Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: migrate to crypto/ecdh #178

Closed
wants to merge 2 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 0 additions & 12 deletions ecdsa_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -172,18 +172,6 @@ func generateTestECDSAKey(t *testing.T) *ecdsa.PrivateKey {
return key
}

func Test_customCurveKeySigner(t *testing.T) {
// https://github.com/veraison/go-cose/issues/59
pCustom := *elliptic.P256().Params()
pCustom.Name = "P-custom"
pCustom.BitSize /= 2
key, err := ecdsa.GenerateKey(&pCustom, rand.Reader)
if err != nil {
t.Fatalf("ecdsa.GenerateKey() error = %v", err)
}
testSignVerify(t, AlgorithmES256, key, false)
}

func Test_ecdsaKeySigner(t *testing.T) {
key := generateTestECDSAKey(t)
testSignVerify(t, AlgorithmES256, key, false)
Expand Down
2 changes: 1 addition & 1 deletion go.mod
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
module github.com/veraison/go-cose

go 1.18
go 1.21

require github.com/fxamacker/cbor/v2 v2.5.0

Expand Down
35 changes: 26 additions & 9 deletions key.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,11 @@

import (
"crypto"
"crypto/ecdh"

Check failure on line 5 in key.go

View workflow job for this annotation

GitHub Actions / tests (1.18)

package crypto/ecdh is not in GOROOT (/opt/hostedtoolcache/go/1.18.10/x64/src/crypto/ecdh)

Check failure on line 5 in key.go

View workflow job for this annotation

GitHub Actions / tests (1.19)

package crypto/ecdh is not in GOROOT (/opt/hostedtoolcache/go/1.19.13/x64/src/crypto/ecdh)
"crypto/ecdsa"
"crypto/ed25519"
"crypto/elliptic"
"crypto/x509"
"errors"
"fmt"
"math/big"
Expand Down Expand Up @@ -703,8 +705,29 @@

switch alg {
case AlgorithmES256, AlgorithmES384, AlgorithmES512:
var curve elliptic.Curve
_, x, y, d := k.EC2()
if len(x) == 0 || len(y) == 0 {
var curve ecdh.Curve
switch alg {
case AlgorithmES256:
curve = ecdh.P256()
case AlgorithmES384:
curve = ecdh.P384()
case AlgorithmES512:
curve = ecdh.P521()
}
key, err := curve.NewPrivateKey(d)
if err != nil {
return nil, err
}
encodedKey, err := x509.MarshalPKCS8PrivateKey(key)
if err != nil {
return nil, err
}
return x509.ParsePKCS8PrivateKey(encodedKey)
}

var curve elliptic.Curve
switch alg {
case AlgorithmES256:
curve = elliptic.P256()
Expand All @@ -714,14 +737,8 @@
curve = elliptic.P521()
}

_, x, y, d := k.EC2()
var bx, by *big.Int
if len(x) == 0 || len(y) == 0 {
bx, by = curve.ScalarBaseMult(d)
} else {
bx = new(big.Int).SetBytes(x)
by = new(big.Int).SetBytes(y)
}
bx := new(big.Int).SetBytes(x)
by := new(big.Int).SetBytes(y)
bd := new(big.Int).SetBytes(d)

return &ecdsa.PrivateKey{
Expand Down
9 changes: 7 additions & 2 deletions verifier.go
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,8 @@ type DigestVerifier interface {
// NewVerifier returns a verifier with a given public key.
// Only golang built-in crypto public keys of type `*rsa.PublicKey`,
// `*ecdsa.PublicKey`, and `ed25519.PublicKey` are accepted.
// When `*ecdsa.PublicKey` is specified, its curve must be supported by
// crypto/ecdh.
//
// The returned signer for rsa and ecdsa keys also implements `cose.DigestSigner`.
func NewVerifier(alg Algorithm, key crypto.PublicKey) (Verifier, error) {
Expand All @@ -60,8 +62,11 @@ func NewVerifier(alg Algorithm, key crypto.PublicKey) (Verifier, error) {
if !ok {
return nil, fmt.Errorf("%v: %w", alg, ErrInvalidPubKey)
}
if !vk.Curve.IsOnCurve(vk.X, vk.Y) {
return nil, errors.New("public key point is not on curve")
if _, err := vk.ECDH(); err != nil {
if err.Error() == "ecdsa: invalid public key" {
return nil, fmt.Errorf("%v: %w", alg, ErrInvalidPubKey)
}
return nil, fmt.Errorf("%v: %w: %v", alg, ErrInvalidPubKey, err)
}
return &ecdsaVerifier{
alg: alg,
Expand Down
15 changes: 14 additions & 1 deletion verifier_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,13 @@ func TestNewVerifier(t *testing.T) {
// craft an EC public key with the x-coord not on curve
ecdsaKeyPointNotOnCurve := generateBogusECKey()

// craft an EC public key with a curve not supported by crypto/ecdh
ecdsaKeyUnsupportedCurve := &ecdsa.PublicKey{
Curve: ecdsaKey.Curve.Params(),
X: ecdsaKey.X,
Y: ecdsaKey.Y,
}

// run tests
tests := []struct {
name string
Expand Down Expand Up @@ -125,7 +132,13 @@ func TestNewVerifier(t *testing.T) {
name: "bogus ecdsa public key (point not on curve)",
alg: AlgorithmES256,
key: ecdsaKeyPointNotOnCurve,
wantErr: "public key point is not on curve",
wantErr: "ES256: invalid public key",
},
{
name: "ecdsa public key with unsupported curve",
alg: AlgorithmES256,
key: ecdsaKeyUnsupportedCurve,
wantErr: "ES256: invalid public key: ecdsa: unsupported curve by crypto/ecdh",
},
}
for _, tt := range tests {
Expand Down
Loading