Functions
ECDH
method
#
ECDH returns k as a [ecdh.PrivateKey]. It returns an error if the key is
invalid according to the definition of [ecdh.Curve.NewPrivateKey], or if the
Curve is not supported by [crypto/ecdh].
func (k *PrivateKey) ECDH() (*ecdh.PrivateKey, error)
ECDH
method
#
ECDH returns k as a [ecdh.PublicKey]. It returns an error if the key is
invalid according to the definition of [ecdh.Curve.NewPublicKey], or if the
Curve is not supported by crypto/ecdh.
func (k *PublicKey) ECDH() (*ecdh.PublicKey, error)
Equal
method
#
Equal reports whether priv and x have the same value.
See [PublicKey.Equal] for details on how Curve is compared.
func (priv *PrivateKey) Equal(x crypto.PrivateKey) bool
Equal
method
#
Equal reports whether pub and x have the same value.
Two keys are only considered to have the same value if they have the same Curve value.
Note that for example [elliptic.P256] and elliptic.P256().Params() are different
values, as the latter is a generic not constant time implementation.
func (pub *PublicKey) Equal(x crypto.PublicKey) bool
GenerateKey
function
#
GenerateKey generates a new ECDSA private key for the specified curve.
Most applications should use [crypto/rand.Reader] as rand. Note that the
returned key does not depend deterministically on the bytes read from rand,
and may change between calls and/or between versions.
func GenerateKey(c elliptic.Curve, rand io.Reader) (*PrivateKey, error)
Public
method
#
Public returns the public key corresponding to priv.
func (priv *PrivateKey) Public() crypto.PublicKey
Sign
function
#
Sign signs a hash (which should be the result of hashing a larger message)
using the private key, priv. If the hash is longer than the bit-length of the
private key's curve order, the hash will be truncated to that length. It
returns the signature as a pair of integers. Most applications should use
[SignASN1] instead of dealing directly with r, s.
func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r *big.Int, s *big.Int, err error)
Sign
method
#
Sign signs a hash (which should be the result of hashing a larger message
with opts.HashFunc()) using the private key, priv. If the hash is longer than
the bit-length of the private key's curve order, the hash will be truncated
to that length. It returns the ASN.1 encoded signature, like [SignASN1].
If rand is not nil, the signature is randomized. Most applications should use
[crypto/rand.Reader] as rand. Note that the returned signature does not
depend deterministically on the bytes read from rand, and may change between
calls and/or between versions.
If rand is nil, Sign will produce a deterministic signature according to RFC
6979. When producing a deterministic signature, opts.HashFunc() must be the
function used to produce digest and priv.Curve must be one of
[elliptic.P224], [elliptic.P256], [elliptic.P384], or [elliptic.P521].
func (priv *PrivateKey) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error)
SignASN1
function
#
SignASN1 signs a hash (which should be the result of hashing a larger message)
using the private key, priv. If the hash is longer than the bit-length of the
private key's curve order, the hash will be truncated to that length. It
returns the ASN.1 encoded signature.
The signature is randomized. Most applications should use [crypto/rand.Reader]
as rand. Note that the returned signature does not depend deterministically on
the bytes read from rand, and may change between calls and/or between versions.
func SignASN1(rand io.Reader, priv *PrivateKey, hash []byte) ([]byte, error)
Verify
function
#
Verify verifies the signature in r, s of hash using the public key, pub. Its
return value records whether the signature is valid. Most applications should
use VerifyASN1 instead of dealing directly with r, s.
The inputs are not considered confidential, and may leak through timing side
channels, or if an attacker has control of part of the inputs.
func Verify(pub *PublicKey, hash []byte, r *big.Int, s *big.Int) bool
VerifyASN1
function
#
VerifyASN1 verifies the ASN.1 encoded signature, sig, of hash using the
public key, pub. Its return value records whether the signature is valid.
