ecdsa.go

     1  // Copyright 2011 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  // Package ecdsa implements the Elliptic Curve Digital Signature Algorithm, as
     6  // defined in FIPS 186-4 and SEC 1, Version 2.0.
     7  //
     8  // Signatures generated by this package are not deterministic, but entropy is
     9  // mixed with the private key and the message, achieving the same level of
    10  // security in case of randomness source failure.
    11  //
    12  // Operations involving private keys are implemented using constant-time
    13  // algorithms, as long as an [elliptic.Curve] returned by [elliptic.P224],
    14  // [elliptic.P256], [elliptic.P384], or [elliptic.P521] is used.
    15  package ecdsa
    16  
    17  // [FIPS 186-4] references ANSI X9.62-2005 for the bulk of the ECDSA algorithm.
    18  // That standard is not freely available, which is a problem in an open source
    19  // implementation, because not only the implementer, but also any maintainer,
    20  // contributor, reviewer, auditor, and learner needs access to it. Instead, this
    21  // package references and follows the equivalent [SEC 1, Version 2.0].
    22  //
    23  // [FIPS 186-4]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
    24  // [SEC 1, Version 2.0]: https://www.secg.org/sec1-v2.pdf
    25  
    26  import (
    27  	"bytes"
    28  	"crypto"
    29  	"crypto/aes"
    30  	"crypto/cipher"
    31  	"crypto/ecdh"
    32  	"crypto/elliptic"
    33  	"crypto/internal/bigmod"
    34  	"crypto/internal/boring"
    35  	"crypto/internal/boring/bbig"
    36  	"crypto/internal/nistec"
    37  	"crypto/internal/randutil"
    38  	"crypto/sha512"
    39  	"crypto/subtle"
    40  	"errors"
    41  	"io"
    42  	"math/big"
    43  	"sync"
    44  
    45  	"golang.org/x/crypto/cryptobyte"
    46  	"golang.org/x/crypto/cryptobyte/asn1"
    47  )
    48  
    49  // PublicKey represents an ECDSA public key.
    50  type PublicKey struct {
    51  	elliptic.Curve
    52  	X, Y *big.Int
    53  }
    54  
    55  // Any methods implemented on PublicKey might need to also be implemented on
    56  // PrivateKey, as the latter embeds the former and will expose its methods.
    57  
    58  // ECDH returns k as a [ecdh.PublicKey]. It returns an error if the key is
    59  // invalid according to the definition of [ecdh.Curve.NewPublicKey], or if the
    60  // Curve is not supported by crypto/ecdh.
    61  func (k *PublicKey) ECDH() (*ecdh.PublicKey, error) {
    62  	c := curveToECDH(k.Curve)
    63  	if c == nil {
    64  		return nil, errors.New("ecdsa: unsupported curve by crypto/ecdh")
    65  	}
    66  	if !k.Curve.IsOnCurve(k.X, k.Y) {
    67  		return nil, errors.New("ecdsa: invalid public key")
    68  	}
    69  	return c.NewPublicKey(elliptic.Marshal(k.Curve, k.X, k.Y))
    70  }
    71  
    72  // Equal reports whether pub and x have the same value.
    73  //
    74  // Two keys are only considered to have the same value if they have the same Curve value.
    75  // Note that for example [elliptic.P256] and elliptic.P256().Params() are different
    76  // values, as the latter is a generic not constant time implementation.
    77  func (pub *PublicKey) Equal(x crypto.PublicKey) bool {
    78  	xx, ok := x.(*PublicKey)
    79  	if !ok {
    80  		return false
    81  	}
    82  	return bigIntEqual(pub.X, xx.X) && bigIntEqual(pub.Y, xx.Y) &&
    83  		// Standard library Curve implementations are singletons, so this check
    84  		// will work for those. Other Curves might be equivalent even if not
    85  		// singletons, but there is no definitive way to check for that, and
    86  		// better to err on the side of safety.
    87  		pub.Curve == xx.Curve
    88  }
    89  
    90  // PrivateKey represents an ECDSA private key.
    91  type PrivateKey struct {
    92  	PublicKey
    93  	D *big.Int
    94  }
    95  
    96  // ECDH returns k as a [ecdh.PrivateKey]. It returns an error if the key is
    97  // invalid according to the definition of [ecdh.Curve.NewPrivateKey], or if the
    98  // Curve is not supported by [crypto/ecdh].
