Involved Source Files Package ecdsa implements the Elliptic Curve Digital Signature Algorithm, as
defined in [FIPS 186-5].
Signatures generated by this package are not deterministic, but entropy is
mixed with the private key and the message, achieving the same level of
security in case of randomness source failure.
Operations involving private keys are implemented using constant-time
algorithms, as long as an [elliptic.Curve] returned by [elliptic.P224],
[elliptic.P256], [elliptic.P384], or [elliptic.P521] is used.
[FIPS 186-5]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdfecdsa_legacy.gonotboring.go
Package-Level Type Names (total 2, both are exported)
/* sort exporteds by: | */
PrivateKey represents an ECDSA private key. D is the private scalar value.
Modifying the raw value can produce invalid keys, and may
invalidate internal optimizations; moreover, [big.Int] methods are not
suitable for operating on cryptographic values. To encode and decode
PrivateKey values, use [PrivateKey.Bytes] and [ParseRawPrivateKey] or
[crypto/x509.MarshalPKCS8PrivateKey] and [crypto/x509.ParsePKCS8PrivateKey].
For ECDH, use [crypto/ecdh].
This field will be deprecated in Go 1.26.PublicKeyPublicKeyPublicKey.Curveelliptic.Curve X, Y are the coordinates of the public key point.
Modifying the raw coordinates can produce invalid keys, and may
invalidate internal optimizations; moreover, [big.Int] methods are not
suitable for operating on cryptographic values. To encode and decode
PublicKey values, use [PublicKey.Bytes] and [ParseUncompressedPublicKey]
or [crypto/x509.MarshalPKIXPublicKey] and [crypto/x509.ParsePKIXPublicKey].
For ECDH, use [crypto/ecdh]. For lower-level elliptic curve operations,
use a third-party module like filippo.io/nistec.
These fields will be deprecated in Go 1.26. X, Y are the coordinates of the public key point.
Modifying the raw coordinates can produce invalid keys, and may
invalidate internal optimizations; moreover, [big.Int] methods are not
suitable for operating on cryptographic values. To encode and decode
PublicKey values, use [PublicKey.Bytes] and [ParseUncompressedPublicKey]
or [crypto/x509.MarshalPKIXPublicKey] and [crypto/x509.ParsePKIXPublicKey].
For ECDH, use [crypto/ecdh]. For lower-level elliptic curve operations,
use a third-party module like filippo.io/nistec.
These fields will be deprecated in Go 1.26. Add returns the sum of (x1,y1) and (x2,y2).
Deprecated: this is a low-level unsafe API. Bytes encodes the private key as a fixed-length big-endian integer according
to SEC 1, Version 2.0, Section 2.3.6 (sometimes referred to as the raw
format). It returns an error if the private key is invalid.
PrivateKey.Curve must be one of [elliptic.P224], [elliptic.P256],
[elliptic.P384], or [elliptic.P521], or Bytes returns an error.
Bytes returns the same format as [ecdh.PrivateKey.Bytes] does for NIST curves.
Note that private keys are more commonly encoded in ASN.1 or PKCS#8 format,
which can be generated with [crypto/x509.MarshalECPrivateKey] or
[crypto/x509.MarshalPKCS8PrivateKey] (and [encoding/pem]). Double returns 2*(x,y).
Deprecated: this is a low-level unsafe API. ECDH returns k as a [ecdh.PrivateKey]. It returns an error if the key is
invalid according to the definition of [ecdh.Curve.NewPrivateKey], or if the
Curve is not supported by [crypto/ecdh]. Equal reports whether priv and x have the same value.
See [PublicKey.Equal] for details on how Curve is compared. IsOnCurve reports whether the given (x,y) lies on the curve.
Deprecated: this is a low-level unsafe API. For ECDH, use the crypto/ecdh
package. The NewPublicKey methods of NIST curves in crypto/ecdh accept
the same encoding as the Unmarshal function, and perform on-curve checks. Params returns the parameters for the curve. Public returns the public key corresponding to priv. ScalarBaseMult returns k*G, where G is the base point of the group
and k is an integer in big-endian form.
