ecdsa.go

     1  // Copyright 2011 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  // Package ecdsa implements the Elliptic Curve Digital Signature Algorithm, as
     6  // defined in [FIPS 186-5].
     7  //
     8  // Signatures generated by this package are not deterministic, but entropy is
     9  // mixed with the private key and the message, achieving the same level of
    10  // security in case of randomness source failure.
    11  //
    12  // Operations involving private keys are implemented using constant-time
    13  // algorithms, as long as an [elliptic.Curve] returned by [elliptic.P224],
    14  // [elliptic.P256], [elliptic.P384], or [elliptic.P521] is used.
    15  //
    16  // [FIPS 186-5]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf
    17  package ecdsa
    18  
    19  import (
    20  	"crypto"
    21  	"crypto/ecdh"
    22  	"crypto/elliptic"
    23  	"crypto/internal/boring"
    24  	"crypto/internal/boring/bbig"
    25  	"crypto/internal/fips140/ecdsa"
    26  	"crypto/internal/fips140/nistec"
    27  	"crypto/internal/fips140cache"
    28  	"crypto/internal/fips140hash"
    29  	"crypto/internal/fips140only"
    30  	"crypto/internal/rand"
    31  	"crypto/sha512"
    32  	"crypto/subtle"
    33  	"errors"
    34  	"io"
    35  	"math/big"
    36  
    37  	"golang.org/x/crypto/cryptobyte"
    38  	"golang.org/x/crypto/cryptobyte/asn1"
    39  )
    40  
    41  // PublicKey represents an ECDSA public key.
    42  type PublicKey struct {
    43  	elliptic.Curve
    44  
    45  	// X, Y are the coordinates of the public key point.
    46  	//
    47  	// Deprecated: modifying the raw coordinates can produce invalid keys, and may
    48  	// invalidate internal optimizations; moreover, [big.Int] methods are not
    49  	// suitable for operating on cryptographic values. To encode and decode
    50  	// PublicKey values, use [PublicKey.Bytes] and [ParseUncompressedPublicKey]
    51  	// or [crypto/x509.MarshalPKIXPublicKey] and [crypto/x509.ParsePKIXPublicKey].
    52  	// For ECDH, use [crypto/ecdh]. For lower-level elliptic curve operations,
    53  	// use a third-party module like filippo.io/nistec.
    54  	X, Y *big.Int
    55  }
    56  
    57  // Any methods implemented on PublicKey might need to also be implemented on
    58  // PrivateKey, as the latter embeds the former and will expose its methods.
    59  
    60  // ECDH returns k as a [ecdh.PublicKey]. It returns an error if the key is
    61  // invalid according to the definition of [ecdh.Curve.NewPublicKey], or if the
    62  // Curve is not supported by crypto/ecdh.
    63  func (pub *PublicKey) ECDH() (*ecdh.PublicKey, error) {
    64  	c := curveToECDH(pub.Curve)
    65  	if c == nil {
    66  		return nil, errors.New("ecdsa: unsupported curve by crypto/ecdh")
    67  	}
    68  	k, err := pub.Bytes()
    69  	if err != nil {
    70  		return nil, err
    71  	}
    72  	return c.NewPublicKey(k)
    73  }
    74  
    75  // Equal reports whether pub and x have the same value.
    76  //
    77  // Two keys are only considered to have the same value if they have the same Curve value.
    78  // Note that for example [elliptic.P256] and elliptic.P256().Params() are different
    79  // values, as the latter is a generic not constant time implementation.
    80  func (pub *PublicKey) Equal(x crypto.PublicKey) bool {
    81  	xx, ok := x.(*PublicKey)
    82  	if !ok {
    83  		return false
    84  	}
    85  	return bigIntEqual(pub.X, xx.X) && bigIntEqual(pub.Y, xx.Y) &&
    86  		// Standard library Curve implementations are singletons, so this check
    87  		// will work for those. Other Curves might be equivalent even if not
    88  		// singletons, but there is no definitive way to check for that, and
    89  		// better to err on the side of safety.
