frostfs-crypto/ecdsa.go

package crypto

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"crypto/x509"
	"math/big"

	"github.com/nspcc-dev/neofs-crypto/internal"
	"github.com/pkg/errors"
)

const (
	// ErrEmptyPublicKey when PK passed to Verify method is nil.
	ErrEmptyPublicKey = internal.Error("empty public key")

	// ErrInvalidSignature when signature passed to Verify method is mismatch.
	ErrInvalidSignature = internal.Error("invalid signature")

	// ErrCannotUnmarshal when signature ([]byte) passed to Verify method has wrong format
	// and cannot be parsed.
	ErrCannotUnmarshal = internal.Error("could not unmarshal signature")

	// PrivateKeyCompressedSize is constant with compressed size of private key (SK).
	// D coordinate stored, recover PK by formula x, y = curve.ScalarBaseMul(d,bytes).
	PrivateKeyCompressedSize = 32

	// PublicKeyCompressedSize is constant with compressed size of public key (PK).
	PublicKeyCompressedSize = 33

	// PublicKeyUncompressedSize is constant with uncompressed size of public key (PK).
	// First byte always should be 0x4 other 64 bytes is X and Y (32 bytes per coordinate).
	// 2 * 32 + 1
	PublicKeyUncompressedSize = 65
)

// P256 is base elliptic curve.
var curve = elliptic.P256()

// Marshal converts a points into the uncompressed form specified in section 4.3.6 of ANSI X9.62.
func marshalXY(x, y *big.Int) []byte {
	return elliptic.Marshal(curve, x, y)
}

// unmarshalXY converts a point, serialized by Marshal, into an x, y pair.
// It is an error if the point is not in uncompressed form.
// On error, x,y = nil.
// Unlike the original version of the code, we ignore that x or y not on the curve
// --------------
// It's copy-paste elliptic.Unmarshal(curve, data) stdlib function, without last line
// of code.
// Link - https://golang.org/pkg/crypto/elliptic/#Unmarshal
func unmarshalXY(data []byte) (x *big.Int, y *big.Int) {
	if len(data) != PublicKeyUncompressedSize {
		return
	} else if data[0] != 4 { // uncompressed form
		return
	}

	p := curve.Params().P
	x = new(big.Int).SetBytes(data[1:PublicKeyCompressedSize])
	y = new(big.Int).SetBytes(data[PublicKeyCompressedSize:])

	if x.Cmp(p) >= 0 || y.Cmp(p) >= 0 {
		x, y = nil, nil
	}

	return
}

// MarshalPublicKey to bytes.
func MarshalPublicKey(key *ecdsa.PublicKey) []byte {
	if key == nil || key.X == nil || key.Y == nil {
		return nil
	}

	return encodePoint(key.X, key.Y)
}

// UnmarshalPublicKey from bytes.
func UnmarshalPublicKey(data []byte) *ecdsa.PublicKey {
	if x, y := decodePoint(data); x != nil && y != nil {
		return &ecdsa.PublicKey{
			Curve: curve,
			X:     x,
			Y:     y,
		}
	}

	return nil
}

// UnmarshalPrivateKey from bytes.
// It is similar to `ecdsa.Generate()` but uses pre-defined big.Int and
// curve for NEO Blockchain (elliptic.P256)
// Link - https://golang.org/pkg/crypto/ecdsa/#GenerateKey
func UnmarshalPrivateKey(data []byte) (*ecdsa.PrivateKey, error) {
	if len(data) == PrivateKeyCompressedSize { // todo: consider using only NEO blockchain private keys
		d := new(big.Int).SetBytes(data)
		priv := new(ecdsa.PrivateKey)
		priv.PublicKey.Curve = curve
		priv.D = d
		priv.PublicKey.X, priv.PublicKey.Y = curve.ScalarBaseMult(data)

		return priv, nil
	}

	return x509.ParseECPrivateKey(data)
}

// MarshalPrivateKey to bytes.
func MarshalPrivateKey(key *ecdsa.PrivateKey) []byte {
	return key.D.Bytes()
}

// hashBytes returns the sha512 sum.
func hashBytes(data []byte) []byte {
	buf := sha512.Sum512(data)
	return buf[:]
}

// Verify verifies the signature of msg using the public key pub. It returns
// nil only if signature is valid.
func Verify(pub *ecdsa.PublicKey, msg, sig []byte) error {
	if r, s := unmarshalXY(sig); r == nil || s == nil {
		return ErrCannotUnmarshal
	} else if pub == nil {
		return ErrEmptyPublicKey
	} else if !ecdsa.Verify(pub, hashBytes(msg), r, s) {
		return errors.Wrapf(ErrInvalidSignature, "%0x : %0x", r, s)
	}

	return nil
}

// Sign signs a message using the private key. If the sha512 hash of msg
// is longer than the bit-length of the private key's curve order, the hash
// will be truncated to that length. It returns the signature as slice bytes.
// The security of the private key depends on the entropy of rand.
func Sign(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	x, y, err := ecdsa.Sign(rand.Reader, key, hashBytes(msg))
	if err != nil {
		return nil, err
	}

	return marshalXY(x, y), nil
}
initial 2019-10-17 13:11:58 +00:00			`package crypto`

