github.com/googgoog/go-ethereum@v1.9.7/crypto/ecies/ecies.go (about) 1 // Copyright (c) 2013 Kyle Isom <kyle@tyrfingr.is> 2 // Copyright (c) 2012 The Go Authors. All rights reserved. 3 // 4 // Redistribution and use in source and binary forms, with or without 5 // modification, are permitted provided that the following conditions are 6 // met: 7 // 8 // * Redistributions of source code must retain the above copyright 9 // notice, this list of conditions and the following disclaimer. 10 // * Redistributions in binary form must reproduce the above 11 // copyright notice, this list of conditions and the following disclaimer 12 // in the documentation and/or other materials provided with the 13 // distribution. 14 // * Neither the name of Google Inc. nor the names of its 15 // contributors may be used to endorse or promote products derived from 16 // this software without specific prior written permission. 17 // 18 // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 21 // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 22 // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 23 // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 24 // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 25 // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 26 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 27 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 28 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 29 30 package ecies 31 32 import ( 33 "crypto/cipher" 34 "crypto/ecdsa" 35 "crypto/elliptic" 36 "crypto/hmac" 37 "crypto/subtle" 38 "fmt" 39 "hash" 40 "io" 41 "math/big" 42 ) 43 44 var ( 45 ErrImport = fmt.Errorf("ecies: failed to import key") 46 ErrInvalidCurve = fmt.Errorf("ecies: invalid elliptic curve") 47 ErrInvalidParams = fmt.Errorf("ecies: invalid ECIES parameters") 48 ErrInvalidPublicKey = fmt.Errorf("ecies: invalid public key") 49 ErrSharedKeyIsPointAtInfinity = fmt.Errorf("ecies: shared key is point at infinity") 50 ErrSharedKeyTooBig = fmt.Errorf("ecies: shared key params are too big") 51 ) 52 53 // PublicKey is a representation of an elliptic curve public key. 54 type PublicKey struct { 55 X *big.Int 56 Y *big.Int 57 elliptic.Curve 58 Params *ECIESParams 59 } 60 61 // Export an ECIES public key as an ECDSA public key. 62 func (pub *PublicKey) ExportECDSA() *ecdsa.PublicKey { 63 return &ecdsa.PublicKey{Curve: pub.Curve, X: pub.X, Y: pub.Y} 64 } 65 66 // Import an ECDSA public key as an ECIES public key. 67 func ImportECDSAPublic(pub *ecdsa.PublicKey) *PublicKey { 68 return &PublicKey{ 69 X: pub.X, 70 Y: pub.Y, 71 Curve: pub.Curve, 72 Params: ParamsFromCurve(pub.Curve), 73 } 74 } 75 76 // PrivateKey is a representation of an elliptic curve private key. 77 type PrivateKey struct { 78 PublicKey 79 D *big.Int 80 } 81 82 // Export an ECIES private key as an ECDSA private key. 83 func (prv *PrivateKey) ExportECDSA() *ecdsa.PrivateKey { 84 pub := &prv.PublicKey 85 pubECDSA := pub.ExportECDSA() 86 return &ecdsa.PrivateKey{PublicKey: *pubECDSA, D: prv.D} 87 } 88 89 // Import an ECDSA private key as an ECIES private key. 90 func ImportECDSA(prv *ecdsa.PrivateKey) *PrivateKey { 91 pub := ImportECDSAPublic(&prv.PublicKey) 92 return &PrivateKey{*pub, prv.D} 93 } 94 95 // Generate an elliptic curve public / private keypair. If params is nil, 96 // the recommended default parameters for the key will be chosen. 