File Coverage

blib/lib/Crypt/PK/X25519.pm

Criterion	Covered	Total	%
statement	26	69	37.6
branch	6	60	10.0
condition	0	40	0.0
subroutine	8	12	66.6
pod	5	5	100.0
total	45	186	24.1

line	stmt	bran	cond	sub	pod	time	code
1							package Crypt::PK::X25519;
2
3	4			4		262867	use strict;
	4					63
	4					163
4	4			4		40	use warnings;
	4					6
	4					652
5							our $VERSION = '0.089';
6
7							require Exporter; our @ISA = qw(Exporter); ### use Exporter 5.57 'import';
8							our %EXPORT_TAGS = ( all => [qw( )] );
9							our @EXPORT_OK = ( @{ $EXPORT_TAGS{'all'} } );
10							our @EXPORT = qw();
11
12	4			4		28	use Carp;
	4					17
	4					402
13							$Carp::Internal{(__PACKAGE__)}++;
14	4			4		1229	use CryptX;
	4					9
	4					153
15	4			4		1097	use Crypt::PK;
	4					11
	4					171
16	4			4		1252	use Crypt::Misc qw(read_rawfile encode_b64u decode_b64u encode_b64 decode_b64 pem_to_der der_to_pem);
	4					11
	4					4378
17
18							sub new {
19	3			3	1	243877	my $self = shift->_new();
20	3	50				2376	return @_ > 0 ? $self->import_key(@_) : $self;
21							}
22
23							sub import_key_raw {
24	1			1	1	3	my ($self, $key, $type) = @_;
25	1	50				4	croak "FATAL: undefined key" unless $key;
26	1	50				4	croak "FATAL: invalid key" unless length($key) == 32;
27	1	50				3	croak "FATAL: undefined type" unless $type;
28	1	50				3	return $self->_import_raw($key, 1) if $type eq 'private';
29	1	50				22	return $self->_import_raw($key, 0) if $type eq 'public';
30	0						croak "FATAL: invalid key type '$type'";
31							}
32
33							sub import_key {
34	0			0	1		my ($self, $key, $password) = @_;
35	0						local $SIG{__DIE__} = \&CryptX::_croak;
36	0	0					croak "FATAL: undefined key" unless $key;
37
38							# special case
39	0	0					if (ref($key) eq 'HASH') {
40	0	0	0				if ($key->{kty} && $key->{kty} eq "OKP" && $key->{crv} && $key->{crv} eq 'X25519') {
			0
			0
41							# JWK-like structure e.g.
42							# {"kty":"OKP","crv":"X25519","d":"...","x":"..."}
43	0	0					return $self->_import_raw(decode_b64u($key->{d}), 1) if $key->{d}; # private
44	0	0					return $self->_import_raw(decode_b64u($key->{x}), 0) if $key->{x}; # public
45							}
46	0	0	0				if ($key->{curve} && $key->{curve} eq "x25519" && ($key->{priv} \|\| $key->{pub})) {
			0
			0
47							# hash exported via key2hash
48	0	0					return $self->_import_raw(pack("H*", $key->{priv}), 1) if $key->{priv};
49	0	0					return $self->_import_raw(pack("H*", $key->{pub}), 0) if $key->{pub};
50							}
51	0						croak "FATAL: unexpected X25519 key hash";
52							}
53
54	0						my $data;
55	0	0					if (ref($key) eq 'SCALAR') {
		0
56	0						$data = $$key;
57							}
58							elsif (-f $key) {
59	0						$data = read_rawfile($key);
60							}
61							else {
62	0						croak "FATAL: non-existing file '$key'";
63							}
64	0	0					croak "FATAL: invalid key data" unless $data;
65
66	0	0					if ($data =~ /-----BEGIN (PUBLIC\|PRIVATE\|ENCRYPTED PRIVATE) KEY-----(.+?)-----END (PUBLIC\|PRIVATE\|ENCRYPTED PRIVATE) KEY-----/s) {
		0
		0
67	0						return $self->_import_pem($data, $password);
68							}
69							elsif ($data =~ /^\s(\{.?\})\s*$/s) { # JSON
70	0		0				my $h = CryptX::_decode_json("$1") \|\| {};
