func decodeAuthMsg(prv *ecdsa.PrivateKey, token []byte, auth []byte) (*encHandshake, error) { var err error h := new(encHandshake) // generate random keypair for session h.randomPrivKey, err = ecies.GenerateKey(rand.Reader, crypto.S256(), nil) if err != nil { return nil, err } // generate random nonce h.respNonce = make([]byte, shaLen) if _, err = rand.Read(h.respNonce); err != nil { return nil, err } msg, err := crypto.Decrypt(prv, auth) if err != nil { return nil, fmt.Errorf("could not decrypt auth message (%v)", err) } // decode message parameters // signature || sha3(ecdhe-random-pubk) || pubk || nonce || token-flag h.initNonce = msg[authMsgLen-shaLen-1 : authMsgLen-1] copy(h.remoteID[:], msg[sigLen+shaLen:sigLen+shaLen+pubLen]) rpub, err := h.remoteID.Pubkey() if err != nil { return nil, fmt.Errorf("bad remoteID: %#v", err) } h.remotePub = ecies.ImportECDSAPublic(rpub) // recover remote random pubkey from signed message. if token == nil { // TODO: it is an error if the initiator has a token and we don't. check that. // no session token means we need to generate shared secret. // ecies shared secret is used as initial session token for new peers. // generate shared key from prv and remote pubkey. if token, err = h.ecdhShared(prv); err != nil { return nil, err } } signedMsg := xor(token, h.initNonce) remoteRandomPub, err := secp256k1.RecoverPubkey(signedMsg, msg[:sigLen]) if err != nil { return nil, err } // validate the sha3 of recovered pubkey remoteRandomPubMAC := msg[sigLen : sigLen+shaLen] shaRemoteRandomPub := crypto.Sha3(remoteRandomPub[1:]) if !bytes.Equal(remoteRandomPubMAC, shaRemoteRandomPub) { return nil, fmt.Errorf("sha3 of recovered ephemeral pubkey does not match checksum in auth message") } h.remoteRandomPub, _ = importPublicKey(remoteRandomPub) return h, nil }
func TestSharedSecret(t *testing.T) { prv0, _ := crypto.GenerateKey() // = ecdsa.GenerateKey(crypto.S256(), rand.Reader) pub0 := &prv0.PublicKey prv1, _ := crypto.GenerateKey() pub1 := &prv1.PublicKey ss0, err := ecies.ImportECDSA(prv0).GenerateShared(ecies.ImportECDSAPublic(pub1), sskLen, sskLen) if err != nil { return } ss1, err := ecies.ImportECDSA(prv1).GenerateShared(ecies.ImportECDSAPublic(pub0), sskLen, sskLen) if err != nil { return } t.Logf("Secret:\n%v %x\n%v %x", len(ss0), ss0, len(ss0), ss1) if !bytes.Equal(ss0, ss1) { t.Errorf("dont match :(") } }
// importPublicKey unmarshals 512 bit public keys. func importPublicKey(pubKey []byte) (*ecies.PublicKey, error) { var pubKey65 []byte switch len(pubKey) { case 64: // add 'uncompressed key' flag pubKey65 = append([]byte{0x04}, pubKey...) case 65: pubKey65 = pubKey default: return nil, fmt.Errorf("invalid public key length %v (expect 64/65)", len(pubKey)) } // TODO: fewer pointless conversions return ecies.ImportECDSAPublic(crypto.ToECDSAPub(pubKey65)), nil }
func newInitiatorHandshake(remoteID discover.NodeID) (*encHandshake, error) { rpub, err := remoteID.Pubkey() if err != nil { return nil, fmt.Errorf("bad remoteID: %v", err) } // generate random initiator nonce n := make([]byte, shaLen) if _, err := rand.Read(n); err != nil { return nil, err } // generate random keypair to use for signing randpriv, err := ecies.GenerateKey(rand.Reader, crypto.S256(), nil) if err != nil { return nil, err } h := &encHandshake{ initiator: true, remoteID: remoteID, remotePub: ecies.ImportECDSAPublic(rpub), initNonce: n, randomPrivKey: randpriv, } return h, nil }
func Encrypt(pub *ecdsa.PublicKey, message []byte) ([]byte, error) { return ecies.Encrypt(rand.Reader, ecies.ImportECDSAPublic(pub), message, nil, nil) }