more convenient API

a-sit-plus · Jan 13, 2025 · 0c7df4d · 0c7df4d
1 parent 04a0f6f
commit 0c7df4d
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,8 @@
     * CBC
     * CBC-HMAC
     * GCM
+* Key Agreement Support
+  * ECDH
 
 
 ### 3.11.0 (Supreme 0.6.0)

diff --git a/docs/docs/features.md b/docs/docs/features.md
@@ -21,7 +21,7 @@ More details about the supported algorithms is provided in the next section.
 | Attestation                 |           ❋           |    ✔    |       ✔*        |
 | Biometric Auth              |           ✗           |    ✔    |        ✔        |
 | Hardware-Backed Key Storage | through dedicated HSM |    ✔    | P-256 keys only |
-| Key Agreement               |           ✗           |    ✗    |        ✗        |
+| Key Agreement               |           ✔           |    ✔    |        ✔        |
 | Asymmetric Encryption       |           ✗           |    ✗    |        ✗        |
 | Symmetric Encryption        |           ✔           |    ✔    |        ✔        |
 | MAC                         |           ✔           |    ✔    |        ✔        |
@@ -38,7 +38,7 @@ For example, if a hardware security module is plugged into the JVM crypto provid
 supports attestation, the JVM-specific attestation format can carry this information. WIP!
 If you have suggestions, experience or a concrete use-case where you need this, check the footer and let us know!
 
-### ✔* iOS Attestation
+### * iOS Attestation
 iOS supports App attestation, but no direct key attestation. The Supreme crypto provider emulates key attestation
 through app attestation, by _asserting_ the creation of a fresh public/private key pair inside the secure enclave
 through application-layer logic encapsulated by the Supreme crypto provider.  
@@ -58,6 +58,7 @@ a separate platform listing is omitted.
 | Elliptic Curves      | NIST Curves (P-256, P-384, P-521)                                                    |
 | Digests              | SHA-1 and SHA-2 family (SHA-256, SHA-384, SHA-512)                                   |
 | MAC                  | HMAC based on the SHA-1 and SHA-2 family (SHA-256, SHA-384, SHA-512)                 |
+| Key Agreement        | ECDH on all platforms. Needs key agreement bit set on Android                        |
 | Symmetric Encryption | AES-CBC, AES-CBC-HMAC, AES-GCM                                                       |
 
 On the JVM and on Android, supporting more algorithms is rather easy, since Bouncy Castle works on both platforms

diff --git a/supreme/src/commonMain/kotlin/at/asitplus/signum/supreme/agreement/KeyAgreement.kt b/supreme/src/commonMain/kotlin/at/asitplus/signum/supreme/agreement/KeyAgreement.kt
@@ -2,13 +2,45 @@ package at.asitplus.signum.supreme.agreement
 
 import at.asitplus.KmmResult
 import at.asitplus.catching
+import at.asitplus.signum.indispensable.CryptoPrivateKey
 import at.asitplus.signum.indispensable.CryptoPublicKey
+import at.asitplus.signum.indispensable.SignatureAlgorithm
+import at.asitplus.signum.indispensable.nativeDigest
 import at.asitplus.signum.supreme.sign.Signer
 import at.asitplus.signum.supreme.sign.curve
+import at.asitplus.signum.supreme.sign.signerFor
 
+/**
+ * Elliptic-curve Diffie-Hellman key agreement.
+ * Curves of public key and signer need to match!
+ */
 fun Signer.ECDSA.keyAgreement(publicKey: CryptoPublicKey.EC): KmmResult<ByteArray> = catching {
-    require(curve == publicKey.curve) {"Private and public key curve mismatch"}
+    require(curve == publicKey.curve) { "Private and public key curve mismatch" }
     performAgreement(publicKey)
 }
+
+/**
+ * Elliptic-curve Diffie-Hellman key agreement.
+ * Curves of public key and signer need to match!
+ */
+fun CryptoPrivateKey.WithPublicKey<CryptoPublicKey.EC>.keyAgreement(publicKey: CryptoPublicKey.EC) = catching {
+    (SignatureAlgorithm.ECDSA(this.publicKey.curve.nativeDigest, this.publicKey.curve).signerFor(this)
+        .getOrThrow() as Signer.ECDSA).keyAgreement(
+        publicKey
+    )
+}
+
+/**
+ * Elliptic-curve Diffie-Hellman key agreement.
+ * Curves of public key and signer need to match!
+ */
+fun CryptoPublicKey.EC.keyAgreement(privateKey: CryptoPrivateKey.WithPublicKey<CryptoPublicKey.EC>) = privateKey.keyAgreement(this)
+
+/**
+ * Elliptic-curve Diffie-Hellman key agreement.
+ * Curves of public key and signer need to match!
+ */
+fun CryptoPublicKey.EC.keyAgreement(signer: Signer.ECDSA) = signer.keyAgreement(this)
+
 //TODO CFG lambda for auth dialog, etc
 internal expect fun Signer.ECDSA.performAgreement(publicKey: CryptoPublicKey.EC): ByteArray
-Original file line number
+Diff line change
@@ Expand Up / @@ -8,6 +8,8 @@ @@
         * CBC
         * CBC-HMAC
         * GCM
+    * Key Agreement Support
+      * ECDH
     ### 3.11.0 (Supreme 0.6.0)
@@ Expand Down @@