Ecdh kdf test vectors (#10)

Sajjon · Mar 16, 2023 · d32c3e2 · d32c3e2
1 parent bb66fe0
commit d32c3e2
Show file tree

Hide file tree

Showing 5 changed files with 5,841 additions and 8,071 deletions.
diff --git a/Sources/K1/K1/Keys/PrivateKey/PrivateKey/PrivateKey+Bridge+To+C.swift b/Sources/K1/K1/Keys/PrivateKey/PrivateKey/PrivateKey+Bridge+To+C.swift
@@ -165,7 +165,7 @@ extension Bridge {
 
         /// Following the [ANSI X9.63][ansix963] standard
         ///
-        /// [ansix963]: https://webstore.ansi.org/standards/ascx9/ansix9632011r2017
+        /// [ansix963]:  https://webstore.ansi.org/standards/ascx9/ansix9632011r2017
         case ansiX963
 
         /// Following no standard at all, does not hash the shared public point, and returns it in full.
@@ -569,6 +569,7 @@ extension K1.PrivateKey {
     /// - JS: `elliptic` (v6.4.0 in nodeJS v8.2.1)
     /// - JS: `crypto` (builtin) - uses openssl under the hood (in nodeJS v8.2.1)
     /// - .NET: `BouncyCastle` (BC v1.8.1.3, .NET v2.1.4)
+    /// - Python: pyca/cryptography (hazmat)
     ///
     /// [ansix963]: https://webstore.ansi.org/standards/ascx9/ansix9632011r2017
     /// [cryptostackexchange]: https://crypto.stackexchange.com/a/57727