    90  		pub.Curve == xx.Curve
    91  }
    92  
    93  // ParseUncompressedPublicKey parses a public key encoded as an uncompressed
    94  // point according to SEC 1, Version 2.0, Section 2.3.3 (also known as the X9.62
    95  // uncompressed format). It returns an error if the point is not in uncompressed
    96  // form, is not on the curve, or is the point at infinity.
    97  //
    98  // curve must be one of [elliptic.P224], [elliptic.P256], [elliptic.P384], or
    99  // [elliptic.P521], or ParseUncompressedPublicKey returns an error.
   100  //
   101  // ParseUncompressedPublicKey accepts the same format as
   102  // [ecdh.Curve.NewPublicKey] does for NIST curves, but returns a [PublicKey]
   103  // instead of an [ecdh.PublicKey].
   104  //
   105  // Note that public keys are more commonly encoded in DER (or PEM) format, which
   106  // can be parsed with [crypto/x509.ParsePKIXPublicKey] (and [encoding/pem]).
   107  func ParseUncompressedPublicKey(curve elliptic.Curve, data []byte) (*PublicKey, error) {
   108  	if len(data) < 1 || data[0] != 4 {
   109  		return nil, errors.New("ecdsa: invalid uncompressed public key")
   110  	}
   111  	switch curve {
   112  	case elliptic.P224():
   113  		return parseUncompressedPublicKey(ecdsa.P224(), curve, data)
   114  	case elliptic.P256():
   115  		return parseUncompressedPublicKey(ecdsa.P256(), curve, data)
   116  	case elliptic.P384():
   117  		return parseUncompressedPublicKey(ecdsa.P384(), curve, data)
   118  	case elliptic.P521():
   119  		return parseUncompressedPublicKey(ecdsa.P521(), curve, data)
   120  	default:
   121  		return nil, errors.New("ecdsa: curve not supported by ParseUncompressedPublicKey")
   122  	}
   123  }
   124  
   125  func parseUncompressedPublicKey[P ecdsa.Point[P]](c *ecdsa.Curve[P], curve elliptic.Curve, data []byte) (*PublicKey, error) {
   126  	k, err := ecdsa.NewPublicKey(c, data)
   127  	if err != nil {
   128  		return nil, err
   129  	}
   130  	return publicKeyFromFIPS(curve, k)
   131  }
   132  
   133  // Bytes encodes the public key as an uncompressed point according to SEC 1,
   134  // Version 2.0, Section 2.3.3 (also known as the X9.62 uncompressed format).
   135  // It returns an error if the public key is invalid.
   136  //
   137  // PublicKey.Curve must be one of [elliptic.P224], [elliptic.P256],
   138  // [elliptic.P384], or [elliptic.P521], or Bytes returns an error.
   139  //
   140  // Bytes returns the same format as [ecdh.PublicKey.Bytes] does for NIST curves.
   141  //
   142  // Note that public keys are more commonly encoded in DER (or PEM) format, which
   143  // can be generated with [crypto/x509.MarshalPKIXPublicKey] (and [encoding/pem]).
   144  func (pub *PublicKey) Bytes() ([]byte, error) {
   145  	switch pub.Curve {
   146  	case elliptic.P224():
   147  		return publicKeyBytes(ecdsa.P224(), pub)
   148  	case elliptic.P256():
   149  		return publicKeyBytes(ecdsa.P256(), pub)
   150  	case elliptic.P384():
   151  		return publicKeyBytes(ecdsa.P384(), pub)
   152  	case elliptic.P521():
   153  		return publicKeyBytes(ecdsa.P521(), pub)
   154  	default:
   155  		return nil, errors.New("ecdsa: curve not supported by PublicKey.Bytes")
   156  	}
   157  }
   158  
   159  func publicKeyBytes[P ecdsa.Point[P]](c *ecdsa.Curve[P], pub *PublicKey) ([]byte, error) {
   160  	k, err := publicKeyToFIPS(c, pub)
   161  	if err != nil {
   162  		return nil, err
   163  	}
   164  	return k.Bytes(), nil
   165  }
   166  
   167  // PrivateKey represents an ECDSA private key.
