osbzr
/
com
项目红包剩余9514,下一贡献奖励5%,即 476个红包
Watch 15
Star 7
Wiki 捐赠
本站源代码
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Tree: 4f0cac5ea6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4f0cac5ea6'
${ noResults }
com/vendor/github.com/keybase/go-crypto/openpgp/ecdh/ecdh.go

283 lines
7.2KB
Raw Blame History 

  1. package ecdh

  2. 

  3. import (

  4. 	"bytes"

  5. 	"crypto"

  6. 	"crypto/aes"

  7. 	"crypto/elliptic"

  8. 	"encoding/binary"

  9. 	"errors"

  10. 	"github.com/keybase/go-crypto/curve25519"

  11. 	"io"

  12. 	"math/big"

  13. )

  14. 

  15. type PublicKey struct {

  16. 	elliptic.Curve

  17. 	X, Y *big.Int

  18. }

  19. 

  20. type PrivateKey struct {

  21. 	PublicKey

  22. 	X *big.Int

  23. }

  24. 

  25. // KDF implements Key Derivation Function as described in

  26. // https://tools.ietf.org/html/rfc6637#section-7

  27. func (e *PublicKey) KDF(S []byte, kdfParams []byte, hash crypto.Hash) []byte {

  28. 	sLen := (e.Curve.Params().P.BitLen() + 7) / 8

  29. 	buf := new(bytes.Buffer)

  30. 	buf.Write([]byte{0, 0, 0, 1})

  31. 	if sLen > len(S) {

  32. 		// zero-pad the S. If we got invalid S (bigger than curve's

  33. 		// P), we are going to produce invalid key. Garbage in,

  34. 		// garbage out.

  35. 		buf.Write(make([]byte, sLen-len(S)))

  36. 	}

  37. 	buf.Write(S)

  38. 	buf.Write(kdfParams)

  39. 

  40. 	hashw := hash.New()

  41. 

  42. 	hashw.Write(buf.Bytes())

  43. 	key := hashw.Sum(nil)

  44. 

  45. 	return key

  46. }

  47. 

  48. // AESKeyUnwrap implements RFC 3394 Key Unwrapping. See

  49. // http://tools.ietf.org/html/rfc3394#section-2.2.1

  50. // Note: The second described algorithm ("index-based") is implemented

  51. // here.

  52. func AESKeyUnwrap(key, cipherText []byte) ([]byte, error) {

  53. 	if len(cipherText)%8 != 0 {

  54. 		return nil, errors.New("cipherText must by a multiple of 64 bits")

  55. 	}

  56. 

  57. 	cipher, err := aes.NewCipher(key)

  58. 	if err != nil {

  59. 		return nil, err

  60. 	}

  61. 

  62. 	nblocks := len(cipherText)/8 - 1

  63. 

  64. 	// 1) Initialize variables.

  65. 	// - Set A = C[0]

  66. 	var A [aes.BlockSize]byte

  67. 	copy(A[:8], cipherText[:8])

  68. 

  69. 	// For i = 1 to n

  70. 	//   Set R[i] = C[i]

  71. 	R := make([]byte, len(cipherText)-8)

  72. 	copy(R, cipherText[8:])

  73. 

  74. 	// 2) Compute intermediate values.

  75. 	for j := 5; j >= 0; j-- {

  76. 		for i := nblocks - 1; i >= 0; i-- {

  77. 			// B = AES-1(K, (A ^ t) | R[i]) where t = n*j+i

  78. 			// A = MSB(64, B)

  79. 			t := uint64(nblocks*j + i + 1)

  80. 			At := binary.BigEndian.Uint64(A[:8]) ^ t

  81. 			binary.BigEndian.PutUint64(A[:8], At)

  82. 

  83. 			copy(A[8:], R[i*8:i*8+8])

  84. 			cipher.Decrypt(A[:], A[:])

  85. 

  86. 			// R[i] = LSB(B, 64)

  87. 			copy(R[i*8:i*8+8], A[8:])

  88. 		}

  89. 	}

  90. 

  91. 	// 3) Output results.