Deprecated: this is a low-level unsafe API. For ECDH, use the crypto/ecdh
package. Most uses of ScalarBaseMult can be replaced by a call to the
PrivateKey.PublicKey method in crypto/ecdh. ScalarMult returns k*(x,y) where k is an integer in big-endian form.
Deprecated: this is a low-level unsafe API. For ECDH, use the crypto/ecdh
package. Most uses of ScalarMult can be replaced by a call to the ECDH
methods of NIST curves in crypto/ecdh. Sign signs a hash (which should be the result of hashing a larger message
with opts.HashFunc()) using the private key, priv. If the hash is longer than
the bit-length of the private key's curve order, the hash will be truncated
to that length. It returns the ASN.1 encoded signature, like [SignASN1].
If rand is not nil, the signature is randomized. Most applications should use
[crypto/rand.Reader] as rand. Note that the returned signature does not
depend deterministically on the bytes read from rand, and may change between
calls and/or between versions.
If rand is nil, Sign will produce a deterministic signature according to RFC
6979. When producing a deterministic signature, opts.HashFunc() must be the
function used to produce digest and priv.Curve must be one of
[elliptic.P224], [elliptic.P256], [elliptic.P384], or [elliptic.P521].
*PrivateKey : crypto.Signer
PrivateKey : crypto/elliptic.Curve
func GenerateKey(c elliptic.Curve, rand io.Reader) (*PrivateKey, error)
func ParseRawPrivateKey(curve elliptic.Curve, data []byte) (*PrivateKey, error)
func crypto/x509.ParseECPrivateKey(der []byte) (*PrivateKey, error)
func generateFIPS[P](curve elliptic.Curve, c *ecdsa.Curve[P], rand io.Reader) (*PrivateKey, error)
func generateLegacy(c elliptic.Curve, rand io.Reader) (*PrivateKey, error)
func parseRawPrivateKey[P](c *ecdsa.Curve[P], newPoint func() P, curve elliptic.Curve, data []byte) (*PrivateKey, error)
func privateKeyFromFIPS(curve elliptic.Curve, priv *ecdsa.PrivateKey) (*PrivateKey, error)
func crypto/x509.parseECPrivateKey(namedCurveOID *asn1.ObjectIdentifier, der []byte) (key *PrivateKey, err error)
func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err error)
func SignASN1(rand io.Reader, priv *PrivateKey, hash []byte) ([]byte, error)
func crypto/x509.MarshalECPrivateKey(key *PrivateKey) ([]byte, error)
func boringPrivateKey(*PrivateKey) (*boring.PrivateKeyECDSA, error)
func privateKeyBytes[P](c *ecdsa.Curve[P], priv *PrivateKey) ([]byte, error)
func privateKeyToFIPS[P](c *ecdsa.Curve[P], priv *PrivateKey) (*ecdsa.PrivateKey, error)
func signFIPS[P](c *ecdsa.Curve[P], priv *PrivateKey, rand io.Reader, hash []byte) ([]byte, error)
func signFIPSDeterministic[P](c *ecdsa.Curve[P], hashFunc crypto.Hash, priv *PrivateKey, hash []byte) ([]byte, error)
func signLegacy(priv *PrivateKey, csprng io.Reader, hash []byte) (sig []byte, err error)
func signRFC6979(priv *PrivateKey, hash []byte, opts crypto.SignerOpts) ([]byte, error)
func crypto/x509.marshalECPrivateKeyWithOID(key *PrivateKey, oid asn1.ObjectIdentifier) ([]byte, error)
PublicKey represents an ECDSA public key.Curveelliptic.Curve X, Y are the coordinates of the public key point.
