crypto::ecdsa
This module implements the elliptic curve digital signature algorithm for a selection of curves supported by crypto::ec.
This is a low-level module which implements cryptographic primitives. Direct use of cryptographic primitives is not recommended for non-experts, as incorrect use of these primitives can easily lead to the introduction of security vulnerabilities. Non-experts are advised to use the high-level operations available in the top-level crypto:: module.
Be advised that Hare's cryptography implementations have not been audited.
Index
Types
type p256privkey = struct {
priv: privkey,
x: [ec::P256_SCALARSZ]u8,
};
type p256pubkey = struct {
pub: pubkey,
q: [ec::P256_POINTSZ]u8,
};
type p384privkey = struct {
priv: privkey,
x: [ec::P384_SCALARSZ]u8,
};
type p384pubkey = struct {
pub: pubkey,
q: [ec::P384_POINTSZ]u8,
};
type p521privkey = struct {
priv: privkey,
x: [ec::P521_SCALARSZ]u8,
};
type p521pubkey = struct {
pub: pubkey,
q: [ec::P521_POINTSZ]u8,
};
type privkey = struct {
curve: *ec::curve,
get_x: *fn(priv: *privkey) []u8,
};
type pubkey = struct {
curve: *ec::curve,
get_q: *fn(pub: *pubkey) []u8,
};
Errors
type error = !(invalidkey | invalidsig);
type invalidkey = !void;
type invalidsig = !void;
Constants
def MAX_SIGSZ = ec::MAX_POINTSZ - 1;
def P256_SIGSZ = 64;
def P384_SIGSZ = 96;
def P521_SIGSZ = 132;
Functions
fn newkey(priv: *privkey, rand: io::handle) (void | io::error);
fn p256priv() p256privkey;
fn p256pub() p256pubkey;
fn p384priv() p384privkey;
fn p521priv() p521privkey;
fn privkey_buf(priv: *privkey) []u8;
fn privkey_finish(priv: *privkey) void;
fn privkey_validate(priv: *privkey) (void | invalidkey);
fn pubkey_buf(pub: *pubkey) []u8;
fn pubkey_derive(pub: *pubkey, priv: *privkey) void;
fn pubkey_init(pub: *pubkey, x: []u8, y: []u8) (void | invalidkey);
fn pubkey_validate(pub: *pubkey) (void | invalidkey);
fn pubkey_validate_format(pub: *pubkey) (void | invalidkey);
fn sign(priv: *privkey, hash: []u8, hashfn: *hash::hash, hashbuf: []u8, sig: []u8) (u32 | invalidkey);
fn sigsz(key: (*pubkey | *privkey)) size;
fn strerror(e: error) str;
fn verify(pub: *pubkey, hash: []u8, sig: []u8) (void | error);
fn p384pub() p384pubkey;
fn p521pub() p521pubkey;
Types
type p256privkey
Show undocumented member
type p256privkey = struct {
priv: privkey,
x: [ec::P256_SCALARSZ]u8,
};
type p256pubkey
Show undocumented member
type p256pubkey = struct {
pub: pubkey,
q: [ec::P256_POINTSZ]u8,
};
type p384privkey
Show undocumented member
type p384privkey = struct {
priv: privkey,
x: [ec::P384_SCALARSZ]u8,
};
type p384pubkey
Show undocumented member
type p384pubkey = struct {
pub: pubkey,
q: [ec::P384_POINTSZ]u8,
};
type p521privkey
Show undocumented member
type p521privkey = struct {
priv: privkey,
x: [ec::P521_SCALARSZ]u8,
};
type p521pubkey
Show undocumented member
type p521pubkey = struct {
pub: pubkey,
q: [ec::P521_POINTSZ]u8,
};
type privkey
Show undocumented member
type privkey = struct {
curve: *ec::curve,
get_x: *fn(priv: *privkey) []u8,
};
type pubkey
Show undocumented member
type pubkey = struct {
curve: *ec::curve,
get_q: *fn(pub: *pubkey) []u8,
};
Errors
type error
type error = !(invalidkey | invalidsig);
Possible ecdsa errors.
type invalidkey
type invalidkey = !void;
Invalid key.
type invalidsig
type invalidsig = !void;
Invalid signature.