			`import (`
			`"crypto/ecdsa"`
			`"crypto/elliptic"`
			`"crypto/rand"`
Use SHA512 instead of SHA256 Fix issue #4 2019-11-12 13:00:27 +00:00			`"crypto/sha512"`
initial 2019-10-17 13:11:58 +00:00			`"crypto/x509"`
			`"math/big"`

			`"github.com/nspcc-dev/neofs-crypto/internal"`
			`"github.com/pkg/errors"`
			`)`

			`const (`
Use consistent parameter names for Sign and Verify functions It may be misleading when verify function takes signature as a hash parameter. This commit suggested to use rfc6979 original naming for the parameters: - `msg` as the message to sign, - `sig` as the signature of message. All hashing operations are encapsulated inside of the Sign and Verify functions. Also there are comment fixes and re-usage of `hashBytes()` in rfc6979. 2019-11-12 08:13:12 +00:00			`// ErrEmptyPublicKey when PK passed to Verify method is nil.`
initial 2019-10-17 13:11:58 +00:00			`ErrEmptyPublicKey = internal.Error("empty public key")`

Use consistent parameter names for Sign and Verify functions It may be misleading when verify function takes signature as a hash parameter. This commit suggested to use rfc6979 original naming for the parameters: - `msg` as the message to sign, - `sig` as the signature of message. All hashing operations are encapsulated inside of the Sign and Verify functions. Also there are comment fixes and re-usage of `hashBytes()` in rfc6979. 2019-11-12 08:13:12 +00:00			`// ErrInvalidSignature when signature passed to Verify method is mismatch.`
initial 2019-10-17 13:11:58 +00:00			`ErrInvalidSignature = internal.Error("invalid signature")`

			`// ErrCannotUnmarshal when signature ([]byte) passed to Verify method has wrong format`
			`// and cannot be parsed.`
			`ErrCannotUnmarshal = internal.Error("could not unmarshal signature")`

			`// PrivateKeyCompressedSize is constant with compressed size of private key (SK).`
			`// D coordinate stored, recover PK by formula x, y = curve.ScalarBaseMul(d,bytes).`
			`PrivateKeyCompressedSize = 32`

			`// PublicKeyCompressedSize is constant with compressed size of public key (PK).`
			`PublicKeyCompressedSize = 33`

			`// PublicKeyUncompressedSize is constant with uncompressed size of public key (PK).`
			`// First byte always should be 0x4 other 64 bytes is X and Y (32 bytes per coordinate).`
Use consistent parameter names for Sign and Verify functions It may be misleading when verify function takes signature as a hash parameter. This commit suggested to use rfc6979 original naming for the parameters: - `msg` as the message to sign, - `sig` as the signature of message. All hashing operations are encapsulated inside of the Sign and Verify functions. Also there are comment fixes and re-usage of `hashBytes()` in rfc6979. 2019-11-12 08:13:12 +00:00			`// 2 * 32 + 1`
initial 2019-10-17 13:11:58 +00:00			`PublicKeyUncompressedSize = 65`
			`)`

Use consistent parameter names for Sign and Verify functions It may be misleading when verify function takes signature as a hash parameter. This commit suggested to use rfc6979 original naming for the parameters: - `msg` as the message to sign, - `sig` as the signature of message. All hashing operations are encapsulated inside of the Sign and Verify functions. Also there are comment fixes and re-usage of `hashBytes()` in rfc6979. 2019-11-12 08:13:12 +00:00			`// P256 is base elliptic curve.`
initial 2019-10-17 13:11:58 +00:00			`var curve = elliptic.P256()`

			`// Marshal converts a points into the uncompressed form specified in section 4.3.6 of ANSI X9.62.`
			`func marshalXY(x, y *big.Int) []byte {`
			`return elliptic.Marshal(curve, x, y)`
			`}`