   168  type PrivateKey struct {
   169  	PublicKey
   170  
   171  	// D is the private scalar value.
   172  	//
   173  	// Deprecated: modifying the raw value can produce invalid keys, and may
   174  	// invalidate internal optimizations; moreover, [big.Int] methods are not
   175  	// suitable for operating on cryptographic values. To encode and decode
   176  	// PrivateKey values, use [PrivateKey.Bytes] and [ParseRawPrivateKey] or
   177  	// [crypto/x509.MarshalPKCS8PrivateKey] and [crypto/x509.ParsePKCS8PrivateKey].
   178  	// For ECDH, use [crypto/ecdh].
   179  	D *big.Int
   180  }
   181  
   182  // ECDH returns k as a [ecdh.PrivateKey]. It returns an error if the key is
   183  // invalid according to the definition of [ecdh.Curve.NewPrivateKey], or if the
   184  // Curve is not supported by [crypto/ecdh].
   185  func (priv *PrivateKey) ECDH() (*ecdh.PrivateKey, error) {
   186  	c := curveToECDH(priv.Curve)
   187  	if c == nil {
   188  		return nil, errors.New("ecdsa: unsupported curve by crypto/ecdh")
   189  	}
   190  	k, err := priv.Bytes()
   191  	if err != nil {
   192  		return nil, err
   193  	}
   194  	return c.NewPrivateKey(k)
   195  }
   196  
   197  func curveToECDH(c elliptic.Curve) ecdh.Curve {
   198  	switch c {
   199  	case elliptic.P256():
   200  		return ecdh.P256()
   201  	case elliptic.P384():
   202  		return ecdh.P384()
   203  	case elliptic.P521():
   204  		return ecdh.P521()
   205  	default:
   206  		return nil
   207  	}
   208  }
   209  
   210  // Public returns the public key corresponding to priv.
   211  func (priv *PrivateKey) Public() crypto.PublicKey {
   212  	return &priv.PublicKey
   213  }
   214  
   215  // Equal reports whether priv and x have the same value.
   216  //
   217  // See [PublicKey.Equal] for details on how Curve is compared.
   218  func (priv *PrivateKey) Equal(x crypto.PrivateKey) bool {
   219  	xx, ok := x.(*PrivateKey)
   220  	if !ok {
   221  		return false
   222  	}
   223  	return priv.PublicKey.Equal(&xx.PublicKey) && bigIntEqual(priv.D, xx.D)
   224  }
   225  
   226  // bigIntEqual reports whether a and b are equal leaking only their bit length
   227  // through timing side-channels.
   228  func bigIntEqual(a, b *big.Int) bool {
   229  	return subtle.ConstantTimeCompare(a.Bytes(), b.Bytes()) == 1
   230  }
   231  
   232  // ParseRawPrivateKey parses a private key encoded as a fixed-length big-endian
   233  // integer, according to SEC 1, Version 2.0, Section 2.3.6 (sometimes referred
   234  // to as the raw format). It returns an error if the value is not reduced modulo
   235  // the curve's order, or if it's zero.
   236  //
   237  // curve must be one of [elliptic.P224], [elliptic.P256], [elliptic.P384], or
   238  // [elliptic.P521], or ParseRawPrivateKey returns an error.
   239  //
   240  // ParseRawPrivateKey accepts the same format as [ecdh.Curve.NewPrivateKey] does
   241  // for NIST curves, but returns a [PrivateKey] instead of an [ecdh.PrivateKey].
   242  //
   243  // Note that private keys are more commonly encoded in ASN.1 or PKCS#8 format,
   244  // which can be parsed with [crypto/x509.ParseECPrivateKey] or
   245  // [crypto/x509.ParsePKCS8PrivateKey] (and [encoding/pem]).