    99  func (k *PrivateKey) ECDH() (*ecdh.PrivateKey, error) {
   100  	c := curveToECDH(k.Curve)
   101  	if c == nil {
   102  		return nil, errors.New("ecdsa: unsupported curve by crypto/ecdh")
   103  	}
   104  	size := (k.Curve.Params().N.BitLen() + 7) / 8
   105  	if k.D.BitLen() > size*8 {
   106  		return nil, errors.New("ecdsa: invalid private key")
   107  	}
   108  	return c.NewPrivateKey(k.D.FillBytes(make([]byte, size)))
   109  }
   110  
   111  func curveToECDH(c elliptic.Curve) ecdh.Curve {
   112  	switch c {
   113  	case elliptic.P256():
   114  		return ecdh.P256()
   115  	case elliptic.P384():
   116  		return ecdh.P384()
   117  	case elliptic.P521():
   118  		return ecdh.P521()
   119  	default:
   120  		return nil
   121  	}
   122  }
   123  
   124  // Public returns the public key corresponding to priv.
   125  func (priv *PrivateKey) Public() crypto.PublicKey {
   126  	return &priv.PublicKey
   127  }
   128  
   129  // Equal reports whether priv and x have the same value.
   130  //
   131  // See [PublicKey.Equal] for details on how Curve is compared.
   132  func (priv *PrivateKey) Equal(x crypto.PrivateKey) bool {
   133  	xx, ok := x.(*PrivateKey)
   134  	if !ok {
   135  		return false
   136  	}
   137  	return priv.PublicKey.Equal(&xx.PublicKey) && bigIntEqual(priv.D, xx.D)
   138  }
   139  
   140  // bigIntEqual reports whether a and b are equal leaking only their bit length
   141  // through timing side-channels.
   142  func bigIntEqual(a, b *big.Int) bool {
   143  	return subtle.ConstantTimeCompare(a.Bytes(), b.Bytes()) == 1
   144  }
   145  
   146  // Sign signs digest with priv, reading randomness from rand. The opts argument
   147  // is not currently used but, in keeping with the crypto.Signer interface,
   148  // should be the hash function used to digest the message.
   149  //
   150  // This method implements crypto.Signer, which is an interface to support keys
   151  // where the private part is kept in, for example, a hardware module. Common
   152  // uses can use the [SignASN1] function in this package directly.
   153  func (priv *PrivateKey) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
   154  	return SignASN1(rand, priv, digest)
   155  }
   156  
   157  // GenerateKey generates a new ECDSA private key for the specified curve.
   158  //
   159  // Most applications should use [crypto/rand.Reader] as rand. Note that the
   160  // returned key does not depend deterministically on the bytes read from rand,
   161  // and may change between calls and/or between versions.
   162  func GenerateKey(c elliptic.Curve, rand io.Reader) (*PrivateKey, error) {
   163  	randutil.MaybeReadByte(rand)
   164  
   165  	if boring.Enabled && rand == boring.RandReader {
   166  		x, y, d, err := boring.GenerateKeyECDSA(c.Params().Name)
   167  		if err != nil {
   168  			return nil, err
   169  		}
   170  		return &PrivateKey{PublicKey: PublicKey{Curve: c, X: bbig.Dec(x), Y: bbig.Dec(y)}, D: bbig.Dec(d)}, nil
   171  	}
   172  	boring.UnreachableExceptTests()
   173  
   174  	switch c.Params() {
   175  	case elliptic.P224().Params():
   176  		return generateNISTEC(p224(), rand)
   177  	case elliptic.P256().Params():
   178  		return generateNISTEC(p256(), rand)
   179  	case elliptic.P384().Params():
   180  		return generateNISTEC(p384(), rand)
   181  	case elliptic.P521().Params():
   182  		return generateNISTEC(p521(), rand)
   183  	default:
   184  		return generateLegacy(c, rand)
   185  	}
   186  }
   187  
   188  func generateNISTEC[Point nistPoint[Point]](c *nistCurve[Point], rand io.Reader) (*PrivateKey, error) {
   189  	k, Q, err := randomPoint(c, rand)
   190  	if err != nil {
   191  		return nil, err
   192  	}
   193  
   194  	priv := new(PrivateKey)
   195  	priv.PublicKey.Curve = c.curve
   196  	priv.D = new(big.Int).SetBytes(k.Bytes(c.N))
   197  	priv.PublicKey.X, priv.PublicKey.Y, err = c.pointToAffine(Q)
   198  	if err != nil {
   199  		return nil, err
   200  	}
   201  	return priv, nil
   202  }
   203  
   204  // randomPoint returns a random scalar and the corresponding point using the
   205  // procedure given in FIPS 186-4, Appendix B.5.2 (rejection sampling).