Modifying the raw coordinates can produce invalid keys, and may
invalidate internal optimizations; moreover, [big.Int] methods are not
suitable for operating on cryptographic values. To encode and decode
PublicKey values, use [PublicKey.Bytes] and [ParseUncompressedPublicKey]
or [crypto/x509.MarshalPKIXPublicKey] and [crypto/x509.ParsePKIXPublicKey].
For ECDH, use [crypto/ecdh]. For lower-level elliptic curve operations,
use a third-party module like filippo.io/nistec.
These fields will be deprecated in Go 1.26. X, Y are the coordinates of the public key point.
Modifying the raw coordinates can produce invalid keys, and may
invalidate internal optimizations; moreover, [big.Int] methods are not
suitable for operating on cryptographic values. To encode and decode
PublicKey values, use [PublicKey.Bytes] and [ParseUncompressedPublicKey]
or [crypto/x509.MarshalPKIXPublicKey] and [crypto/x509.ParsePKIXPublicKey].
For ECDH, use [crypto/ecdh]. For lower-level elliptic curve operations,
use a third-party module like filippo.io/nistec.
These fields will be deprecated in Go 1.26. Add returns the sum of (x1,y1) and (x2,y2).
Deprecated: this is a low-level unsafe API. Bytes encodes the public key as an uncompressed point according to SEC 1,
Version 2.0, Section 2.3.3 (also known as the X9.62 uncompressed format).
It returns an error if the public key is invalid.
PublicKey.Curve must be one of [elliptic.P224], [elliptic.P256],
[elliptic.P384], or [elliptic.P521], or Bytes returns an error.
Bytes returns the same format as [ecdh.PublicKey.Bytes] does for NIST curves.
Note that public keys are more commonly encoded in DER (or PEM) format, which
can be generated with [crypto/x509.MarshalPKIXPublicKey] (and [encoding/pem]). Double returns 2*(x,y).
Deprecated: this is a low-level unsafe API. ECDH returns k as a [ecdh.PublicKey]. It returns an error if the key is
invalid according to the definition of [ecdh.Curve.NewPublicKey], or if the
Curve is not supported by crypto/ecdh. Equal reports whether pub and x have the same value.
Two keys are only considered to have the same value if they have the same Curve value.
Note that for example [elliptic.P256] and elliptic.P256().Params() are different
values, as the latter is a generic not constant time implementation. IsOnCurve reports whether the given (x,y) lies on the curve.
Deprecated: this is a low-level unsafe API. For ECDH, use the crypto/ecdh
package. The NewPublicKey methods of NIST curves in crypto/ecdh accept
the same encoding as the Unmarshal function, and perform on-curve checks. Params returns the parameters for the curve. ScalarBaseMult returns k*G, where G is the base point of the group
and k is an integer in big-endian form.
Deprecated: this is a low-level unsafe API. For ECDH, use the crypto/ecdh
package. Most uses of ScalarBaseMult can be replaced by a call to the
PrivateKey.PublicKey method in crypto/ecdh. ScalarMult returns k*(x,y) where k is an integer in big-endian form.
Deprecated: this is a low-level unsafe API. For ECDH, use the crypto/ecdh
package. Most uses of ScalarMult can be replaced by a call to the ECDH
methods of NIST curves in crypto/ecdh.
PublicKey : crypto/elliptic.Curve
func ParseUncompressedPublicKey(curve elliptic.Curve, data []byte) (*PublicKey, error)
func parseUncompressedPublicKey[P](c *ecdsa.Curve[P], curve elliptic.Curve, data []byte) (*PublicKey, error)
func publicKeyFromFIPS(curve elliptic.Curve, pub *ecdsa.PublicKey) (*PublicKey, error)
func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool
func VerifyASN1(pub *PublicKey, hash, sig []byte) bool
func boringPublicKey(*PublicKey) (*boring.PublicKeyECDSA, error)
func publicKeyBytes[P](c *ecdsa.Curve[P], pub *PublicKey) ([]byte, error)
func publicKeyToFIPS[P](c *ecdsa.Curve[P], pub *PublicKey) (*ecdsa.PublicKey, error)
func verifyFIPS[P](c *ecdsa.Curve[P], pub *PublicKey, hash, sig []byte) bool
func verifyLegacy(pub *PublicKey, hash []byte, sig []byte) bool
Package-Level Functions (total 35, in which 7 are exported)
GenerateKey generates a new ECDSA private key for the specified curve.