   246  func ParseRawPrivateKey(curve elliptic.Curve, data []byte) (*PrivateKey, error) {
   247  	switch curve {
   248  	case elliptic.P224():
   249  		return parseRawPrivateKey(ecdsa.P224(), nistec.NewP224Point, curve, data)
   250  	case elliptic.P256():
   251  		return parseRawPrivateKey(ecdsa.P256(), nistec.NewP256Point, curve, data)
   252  	case elliptic.P384():
   253  		return parseRawPrivateKey(ecdsa.P384(), nistec.NewP384Point, curve, data)
   254  	case elliptic.P521():
   255  		return parseRawPrivateKey(ecdsa.P521(), nistec.NewP521Point, curve, data)
   256  	default:
   257  		return nil, errors.New("ecdsa: curve not supported by ParseRawPrivateKey")
   258  	}
   259  }
   260  
   261  func parseRawPrivateKey[P ecdsa.Point[P]](c *ecdsa.Curve[P], newPoint func() P, curve elliptic.Curve, data []byte) (*PrivateKey, error) {
   262  	q, err := newPoint().ScalarBaseMult(data)
   263  	if err != nil {
   264  		return nil, err
   265  	}
   266  	k, err := ecdsa.NewPrivateKey(c, data, q.Bytes())
   267  	if err != nil {
   268  		return nil, err
   269  	}
   270  	return privateKeyFromFIPS(curve, k)
   271  }
   272  
   273  // Bytes encodes the private key as a fixed-length big-endian integer according
   274  // to SEC 1, Version 2.0, Section 2.3.6 (sometimes referred to as the raw
   275  // format). It returns an error if the private key is invalid.
   276  //
   277  // PrivateKey.Curve must be one of [elliptic.P224], [elliptic.P256],
   278  // [elliptic.P384], or [elliptic.P521], or Bytes returns an error.
   279  //
   280  // Bytes returns the same format as [ecdh.PrivateKey.Bytes] does for NIST curves.
   281  //
   282  // Note that private keys are more commonly encoded in ASN.1 or PKCS#8 format,
   283  // which can be generated with [crypto/x509.MarshalECPrivateKey] or
   284  // [crypto/x509.MarshalPKCS8PrivateKey] (and [encoding/pem]).
   285  func (priv *PrivateKey) Bytes() ([]byte, error) {
   286  	switch priv.Curve {
   287  	case elliptic.P224():
   288  		return privateKeyBytes(ecdsa.P224(), priv)
   289  	case elliptic.P256():
   290  		return privateKeyBytes(ecdsa.P256(), priv)
   291  	case elliptic.P384():
   292  		return privateKeyBytes(ecdsa.P384(), priv)
   293  	case elliptic.P521():
   294  		return privateKeyBytes(ecdsa.P521(), priv)
   295  	default:
   296  		return nil, errors.New("ecdsa: curve not supported by PrivateKey.Bytes")
   297  	}
   298  }
   299  
   300  func privateKeyBytes[P ecdsa.Point[P]](c *ecdsa.Curve[P], priv *PrivateKey) ([]byte, error) {
   301  	k, err := privateKeyToFIPS(c, priv)
   302  	if err != nil {
   303  		return nil, err
   304  	}
   305  	return k.Bytes(), nil
   306  }
   307  
   308  // Sign signs a hash (which should be the result of hashing a larger message
   309  // with opts.HashFunc()) using the private key, priv. If the hash is longer than
   310  // the bit-length of the private key's curve order, the hash will be truncated
   311  // to that length. It returns the ASN.1 encoded signature, like [SignASN1].
   312  //
   313  // If random is not nil, the signature is randomized. Most applications should use
   314  // [crypto/rand.Reader] as random, but unless GODEBUG=cryptocustomrand=1 is set, a
   315  // secure source of random bytes is always used, and the actual Reader is ignored.
   316  // The GODEBUG setting will be removed in a future Go release. Instead, use
   317  // [testing/cryptotest.SetGlobalRandom].