   206  func randomPoint[Point nistPoint[Point]](c *nistCurve[Point], rand io.Reader) (k *bigmod.Nat, p Point, err error) {
   207  	k = bigmod.NewNat()
   208  	for {
   209  		b := make([]byte, c.N.Size())
   210  		if _, err = io.ReadFull(rand, b); err != nil {
   211  			return
   212  		}
   213  
   214  		// Mask off any excess bits to increase the chance of hitting a value in
   215  		// (0, N). These are the most dangerous lines in the package and maybe in
   216  		// the library: a single bit of bias in the selection of nonces would likely
   217  		// lead to key recovery, but no tests would fail. Look but DO NOT TOUCH.
   218  		if excess := len(b)*8 - c.N.BitLen(); excess > 0 {
   219  			// Just to be safe, assert that this only happens for the one curve that
   220  			// doesn't have a round number of bits.
   221  			if excess != 0 && c.curve.Params().Name != "P-521" {
   222  				panic("ecdsa: internal error: unexpectedly masking off bits")
   223  			}
   224  			b[0] >>= excess
   225  		}
   226  
   227  		// FIPS 186-4 makes us check k <= N - 2 and then add one.
   228  		// Checking 0 < k <= N - 1 is strictly equivalent.
   229  		// None of this matters anyway because the chance of selecting
   230  		// zero is cryptographically negligible.
   231  		if _, err = k.SetBytes(b, c.N); err == nil && k.IsZero() == 0 {
   232  			break
   233  		}
   234  
   235  		if testingOnlyRejectionSamplingLooped != nil {
   236  			testingOnlyRejectionSamplingLooped()
   237  		}
   238  	}
   239  
   240  	p, err = c.newPoint().ScalarBaseMult(k.Bytes(c.N))
   241  	return
   242  }
   243  
   244  // testingOnlyRejectionSamplingLooped is called when rejection sampling in
   245  // randomPoint rejects a candidate for being higher than the modulus.
   246  var testingOnlyRejectionSamplingLooped func()
   247  
   248  // errNoAsm is returned by signAsm and verifyAsm when the assembly
   249  // implementation is not available.
   250  var errNoAsm = errors.New("no assembly implementation available")
   251  
   252  // SignASN1 signs a hash (which should be the result of hashing a larger message)
   253  // using the private key, priv. If the hash is longer than the bit-length of the
   254  // private key's curve order, the hash will be truncated to that length. It
   255  // returns the ASN.1 encoded signature.
   256  //
   257  // The signature is randomized. Most applications should use [crypto/rand.Reader]
   258  // as rand. Note that the returned signature does not depend deterministically on
   259  // the bytes read from rand, and may change between calls and/or between versions.
