crypto::ecdsa+x86_64 +linux

This module implements the elliptic curve digital signature algorithm for a selection of curves supported by crypto::ec.

This is a low-level module which implements cryptographic primitives. Direct use of cryptographic primitives is not recommended for non-experts, as incorrect use of these primitives can easily lead to the introduction of security vulnerabilities. Non-experts are advised to use the high-level operations available in the top-level crypto:: module.

Be advised that Hare's cryptography implementations have not been audited.

Index

Types

// Undocumented types:
type p256privkey = struct {
	priv: privkey,
	x: [ec::P256_SCALARSZ]u8,
};
type p256pubkey = struct {
	pub: pubkey,
	q: [ec::P256_POINTSZ]u8,
};
type p384privkey = struct {
	priv: privkey,
	x: [ec::P384_SCALARSZ]u8,
};
type p384pubkey = struct {
	pub: pubkey,
	q: [ec::P384_POINTSZ]u8,
};
type p521privkey = struct {
	priv: privkey,
	x: [ec::P521_SCALARSZ]u8,
};
type p521pubkey = struct {
	pub: pubkey,
	q: [ec::P521_POINTSZ]u8,
};
type privkey = struct {
	curve: *ec::curve,
	get_x: *fn(priv: *privkey) []u8,
};
type pubkey = struct {
	curve: *ec::curve,
	get_q: *fn(pub: *pubkey) []u8,
};

Errors

type error = !(invalidkey | invalidsig);
type invalidkey = !void;
type invalidsig = !void;

Constants

def MAX_SIGSZ = ec::MAX_POINTSZ - 1;
def P256_SIGSZ = 64;
def P384_SIGSZ = 96;
def P521_SIGSZ = 132;

Functions

fn newkey(priv: *privkey, rand: io::handle) (void | io::error);
fn p256priv() p256privkey;
fn p256pub() p256pubkey;
fn p384priv() p384privkey;
fn p521priv() p521privkey;
fn privkey_buf(priv: *privkey) []u8;
fn privkey_finish(priv: *privkey) void;
fn privkey_validate(priv: *privkey) (void | invalidkey);
fn pubkey_buf(pub: *pubkey) []u8;
fn pubkey_derive(pub: *pubkey, priv: *privkey) void;
fn pubkey_init(pub: *pubkey, x: []u8, y: []u8) (void | invalidkey);
fn pubkey_validate(pub: *pubkey) (void | invalidkey);
fn pubkey_validate_format(pub: *pubkey) (void | invalidkey);
fn sign(priv: *privkey, hash: []u8, hashfn: *hash::hash, hashbuf: []u8, sig: []u8) (u32 | invalidkey);
fn sigsz(key: (*pubkey | *privkey)) size;
fn strerror(e: error) str;
fn verify(pub: *pubkey, hash: []u8, sig: []u8) (void | error);

// Undocumented functions:
fn p384pub() p384pubkey;
fn p521pub() p521pubkey;

Types

type p256privkey[link]

Show undocumented member
type p256privkey = struct {
	priv: privkey,
	x: [ec::P256_SCALARSZ]u8,
};

type p256pubkey[link]

Show undocumented member
type p256pubkey = struct {
	pub: pubkey,
	q: [ec::P256_POINTSZ]u8,
};

type p384privkey[link]

Show undocumented member
type p384privkey = struct {
	priv: privkey,
	x: [ec::P384_SCALARSZ]u8,
};

type p384pubkey[link]

Show undocumented member
type p384pubkey = struct {
	pub: pubkey,
	q: [ec::P384_POINTSZ]u8,
};

type p521privkey[link]

Show undocumented member
type p521privkey = struct {
	priv: privkey,
	x: [ec::P521_SCALARSZ]u8,
};

type p521pubkey[link]

Show undocumented member
type p521pubkey = struct {
	pub: pubkey,
	q: [ec::P521_POINTSZ]u8,
};

type privkey[link]

Show undocumented member
type privkey = struct {
	curve: *ec::curve,
	get_x: *fn(priv: *privkey) []u8,
};

type pubkey[link]

Show undocumented member
type pubkey = struct {
	curve: *ec::curve,
	get_q: *fn(pub: *pubkey) []u8,
};

Errors

type error[link]

type error = !(invalidkey | invalidsig);

Possible ecdsa errors.

type invalidkey[link]

type invalidkey = !void;

Invalid key.

type invalidsig[link]

type invalidsig = !void;

Invalid signature.