   318  //
   319  // If random is nil, Sign will produce a deterministic signature according to RFC
   320  // 6979. When producing a deterministic signature, opts.HashFunc() must be the
   321  // function used to produce digest and priv.Curve must be one of
   322  // [elliptic.P224], [elliptic.P256], [elliptic.P384], or [elliptic.P521].
   323  func (priv *PrivateKey) Sign(random io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
   324  	if random == nil {
   325  		return signRFC6979(priv, digest, opts)
   326  	}
   327  	random = rand.CustomReader(random)
   328  	return SignASN1(random, priv, digest)
   329  }
   330  
   331  // GenerateKey generates a new ECDSA private key for the specified curve.
   332  //
   333  // Since Go 1.26, a secure source of random bytes is always used, and the Reader is
   334  // ignored unless GODEBUG=cryptocustomrand=1 is set. This setting will be removed
   335  // in a future Go release. Instead, use [testing/cryptotest.SetGlobalRandom].
   336  func GenerateKey(c elliptic.Curve, r io.Reader) (*PrivateKey, error) {
   337  	if boring.Enabled && rand.IsDefaultReader(r) {
   338  		x, y, d, err := boring.GenerateKeyECDSA(c.Params().Name)
   339  		if err != nil {
   340  			return nil, err
   341  		}
   342  		return &PrivateKey{PublicKey: PublicKey{Curve: c, X: bbig.Dec(x), Y: bbig.Dec(y)}, D: bbig.Dec(d)}, nil
   343  	}
   344  	boring.UnreachableExceptTests()
   345  
   346  	r = rand.CustomReader(r)
   347  
   348  	switch c.Params() {
   349  	case elliptic.P224().Params():
   350  		return generateFIPS(c, ecdsa.P224(), r)
   351  	case elliptic.P256().Params():
   352  		return generateFIPS(c, ecdsa.P256(), r)
   353  	case elliptic.P384().Params():
   354  		return generateFIPS(c, ecdsa.P384(), r)
   355  	case elliptic.P521().Params():
   356  		return generateFIPS(c, ecdsa.P521(), r)
   357  	default:
   358  		return generateLegacy(c, r)
   359  	}
   360  }
   361  
   362  func generateFIPS[P ecdsa.Point[P]](curve elliptic.Curve, c *ecdsa.Curve[P], rand io.Reader) (*PrivateKey, error) {
   363  	if fips140only.Enforced() && !fips140only.ApprovedRandomReader(rand) {
   364  		return nil, errors.New("crypto/ecdsa: only crypto/rand.Reader is allowed in FIPS 140-only mode")
   365  	}
   366  	privateKey, err := ecdsa.GenerateKey(c, rand)
   367  	if err != nil {
   368  		return nil, err
   369  	}
   370  	return privateKeyFromFIPS(curve, privateKey)
   371  }
   372  
   373  // SignASN1 signs a hash (which should be the result of hashing a larger message)
   374  // using the private key, priv. If the hash is longer than the bit-length of the
   375  // private key's curve order, the hash will be truncated to that length. It
   376  // returns the ASN.1 encoded signature.
   377  //
   378  // The signature is randomized. Since Go 1.26, a secure source of random bytes
   379  // is always used, and the Reader is ignored unless GODEBUG=cryptocustomrand=1
   380  // is set. This setting will be removed in a future Go release. Instead, use
   381  // [testing/cryptotest.SetGlobalRandom].