97 func GenerateKey(rand io.Reader, curve elliptic.Curve, params *ECIESParams) (prv *PrivateKey, err error) { 98 pb, x, y, err := elliptic.GenerateKey(curve, rand) 99 if err != nil { 100 return 101 } 102 prv = new(PrivateKey) 103 prv.PublicKey.X = x 104 prv.PublicKey.Y = y 105 prv.PublicKey.Curve = curve 106 prv.D = new(big.Int).SetBytes(pb) 107 if params == nil { 108 params = ParamsFromCurve(curve) 109 } 110 prv.PublicKey.Params = params 111 return 112 } 113 114 // MaxSharedKeyLength returns the maximum length of the shared key the 115 // public key can produce. 116 func MaxSharedKeyLength(pub *PublicKey) int { 117 return (pub.Curve.Params().BitSize + 7) / 8 118 } 119 120 // ECDH key agreement method used to establish secret keys for encryption. 121 func (prv *PrivateKey) GenerateShared(pub *PublicKey, skLen, macLen int) (sk []byte, err error) { 122 if prv.PublicKey.Curve != pub.Curve { 123 return nil, ErrInvalidCurve 124 } 125 if skLen+macLen > MaxSharedKeyLength(pub) { 126 return nil, ErrSharedKeyTooBig 127 } 128 129 x, _ := pub.Curve.ScalarMult(pub.X, pub.Y, prv.D.Bytes()) 130 if x == nil { 131 return nil, ErrSharedKeyIsPointAtInfinity 132 } 133 134 sk = make([]byte, skLen+macLen) 135 skBytes := x.Bytes() 136 copy(sk[len(sk)-len(skBytes):], skBytes) 137 return sk, nil 138 } 139 140 var ( 141 ErrKeyDataTooLong = fmt.Errorf("ecies: can't supply requested key data") 142 ErrSharedTooLong = fmt.Errorf("ecies: shared secret is too long") 143 ErrInvalidMessage = fmt.Errorf("ecies: invalid message") 144 ) 145 146 var ( 147 big2To32 = new(big.Int).Exp(big.NewInt(2), big.NewInt(32), nil) 148 big2To32M1 = new(big.Int).Sub(big2To32, big.NewInt(1)) 149 ) 150 151 func incCounter(ctr []byte) { 152 if ctr[3]++; ctr[3] != 0 { 153 return 154 } 155 if ctr[2]++; ctr[2] != 0 { 156 return 157 } 158 if ctr[1]++; ctr[1] != 0 { 159 return 160 } 161 if ctr[0]++; ctr[0] != 0 { 162 return 163 } 164 } 165 166 // NIST SP 800-56 Concatenation Key Derivation Function (see section 5.8.1). 167 func concatKDF(hash hash.Hash, z, s1 []byte, kdLen int) (k []byte, err error) { 168 if s1 == nil { 169 s1 = make([]byte, 0) 170 } 171 172 reps := ((kdLen + 7) * 8) / (hash.BlockSize() * 8) 173 if big.NewInt(int64(reps)).Cmp(big2To32M1) > 0 { 174 fmt.Println(big2To32M1) 175 return nil, ErrKeyDataTooLong 176 } 177 178 counter := []byte{0, 0, 0, 1} 179 k = make([]byte, 0) 180 181 for i := 0; i <= reps; i++ { 182 hash.Write(counter) 183 hash.Write(z) 184 hash.Write(s1) 185 k = append(k, hash.Sum(nil)...) 186 hash.Reset() 187 incCounter(counter) 188 } 189 190 k = k[:kdLen] 191 return 192 } 193 194 // messageTag computes the MAC of a message (called the tag) as per 195 // SEC 1, 3.5. 196 func messageTag(hash func() hash.Hash, km, msg, shared []byte) []byte { 197 mac := hmac.New(hash, km) 198 mac.Write(msg) 199 mac.Write(shared) 200 tag := mac.Sum(nil) 201 return tag 202 } 203 204 // Generate an initialisation vector for CTR mode. 205 func generateIV(params *ECIESParams, rand io.Reader) (iv []byte, err error) { 206 iv = make([]byte, params.BlockSize) 207 _, err = io.ReadFull(rand, iv) 208 return 209 } 210 211 // symEncrypt carries out CTR encryption using the block cipher specified in the 212 // parameters. 