   260  func SignASN1(rand io.Reader, priv *PrivateKey, hash []byte) ([]byte, error) {
   261  	randutil.MaybeReadByte(rand)
   262  
   263  	if boring.Enabled && rand == boring.RandReader {
   264  		b, err := boringPrivateKey(priv)
   265  		if err != nil {
   266  			return nil, err
   267  		}
   268  		return boring.SignMarshalECDSA(b, hash)
   269  	}
   270  	boring.UnreachableExceptTests()
   271  
   272  	csprng, err := mixedCSPRNG(rand, priv, hash)
   273  	if err != nil {
   274  		return nil, err
   275  	}
   276  
   277  	if sig, err := signAsm(priv, csprng, hash); err != errNoAsm {
   278  		return sig, err
   279  	}
   280  
   281  	switch priv.Curve.Params() {
   282  	case elliptic.P224().Params():
   283  		return signNISTEC(p224(), priv, csprng, hash)
   284  	case elliptic.P256().Params():
   285  		return signNISTEC(p256(), priv, csprng, hash)
   286  	case elliptic.P384().Params():
   287  		return signNISTEC(p384(), priv, csprng, hash)
   288  	case elliptic.P521().Params():
   289  		return signNISTEC(p521(), priv, csprng, hash)
   290  	default:
   291  		return signLegacy(priv, csprng, hash)
   292  	}
   293  }
   294  
   295  func signNISTEC[Point nistPoint[Point]](c *nistCurve[Point], priv *PrivateKey, csprng io.Reader, hash []byte) (sig []byte, err error) {
   296  	// SEC 1, Version 2.0, Section 4.1.3
   297  
   298  	k, R, err := randomPoint(c, csprng)
   299  	if err != nil {
   300  		return nil, err
   301  	}
   302  
   303  	// kInv = k⁻¹
   304  	kInv := bigmod.NewNat()
   305  	inverse(c, kInv, k)
   306  
   307  	Rx, err := R.BytesX()
   308  	if err != nil {
   309  		return nil, err
   310  	}
   311  	r, err := bigmod.NewNat().SetOverflowingBytes(Rx, c.N)
   312  	if err != nil {
   313  		return nil, err
   314  	}
   315  
   316  	// The spec wants us to retry here, but the chance of hitting this condition
   317  	// on a large prime-order group like the NIST curves we support is
   318  	// cryptographically negligible. If we hit it, something is awfully wrong.
   319  	if r.IsZero() == 1 {
   320  		return nil, errors.New("ecdsa: internal error: r is zero")
   321  	}
   322  
   323  	e := bigmod.NewNat()
   324  	hashToNat(c, e, hash)
   325  
   326  	s, err := bigmod.NewNat().SetBytes(priv.D.Bytes(), c.N)
   327  	if err != nil {
   328  		return nil, err
   329  	}
   330  	s.Mul(r, c.N)
   331  	s.Add(e, c.N)
   332  	s.Mul(kInv, c.N)
   333  
   334  	// Again, the chance of this happening is cryptographically negligible.
   335  	if s.IsZero() == 1 {
   336  		return nil, errors.New("ecdsa: internal error: s is zero")
   337  	}
   338  
   339  	return encodeSignature(r.Bytes(c.N), s.Bytes(c.N))
   340  }
   341  
   342  func encodeSignature(r, s []byte) ([]byte, error) {
   343  	var b cryptobyte.Builder
   344  	b.AddASN1(asn1.SEQUENCE, func(b *cryptobyte.Builder) {
   345  		addASN1IntBytes(b, r)
   346  		addASN1IntBytes(b, s)
   347  	})
   348  	return b.Bytes()
   349  }
   350  
   351  // addASN1IntBytes encodes in ASN.1 a positive integer represented as
   352  // a big-endian byte slice with zero or more leading zeroes.
   353  func addASN1IntBytes(b *cryptobyte.Builder, bytes []byte) {
   354  	for len(bytes) > 0 && bytes[0] == 0 {
   355  		bytes = bytes[1:]
   356  	}
   357  	if len(bytes) == 0 {
   358  		b.SetError(errors.New("invalid integer"))
   359  		return
   360  	}
   361  	b.AddASN1(asn1.INTEGER, func(c *cryptobyte.Builder) {
   362  		if bytes[0]&0x80 != 0 {
   363  			c.AddUint8(0)
   364  		}
   365  		c.AddBytes(bytes)
   366  	})
   367  }
   368  
   369  // inverse sets kInv to the inverse of k modulo the order of the curve.
   370  func inverse[Point nistPoint[Point]](c *nistCurve[Point], kInv, k *bigmod.Nat) {
   371  	if c.curve.Params().Name == "P-256" {
   372  		kBytes, err := nistec.P256OrdInverse(k.Bytes(c.N))
   373  		// Some platforms don't implement P256OrdInverse, and always return an error.
   374  		if err == nil {
   375  			_, err := kInv.SetBytes(kBytes, c.N)
   376  			if err != nil {
   377  				panic("ecdsa: internal error: P256OrdInverse produced an invalid value")
   378  			}
   379  			return
   380  		}
   381  	}
   382  
   383  	// Calculate the inverse of s in GF(N) using Fermat's method
   384  	// (exponentiation modulo P - 2, per Euler's theorem)
   385  	kInv.Exp(k, c.nMinus2, c.N)
   386  }
   387  
   388  // hashToNat sets e to the left-most bits of hash, according to
   389  // SEC 1, Section 4.1.3, point 5 and Section 4.1.4, point 3.