   382  func SignASN1(r io.Reader, priv *PrivateKey, hash []byte) ([]byte, error) {
   383  	if boring.Enabled && rand.IsDefaultReader(r) {
   384  		b, err := boringPrivateKey(priv)
   385  		if err != nil {
   386  			return nil, err
   387  		}
   388  		return boring.SignMarshalECDSA(b, hash)
   389  	}
   390  	boring.UnreachableExceptTests()
   391  
   392  	r = rand.CustomReader(r)
   393  
   394  	switch priv.Curve.Params() {
   395  	case elliptic.P224().Params():
   396  		return signFIPS(ecdsa.P224(), priv, r, hash)
   397  	case elliptic.P256().Params():
   398  		return signFIPS(ecdsa.P256(), priv, r, hash)
   399  	case elliptic.P384().Params():
   400  		return signFIPS(ecdsa.P384(), priv, r, hash)
   401  	case elliptic.P521().Params():
   402  		return signFIPS(ecdsa.P521(), priv, r, hash)
   403  	default:
   404  		return signLegacy(priv, r, hash)
   405  	}
   406  }
   407  
   408  func signFIPS[P ecdsa.Point[P]](c *ecdsa.Curve[P], priv *PrivateKey, rand io.Reader, hash []byte) ([]byte, error) {
   409  	if fips140only.Enforced() && !fips140only.ApprovedRandomReader(rand) {
   410  		return nil, errors.New("crypto/ecdsa: only crypto/rand.Reader is allowed in FIPS 140-only mode")
   411  	}
   412  	k, err := privateKeyToFIPS(c, priv)
   413  	if err != nil {
   414  		return nil, err
   415  	}
   416  	// Always using SHA-512 instead of the hash that computed hash is
   417  	// technically a violation of draft-irtf-cfrg-det-sigs-with-noise-04 but in
   418  	// our API we don't get to know what it was, and this has no security impact.
   419  	sig, err := ecdsa.Sign(c, sha512.New, k, rand, hash)
   420  	if err != nil {
   421  		return nil, err
   422  	}
   423  	return encodeSignature(sig.R, sig.S)
   424  }
   425  
   426  func signRFC6979(priv *PrivateKey, hash []byte, opts crypto.SignerOpts) ([]byte, error) {
   427  	if opts == nil {
   428  		return nil, errors.New("ecdsa: Sign called with nil opts")
   429  	}
   430  	h := opts.HashFunc()
   431  	if h.Size() != len(hash) {
   432  		return nil, errors.New("ecdsa: hash length does not match hash function")
   433  	}
   434  	switch priv.Curve.Params() {
   435  	case elliptic.P224().Params():
   436  		return signFIPSDeterministic(ecdsa.P224(), h, priv, hash)
   437  	case elliptic.P256().Params():
   438  		return signFIPSDeterministic(ecdsa.P256(), h, priv, hash)
   439  	case elliptic.P384().Params():
   440  		return signFIPSDeterministic(ecdsa.P384(), h, priv, hash)
   441  	case elliptic.P521().Params():
   442  		return signFIPSDeterministic(ecdsa.P521(), h, priv, hash)
   443  	default:
   444  		return nil, errors.New("ecdsa: curve not supported by deterministic signatures")
   445  	}
   446  }
   447  
   448  func signFIPSDeterministic[P ecdsa.Point[P]](c *ecdsa.Curve[P], hashFunc crypto.Hash, priv *PrivateKey, hash []byte) ([]byte, error) {
   449  	k, err := privateKeyToFIPS(c, priv)
   450  	if err != nil {
   451  		return nil, err
   452  	}
   453  	h := fips140hash.UnwrapNew(hashFunc.New)
   454  	if fips140only.Enforced() && !fips140only.ApprovedHash(h()) {
   455  		return nil, errors.New("crypto/ecdsa: use of hash functions other than SHA-2 or SHA-3 is not allowed in FIPS 140-only mode")
   456  	}
   457  	sig, err := ecdsa.SignDeterministic(c, h, k, hash)
   458  	if err != nil {
   459  		return nil, err
   460  	}
   461  	return encodeSignature(sig.R, sig.S)
   462  }
   463  
   464  func encodeSignature(r, s []byte) ([]byte, error) {
   465  	var b cryptobyte.Builder
   466  	b.AddASN1(asn1.SEQUENCE, func(b *cryptobyte.Builder) {
   467  		addASN1IntBytes(b, r)
   468  		addASN1IntBytes(b, s)
   469  	})
   470  	return b.Bytes()
   471  }
   472  
   473  // addASN1IntBytes encodes in ASN.1 a positive integer represented as
   474  // a big-endian byte slice with zero or more leading zeroes.