213 func symEncrypt(rand io.Reader, params *ECIESParams, key, m []byte) (ct []byte, err error) { 214 c, err := params.Cipher(key) 215 if err != nil { 216 return 217 } 218 219 iv, err := generateIV(params, rand) 220 if err != nil { 221 return 222 } 223 ctr := cipher.NewCTR(c, iv) 224 225 ct = make([]byte, len(m)+params.BlockSize) 226 copy(ct, iv) 227 ctr.XORKeyStream(ct[params.BlockSize:], m) 228 return 229 } 230 231 // symDecrypt carries out CTR decryption using the block cipher specified in 232 // the parameters 233 func symDecrypt(params *ECIESParams, key, ct []byte) (m []byte, err error) { 234 c, err := params.Cipher(key) 235 if err != nil { 236 return 237 } 238 239 ctr := cipher.NewCTR(c, ct[:params.BlockSize]) 240 241 m = make([]byte, len(ct)-params.BlockSize) 242 ctr.XORKeyStream(m, ct[params.BlockSize:]) 243 return 244 } 245 246 // Encrypt encrypts a message using ECIES as specified in SEC 1, 5.1. 247 // 248 // s1 and s2 contain shared information that is not part of the resulting 249 // ciphertext. s1 is fed into key derivation, s2 is fed into the MAC. If the 250 // shared information parameters aren't being used, they should be nil. 251 func Encrypt(rand io.Reader, pub *PublicKey, m, s1, s2 []byte) (ct []byte, err error) { 252 params := pub.Params 253 if params == nil { 254 if params = ParamsFromCurve(pub.Curve); params == nil { 255 err = ErrUnsupportedECIESParameters 256 return 257 } 258 } 259 R, err := GenerateKey(rand, pub.Curve, params) 260 if err != nil { 261 return 262 } 263 264 hash := params.Hash() 265 z, err := R.GenerateShared(pub, params.KeyLen, params.KeyLen) 266 if err != nil { 267 return 268 } 269 K, err := concatKDF(hash, z, s1, params.KeyLen+params.KeyLen) 270 if err != nil { 271 return 272 } 273 Ke := K[:params.KeyLen] 274 Km := K[params.KeyLen:] 275 hash.Write(Km) 276 Km = hash.Sum(nil) 277 hash.Reset() 278 279 em, err := symEncrypt(rand, params, Ke, m) 280 if err != nil || len(em) <= params.BlockSize { 281 return 282 } 283 284 d := messageTag(params.Hash, Km, em, s2) 285 286 Rb := elliptic.Marshal(pub.Curve, R.PublicKey.X, R.PublicKey.Y) 287 ct = make([]byte, len(Rb)+len(em)+len(d)) 288 copy(ct, Rb) 289 copy(ct[len(Rb):], em) 290 copy(ct[len(Rb)+len(em):], d) 291 return 292 } 293 294 // Decrypt decrypts an ECIES ciphertext. 295 func (prv *PrivateKey) Decrypt(c, s1, s2 []byte) (m []byte, err error) { 296 if len(c) == 0 { 297 return nil, ErrInvalidMessage 298 } 299 params := prv.PublicKey.Params 300 if params == nil { 301 if params = ParamsFromCurve(prv.PublicKey.Curve); params == nil { 302 err = ErrUnsupportedECIESParameters 303 return 304 } 305 } 306 hash := params.Hash() 307 308 var ( 309 rLen int 310 hLen int = hash.Size() 311 mStart int 312 mEnd int 313 ) 314 315 switch c[0] { 316 case 2, 3, 4: 317 rLen = (prv.PublicKey.Curve.Params().BitSize + 7) / 4 318 if len(c) < (rLen + hLen + 1) { 319 err = ErrInvalidMessage 320 return 321 } 322 default: 323 err = ErrInvalidPublicKey 324 return 325 } 326 327 mStart = rLen 328 mEnd = len(c) - hLen 329 330 R := new(PublicKey) 331 R.Curve = prv.PublicKey.Curve 332 R.X, R.Y = elliptic.Unmarshal(R.Curve, c[:rLen]) 333 if R.X == nil { 334 err = ErrInvalidPublicKey 335 return 336 } 337 if !R.Curve.IsOnCurve(R.X, R.Y) { 338 err = ErrInvalidCurve 339 return 340 } 341 342 z, err := prv.GenerateShared(R, params.KeyLen, params.KeyLen) 343 if err != nil { 344 return 345 } 346 347 K, err := concatKDF(hash, z, s1, params.KeyLen+params.KeyLen) 348 if err != nil { 349 return 350 } 351 352 Ke := K[:params.KeyLen] 353 Km := K[params.KeyLen:] 354 hash.Write(Km) 355 Km = hash.Sum(nil) 356 hash.Reset() 357 358 d := messageTag(params.Hash, Km, c[mStart:mEnd], s2) 359 if subtle.ConstantTimeCompare(c[mEnd:], d) != 1 { 360 err = ErrInvalidMessage 361 return 362 } 363 364 m, err = symDecrypt(params, Ke, c[mStart:mEnd]) 365 return 366 }