Skip to content

Add support for encoding/decoding compressed EC keys #57

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Add support for encoding/decoding compressed EC keys #57

wants to merge 6 commits into from

Conversation

huskcasaca
Copy link
Contributor

@huskcasaca huskcasaca commented Dec 13, 2024
edited
Loading

This PR add support for Compressed and Uncompressed(default) format under RAW EC Public Key.

  • JDK(BC)
  • WebCrypto
  • Apple (Not Supported)
  • OpenSSL3

huskcasaca
huskcasaca commented Dec 13, 2024
View reviewed changes
cryptography-providers/jdk/src/jvmMain/kotlin/algorithms/JdkEc.kt
Comment on lines +211 to +243
internal fun ECParameterSpec.decodePoint(bytes: ByteArray): ECPoint {
val fieldSize = curveOrderSize()
return when (bytes[0].toInt()) {
0x02, // compressed evenY
0x03, // compressed oddY
-> {
check(bytes.size == fieldSize + 1) { "Wrong compressed key size ${bytes.size}" }
val p = (curve.field as ECFieldFp).p
val a = curve.a
val b = curve.b
val x = BigInteger(1, bytes.copyOfRange(1, bytes.size))
var y = x.multiply(x).add(a).multiply(x).add(b).mod(p).modSqrt(p)
if (y.testBit(0) != (bytes[0].toInt() == 0x03)) {
y = p.subtract(y)
}
ECPoint(x, y)
}
0x04, // uncompressed
-> {
check(bytes.size == fieldSize * 2 + 1) { "Wrong uncompressed key size ${bytes.size}" }
val x = bytes.copyOfRange(1, fieldSize + 1)
val y = bytes.copyOfRange(fieldSize + 1, fieldSize + 1 + fieldSize)
ECPoint(BigInteger(1, x), BigInteger(1, y))
}
else -> error("Unsupported key type ${bytes[0].toInt()}")
}
}

internal fun BigInteger.modSqrt(p: BigInteger): BigInteger {
check(p.testBit(0) && p.testBit(1)) { "Unsupported curve modulus" } // p ≡ 3 (mod 4)
return modPow(p.add(BigInteger.ONE).shiftRight(2), p) // Tonelli-Shanks
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BC is added as a provider without some API access so it requires manually calculating y.

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The implementation looks legit, thanks!
The only thing I would like to add is some link to the reference based on what the implementation is written.
For example link to a https://www.secg.org/sec1-v2.pdf or anything else?

@huskcasaca huskcasaca marked this pull request as ready for review December 18, 2024 03:51
@whyoleg whyoleg self-requested a review January 19, 2025 22:32
whyoleg
whyoleg requested changes Feb 19, 2025
View reviewed changes
Copy link
Owner

@whyoleg whyoleg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR!
Looks nice!
Here is the first round of review. I still need to check JDK implementation, as it contains more hand-written logic :)

cryptography-providers-tests-api/src/commonMain/kotlin/support.kt
else -> null
format.name == "JWK" && !provider.isWebCrypto
-> "JWK key format"
format == EC.PublicKey.Format.RAW.Compressed && provider.isApple
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could you please mention this in limitations of apple provider?

cryptography-providers/openssl3/api/src/commonMain/kotlin/algorithms/Openssl3Ec.kt
Comment on lines +104 to +106
val ecKey = checkError(EVP_PKEY_get1_EC_KEY(key))
val ecGroup = checkError(EC_KEY_get0_group(ecKey))
val ecPoint = checkError(EC_KEY_get0_public_key(ecKey))
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Those functions are deprecated in openssl:

Could you please replace them?

Looks like we need to find a way to provide OPENSSL_API_COMPAT to cinterop to hide those declarations to avoid usage them in future

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI: I was able to enforce OPENSSL_NO_DEPRECATED in cinterop in eeea305 and now those declarations are not available.
This commit will be soon merged into main, so if you willing to proceed with changing those you can temporary cherry-pick it from whyoleg/dev branch

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for the late reply. I will check when free.

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No problem, take your time.
FYI: openssl changes mentioned are already in main, so you can just rebase.
FYI2: At the current moment, I plan to do a release in mid-June, so it would be really nice to include those changes in it, along with your other contribution of RIPEMD!