The inputs are not considered confidential, and may leak through timing side
channels, or if an attacker has control of part of the inputs.
func VerifyASN1(pub *PublicKey, hash []byte, sig []byte) bool
addASN1IntBytes
function
#
addASN1IntBytes encodes in ASN.1 a positive integer represented as
a big-endian byte slice with zero or more leading zeroes.
func addASN1IntBytes(b *cryptobyte.Builder, bytes []byte)
bigIntEqual
function
#
bigIntEqual reports whether a and b are equal leaking only their bit length
through timing side-channels.
func bigIntEqual(a *big.Int, b *big.Int) bool
boringPrivateKey
function
#
func boringPrivateKey(*PrivateKey) (*boring.PrivateKeyECDSA, error)
boringPrivateKey
function
#
func boringPrivateKey(priv *PrivateKey) (*boring.PrivateKeyECDSA, error)
boringPublicKey
function
#
func boringPublicKey(*PublicKey) (*boring.PublicKeyECDSA, error)
boringPublicKey
function
#
func boringPublicKey(pub *PublicKey) (*boring.PublicKeyECDSA, error)
copyPrivateKey
function
#
func copyPrivateKey(k *PrivateKey) PrivateKey
copyPublicKey
function
#
func copyPublicKey(k *PublicKey) PublicKey
curveToECDH
function
#
func curveToECDH(c elliptic.Curve) ecdh.Curve
encodeSignature
function
#
func encodeSignature(r []byte, s []byte) ([]byte, error)
generateFIPS
function
#
func generateFIPS(curve elliptic.Curve, c **ast.IndexExpr, rand io.Reader) (*PrivateKey, error)
generateLegacy
function
#
func generateLegacy(c elliptic.Curve, rand io.Reader) (*PrivateKey, error)
hashToInt
function
#
hashToInt converts a hash value to an integer. Per FIPS 186-4, Section 6.4,
we use the left-most bits of the hash to match the bit-length of the order of
the curve. This also performs Step 5 of SEC 1, Version 2.0, Section 4.1.3.
func hashToInt(hash []byte, c elliptic.Curve) *big.Int
init
function
#
func init()
parseSignature
function
#
func parseSignature(sig []byte) (r []byte, s []byte, err error)
pointFromAffine
function
#
pointFromAffine is used to convert the PublicKey to a nistec SetBytes input.
func pointFromAffine(curve elliptic.Curve, x *big.Int, y *big.Int) ([]byte, error)
pointToAffine
function
#
pointToAffine is used to convert a nistec Bytes encoding to a PublicKey.
func pointToAffine(curve elliptic.Curve, p []byte) (x *big.Int, y *big.Int, err error)
privateKeyEqual
function
#
func privateKeyEqual(k1 *PrivateKey, k2 *PrivateKey) bool
privateKeyFromFIPS
function
#
func privateKeyFromFIPS(curve elliptic.Curve, priv *ecdsa.PrivateKey) (*PrivateKey, error)
privateKeyToFIPS
function
#
func privateKeyToFIPS(c **ast.IndexExpr, priv *PrivateKey) (*ecdsa.PrivateKey, error)
publicKeyEqual
function
#
func publicKeyEqual(k1 *PublicKey, k2 *PublicKey) bool
publicKeyFromFIPS
function
#
func publicKeyFromFIPS(curve elliptic.Curve, pub *ecdsa.PublicKey) (*PublicKey, error)
publicKeyToFIPS
function
#
func publicKeyToFIPS(c **ast.IndexExpr, pub *PublicKey) (*ecdsa.PublicKey, error)
randFieldElement
function
#
randFieldElement returns a random element of the order of the given
curve using the procedure given in FIPS 186-4, Appendix B.5.2.
func randFieldElement(c elliptic.Curve, rand io.Reader) (k *big.Int, err error)
signFIPS
function
#
func signFIPS(c **ast.IndexExpr, priv *PrivateKey, rand io.Reader, hash []byte) ([]byte, error)
signFIPSDeterministic
function
#
func signFIPSDeterministic(c **ast.IndexExpr, hashFunc crypto.Hash, priv *PrivateKey, hash []byte) ([]byte, error)
signLegacy
function
#
func signLegacy(priv *PrivateKey, csprng io.Reader, hash []byte) (sig []byte, err error)
signRFC6979
function
#
func signRFC6979(priv *PrivateKey, hash []byte, opts crypto.SignerOpts) ([]byte, error)
verifyFIPS
function
#
func verifyFIPS(c **ast.IndexExpr, pub *PublicKey, hash []byte, sig []byte) bool
verifyLegacy
function
#
func verifyLegacy(pub *PublicKey, hash []byte, sig []byte) bool