   390  func hashToNat[Point nistPoint[Point]](c *nistCurve[Point], e *bigmod.Nat, hash []byte) {
   391  	// ECDSA asks us to take the left-most log2(N) bits of hash, and use them as
   392  	// an integer modulo N. This is the absolute worst of all worlds: we still
   393  	// have to reduce, because the result might still overflow N, but to take
   394  	// the left-most bits for P-521 we have to do a right shift.
   395  	if size := c.N.Size(); len(hash) >= size {
   396  		hash = hash[:size]
   397  		if excess := len(hash)*8 - c.N.BitLen(); excess > 0 {
   398  			hash = bytes.Clone(hash)
   399  			for i := len(hash) - 1; i >= 0; i-- {
   400  				hash[i] >>= excess
   401  				if i > 0 {
   402  					hash[i] |= hash[i-1] << (8 - excess)
   403  				}
   404  			}
   405  		}
   406  	}
   407  	_, err := e.SetOverflowingBytes(hash, c.N)
   408  	if err != nil {
   409  		panic("ecdsa: internal error: truncated hash is too long")
   410  	}
   411  }
   412  
   413  // mixedCSPRNG returns a CSPRNG that mixes entropy from rand with the message
   414  // and the private key, to protect the key in case rand fails. This is
   415  // equivalent in security to RFC 6979 deterministic nonce generation, but still
   416  // produces randomized signatures.
   417  func mixedCSPRNG(rand io.Reader, priv *PrivateKey, hash []byte) (io.Reader, error) {
   418  	// This implementation derives the nonce from an AES-CTR CSPRNG keyed by:
   419  	//
   420  	//    SHA2-512(priv.D || entropy || hash)[:32]
   421  	//
   422  	// The CSPRNG key is indifferentiable from a random oracle as shown in
   423  	// [Coron], the AES-CTR stream is indifferentiable from a random oracle
   424  	// under standard cryptographic assumptions (see [Larsson] for examples).
   425  	//
   426  	// [Coron]: https://cs.nyu.edu/~dodis/ps/merkle.pdf
   427  	// [Larsson]: https://web.archive.org/web/20040719170906/https://www.nada.kth.se/kurser/kth/2D1441/semteo03/lecturenotes/assump.pdf
   428  
   429  	// Get 256 bits of entropy from rand.
   430  	entropy := make([]byte, 32)
   431  	if _, err := io.ReadFull(rand, entropy); err != nil {
   432  		return nil, err
   433  	}
   434  
   435  	// Initialize an SHA-512 hash context; digest...
   436  	md := sha512.New()
   437  	md.Write(priv.D.Bytes()) // the private key,
   438  	md.Write(entropy)        // the entropy,
   439  	md.Write(hash)           // and the input hash;
   440  	key := md.Sum(nil)[:32]  // and compute ChopMD-256(SHA-512),
   441  	// which is an indifferentiable MAC.
   442  
   443  	// Create an AES-CTR instance to use as a CSPRNG.
   444  	block, err := aes.NewCipher(key)
   445  	if err != nil {
   446  		return nil, err
   447  	}
   448  
   449  	// Create a CSPRNG that xors a stream of zeros with
   450  	// the output of the AES-CTR instance.
   451  	const aesIV = "IV for ECDSA CTR"
   452  	return &cipher.StreamReader{
   453  		R: zeroReader,
   454  		S: cipher.NewCTR(block, []byte(aesIV)),
   455  	}, nil
   456  }
   457  
   458  type zr struct{}
   459  
   460  var zeroReader = zr{}
   461  
   462  // Read replaces the contents of dst with zeros. It is safe for concurrent use.
   463  func (zr) Read(dst []byte) (n int, err error) {
   464  	clear(dst)
   465  	return len(dst), nil
   466  }
   467  
   468  // VerifyASN1 verifies the ASN.1 encoded signature, sig, of hash using the
   469  // public key, pub. Its return value records whether the signature is valid.
   470  //
   471  // The inputs are not considered confidential, and may leak through timing side
   472  // channels, or if an attacker has control of part of the inputs.
