
Commit b72d816

committed
P384-sha384
1 parent a7dc215 commit b72d816


3 files changed

+73
-37
lines changed


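--- a/crypto.go
+++ b/crypto.go
@@ -86,19 +86,29 @@ func NewRSAPSSSigner(keyID string, key rsa.PrivateKey, config *SignConfig, field
 // NewP256Signer returns a new Signer structure. Key is an elliptic curve P-256 private key.
 // Config may be nil for a default configuration.
 func NewP256Signer(keyID string, key ecdsa.PrivateKey, config *SignConfig, fields Fields) (*Signer, error) {
+return newECCSigner(keyID, key, config, fields, elliptic.P256(), "P-256", "ecdsa-p256-sha256")
+}
+
+// NewP384Signer returns a new Signer structure. Key is an elliptic curve P-384 private key.
+// Config may be nil for a default configuration.
+func NewP384Signer(keyID string, key ecdsa.PrivateKey, config *SignConfig, fields Fields) (*Signer, error) {
+return newECCSigner(keyID, key, config, fields, elliptic.P384(), "P-384", "ecdsa-p384-sha384")
+}
+
+func newECCSigner(keyID string, key ecdsa.PrivateKey, config *SignConfig, fields Fields, curve elliptic.Curve, curveName, alg string) (*Signer, error) {
 if keyID == "" {
 return nil, fmt.Errorf("keyID must not be empty")
 }
-if key.Curve != elliptic.P256() {
-return nil, fmt.Errorf("key curve must be P-256")
+if key.Curve != curve {
+return nil, fmt.Errorf("key curve must be %s", curveName)
 }
 if config == nil {
 config = NewSignConfig()
 }
 return &Signer{
 keyID: keyID,
 key: key,
-alg: "ecdsa-p256-sha256",
+alg: alg,
 config: config,
 fields: fields,
 }, nil
@@ -196,6 +206,10 @@ func (s Signer) sign(buff []byte) ([]byte, error) {
 hashed := sha256.Sum256(buff)
 key := s.key.(ecdsa.PrivateKey)
 return ecdsaSignRaw(rand.Reader, &key, hashed[:])
+case "ecdsa-p384-sha384":
+hashed := sha512.Sum384(buff)
+key := s.key.(ecdsa.PrivateKey)
+return ecdsaSignRaw(rand.Reader, &key, hashed[:])
 case "ed25519":
 key := s.key.(ed25519.PrivateKey)
 return ed25519.Sign(key, buff), nil
@@ -277,19 +291,29 @@ func NewRSAPSSVerifier(keyID string, key rsa.PublicKey, config *VerifyConfig, fi
 // NewP256Verifier generates a new Verifier for ECDSA (P-256) signatures. Set config to nil for a default configuration.
 // Fields is the list of required headers and fields, which may be empty (but this is typically insecure).
 func NewP256Verifier(keyID string, key ecdsa.PublicKey, config *VerifyConfig, fields Fields) (*Verifier, error) {
+return newECCVerifier(keyID, key, config, fields, elliptic.P256(), "P-256", "ecdsa-p256-sha256")
+}
+
+// NewP384Verifier generates a new Verifier for ECDSA (P-384) signatures. Set config to nil for a default configuration.
+// Fields is the list of required headers and fields, which may be empty (but this is typically insecure).
+func NewP384Verifier(keyID string, key ecdsa.PublicKey, config *VerifyConfig, fields Fields) (*Verifier, error) {
+return newECCVerifier(keyID, key, config, fields, elliptic.P384(), "P-384", "ecdsa-p384-sha384")
+}
+
+func newECCVerifier(keyID string, key ecdsa.PublicKey, config *VerifyConfig, fields Fields, curve elliptic.Curve, curveName, alg string) (*Verifier, error) {
 if config == nil {
 config = NewVerifyConfig()
 }
 if config.verifyKeyID && keyID == "" {
 return nil, fmt.Errorf("keyID should not be empty")
 }
-if key.Curve != elliptic.P256() {
-return nil, fmt.Errorf("key curve must be P-256")
+if key.Curve != curve {
+return nil, fmt.Errorf("key curve must be %s", curveName)
 }
 return &Verifier{
 keyID: keyID,
 key: key,
-alg: "ecdsa-p256-sha256",
+alg: alg,
 config: config,
 fields: fields,
 }, nil
@@ -385,6 +409,10 @@ func (v Verifier) verify(buff []byte, sig []byte) (bool, error) {
 hashed := sha256.Sum256(buff)
 key := v.key.(ecdsa.PublicKey)
 return ecdsaVerifyRaw(&key, hashed[:], sig)
+case "ecdsa-p384-sha384":
+hashed := sha512.Sum384(buff)
+key := v.key.(ecdsa.PublicKey)
+return ecdsaVerifyRaw(&key, hashed[:], sig)
 case "ed25519":
 key := v.key.(ed25519.PublicKey)
 verified := ed25519.Verify(key, buff, sig)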
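Review bot: `newECCSigner` (and `newECCVerifier` in the third hunk) take `curve`, `curveName` and `alg` as three independent arguments, and nothing in the visible code checks that they describe the same curve/hash pairing; the `sign` and `verify` switches then choose the digest from `alg` alone. Both helpers are also undocumented. I would add a doc comment such as `// newECCSigner builds an ECDSA Signer; curve, curveName and alg must name the same pairing (e.g. elliptic.P384(), "P-384", "ecdsa-p384-sha384").` and the equivalent on `newECCVerifier`, so that a later curve addition cannot silently bind a key to the wrong hash. The closing brace of each helper falls outside its hunk.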

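--- a/ecdsa.go
+++ b/ecdsa.go
@@ -58,6 +58,9 @@ func sigComponentLen(curve string) (int, int, error) {
 case "P-256":
 lr = 32
 ls = 32
+case "P-384":
+lr = 48
+ls = 48
 default:
 return 0, 0, fmt.Errorf("unknown curve \"%s\"", curve)
 }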
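Review bot: The new `case "P-384"` hard-codes `lr = 48` / `ls = 48` without saying where the number comes from; a short comment such as `// P-384: r and s are each 48 bytes (384-bit field), 96-byte raw signature` would make the table auditable. Whether the verify path rejects a signature whose length is not exactly `lr+ls` is not visible here, since `sigComponentLen` starts and ends outside the hunk; that is worth confirming for the longer P-384 encoding.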

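--- a/signatures_test.go
+++ b/signatures_test.go
@@ -269,19 +269,6 @@ rOjr9w349JooGXhOxbu8nOxX
 -----END RSA PRIVATE KEY-----
 `
 
-var p256PubKey = `-----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWAO+Y/BP3c7Aw7dSWYGkuckwl/e6
-H54D/P9uzXDjby0Frysdpcny/NL807iRVfVDDg+ctHhuRTzBwP+lwVdN2g==
------END PUBLIC KEY-----
-`
-
-var p256PrvKey = `-----BEGIN EC PRIVATE KEY-----
-MHcCAQEEIMLnTZwmWikcBCrKlXZVUjaq9jwsv22sy/P7yIIonkVwoAoGCCqGSM49
-AwEHoUQDQgAEWAO+Y/BP3c7Aw7dSWYGkuckwl/e6H54D/P9uzXDjby0Frysdpcny
-/NL807iRVfVDDg+ctHhuRTzBwP+lwVdN2g==
------END EC PRIVATE KEY-----
-`
-
 // Note: the private key from the draft is never used
 var p256PubKey2 = `-----BEGIN PUBLIC KEY-----
 MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqIVYZVLCrPZHGHjP17CTW0/+D9Lf
@@ -351,18 +338,6 @@ func parseRsaPublicKeyFromPemStr(pemString string) (*rsa.PublicKey, error) {
 return k.(*rsa.PublicKey), nil
 }
 
-func parseECPrivateKeyFromPemStr(pemString string) (*ecdsa.PrivateKey, error) {
-block, _ := pem.Decode([]byte(pemString))
-if block == nil {
-return nil, fmt.Errorf("cannot decode PEM")
-}
-k, err := x509.ParseECPrivateKey(block.Bytes)
-if err != nil {
-return nil, err
-}
-return k, nil
-}
-
 func parseECPublicKeyFromPemStr(pemString string) (*ecdsa.PublicKey, error) {
 block, _ := pem.Decode([]byte(pemString))
 if block == nil {
@@ -804,9 +779,9 @@ func TestSignAndVerifyRSA(t *testing.T) {
 func TestSignAndVerifyP256(t *testing.T) {
 config := NewSignConfig().setFakeCreated(1618884475)
 signatureName := "sig1"
-prvKey, err := parseECPrivateKeyFromPemStr(p256PrvKey)
+prvKey, pubKey, err := genP256KeyPair()
 if err != nil {
-t.Errorf("cannot read private key")
+t.Errorf("cannot generate P-256 keypair")
 }
 fields := *NewFields().AddHeader("@method").AddHeader("Date").AddHeader("Content-Type").AddQueryParam("pet")
 signer, _ := NewP256Signer("test-key-p256", *prvKey, config, fields)
@@ -817,11 +792,33 @@ func TestSignAndVerifyP256(t *testing.T) {
 }
 req.Header.Add("Signature", sig)
 req.Header.Add("Signature-Input", sigInput)
-pubKey, err := parseECPublicKeyFromPemStr(p256PubKey)
+verifier, err := NewP256Verifier("test-key-p256", *pubKey, NewVerifyConfig().SetVerifyCreated(false), fields)
 if err != nil {
-t.Errorf("cannot read public key: %v", err)
+t.Errorf("could not generate Verifier: %s", err)
 }
-verifier, err := NewP256Verifier("test-key-p256", *pubKey, NewVerifyConfig().SetVerifyCreated(false), fields)
+err = VerifyRequest(signatureName, *verifier, req)
+if err != nil {
+t.Errorf("verification error: %s", err)
+}
+}
+
+func TestSignAndVerifyP384(t *testing.T) {
+config := NewSignConfig().setFakeCreated(1618884475)
+signatureName := "sig1"
+prvKey, pubKey, err := genP384KeyPair()
+if err != nil {
+t.Errorf("cannot generate P-384 keypair")
+}
+fields := *NewFields().AddHeader("@method").AddHeader("Date").AddHeader("Content-Type").AddQueryParam("pet")
+signer, _ := NewP384Signer("test-key-p384", *prvKey, config, fields)
+req := readRequest(httpreq2)
+sigInput, sig, err := SignRequest(signatureName, *signer, req)
+if err != nil {
+t.Errorf("signature failed: %v", err)
+}
+req.Header.Add("Signature", sig)
+req.Header.Add("Signature-Input", sigInput)
+verifier, err := NewP384Verifier("test-key-p384", *pubKey, NewVerifyConfig().SetVerifyCreated(false), fields)
 if err != nil {
 t.Errorf("could not generate Verifier: %s", err)
 }
@@ -1190,7 +1187,15 @@ func TestResponseDetails(t *testing.T) {
 }
 
 func genP256KeyPair() (priv *ecdsa.PrivateKey, pub *ecdsa.PublicKey, err error) {
-priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+return genECCKeypair(elliptic.P256())
+}
+
+func genP384KeyPair() (priv *ecdsa.PrivateKey, pub *ecdsa.PublicKey, err error) {
+return genECCKeypair(elliptic.P384())
+}
+
+func genECCKeypair(curve elliptic.Curve) (priv *ecdsa.PrivateKey, pub *ecdsa.PublicKey, err error) {
+priv, err = ecdsa.GenerateKey(curve, rand.Reader)
 if err != nil {
 return nil, nil, err
 }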
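Review bot: In `TestSignAndVerifyP384` the constructor error is discarded (`signer, _ := NewP384Signer(...)`) and a key-generation failure is only reported with `t.Errorf`, so the test carries on and dereferences a nil `*prvKey` or `*signer`; use `signer, err := NewP384Signer("test-key-p384", *prvKey, config, fields)` and `t.Fatalf` on error. The same pattern is in `TestSignAndVerifyP256`. The commit also parameterises the curve check but adds no negative case: a test that passes a key from `genP256KeyPair()` to `NewP384Signer` and `NewP384Verifier` and expects an error would pin that check. The end of `TestSignAndVerifyP384` lies outside the hunk.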