  92. 	// If A is an appropriate initial value (see 2.2.3),

  93. 	for i := 0; i < 8; i++ {

  94. 		if A[i] != 0xA6 {

  95. 			return nil, errors.New("Failed to unwrap key (A is not IV)")

  96. 		}

  97. 	}

  98. 

  99. 	return R, nil

  100. }

  101. 

  102. // AESKeyWrap implements RFC 3394 Key Wrapping. See

  103. // https://tools.ietf.org/html/rfc3394#section-2.2.2

  104. // Note: The second described algorithm ("index-based") is implemented

  105. // here.

  106. func AESKeyWrap(key, plainText []byte) ([]byte, error) {

  107. 	if len(plainText)%8 != 0 {

  108. 		return nil, errors.New("plainText must be a multiple of 64 bits")

  109. 	}

  110. 

  111. 	cipher, err := aes.NewCipher(key) // NewCipher checks key size

  112. 	if err != nil {

  113. 		return nil, err

  114. 	}

  115. 

  116. 	nblocks := len(plainText) / 8

  117. 

  118. 	// 1) Initialize variables.

  119. 	var A [aes.BlockSize]byte

  120. 	// Section 2.2.3.1 -- Initial Value

  121. 	// http://tools.ietf.org/html/rfc3394#section-2.2.3.1

  122. 	for i := 0; i < 8; i++ {

  123. 		A[i] = 0xA6

  124. 	}

  125. 

  126. 	// For i = 1 to n

  127. 	//   Set R[i] = P[i]

  128. 	R := make([]byte, len(plainText))

  129. 	copy(R, plainText)

  130. 

  131. 	// 2) Calculate intermediate values.

  132. 	for j := 0; j <= 5; j++ {

  133. 		for i := 0; i < nblocks; i++ {

  134. 			// B = AES(K, A | R[i])

  135. 			copy(A[8:], R[i*8:i*8+8])

  136. 			cipher.Encrypt(A[:], A[:])

  137. 

  138. 			// (Assume B = A)

  139. 			// A = MSB(64, B) ^ t where t = (n*j)+1

  140. 			t := uint64(j*nblocks + i + 1)

  141. 			At := binary.BigEndian.Uint64(A[:8]) ^ t

  142. 			binary.BigEndian.PutUint64(A[:8], At)

  143. 

  144. 			// R[i] = LSB(64, B)

  145. 			copy(R[i*8:i*8+8], A[8:])

  146. 		}

  147. 	}

  148. 

  149. 	// 3) Output results.

  150. 	// Set C[0] = A

  151. 	// For i = 1 to n

  152. 	//   C[i] = R[i]

  153. 	return append(A[:8], R...), nil

  154. }

  155. 

  156. // PadBuffer pads byte buffer buf to a length being multiple of

  157. // blockLen. Additional bytes appended to the buffer have value of the

  158. // number padded bytes. E.g. if the buffer is 3 bytes short of being

  159. // 40 bytes total, the appended bytes will be [03, 03, 03].

  160. func PadBuffer(buf []byte, blockLen int) []byte {

  161. 	padding := blockLen - (len(buf) % blockLen)

  162. 	if padding == 0 {

  163. 		return buf

  164. 	}

  165. 

  166. 	padBuf := make([]byte, padding)

  167. 	for i := 0; i < padding; i++ {

  168. 		padBuf[i] = byte(padding)

  169. 	}

  170. 

  171. 	return append(buf, padBuf...)

  172. }

  173. 

  174. // UnpadBuffer verifies that buffer contains proper padding and

  175. // returns buffer without the padding, or nil if the padding was

  176. // invalid.

  177. func UnpadBuffer(buf []byte, dataLen int) []byte {

  178. 	padding := len(buf) - dataLen

  179. 	outBuf := buf[:dataLen]

  180. 

  181. 	for i := dataLen; i < len(buf); i++ {

  182. 		if buf[i] != byte(padding) {

  183. 			// Invalid padding - bail out

  184. 			return nil

  185. 		}

  186. 	}

  187. 

  188. 	return outBuf

  189. }

  190. 

  191. func (e *PublicKey) Encrypt(random io.Reader, kdfParams []byte, plain []byte, hash crypto.Hash, kdfKeySize int) (Vx *big.Int, Vy *big.Int, C []byte, err error) {

  192. 	// Vx, Vy - encryption key

  193. 