   473  func VerifyASN1(pub *PublicKey, hash, sig []byte) bool {
   474  	if boring.Enabled {
   475  		key, err := boringPublicKey(pub)
   476  		if err != nil {
   477  			return false
   478  		}
   479  		return boring.VerifyECDSA(key, hash, sig)
   480  	}
   481  	boring.UnreachableExceptTests()
   482  
   483  	if err := verifyAsm(pub, hash, sig); err != errNoAsm {
   484  		return err == nil
   485  	}
   486  
   487  	switch pub.Curve.Params() {
   488  	case elliptic.P224().Params():
   489  		return verifyNISTEC(p224(), pub, hash, sig)
   490  	case elliptic.P256().Params():
   491  		return verifyNISTEC(p256(), pub, hash, sig)
   492  	case elliptic.P384().Params():
   493  		return verifyNISTEC(p384(), pub, hash, sig)
   494  	case elliptic.P521().Params():
   495  		return verifyNISTEC(p521(), pub, hash, sig)
   496  	default:
   497  		return verifyLegacy(pub, hash, sig)
   498  	}
   499  }
   500  
   501  func verifyNISTEC[Point nistPoint[Point]](c *nistCurve[Point], pub *PublicKey, hash, sig []byte) bool {
   502  	rBytes, sBytes, err := parseSignature(sig)
   503  	if err != nil {
   504  		return false
   505  	}
   506  
   507  	Q, err := c.pointFromAffine(pub.X, pub.Y)
   508  	if err != nil {
   509  		return false
   510  	}
   511  
   512  	// SEC 1, Version 2.0, Section 4.1.4
   513  
   514  	r, err := bigmod.NewNat().SetBytes(rBytes, c.N)
   515  	if err != nil || r.IsZero() == 1 {
   516  		return false
   517  	}
   518  	s, err := bigmod.NewNat().SetBytes(sBytes, c.N)
   519  	if err != nil || s.IsZero() == 1 {
   520  		return false
   521  	}
   522  
   523  	e := bigmod.NewNat()
   524  	hashToNat(c, e, hash)
   525  
   526  	// w = s⁻¹
   527  	w := bigmod.NewNat()
   528  	inverse(c, w, s)
   529  
   530  	// p₁ = [e * s⁻¹]G
   531  	p1, err := c.newPoint().ScalarBaseMult(e.Mul(w, c.N).Bytes(c.N))
   532  	if err != nil {
   533  		return false
   534  	}
   535  	// p₂ = [r * s⁻¹]Q
   536  	p2, err := Q.ScalarMult(Q, w.Mul(r, c.N).Bytes(c.N))
   537  	if err != nil {
   538  		return false
   539  	}
   540  	// BytesX returns an error for the point at infinity.
   541  	Rx, err := p1.Add(p1, p2).BytesX()
   542  	if err != nil {
   543  		return false
   544  	}
   545  
   546  	v, err := bigmod.NewNat().SetOverflowingBytes(Rx, c.N)
   547  	if err != nil {
   548  		return false
   549  	}
   550  
   551  	return v.Equal(r) == 1
   552  }
   553  
   554  func parseSignature(sig []byte) (r, s []byte, err error) {
   555  	var inner cryptobyte.String
   556  	input := cryptobyte.String(sig)
   557  	if !input.ReadASN1(&inner, asn1.SEQUENCE) ||
   558  		!input.Empty() ||
   559  		!inner.ReadASN1Integer(&r) ||
   560  		!inner.ReadASN1Integer(&s) ||
   561  		!inner.Empty() {
   562  		return nil, nil, errors.New("invalid ASN.1")
   563  	}
   564  	return r, s, nil
   565  }
   566  
   567  type nistCurve[Point nistPoint[Point]] struct {
   568  	newPoint func() Point
   569  	curve    elliptic.Curve
   570  	N        *bigmod.Modulus
   571  	nMinus2  []byte
   572  }
   573  
   574  // nistPoint is a generic constraint for the nistec Point types.
   575  type nistPoint[T any] interface {
   576  	Bytes() []byte
   577  	BytesX() ([]byte, error)
   578  	SetBytes([]byte) (T, error)
   579  	Add(T, T) T
   580  	ScalarMult(T, []byte) (T, error)
   581  	ScalarBaseMult([]byte) (T, error)
   582  }
   583  
   584  // pointFromAffine is used to convert the PublicKey to a nistec Point.