diff --git a/Tests/K1Tests/TestCases/ECDH/ECDH_X963_Tests.swift b/Tests/K1Tests/TestCases/ECDH/ECDH_X963_Tests.swift
diff --git a/Tests/K1Tests/TestCases/ECDH/TwoVariantsOfECDHWithKDFTests.swift b/Tests/K1Tests/TestCases/ECDH/TwoVariantsOfECDHWithKDFTests.swift
@@ -0,0 +1,229 @@
+import Foundation
+@testable import K1
+import CryptoKit
+import XCTest
+
+private struct ECDHX963Suite: Decodable {
+    let origin: String
+    let author: String
+    let description: String
+    let numberOfTests: Int
+    let algorithm: String
+    let generatedOn: String // data
+    let vectors: [Vector]
+}
+
+private struct Vector: Decodable {
+    let alicePrivateKey: String
+    let bobPrivateKey: String
+    let alicePublicKeyUncompressed: String
+    let bobPublicKeyUncompressed: String
+    let outcomes: [Outcome]
+
+    struct Outcome: Decodable {
+        enum ECDHVariant: String, Decodable {
+            case asn1X963 = "ASN1X963"
+            case libsecp256k1 = "Bitcoin"
+        }
+        let ecdhVariant: ECDHVariant
+        let ecdhSharedKey: String
+        let derivedKeys: [DerivedKeys]
+        struct DerivedKeys: Decodable {
+
+            /// Used by both `x963` and `HKDF`
+            let info: String
+
+            /// `x963` KDF  output
+            let x963: String
+
+            /// Salt for `HDKF`
+            let salt: String
+
+            let hkdf: String
+        }
+    }
+}
+
+
+
+final class TwoVariantsOfECDHWithKDFTests: XCTestCase {
+
+    func testTwoVariantsOfECDHWithKDF_vectors() throws {
+        let fileURL = Bundle.module.url(forResource: "ecdh_secp256k1_two_variants_with_kdf_test", withExtension: ".json")
+        let data = try Data(contentsOf: fileURL!)
+        let suite = try JSONDecoder().decode(ECDHX963Suite.self, from: data)
+        try suite.vectors.forEach(doTest)
+    }
+}
+
+extension TwoVariantsOfECDHWithKDFTests {
+
+
+    fileprivate func doTest(_ vector: Vector) throws {
+        let outputByteCount = 32
+        let hash = SHA256.self
+
+        let alice = try PrivateKey(hex: vector.alicePrivateKey)
+        let bob = try PrivateKey(hex: vector.bobPrivateKey)
+        try XCTAssertEqual(alice.publicKey.rawRepresentation(format: .uncompressed).hex, vector.alicePublicKeyUncompressed)
+        try XCTAssertEqual(bob.publicKey.rawRepresentation(format: .uncompressed).hex, vector.bobPublicKeyUncompressed)
+
+        for outcome in vector.outcomes {
+            switch outcome.ecdhVariant {
+            case .asn1X963:
+                let sharedSecretAB = try alice.sharedSecretFromKeyAgreement(with: bob.publicKey)
+                let sharedSecretBA = try bob.sharedSecretFromKeyAgreement(with: alice.publicKey)
+
+                XCTAssertEqual(sharedSecretAB, sharedSecretBA)
+                sharedSecretAB.withUnsafeBytes {
+                    XCTAssertEqual(Data($0).hex, outcome.ecdhSharedKey, "Wrong ECDH secret, mismatched expected from vector.")
+                }
+
+                for derivedKeys in outcome.derivedKeys {
+                    let info = try XCTUnwrap(derivedKeys.info.data(using: .utf8))
+                    let salt = try Data(hex: derivedKeys.salt)
+                    let x963 = sharedSecretBA.x963DerivedSymmetricKey(using: hash, sharedInfo: info, outputByteCount: outputByteCount)
+                    x963.withUnsafeBytes {
+                        XCTAssertEqual(Data($0).hex, derivedKeys.x963, "Wrong X963 KDF result, mismatched expected from vector.")
+                    }
+                    let hkdf = sharedSecretBA.hkdfDerivedSymmetricKey(using: hash, salt: salt, sharedInfo: info, outputByteCount: outputByteCount)
+                    hkdf.withUnsafeBytes {
+                        XCTAssertEqual(Data($0).hex, derivedKeys.hkdf, "Wrong HKDF result, mismatched expected from vector.")
+                    }
+                }
+
+            case .libsecp256k1:
+                let sharedSecretAB = try alice.ecdh(with: bob.publicKey)
+                let sharedSecretBA = try bob.ecdh(with: alice.publicKey)
+
+                XCTAssertEqual(sharedSecretAB, sharedSecretBA)
+                sharedSecretAB.withUnsafeBytes {
+                    XCTAssertEqual(Data($0).hex, outcome.ecdhSharedKey, "Wrong ECDH secret, mismatched expected from vector.")
+                }
+
+                for derivedKeys in outcome.derivedKeys {
+                    let info = try XCTUnwrap(derivedKeys.info.data(using: .utf8))
+                    let salt = try Data(hex: derivedKeys.salt)
+                    let x963 = x963DerivedSymmetricKey(secret: sharedSecretAB, using: hash, sharedInfo: info, outputByteCount: outputByteCount)
+                    x963.withUnsafeBytes {