   475  func addASN1IntBytes(b *cryptobyte.Builder, bytes []byte) {
   476  	for len(bytes) > 0 && bytes[0] == 0 {
   477  		bytes = bytes[1:]
   478  	}
   479  	if len(bytes) == 0 {
   480  		b.SetError(errors.New("invalid integer"))
   481  		return
   482  	}
   483  	b.AddASN1(asn1.INTEGER, func(c *cryptobyte.Builder) {
   484  		if bytes[0]&0x80 != 0 {
   485  			c.AddUint8(0)
   486  		}
   487  		c.AddBytes(bytes)
   488  	})
   489  }
   490  
   491  // VerifyASN1 verifies the ASN.1 encoded signature, sig, of hash using the
   492  // public key, pub. Its return value records whether the signature is valid.
   493  //
   494  // The inputs are not considered confidential, and may leak through timing side
   495  // channels, or if an attacker has control of part of the inputs.
   496  func VerifyASN1(pub *PublicKey, hash, sig []byte) bool {
   497  	if boring.Enabled {
   498  		key, err := boringPublicKey(pub)
   499  		if err != nil {
   500  			return false
   501  		}
   502  		return boring.VerifyECDSA(key, hash, sig)
   503  	}
   504  	boring.UnreachableExceptTests()
   505  
   506  	switch pub.Curve.Params() {
   507  	case elliptic.P224().Params():
   508  		return verifyFIPS(ecdsa.P224(), pub, hash, sig)
   509  	case elliptic.P256().Params():
   510  		return verifyFIPS(ecdsa.P256(), pub, hash, sig)
   511  	case elliptic.P384().Params():
   512  		return verifyFIPS(ecdsa.P384(), pub, hash, sig)
   513  	case elliptic.P521().Params():
   514  		return verifyFIPS(ecdsa.P521(), pub, hash, sig)
   515  	default:
   516  		return verifyLegacy(pub, hash, sig)
   517  	}
   518  }
   519  
   520  func verifyFIPS[P ecdsa.Point[P]](c *ecdsa.Curve[P], pub *PublicKey, hash, sig []byte) bool {
   521  	r, s, err := parseSignature(sig)
   522  	if err != nil {
   523  		return false
   524  	}
   525  	k, err := publicKeyToFIPS(c, pub)
   526  	if err != nil {
   527  		return false
   528  	}
   529  	if err := ecdsa.Verify(c, k, hash, &ecdsa.Signature{R: r, S: s}); err != nil {
   530  		return false
   531  	}
   532  	return true
   533  }
   534  
   535  func parseSignature(sig []byte) (r, s []byte, err error) {
   536  	var inner cryptobyte.String
   537  	input := cryptobyte.String(sig)
   538  	if !input.ReadASN1(&inner, asn1.SEQUENCE) ||
   539  		!input.Empty() ||
   540  		!inner.ReadASN1Integer(&r) ||
   541  		!inner.ReadASN1Integer(&s) ||
   542  		!inner.Empty() {
   543  		return nil, nil, errors.New("invalid ASN.1")
   544  	}
   545  	return r, s, nil
   546  }
   547  
   548  func publicKeyFromFIPS(curve elliptic.Curve, pub *ecdsa.PublicKey) (*PublicKey, error) {
   549  	x, y, err := pointToAffine(curve, pub.Bytes())
   550  	if err != nil {
   551  		return nil, err
   552  	}
   553  	return &PublicKey{Curve: curve, X: x, Y: y}, nil
   554  }
   555  
   556  func privateKeyFromFIPS(curve elliptic.Curve, priv *ecdsa.PrivateKey) (*PrivateKey, error) {
   557  	pub, err := publicKeyFromFIPS(curve, priv.PublicKey())
   558  	if err != nil {
   559  		return nil, err
   560  	}
   561  	return &PrivateKey{PublicKey: *pub, D: new(big.Int).SetBytes(priv.Bytes())}, nil
   562  }
   563  
   564  func publicKeyToFIPS[P ecdsa.Point[P]](c *ecdsa.Curve[P], pub *PublicKey) (*ecdsa.PublicKey, error) {
   565  	Q, err := pointFromAffine(pub.Curve, pub.X, pub.Y)
   566  	if err != nil {
   567  		return nil, err
   568  	}
   569  	return ecdsa.NewPublicKey(c, Q)
   570  }
   571  
   572  var privateKeyCache fips140cache.Cache[PrivateKey, ecdsa.PrivateKey]
   573  
   574  func privateKeyToFIPS[P ecdsa.Point[P]](c *ecdsa.Curve[P], priv *PrivateKey) (*ecdsa.PrivateKey, error) {
   575  	Q, err := pointFromAffine(priv.Curve, priv.X, priv.Y)
   576  	if err != nil {
   577  		return nil, err
   578  	}
   579  
   580  	// Reject values that would not get correctly encoded.
