return nil } x, y := elliptic.Unmarshal(secp256k1.S256(), pub) return &ecdsa.PublicKey{Curve: secp256k1.S256(), X: x, Y: y} }
// Tests whether a message can be signed, and wrapped in plain-text. func TestMessageCleartextSignRecover(t *testing.T) { key, err := crypto.GenerateKey() if err != nil { t.Fatalf("failed to create crypto key: %v", err) } payload := []byte("hello world") msg := NewMessage(payload) if _, err := msg.Wrap(DefaultPoW, Options{ From: key, }); err != nil { t.Fatalf("failed to sign message: %v", err) } if msg.Flags&signatureFlag != signatureFlag { t.Fatalf("signature flag mismatch: have %d, want %d", msg.Flags&signatureFlag, signatureFlag) } if bytes.Compare(msg.Payload, payload) != 0 { t.Fatalf("payload mismatch after signing: have 0x%x, want 0x%x", msg.Payload, payload) } pubKey := msg.Recover() if pubKey == nil { t.Fatalf("failed to recover public key") } p1 := elliptic.Marshal(secp256k1.S256(), key.PublicKey.X, key.PublicKey.Y) p2 := elliptic.Marshal(secp256k1.S256(), pubKey.X, pubKey.Y) if !bytes.Equal(p1, p2) { t.Fatalf("public key mismatch: have 0x%x, want 0x%x", p2, p1) } }
func SigToPub(hash, sig []byte) (*ecdsa.PublicKey, error) { s, err := Ecrecover(hash, sig) if err != nil { return nil, err } x, y := elliptic.Unmarshal(secp256k1.S256(), s) return &ecdsa.PublicKey{Curve: secp256k1.S256(), X: x, Y: y}, nil }
func newKey(rand io.Reader) (*Key, error) { privateKeyECDSA, err := ecdsa.GenerateKey(secp256k1.S256(), rand) if err != nil { return nil, err } return newKeyFromECDSA(privateKeyECDSA), nil }
func (h *encHandshake) handleAuthMsg(msg *authMsgV4, prv *ecdsa.PrivateKey) error { // Import the remote identity. h.initNonce = msg.Nonce[:] h.remoteID = msg.InitiatorPubkey rpub, err := h.remoteID.Pubkey() if err != nil { return fmt.Errorf("bad remoteID: %#v", err) } h.remotePub = ecies.ImportECDSAPublic(rpub) // Generate random keypair for ECDH. // If a private key is already set, use it instead of generating one (for testing). if h.randomPrivKey == nil { h.randomPrivKey, err = ecies.GenerateKey(rand.Reader, secp256k1.S256(), nil) if err != nil { return err } } // Check the signature. token, err := h.staticSharedSecret(prv) if err != nil { return err } signedMsg := xor(token, h.initNonce) remoteRandomPub, err := secp256k1.RecoverPubkey(signedMsg, msg.Signature[:]) if err != nil { return err } h.remoteRandomPub, _ = importPublicKey(remoteRandomPub) return nil }
// makeAuthMsg creates the initiator handshake message. func (h *encHandshake) makeAuthMsg(prv *ecdsa.PrivateKey, token []byte) (*authMsgV4, error) { rpub, err := h.remoteID.Pubkey() if err != nil { return nil, fmt.Errorf("bad remoteID: %v", err) } h.remotePub = ecies.ImportECDSAPublic(rpub) // Generate random initiator nonce. h.initNonce = make([]byte, shaLen) if _, err := rand.Read(h.initNonce); err != nil { return nil, err } // Generate random keypair to for ECDH. h.randomPrivKey, err = ecies.GenerateKey(rand.Reader, secp256k1.S256(), nil) if err != nil { return nil, err } // Sign known message: static-shared-secret ^ nonce token, err = h.staticSharedSecret(prv) if err != nil { return nil, err } signed := xor(token, h.initNonce) signature, err := crypto.Sign(signed, h.randomPrivKey.ExportECDSA()) if err != nil { return nil, err } msg := new(authMsgV4) copy(msg.Signature[:], signature) copy(msg.InitiatorPubkey[:], crypto.FromECDSAPub(&prv.PublicKey)[1:]) copy(msg.Nonce[:], h.initNonce) msg.Version = 4 return msg, nil }