			`// unmarshalXY converts a point, serialized by Marshal, into an x, y pair.`
			`// It is an error if the point is not in uncompressed form.`
			`// On error, x,y = nil.`
			`// Unlike the original version of the code, we ignore that x or y not on the curve`
			`// --------------`
			`// It's copy-paste elliptic.Unmarshal(curve, data) stdlib function, without last line`
Use consistent parameter names for Sign and Verify functions It may be misleading when verify function takes signature as a hash parameter. This commit suggested to use rfc6979 original naming for the parameters: - `msg` as the message to sign, - `sig` as the signature of message. All hashing operations are encapsulated inside of the Sign and Verify functions. Also there are comment fixes and re-usage of `hashBytes()` in rfc6979. 2019-11-12 08:13:12 +00:00			`// of code.`
initial 2019-10-17 13:11:58 +00:00			`// Link - https://golang.org/pkg/crypto/elliptic/#Unmarshal`
			`func unmarshalXY(data []byte) (x big.Int, y big.Int) {`
			`if len(data) != PublicKeyUncompressedSize {`
			`return`
			`} else if data[0] != 4 { // uncompressed form`
			`return`
			`}`

			`p := curve.Params().P`
			`x = new(big.Int).SetBytes(data[1:PublicKeyCompressedSize])`
			`y = new(big.Int).SetBytes(data[PublicKeyCompressedSize:])`

			`if x.Cmp(p) >= 0 \|\| y.Cmp(p) >= 0 {`
			`x, y = nil, nil`
			`}`

			`return`
			`}`

Use consistent parameter names for Sign and Verify functions It may be misleading when verify function takes signature as a hash parameter. This commit suggested to use rfc6979 original naming for the parameters: - `msg` as the message to sign, - `sig` as the signature of message. All hashing operations are encapsulated inside of the Sign and Verify functions. Also there are comment fixes and re-usage of `hashBytes()` in rfc6979. 2019-11-12 08:13:12 +00:00			`// MarshalPublicKey to bytes.`
initial 2019-10-17 13:11:58 +00:00			`func MarshalPublicKey(key *ecdsa.PublicKey) []byte {`
			`if key == nil \|\| key.X == nil \|\| key.Y == nil {`
			`return nil`
			`}`

			`return encodePoint(key.X, key.Y)`
			`}`

Use consistent parameter names for Sign and Verify functions It may be misleading when verify function takes signature as a hash parameter. This commit suggested to use rfc6979 original naming for the parameters: - `msg` as the message to sign, - `sig` as the signature of message. All hashing operations are encapsulated inside of the Sign and Verify functions. Also there are comment fixes and re-usage of `hashBytes()` in rfc6979. 2019-11-12 08:13:12 +00:00			`// UnmarshalPublicKey from bytes.`
initial 2019-10-17 13:11:58 +00:00			`func UnmarshalPublicKey(data []byte) *ecdsa.PublicKey {`
Refactoring for go1.15+ - use elliptic.MarshalCompressed - use elliptic.UnmarshalCompressed - for older go versions use old methods - update dependencies - github.com/mr-tron/base58 v1.2.0 - github.com/pkg/errors v0.9.1 - github.com/stretchr/testify v1.7.0 Signed-off-by: Evgeniy Kulikov <kim@nspcc.ru> 2021-02-12 09:07:39 +00:00			`if x, y := decodePoint(data); x != nil && y != nil {`
initial 2019-10-17 13:11:58 +00:00			`return &ecdsa.PublicKey{`
			`Curve: curve,`
			`X: x,`
			`Y: y,`
			`}`
			`}`

			`return nil`
			`}`

Use consistent parameter names for Sign and Verify functions It may be misleading when verify function takes signature as a hash parameter. This commit suggested to use rfc6979 original naming for the parameters: - `msg` as the message to sign, - `sig` as the signature of message. All hashing operations are encapsulated inside of the Sign and Verify functions. Also there are comment fixes and re-usage of `hashBytes()` in rfc6979. 2019-11-12 08:13:12 +00:00			`// UnmarshalPrivateKey from bytes.`
			// It is similar to `ecdsa.Generate()` but uses pre-defined big.Int and
			`// curve for NEO Blockchain (elliptic.P256)`
initial 2019-10-17 13:11:58 +00:00			`// Link - https://golang.org/pkg/crypto/ecdsa/#GenerateKey`
			`func UnmarshalPrivateKey(data []byte) (*ecdsa.PrivateKey, error) {`
			`if len(data) == PrivateKeyCompressedSize { // todo: consider using only NEO blockchain private keys`
			`d := new(big.Int).SetBytes(data)`
			`priv := new(ecdsa.PrivateKey)`
			`priv.PublicKey.Curve = curve`
			`priv.D = d`
			`priv.PublicKey.X, priv.PublicKey.Y = curve.ScalarBaseMult(data)`

