Documentation
¶
Overview ¶
Package brainpool implements the Brainpool elliptic curves (RFC 5639) used by the gematik telematics infrastructure, together with X.509 certificate/key parsing for these curves and the signing entry points used by the josebp JOSE layer.
Constant-time posture is per curve:
- brainpoolP256r1 secret-scalar operations (ECDSA signing via SignFuncPrivateKey, ECDH via ECDHP256r1) are routed through a constant-time, formally-verified core (see internal/bp256) using RFC 6979 deterministic nonces and low-s normalisation. Signature verification uses the standard library, which is appropriate because it processes only public data.
- brainpoolP384r1, brainpoolP512r1 and the twisted (t1) curves use the standard library's generic, non-constant-time crypto/elliptic implementation (the rcurve isomorphism is adapted from github.com/ebfe/brainpool). They are used for certificate handling, not as software-signing curves.
See README.md for the full security posture and references.
Index ¶
- Variables
- func CurveFromOID(oid asn1.ObjectIdentifier) (bool, elliptic.Curve)
- func ECDHP256r1(priv *ecdsa.PrivateKey, pubX, pubY *big.Int) ([]byte, error)
- func IsBrainpoolCertificate(cert *x509.Certificate) bool
- func IsBrainpoolCurve(curve elliptic.Curve) bool
- func IsBrainpoolPublicKey(pub any) bool
- func MarshalPKIXPublicKey(pub any) ([]byte, error)
- func P256r1() elliptic.Curve
- func P256t1() elliptic.Curve
- func P384r1() elliptic.Curve
- func P384t1() elliptic.Curve
- func P512r1() elliptic.Curve
- func P512t1() elliptic.Curve
- func ParseCertificate(der []byte) (*x509.Certificate, error)
- func ParseCertificatePEM(pemBytes []byte) (*x509.Certificate, error)
- func ParseECPrivateKey(der []byte) (*ecdsa.PrivateKey, error)
- func ParsePKCS8PrivateKey(der []byte) (any, error)
- func ParsePrivateKeyPEM(pemBytes []byte) (*ecdsa.PrivateKey, error)
- func SignP256r1(priv *ecdsa.PrivateKey, prehash []byte) ([]byte, error)
- func SignP256r1Random(rng io.Reader, priv *ecdsa.PrivateKey, prehash []byte) ([]byte, error)
- type SignFunc
Constants ¶
This section is empty.
Variables ¶
var OIDNamedCurveP256r1 = asn1.ObjectIdentifier{1, 3, 36, 3, 3, 2, 8, 1, 1, 7}
var OIDNamedCurveP384r1 = asn1.ObjectIdentifier{1, 3, 36, 3, 3, 2, 8, 1, 1, 11}
var OIDNamedCurveP512r1 = asn1.ObjectIdentifier{1, 3, 36, 3, 3, 2, 8, 1, 1, 13}
Functions ¶
func CurveFromOID ¶
func CurveFromOID(oid asn1.ObjectIdentifier) (bool, elliptic.Curve)
func ECDHP256r1 ¶ added in v1.0.0
ECDHP256r1 computes the brainpoolP256r1 ECDH shared secret (the x-coordinate of priv·peer, BSI TR-03111 §3.5.1) using the constant-time core. The peer point (pubX, pubY) is validated (on-curve, in range) before use.
func IsBrainpoolCertificate ¶
func IsBrainpoolCertificate(cert *x509.Certificate) bool
IsBrainpoolCertificate checks if the given certificate uses elliptic curve cryptography with a brainpool curve.
func IsBrainpoolCurve ¶
IsBrainpoolCurve checks if the given elliptic curve is one of the brainpool curves.
func IsBrainpoolPublicKey ¶
IsBrainpoolPublicKey checks if the given public key uses elliptic curve cryptography with a brainpool curve.