  194. 	// Note for Curve 25519 - curve25519 library already does key

  195. 	// clamping in scalarMult, so we can use generic random scalar

  196. 	// generation from elliptic.

  197. 	priv, Vx, Vy, err := elliptic.GenerateKey(e.Curve, random)

  198. 	if err != nil {

  199. 		return nil, nil, nil, err

  200. 	}

  201. 

  202. 	// Sx, Sy - shared secret

  203. 	Sx, _ := e.Curve.ScalarMult(e.X, e.Y, priv)

  204. 

  205. 	// Encrypt the payload with KDF-ed S as the encryption key. Pass

  206. 	// the ciphertext along with V to the recipient. Recipient can

  207. 	// generate S using V and their priv key, and then KDF(S), on

  208. 	// their own, to get encryption key and decrypt the ciphertext,

  209. 	// revealing encryption key for symmetric encryption later.

  210. 

  211. 	plain = PadBuffer(plain, 8)

  212. 	key := e.KDF(Sx.Bytes(), kdfParams, hash)

  213. 

  214. 	// Take only as many bytes from key as the key length (the hash

  215. 	// result might be bigger)

  216. 	encrypted, err := AESKeyWrap(key[:kdfKeySize], plain)

  217. 

  218. 	return Vx, Vy, encrypted, nil

  219. }

  220. 

  221. func (e *PrivateKey) DecryptShared(X, Y *big.Int) []byte {

  222. 	Sx, _ := e.Curve.ScalarMult(X, Y, e.X.Bytes())

  223. 	return Sx.Bytes()

  224. }

  225. 

  226. func countBits(buffer []byte) int {

  227. 	var headerLen int

  228. 	switch buffer[0] {

  229. 	case 0x4:

  230. 		headerLen = 3

  231. 	case 0x40:

  232. 		headerLen = 7

  233. 	default:

  234. 		// Unexpected header - but we can still count the bits.

  235. 		val := buffer[0]

  236. 		headerLen = 0

  237. 		for val > 0 {

  238. 			val = val / 2

  239. 			headerLen++

  240. 		}

  241. 	}

  242. 

  243. 	return headerLen + (len(buffer)-1)*8

  244. }

  245. 

  246. // elliptic.Marshal and elliptic.Unmarshal only marshals uncompressed

  247. // 0x4 MPI types. These functions will check if the curve is cv25519,

  248. // and if so, use 0x40 compressed type to (un)marshal. Otherwise,

  249. // elliptic.(Un)marshal will be called.

  250. 

  251. // Marshal encodes point into either 0x4 uncompressed point form, or

  252. // 0x40 compressed point for Curve 25519.

  253. func Marshal(curve elliptic.Curve, x, y *big.Int) (buf []byte, bitSize int) {

  254. 	// NOTE: Read more about MPI encoding in the RFC:

  255. 	// https://tools.ietf.org/html/rfc4880#section-3.2

  256. 

  257. 	// We are required to encode size in bits, counting from the most-

  258. 	// significant non-zero bit. So assuming that the buffer never

  259. 	// starts with 0x00, we only need to count bits in the first byte

  260. 	// - and in current implentation it will always be 0x4 or 0x40.

  261. 

  262. 	cv, ok := curve25519.ToCurve25519(curve)

  263. 	if ok {

  264. 		buf = cv.MarshalType40(x, y)

  265. 	} else {

  266. 		buf = elliptic.Marshal(curve, x, y)

  267. 	}

  268. 

  269. 	return buf, countBits(buf)

  270. }

  271. 

  272. // Unmarshal converts point, serialized by Marshal, into x, y pair.

  273. // For 0x40 compressed points (for Curve 25519), y will always be 0.

  274. // It is an error if point is not on the curve, On error, x = nil.

  275. func Unmarshal(curve elliptic.Curve, data []byte) (x, y *big.Int) {

  276. 	cv, ok := curve25519.ToCurve25519(curve)

  277. 	if ok {

  278. 		return cv.UnmarshalType40(data)

  279. 	}

  280. 

  281. 	return elliptic.Unmarshal(curve, data)

  282. }
上海开阖软件有限公司 沪ICP备12045867号-1