// Tests whether a message can be properly signed and encrypted. func TestMessageFullCrypto(t *testing.T) { fromKey, err := crypto.GenerateKey() if err != nil { t.Fatalf("failed to create sender crypto key: %v", err) } toKey, err := crypto.GenerateKey() if err != nil { t.Fatalf("failed to create recipient crypto key: %v", err) } payload := []byte("hello world") msg := NewMessage(payload) envelope, err := msg.Wrap(DefaultPoW, Options{ From: fromKey, To: &toKey.PublicKey, }) if err != nil { t.Fatalf("failed to encrypt message: %v", err) } if msg.Flags&signatureFlag != signatureFlag { t.Fatalf("signature flag mismatch: have %d, want %d", msg.Flags&signatureFlag, signatureFlag) } if len(msg.Signature) == 0 { t.Fatalf("no signature found for signed message") } out, err := envelope.Open(toKey) if err != nil { t.Fatalf("failed to open encrypted message: %v", err) } if !bytes.Equal(out.Payload, payload) { t.Errorf("payload mismatch: have 0x%x, want 0x%x", out.Payload, payload) } pubKey := out.Recover() if pubKey == nil { t.Fatalf("failed to recover public key") } p1 := elliptic.Marshal(secp256k1.S256(), fromKey.PublicKey.X, fromKey.PublicKey.Y) p2 := elliptic.Marshal(secp256k1.S256(), pubKey.X, pubKey.Y) if !bytes.Equal(p1, p2) { t.Fatalf("public key mismatch: have 0x%x, want 0x%x", p2, p1) } }
// Pubkey returns the public key represented by the node ID. // It returns an error if the ID is not a point on the curve. func (id NodeID) Pubkey() (*ecdsa.PublicKey, error) { p := &ecdsa.PublicKey{Curve: secp256k1.S256(), X: new(big.Int), Y: new(big.Int)} half := len(id) / 2 p.X.SetBytes(id[:half]) p.Y.SetBytes(id[half:]) if !p.Curve.IsOnCurve(p.X, p.Y) { return nil, errors.New("id is invalid secp256k1 curve point") } return p, nil }
// Benchmark the generation of S256 shared keys. func BenchmarkGenSharedKeyS256(b *testing.B) { prv, err := GenerateKey(rand.Reader, secp256k1.S256(), nil) if err != nil { fmt.Println(err.Error()) b.FailNow() } b.ResetTimer() for i := 0; i < b.N; i++ { _, err := prv.GenerateShared(&prv.PublicKey, 16, 16) if err != nil { fmt.Println(err.Error()) b.FailNow() } } }
// NewKeyForDirectICAP generates a key whose address fits into < 155 bits so it can fit // into the Direct ICAP spec. for simplicity and easier compatibility with other libs, we // retry until the first byte is 0. func NewKeyForDirectICAP(rand io.Reader) *Key { randBytes := make([]byte, 64) _, err := rand.Read(randBytes) if err != nil { panic("key generation: could not read from random source: " + err.Error()) } reader := bytes.NewReader(randBytes) privateKeyECDSA, err := ecdsa.GenerateKey(secp256k1.S256(), reader) if err != nil { panic("key generation: ecdsa.GenerateKey failed: " + err.Error()) } key := newKeyFromECDSA(privateKeyECDSA) if !strings.HasPrefix(key.Address.Hex(), "0x00") { return NewKeyForDirectICAP(rand) } return key }
func GenerateKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(secp256k1.S256(), rand.Reader) }
func FromECDSAPub(pub *ecdsa.PublicKey) []byte { if pub == nil || pub.X == nil || pub.Y == nil { return nil } return elliptic.Marshal(secp256k1.S256(), pub.X, pub.Y) }
import ( "crypto" "crypto/aes" "crypto/cipher" "crypto/elliptic" "crypto/sha256" "crypto/sha512" "fmt" "hash" "github.com/expanse-project/go-expanse/crypto/secp256k1" ) var ( DefaultCurve = secp256k1.S256() ErrUnsupportedECDHAlgorithm = fmt.Errorf("ecies: unsupported ECDH algorithm") ErrUnsupportedECIESParameters = fmt.Errorf("ecies: unsupported ECIES parameters") ) type ECIESParams struct { Hash func() hash.Hash // hash function hashAlgo crypto.Hash Cipher func([]byte) (cipher.Block, error) // symmetric cipher BlockSize int // block size of symmetric cipher KeyLen int // length of symmetric key } // Standard ECIES parameters: // * ECIES using AES128 and HMAC-SHA-256-16 // * ECIES using AES256 and HMAC-SHA-256-32