Constants

def MAX_SIGSZ[link]

def MAX_SIGSZ = ec::MAX_POINTSZ - 1;

Maximum signature size of curves supported by crypto::ec.

def P256_SIGSZ[link]

def P256_SIGSZ = 64;

Size of signature created with a P256 key.

def P384_SIGSZ[link]

def P384_SIGSZ = 96;

Size of signature created with a P384 key.

def P521_SIGSZ[link]

def P521_SIGSZ = 132;

Size of signature created with a P521 key.

Functions

fn newkey[link]

fn newkey(priv: *privkey, rand: io::handle) (void | io::error);

Generates a key seeding from the 'rand' stream and stores it in 'priv'. 'rand' must be a cryptographic random generator like crypto::random::stream.

fn p256priv[link]

fn p256priv() p256privkey;

Creates an unitialized p256 privkey. The curve is also known as secp256r1 or prime256. The key must be initialized using newkey. The key must be finished with privkey_finish to wipe it from memory.

fn p256pub[link]

fn p256pub() p256pubkey;

Creates an unitialized p256 pubkey. The curve is also known as secp256r1 or prime256.

fn p384priv[link]

fn p384priv() p384privkey;

Creates an unitialized p384 privkey. The curve is also known as secp384r1. The key must be initialized using newkey. The key must be finished with privkey_finish to wipe it from memory.

fn p521priv[link]

fn p521priv() p521privkey;

Creates an unitialized p521 privkey. The curve is also known as secp521r1. The key must be initialized using newkey. The key must be finished with privkey_finish to wipe it from memory.

fn privkey_buf[link]

fn privkey_buf(priv: *privkey) []u8;

Returns the buffer to the encoded key. See crypto::ec::curve on how the scalar must be encoded. The key must be valid, otherwise undefined behaviour may result. The function privkey_validate checks if the scalar is valid for given curve.

fn privkey_finish[link]

fn privkey_finish(priv: *privkey) void;

Wipes private key data from memory.

fn privkey_validate[link]

fn privkey_validate(priv: *privkey) (void | invalidkey);

Checks whether 'priv' is a valid private key.

fn pubkey_buf[link]

fn pubkey_buf(pub: *pubkey) []u8;

Returns the buffer to the point stored in 'pub' to be able to store or read the point in encoded form. See crypto::ec::curve for how the point is and must be encoded.

fn pubkey_derive[link]

fn pubkey_derive(pub: *pubkey, priv: *privkey) void;

Derives the public key from given 'priv' and stores it into 'pub'.

fn pubkey_init[link]

fn pubkey_init(pub: *pubkey, x: []u8, y: []u8) (void | invalidkey);

Initializes the pubkey 'pub' from the coordinates 'x' and 'y' of a public point.

Does not validate if the point is on curve. verify will fail, if such is the case.

fn pubkey_validate[link]

fn pubkey_validate(pub: *pubkey) (void | invalidkey);

Validates the key of 'pub' and checks whether the point is on the curve. This operation is expensive and is not strictly necessary, since this is done during verify also.

fn pubkey_validate_format[link]

fn pubkey_validate_format(pub: *pubkey) (void | invalidkey);

Validates if the pubkey is encoded properly. Does not check if the point is on curve. verify will fail, if the point is not on the curve.

fn sign[link]

fn sign(priv: *privkey, hash: []u8, hashfn: *hash::hash, hashbuf: []u8, sig: []u8) (u32 | invalidkey);

Signs hashed message 'hash' with the private key and stores it into 'sig'. Returns the number of bytes written to sig on success or invalidkey otherwise.

The signature is done in a deterministic way according to RFC 6979, hence 'hashfn' and 'hashbuf' are required. 'hashfn' can be the same as the one that created 'hash', though it might not be. The overall security will be limited by the weaker of the two hash functions, according to the RFC. 'hashbuf' must be of size hash::sz of 'hashfn' * 2 + hash::bsz of 'hashfn'.

For the size requirenment of 'sig' see sigsz.

fn sigsz[link]

fn sigsz(key: (*pubkey | *privkey)) size;

Returns the size of a signature created/verifiable with given key. It is crypto::ec::pointsz - 1 for the NIST curves.

fn strerror[link]

fn strerror(e: error) str;

String representation of error 'e'.

fn verify[link]

fn verify(pub: *pubkey, hash: []u8, sig: []u8) (void | error);

Verifies the signature 'sig' with message 'hash' using the public key 'pub'. Returns invalidkey or invalidsig in case of error. An invalid key may not be detected and causes an invalidsig in this case. Verification is done in constant time, but may return earlier if the signature format is not valid.

fn p384pub[link]

Show undocumented member
fn p384pub() p384pubkey;

fn p521pub[link]

Show undocumented member
fn p521pub() p521pubkey;