@whyoleg whyoleg linked an issue May 13, 2025 that may be closed by this pull request
Add support for encoding/decoding compressed EC keys #56
Open
whyoleg
whyoleg requested changes May 20, 2025
View reviewed changes
Copy link
Owner

@whyoleg whyoleg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR one more and sorry for long review.
Finally I was able to validate the JDK implementation and left some small remarks.
Let's resolve them, migrate OpenSSL implementation to use non-deprecated APIs and we are good to go!

cryptography-providers/jdk/src/jvmMain/kotlin/algorithms/JdkEc.kt
Comment on lines +137 to +138
EC.PublicKey.Format.RAW -> encodeToRaw(false)
EC.PublicKey.Format.RAW.Compressed -> encodeToRaw(true)
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be nice to use named parameters here:

Suggested change
EC.PublicKey.Format.RAW -> encodeToRaw(false)
EC.PublicKey.Format.RAW.Compressed -> encodeToRaw(true)
EC.PublicKey.Format.RAW -> encodeToRaw(compressed = false)
EC.PublicKey.Format.RAW.Compressed -> encodeToRaw(compressed = true)

cryptography-providers/jdk/src/jvmMain/kotlin/algorithms/JdkEc.kt

if (compressed) {
val output = ByteArray(fieldSize + 1)
output[0] = if (!BigInteger(1, y).testBit(0)) 0x02 else 0x03
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor: maybe it’s possible to use key.w.affineY here? no need to re-create BigInteger from bytes, as we already have original value? :)

cryptography-providers/jdk/src/jvmMain/kotlin/algorithms/JdkEc.kt
val x = bytes.copyOfRange(1, fieldSize + 1)
val y = bytes.copyOfRange(fieldSize + 1, fieldSize + 1 + fieldSize)
val point = ECPoint(BigInteger(1, x), BigInteger(1, y))
// use RawEncodedKeySpec
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this comment is a bit missleading, as there is no such class. Do you mind just dropping it?

cryptography-providers/jdk/src/jvmMain/kotlin/algorithms/JdkEc.kt
Comment on lines +211 to +243
internal fun ECParameterSpec.decodePoint(bytes: ByteArray): ECPoint {
val fieldSize = curveOrderSize()
return when (bytes[0].toInt()) {
0x02, // compressed evenY
0x03, // compressed oddY
-> {
check(bytes.size == fieldSize + 1) { "Wrong compressed key size ${bytes.size}" }
val p = (curve.field as ECFieldFp).p
val a = curve.a
val b = curve.b
val x = BigInteger(1, bytes.copyOfRange(1, bytes.size))
var y = x.multiply(x).add(a).multiply(x).add(b).mod(p).modSqrt(p)
if (y.testBit(0) != (bytes[0].toInt() == 0x03)) {
y = p.subtract(y)
}
ECPoint(x, y)
}
0x04, // uncompressed
-> {
check(bytes.size == fieldSize * 2 + 1) { "Wrong uncompressed key size ${bytes.size}" }
val x = bytes.copyOfRange(1, fieldSize + 1)
val y = bytes.copyOfRange(fieldSize + 1, fieldSize + 1 + fieldSize)
ECPoint(BigInteger(1, x), BigInteger(1, y))
}
else -> error("Unsupported key type ${bytes[0].toInt()}")
}
}

internal fun BigInteger.modSqrt(p: BigInteger): BigInteger {
check(p.testBit(0) && p.testBit(1)) { "Unsupported curve modulus" } // p ≡ 3 (mod 4)
return modPow(p.add(BigInteger.ONE).shiftRight(2), p) // Tonelli-Shanks
}

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The implementation looks legit, thanks!
The only thing I would like to add is some link to the reference based on what the implementation is written.
For example link to a https://www.secg.org/sec1-v2.pdf or anything else?

@whyoleg whyoleg added the enhancement New feature or request label May 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@whyoleg whyoleg whyoleg requested changes

Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add support for encoding/decoding compressed EC keys
2 participants
@huskcasaca @whyoleg