+                        XCTAssertEqual(Data($0).hex, derivedKeys.x963, "Wrong X963 KDF result, mismatched expected from vector.")
+                    }
+                    let hkdf = hkdfDerivedSymmetricKey(secret: sharedSecretAB, using: hash, salt: salt, sharedInfo: info, outputByteCount: outputByteCount)
+                    hkdf.withUnsafeBytes {
+                        XCTAssertEqual(Data($0).hex, derivedKeys.hkdf, "Wrong HKDF result, mismatched expected from vector.")
+                    }
+                }
+            }
+
+        }
+
+    }
+
+
+
+}
+
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the SwiftCrypto open source project
+//
+// Copyright (c) 2019-2020 Apple Inc. and the SwiftCrypto project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.md for the list of SwiftCrypto project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+// Copy pasted over from https://github.com/apple/swift-crypto/blob/main/Sources/Crypto/Key%20Agreement/DH.swift#L48
+
+/// Derives a symmetric encryption key using X9.63 key derivation.
+///
+/// - Parameters:
+///   - hashFunction: The Hash Function to use for key derivation.
+///   - sharedInfo: The Shared Info to use for key derivation.
+///   - outputByteCount: The length in bytes of resulting symmetric key.
+/// - Returns: The derived symmetric key
+public func x963DerivedSymmetricKey<H: HashFunction, SI: DataProtocol>(
+    secret: Data,
+    using hashFunction: H.Type, sharedInfo: SI, outputByteCount: Int
+) -> SymmetricKey {
+    // SEC1 defines 3 inputs to the KDF:
+    //
+    // 1. An octet string Z which is the shared secret value. That's `self` here.
+    // 2. An integer `keydatalen` which is the length in octets of the keying data to be generated. Here that's `outputByteCount`.
+    // 3. An optional octet string `SharedInfo` which consists of other shared data. Here, that's `sharedInfo`.
+    //
+    // We then need to perform the following steps:
+    //
+    // 1. Check that keydatalen < hashlen × (2³² − 1). If keydatalen ≥ hashlen × (2³² − 1), fail.
+    // 2. Initiate a 4 octet, big-endian octet string Counter as 0x00000001.
+    // 3. For i = 1 to ⌈keydatalen/hashlen⌉, do the following:
+    //     1. Compute: Ki = Hash(Z || Counter || [SharedInfo]).
+    //     2. Increment Counter.
+    //     3. Increment i.
+    // 4. Set K to be the leftmost keydatalen octets of: K1 || K2 || . . . || K⌈keydatalen/hashlen⌉.
+    // 5. Output K.
+    //
+    // The loop in step 3 is not very Swifty, so instead we generate the counter directly.
+    // Step 1: Check that keydatalen < hashlen × (2³² − 1).
+    // We do this math in UInt64-space, because we'll overflow 32-bit integers.
+    guard UInt64(outputByteCount) < (UInt64(H.Digest.byteCount) * UInt64(UInt32.max)) else {
+        fatalError("Invalid parameter size")
+    }
+
+    var key = SecureBytes()
+    key.reserveCapacity(outputByteCount)
+
+    var remainingBytes = outputByteCount
+    var counter = UInt32(1)
+
+    while remainingBytes > 0 {
+        // 1. Compute: Ki = Hash(Z || Counter || [SharedInfo]).
+        var hasher = H()
+        hasher.update(data: secret)
+        hasher.update(counter.bigEndian)
+        hasher.update(data: sharedInfo)
+        let digest = hasher.finalize()
+
+        // 2. Increment Counter.
+        counter += 1
+
+        // Append the bytes of the digest. We don't want to append more than the remaining number of bytes.
+        let bytesToAppend = min(remainingBytes, H.Digest.byteCount)
+        digest.withUnsafeBytes { digestPtr in
+            key.append(digestPtr.prefix(bytesToAppend))
+        }
+        remainingBytes -= bytesToAppend
+    }
+
+    precondition(key.count == outputByteCount)
+    return SymmetricKey(data: key)
+}
+
+extension HashFunction {
+    mutating func update(_ counter: UInt32) {
+        withUnsafeBytes(of: counter) {
+            self.update(bufferPointer: $0)
+        }
+    }
+}
+
+
+/// From: https://github.com/apple/swift-crypto/blob/main/Sources/Crypto/Key%20Agreement/DH.swift#L110
+/// Derives a symmetric encryption key using HKDF key derivation.
+///
+/// - Parameters:
+///   - hashFunction: The Hash Function to use for key derivation.
+///   - salt: The salt to use for key derivation.
+///   - sharedInfo: The Shared Info to use for key derivation.
+///   - outputByteCount: The length in bytes of resulting symmetric key.
+/// - Returns: The derived symmetric key
+public func hkdfDerivedSymmetricKey<H: HashFunction, Salt: DataProtocol, SI: DataProtocol>(
+    secret: Data,
+    using hashFunction: H.Type, salt: Salt, sharedInfo: SI, outputByteCount: Int
+) -> SymmetricKey {
+    HKDF<H>.deriveKey(inputKeyMaterial: SymmetricKey(data: secret), salt: salt, info: sharedInfo, outputByteCount: outputByteCount)
+}