Most applications should use [crypto/rand.Reader] as rand. Note that the
returned key does not depend deterministically on the bytes read from rand,
and may change between calls and/or between versions.
ParseRawPrivateKey parses a private key encoded as a fixed-length big-endian
integer, according to SEC 1, Version 2.0, Section 2.3.6 (sometimes referred
to as the raw format). It returns an error if the value is not reduced modulo
the curve's order, or if it's zero.
curve must be one of [elliptic.P224], [elliptic.P256], [elliptic.P384], or
[elliptic.P521], or ParseRawPrivateKey returns an error.
ParseRawPrivateKey accepts the same format as [ecdh.Curve.NewPrivateKey] does
for NIST curves, but returns a [PrivateKey] instead of an [ecdh.PrivateKey].
Note that private keys are more commonly encoded in ASN.1 or PKCS#8 format,
which can be parsed with [crypto/x509.ParseECPrivateKey] or
[crypto/x509.ParsePKCS8PrivateKey] (and [encoding/pem]).
ParseUncompressedPublicKey parses a public key encoded as an uncompressed
point according to SEC 1, Version 2.0, Section 2.3.3 (also known as the X9.62
uncompressed format). It returns an error if the point is not in uncompressed
form, is not on the curve, or is the point at infinity.
curve must be one of [elliptic.P224], [elliptic.P256], [elliptic.P384], or
[elliptic.P521], or ParseUncompressedPublicKey returns an error.
ParseUncompressedPublicKey accepts the same format as
[ecdh.Curve.NewPublicKey] does for NIST curves, but returns a [PublicKey]
instead of an [ecdh.PublicKey].
Note that public keys are more commonly encoded in DER (or PEM) format, which
can be parsed with [crypto/x509.ParsePKIXPublicKey] (and [encoding/pem]).
Sign signs a hash (which should be the result of hashing a larger message)
using the private key, priv. If the hash is longer than the bit-length of the
private key's curve order, the hash will be truncated to that length. It
returns the signature as a pair of integers. Most applications should use
[SignASN1] instead of dealing directly with r, s.
SignASN1 signs a hash (which should be the result of hashing a larger message)
using the private key, priv. If the hash is longer than the bit-length of the
private key's curve order, the hash will be truncated to that length. It
returns the ASN.1 encoded signature.
The signature is randomized. Most applications should use [crypto/rand.Reader]
as rand. Note that the returned signature does not depend deterministically on
the bytes read from rand, and may change between calls and/or between versions.
Verify verifies the signature in r, s of hash using the public key, pub. Its
return value records whether the signature is valid. Most applications should
use VerifyASN1 instead of dealing directly with r, s.
The inputs are not considered confidential, and may leak through timing side
channels, or if an attacker has control of part of the inputs.
VerifyASN1 verifies the ASN.1 encoded signature, sig, of hash using the
public key, pub. Its return value records whether the signature is valid.
The inputs are not considered confidential, and may leak through timing side
channels, or if an attacker has control of part of the inputs.
addASN1IntBytes encodes in ASN.1 a positive integer represented as
a big-endian byte slice with zero or more leading zeroes.
bigIntEqual reports whether a and b are equal leaking only their bit length
through timing side-channels.
hashToInt converts a hash value to an integer. Per FIPS 186-4, Section 6.4,
we use the left-most bits of the hash to match the bit-length of the order of
the curve. This also performs Step 5 of SEC 1, Version 2.0, Section 4.1.3.