func MarshalPKIXPublicKey ¶
func P256r1 ¶
P256r1 returns a Curve which implements Brainpool P256r1 (see RFC 5639, section 3.4)
func P256t1 ¶
P256t1 returns a Curve which implements Brainpool P256t1 (see RFC 5639, section 3.4)
func P384r1 ¶
P384r1 returns a Curve which implements Brainpool P384r1 (see RFC 5639, section 3.6)
func P384t1 ¶
P384t1 returns a Curve which implements Brainpool P384t1 (see RFC 5639, section 3.6)
func P512r1 ¶
P512r1 returns a Curve which implements Brainpool P512r1 (see RFC 5639, section 3.7)
func P512t1 ¶
P512t1 returns a Curve which implements Brainpool P512t1 (see RFC 5639, section 3.7)
func ParseCertificate ¶
func ParseCertificate(der []byte) (*x509.Certificate, error)
func ParseCertificatePEM ¶
func ParseCertificatePEM(pemBytes []byte) (*x509.Certificate, error)
func ParseECPrivateKey ¶
func ParseECPrivateKey(der []byte) (*ecdsa.PrivateKey, error)
func ParsePKCS8PrivateKey ¶
func ParsePrivateKeyPEM ¶
func ParsePrivateKeyPEM(pemBytes []byte) (*ecdsa.PrivateKey, error)
func SignP256r1 ¶ added in v1.0.0
func SignP256r1(priv *ecdsa.PrivateKey, prehash []byte) ([]byte, error)
SignP256r1 signs prehash with priv using the constant-time core: an RFC 6979 deterministic nonce and low-s normalisation. It returns the fixed-width r‖s encoding (RFC 7518 §3.4). priv must be a brainpoolP256r1 key.
func SignP256r1Random ¶ added in v1.0.0
SignP256r1Random is the opt-out variant of SignP256r1 that draws a random per-message nonce from rng instead of RFC 6979. It still uses the constant-time core and low-s normalisation. Prefer SignP256r1 unless a random nonce is specifically required.
Types ¶
type SignFunc ¶
SignFunc signs a digest and returns the raw fixed-width r‖s ECDSA signature (RFC 7518 §3.4). It abstracts over software keys and hardware tokens (smartcards via the gematik connector), where the private key is not extractable. The JOSE layer lives in brainpool/josebp.
func SignFuncPrivateKey ¶
func SignFuncPrivateKey(sigPrK *ecdsa.PrivateKey) SignFunc
SignFuncPrivateKey returns a SignFunc backed by a software ECDSA private key.
For brainpoolP256r1 keys it uses the constant-time core with an RFC 6979 deterministic nonce and low-s normalisation (resisting the timing and weak-RNG key-recovery attacks the deprecated generic crypto/elliptic path is subject to). For the other curves it uses the standard library. Hardware-token signers are opaque SignFunc closures supplied by the caller and are unaffected.
func SignFuncPrivateKeyRandom ¶ added in v1.0.0
func SignFuncPrivateKeyRandom(sigPrK *ecdsa.PrivateKey) SignFunc
SignFuncPrivateKeyRandom is the opt-out variant of SignFuncPrivateKey that, for brainpoolP256r1, draws a random per-message nonce instead of the RFC 6979 deterministic one (still constant-time, still low-s). Other curves behave as with SignFuncPrivateKey.
Directories
¶
| Path | Synopsis |
|---|---|
|
internal
|
|
|
bp256
Package bp256 implements constant-time arithmetic for the brainpoolP256r1 elliptic curve (RFC 5639 §3.4), used by the parent brainpool package for the secret-scalar operations that must resist timing side channels: ECDSA signing and ECDH.
|
Package bp256 implements constant-time arithmetic for the brainpoolP256r1 elliptic curve (RFC 5639 §3.4), used by the parent brainpool package for the secret-scalar operations that must resist timing side channels: ECDSA signing and ECDH. |
|
bp256/fiat
Package fiat provides constant-time arithmetic in the brainpoolP256r1 base field (integers modulo the field prime p, RFC 5639 §3.4).
|
Package fiat provides constant-time arithmetic in the brainpoolP256r1 base field (integers modulo the field prime p, RFC 5639 §3.4). |
|
bp256/fiatn
Package fiatn provides constant-time arithmetic in the brainpoolP256r1 scalar field, i.e.
|
Package fiatn provides constant-time arithmetic in the brainpoolP256r1 scalar field, i.e. |
|
Package josebp is a self-contained JOSE (JWS/JWT/JWK/JWE) implementation for the Brainpool elliptic curves used by the gematik telematik infrastructure (IDP-Dienst, SMC-B, ePA).
|
Package josebp is a self-contained JOSE (JWS/JWT/JWK/JWE) implementation for the Brainpool elliptic curves used by the gematik telematik infrastructure (IDP-Dienst, SMC-B, ePA). |