github.com/insolar/x-crypto@v0.0.0-20191031140942-75fab8a325f6/x509/sec1.go (about)

     1  // Copyright 2012 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package x509
     6  
     7  import (
     8  	"encoding/asn1"
     9  	"errors"
    10  	"fmt"
    11  	"github.com/insolar/x-crypto/ecdsa"
    12  	"github.com/insolar/x-crypto/elliptic"
    13  	"math/big"
    14  )
    15  
    16  const ecPrivKeyVersion = 1
    17  
    18  // ecPrivateKey reflects an ASN.1 Elliptic Curve Private Key Structure.
    19  // References:
    20  //   RFC 5915
    21  //   SEC1 - http://www.secg.org/sec1-v2.pdf
    22  // Per RFC 5915 the NamedCurveOID is marked as ASN.1 OPTIONAL, however in
    23  // most cases it is not.
    24  type ecPrivateKey struct {
    25  	Version       int
    26  	PrivateKey    []byte
    27  	NamedCurveOID asn1.ObjectIdentifier `asn1:"optional,explicit,tag:0"`
    28  	PublicKey     asn1.BitString        `asn1:"optional,explicit,tag:1"`
    29  }
    30  
    31  // ParseECPrivateKey parses an ASN.1 Elliptic Curve Private Key Structure.
    32  func ParseECPrivateKey(der []byte) (*ecdsa.PrivateKey, error) {
    33  	return parseECPrivateKey(nil, der)
    34  }
    35  
    36  // MarshalECPrivateKey marshals an EC private key into ASN.1, DER format.
    37  func MarshalECPrivateKey(key *ecdsa.PrivateKey) ([]byte, error) {
    38  	oid, ok := oidFromNamedCurve(key.Curve)
    39  	if !ok {
    40  		return nil, errors.New("x509: unknown elliptic curve")
    41  	}
    42  
    43  	return marshalECPrivateKeyWithOID(key, oid)
    44  }
    45  
    46  // marshalECPrivateKey marshals an EC private key into ASN.1, DER format and
    47  // sets the curve ID to the given OID, or omits it if OID is nil.
    48  func marshalECPrivateKeyWithOID(key *ecdsa.PrivateKey, oid asn1.ObjectIdentifier) ([]byte, error) {
    49  	privateKeyBytes := key.D.Bytes()
    50  	paddedPrivateKey := make([]byte, (key.Curve.Params().N.BitLen()+7)/8)
    51  	copy(paddedPrivateKey[len(paddedPrivateKey)-len(privateKeyBytes):], privateKeyBytes)
    52  
    53  	return asn1.Marshal(ecPrivateKey{
    54  		Version:       1,
    55  		PrivateKey:    paddedPrivateKey,
    56  		NamedCurveOID: oid,
    57  		PublicKey:     asn1.BitString{Bytes: elliptic.Marshal(key.Curve, key.X, key.Y)},
    58  	})
    59  }
    60  
    61  // parseECPrivateKey parses an ASN.1 Elliptic Curve Private Key Structure.
    62  // The OID for the named curve may be provided from another source (such as
    63  // the PKCS8 container) - if it is provided then use this instead of the OID
    64  // that may exist in the EC private key structure.
    65  func parseECPrivateKey(namedCurveOID *asn1.ObjectIdentifier, der []byte) (key *ecdsa.PrivateKey, err error) {
    66  	var privKey ecPrivateKey
    67  	if _, err := asn1.Unmarshal(der, &privKey); err != nil {
    68  		return nil, errors.New("x509: failed to parse EC private key: " + err.Error())
    69  	}
    70  	if privKey.Version != ecPrivKeyVersion {
    71  		return nil, fmt.Errorf("x509: unknown EC private key version %d", privKey.Version)
    72  	}
    73  
    74  	var curve elliptic.Curve
    75  	if namedCurveOID != nil {
    76  		curve = namedCurveFromOID(*namedCurveOID)
    77  	} else {
    78  		curve = namedCurveFromOID(privKey.NamedCurveOID)
    79  	}
    80  	if curve == nil {
    81  		return nil, errors.New("x509: unknown elliptic curve")
    82  	}
    83  
    84  	k := new(big.Int).SetBytes(privKey.PrivateKey)
    85  	curveOrder := curve.Params().N
    86  	if k.Cmp(curveOrder) >= 0 {
    87  		return nil, errors.New("x509: invalid elliptic curve private key value")
    88  	}
    89  	priv := new(ecdsa.PrivateKey)
    90  	priv.Curve = curve
    91  	priv.D = k
    92  
    93  	privateKey := make([]byte, (curveOrder.BitLen()+7)/8)
    94  
    95  	// Some private keys have leading zero padding. This is invalid
    96  	// according to [SEC1], but this code will ignore it.
    97  	for len(privKey.PrivateKey) > len(privateKey) {
    98  		if privKey.PrivateKey[0] != 0 {
    99  			return nil, errors.New("x509: invalid private key length")
   100  		}
   101  		privKey.PrivateKey = privKey.PrivateKey[1:]
   102  	}
   103  
   104  	// Some private keys remove all leading zeros, this is also invalid
   105  	// according to [SEC1] but since OpenSSL used to do this, we ignore
   106  	// this too.
   107  	copy(privateKey[len(privateKey)-len(privKey.PrivateKey):], privKey.PrivateKey)
   108  	priv.X, priv.Y = curve.ScalarBaseMult(privateKey)
   109  
   110  	return priv, nil
   111  }