Constants
def MAX_SIGSZ
def MAX_SIGSZ = ec::MAX_POINTSZ - 1;
Maximum signature size of curves supported by crypto::ec.
def P256_SIGSZ
def P256_SIGSZ = 64;
Size of signature created with a P256 key.
def P384_SIGSZ
def P384_SIGSZ = 96;
Size of signature created with a P384 key.
def P521_SIGSZ
def P521_SIGSZ = 132;
Size of signature created with a P521 key.
Functions
fn newkey
fn newkey(priv: *privkey, rand: io::handle) (void | io::error);
Generates a key seeding from the 'rand' stream and stores it in 'priv'. 'rand' must be a cryptographic random generator like crypto::random::stream.
fn p256priv
fn p256priv() p256privkey;
Creates an unitialized p256 privkey. The curve is also known as secp256r1 or prime256. The key must be initialized using newkey. The key must be finished with privkey_finish to wipe it from memory.
fn p256pub
fn p256pub() p256pubkey;
Creates an unitialized p256 pubkey. The curve is also known as secp256r1 or prime256.
fn p384priv
fn p384priv() p384privkey;
Creates an unitialized p384 privkey. The curve is also known as secp384r1. The key must be initialized using newkey. The key must be finished with privkey_finish to wipe it from memory.
fn p521priv
fn p521priv() p521privkey;
Creates an unitialized p521 privkey. The curve is also known as secp521r1. The key must be initialized using newkey. The key must be finished with privkey_finish to wipe it from memory.
fn privkey_buf
fn privkey_buf(priv: *privkey) []u8;
Returns the buffer to the encoded key. See crypto::ec::curve on how the scalar must be encoded. The key must be valid, otherwise undefined behaviour may result. The function privkey_validate checks if the scalar is valid for given curve.
fn privkey_finish
fn privkey_finish(priv: *privkey) void;
Wipes private key data from memory.
fn privkey_validate
fn privkey_validate(priv: *privkey) (void | invalidkey);
Checks whether 'priv' is a valid private key.
fn pubkey_buf
fn pubkey_buf(pub: *pubkey) []u8;
Returns the buffer to the point stored in 'pub' to be able to store or read the point in encoded form. See crypto::ec::curve for how the point is and must be encoded.
fn pubkey_derive
fn pubkey_derive(pub: *pubkey, priv: *privkey) void;
Derives the public key from given 'priv' and stores it into 'pub'.
fn pubkey_init
fn pubkey_init(pub: *pubkey, x: []u8, y: []u8) (void | invalidkey);
Initializes the pubkey 'pub' from the coordinates 'x' and 'y' of a public point.
Does not validate if the point is on curve. verify will fail, if such is the case.
fn pubkey_validate
fn pubkey_validate(pub: *pubkey) (void | invalidkey);
Validates the key of 'pub' and checks whether the point is on the curve. This operation is expensive and is not strictly necessary, since this is done during verify also.
fn pubkey_validate_format(pub: *pubkey) (void | invalidkey);
Validates if the pubkey is encoded properly. Does not check if the point is on curve. verify will fail, if the point is not on the curve.
fn sign
fn sign(priv: *privkey, hash: []u8, hashfn: *hash::hash, hashbuf: []u8, sig: []u8) (u32 | invalidkey);
Signs hashed message 'hash' with the private key and stores it into 'sig'. Returns the number of bytes written to sig on success or invalidkey otherwise.
The signature is done in a deterministic way according to RFC 6979, hence 'hashfn' and 'hashbuf' are required. 'hashfn' can be the same as the one that created 'hash', though it might not be. The overall security will be limited by the weaker of the two hash functions, according to the RFC. 'hashbuf' must be of size hash::sz of 'hashfn' * 2 + hash::bsz of 'hashfn'.
For the size requirenment of 'sig' see sigsz.
fn sigsz
fn sigsz(key: (*pubkey | *privkey)) size;
Returns the size of a signature created/verifiable with given key. It is crypto::ec::pointsz - 1 for the NIST curves.
fn strerror
fn strerror(e: error) str;
String representation of error 'e'.
fn verify
fn verify(pub: *pubkey, hash: []u8, sig: []u8) (void | error);
Verifies the signature 'sig' with message 'hash' using the public key 'pub'. Returns invalidkey or invalidsig in case of error. An invalid key may not be detected and causes an invalidsig in this case. Verification is done in constant time, but may return earlier if the signature format is not valid.
fn p384pub
Show undocumented member
fn p384pub() p384pubkey;
fn p521pub
Show undocumented member
fn p521pub() p521pubkey;