   585  func (curve *nistCurve[Point]) pointFromAffine(x, y *big.Int) (p Point, err error) {
   586  	bitSize := curve.curve.Params().BitSize
   587  	// Reject values that would not get correctly encoded.
   588  	if x.Sign() < 0 || y.Sign() < 0 {
   589  		return p, errors.New("negative coordinate")
   590  	}
   591  	if x.BitLen() > bitSize || y.BitLen() > bitSize {
   592  		return p, errors.New("overflowing coordinate")
   593  	}
   594  	// Encode the coordinates and let SetBytes reject invalid points.
   595  	byteLen := (bitSize + 7) / 8
   596  	buf := make([]byte, 1+2*byteLen)
   597  	buf[0] = 4 // uncompressed point
   598  	x.FillBytes(buf[1 : 1+byteLen])
   599  	y.FillBytes(buf[1+byteLen : 1+2*byteLen])
   600  	return curve.newPoint().SetBytes(buf)
   601  }
   602  
   603  // pointToAffine is used to convert a nistec Point to a PublicKey.
   604  func (curve *nistCurve[Point]) pointToAffine(p Point) (x, y *big.Int, err error) {
   605  	out := p.Bytes()
   606  	if len(out) == 1 && out[0] == 0 {
   607  		// This is the encoding of the point at infinity.
   608  		return nil, nil, errors.New("ecdsa: public key point is the infinity")
   609  	}
   610  	byteLen := (curve.curve.Params().BitSize + 7) / 8
   611  	x = new(big.Int).SetBytes(out[1 : 1+byteLen])
   612  	y = new(big.Int).SetBytes(out[1+byteLen:])
   613  	return x, y, nil
   614  }
   615  
   616  var p224Once sync.Once
   617  var _p224 *nistCurve[*nistec.P224Point]
   618  
   619  func p224() *nistCurve[*nistec.P224Point] {
   620  	p224Once.Do(func() {
   621  		_p224 = &nistCurve[*nistec.P224Point]{
   622  			newPoint: func() *nistec.P224Point { return nistec.NewP224Point() },
   623  		}
   624  		precomputeParams(_p224, elliptic.P224())
   625  	})
   626  	return _p224
   627  }
   628  
   629  var p256Once sync.Once
   630  var _p256 *nistCurve[*nistec.P256Point]
   631  
   632  func p256() *nistCurve[*nistec.P256Point] {
   633  	p256Once.Do(func() {
   634  		_p256 = &nistCurve[*nistec.P256Point]{
   635  			newPoint: func() *nistec.P256Point { return nistec.NewP256Point() },
   636  		}
   637  		precomputeParams(_p256, elliptic.P256())
   638  	})
   639  	return _p256
   640  }
   641  
   642  var p384Once sync.Once
   643  var _p384 *nistCurve[*nistec.P384Point]
   644  
   645  func p384() *nistCurve[*nistec.P384Point] {
   646  	p384Once.Do(func() {
   647  		_p384 = &nistCurve[*nistec.P384Point]{
   648  			newPoint: func() *nistec.P384Point { return nistec.NewP384Point() },
   649  		}
   650  		precomputeParams(_p384, elliptic.P384())
   651  	})
   652  	return _p384
   653  }
   654  
   655  var p521Once sync.Once
   656  var _p521 *nistCurve[*nistec.P521Point]
   657  
   658  func p521() *nistCurve[*nistec.P521Point] {
   659  	p521Once.Do(func() {
   660  		_p521 = &nistCurve[*nistec.P521Point]{
   661  			newPoint: func() *nistec.P521Point { return nistec.NewP521Point() },
   662  		}
   663  		precomputeParams(_p521, elliptic.P521())
   664  	})
   665  	return _p521
   666  }
   667  
   668  func precomputeParams[Point nistPoint[Point]](c *nistCurve[Point], curve elliptic.Curve) {
   669  	params := curve.Params()
   670  	c.curve = curve
   671  	var err error
   672  	c.N, err = bigmod.NewModulusFromBig(params.N)
   673  	if err != nil {
   674  		panic(err)
   675  	}
   676  	c.nMinus2 = new(big.Int).Sub(params.N, big.NewInt(2)).Bytes()
   677  }
   678
View as plain text