			`return priv, nil`
			`}`

			`return x509.ParseECPrivateKey(data)`
			`}`

Use consistent parameter names for Sign and Verify functions It may be misleading when verify function takes signature as a hash parameter. This commit suggested to use rfc6979 original naming for the parameters: - `msg` as the message to sign, - `sig` as the signature of message. All hashing operations are encapsulated inside of the Sign and Verify functions. Also there are comment fixes and re-usage of `hashBytes()` in rfc6979. 2019-11-12 08:13:12 +00:00			`// MarshalPrivateKey to bytes.`
initial 2019-10-17 13:11:58 +00:00			`func MarshalPrivateKey(key *ecdsa.PrivateKey) []byte {`
			`return key.D.Bytes()`
			`}`

Use SHA512 instead of SHA256 Fix issue #4 2019-11-12 13:00:27 +00:00			`// hashBytes returns the sha512 sum.`
initial 2019-10-17 13:11:58 +00:00			`func hashBytes(data []byte) []byte {`
Use SHA512 instead of SHA256 Fix issue #4 2019-11-12 13:00:27 +00:00			`buf := sha512.Sum512(data)`
initial 2019-10-17 13:11:58 +00:00			`return buf[:]`
			`}`

Use consistent parameter names for Sign and Verify functions It may be misleading when verify function takes signature as a hash parameter. This commit suggested to use rfc6979 original naming for the parameters: - `msg` as the message to sign, - `sig` as the signature of message. All hashing operations are encapsulated inside of the Sign and Verify functions. Also there are comment fixes and re-usage of `hashBytes()` in rfc6979. 2019-11-12 08:13:12 +00:00			`// Verify verifies the signature of msg using the public key pub. It returns`
			`// nil only if signature is valid.`
Change func Verify signature - Before `func Verify(pub ecdsa.PublicKey, sig, msg []byte) error` - After `func Verify(pub ecdsa.PublicKey, msg, sig []byte) error` - Update tests and replace `hash` with `sign` for signatures Fix issue #5 2019-11-12 12:52:13 +00:00			`func Verify(pub *ecdsa.PublicKey, msg, sig []byte) error {`
Use consistent parameter names for Sign and Verify functions It may be misleading when verify function takes signature as a hash parameter. This commit suggested to use rfc6979 original naming for the parameters: - `msg` as the message to sign, - `sig` as the signature of message. All hashing operations are encapsulated inside of the Sign and Verify functions. Also there are comment fixes and re-usage of `hashBytes()` in rfc6979. 2019-11-12 08:13:12 +00:00			`if r, s := unmarshalXY(sig); r == nil \|\| s == nil {`
initial 2019-10-17 13:11:58 +00:00			`return ErrCannotUnmarshal`
			`} else if pub == nil {`
			`return ErrEmptyPublicKey`
Use consistent parameter names for Sign and Verify functions It may be misleading when verify function takes signature as a hash parameter. This commit suggested to use rfc6979 original naming for the parameters: - `msg` as the message to sign, - `sig` as the signature of message. All hashing operations are encapsulated inside of the Sign and Verify functions. Also there are comment fixes and re-usage of `hashBytes()` in rfc6979. 2019-11-12 08:13:12 +00:00			`} else if !ecdsa.Verify(pub, hashBytes(msg), r, s) {`
initial 2019-10-17 13:11:58 +00:00			`return errors.Wrapf(ErrInvalidSignature, "%0x : %0x", r, s)`
			`}`

			`return nil`
			`}`

Use SHA512 instead of SHA256 Fix issue #4 2019-11-12 13:00:27 +00:00			`// Sign signs a message using the private key. If the sha512 hash of msg`
Use consistent parameter names for Sign and Verify functions It may be misleading when verify function takes signature as a hash parameter. This commit suggested to use rfc6979 original naming for the parameters: - `msg` as the message to sign, - `sig` as the signature of message. All hashing operations are encapsulated inside of the Sign and Verify functions. Also there are comment fixes and re-usage of `hashBytes()` in rfc6979. 2019-11-12 08:13:12 +00:00			`// is longer than the bit-length of the private key's curve order, the hash`
			`// will be truncated to that length. It returns the signature as slice bytes.`
initial 2019-10-17 13:11:58 +00:00			`// The security of the private key depends on the entropy of rand.`
Use consistent parameter names for Sign and Verify functions It may be misleading when verify function takes signature as a hash parameter. This commit suggested to use rfc6979 original naming for the parameters: - `msg` as the message to sign, - `sig` as the signature of message. All hashing operations are encapsulated inside of the Sign and Verify functions. Also there are comment fixes and re-usage of `hashBytes()` in rfc6979. 2019-11-12 08:13:12 +00:00			`func Sign(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {`
			`x, y, err := ecdsa.Sign(rand.Reader, key, hashBytes(msg))`
initial 2019-10-17 13:11:58 +00:00			`if err != nil {`
			`return nil, err`
			`}`

			`return marshalXY(x, y), nil`
			`}`