   581  	if priv.D.BitLen() > priv.Curve.Params().N.BitLen() {
   582  		return nil, errors.New("ecdsa: private key scalar too large")
   583  	}
   584  	if priv.D.Sign() <= 0 {
   585  		return nil, errors.New("ecdsa: private key scalar is zero or negative")
   586  	}
   587  
   588  	size := (priv.Curve.Params().N.BitLen() + 7) / 8
   589  	const maxScalarSize = 66 // enough for a P-521 private key
   590  	if size > maxScalarSize {
   591  		return nil, errors.New("ecdsa: internal error: curve size too large")
   592  	}
   593  	D := priv.D.FillBytes(make([]byte, size, maxScalarSize))
   594  
   595  	return privateKeyCache.Get(priv, func() (*ecdsa.PrivateKey, error) {
   596  		return ecdsa.NewPrivateKey(c, D, Q)
   597  	}, func(k *ecdsa.PrivateKey) bool {
   598  		return subtle.ConstantTimeCompare(k.PublicKey().Bytes(), Q) == 1 &&
   599  			subtle.ConstantTimeCompare(k.Bytes(), D) == 1
   600  	})
   601  }
   602  
   603  // pointFromAffine is used to convert the PublicKey to a nistec SetBytes input.
   604  func pointFromAffine(curve elliptic.Curve, x, y *big.Int) ([]byte, error) {
   605  	bitSize := curve.Params().BitSize
   606  	// Reject values that would not get correctly encoded.
   607  	if x.Sign() < 0 || y.Sign() < 0 {
   608  		return nil, errors.New("negative coordinate")
   609  	}
   610  	if x.BitLen() > bitSize || y.BitLen() > bitSize {
   611  		return nil, errors.New("overflowing coordinate")
   612  	}
   613  	// Encode the coordinates and let [ecdsa.NewPublicKey] reject invalid points.
   614  	byteLen := (bitSize + 7) / 8
   615  	buf := make([]byte, 1+2*byteLen)
   616  	buf[0] = 4 // uncompressed point
   617  	x.FillBytes(buf[1 : 1+byteLen])
   618  	y.FillBytes(buf[1+byteLen : 1+2*byteLen])
   619  	return buf, nil
   620  }
   621  
   622  // pointToAffine is used to convert a nistec Bytes encoding to a PublicKey.
   623  func pointToAffine(curve elliptic.Curve, p []byte) (x, y *big.Int, err error) {
   624  	if len(p) == 1 && p[0] == 0 {
   625  		// This is the encoding of the point at infinity.
   626  		return nil, nil, errors.New("ecdsa: public key point is the infinity")
   627  	}
   628  	byteLen := (curve.Params().BitSize + 7) / 8
   629  	x = new(big.Int).SetBytes(p[1 : 1+byteLen])
   630  	y = new(big.Int).SetBytes(p[1+byteLen:])
   631  	return x, y, nil
   632  }
   633
View as plain text