71	0	0	0				if ($h->{kty} && $h->{kty} eq "OKP" && $h->{crv} && $h->{crv} eq 'X25519') {
			0
			0
72	0	0					return $self->_import_raw(decode_b64u($h->{d}), 1) if $h->{d}; # private
73	0	0					return $self->_import_raw(decode_b64u($h->{x}), 0) if $h->{x}; # public
74							}
75							}
76							elsif (length($data) == 32) {
77	0						croak "FATAL: use import_key_raw() to load raw (32 bytes) X25519 key";
78							}
79							else {
80							my $rv = eval { $self->_import($data) } \|\|
81							eval { $self->_import_pkcs8($data, $password) } \|\|
82	0		0				eval { $self->_import_x509($data) };
83	0	0					return $rv if $rv;
84							}
85	0						croak "FATAL: invalid or unsupported X25519 key format";
86							}
87
88							sub export_key_pem {
89	0			0	1		my ($self, $type, $password, $cipher) = @_;
90	0						local $SIG{__DIE__} = \&CryptX::_croak;
91	0		0				my $key = $self->export_key_der($type\|\|'');
92	0	0					return unless $key;
93	0	0					return der_to_pem($key, "PRIVATE KEY", $password, $cipher) if $type eq 'private';
94	0	0					return der_to_pem($key, "PUBLIC KEY") if $type eq 'public';
95							}
96
97							sub export_key_jwk {
98	0			0	1		my ($self, $type, $wanthash) = @_;
99	0						local $SIG{__DIE__} = \&CryptX::_croak;
100	0						my $kh = $self->key2hash;
101	0	0					return unless $kh;
102	0						my $hash = { kty => "OKP", crv => "X25519" };
103	0						$hash->{x} = encode_b64u(pack("H*", $kh->{pub}));
104	0	0	0				$hash->{d} = encode_b64u(pack("H*", $kh->{priv})) if $type && $type eq 'private' && $kh->{priv};
			0
105	0	0					return $wanthash ? $hash : CryptX::_encode_json($hash);
106							}
107
108	0			0			sub CLONE_SKIP { 1 } # prevent cloning
109
110							1;
111
112							=pod
113
114							=head1 NAME
115
116							Crypt::PK::X25519 - Asymmetric cryptography based on X25519
117
118							=head1 SYNOPSIS
119
120							use Crypt::PK::X25519;
121
122							my $alice = Crypt::PK::X25519->new->generate_key;
123							my $bob = Crypt::PK::X25519->new->generate_key;
124							my $alice_secret = $alice->shared_secret($bob);
125							my $bob_secret = $bob->shared_secret($alice);
126							die "ERROR" unless $alice_secret eq $bob_secret;
127
128							#Load key
129							my $pk = Crypt::PK::X25519->new;
130							my $pk_hex = "EA7806F721A8570512C8F6EFB4E8D620C49A529E4DF5EAA77DEC646FB1E87E41";
131							$pk->import_key_raw(pack("H*", $pk_hex), "public");
132							my $sk = Crypt::PK::X25519->new;
133							my $sk_hex = "002F93D10BA5728D8DD8E9527721DABA3261C0BB1BEFDE7B4BBDAC631D454651";
134							$sk->import_key_raw(pack("H*", $sk_hex), "private");
135
136							#Key generation
137							my $pk = Crypt::PK::X25519->new->generate_key;
138							my $private_der = $pk->export_key_der('private');
139							my $public_der = $pk->export_key_der('public');
140							my $private_pem = $pk->export_key_pem('private');
141							my $public_pem = $pk->export_key_pem('public');
142							my $private_raw = $pk->export_key_raw('private');
143							my $public_raw = $pk->export_key_raw('public');
144							my $private_jwk = $pk->export_key_jwk('private');
145							my $public_jwk = $pk->export_key_jwk('public');
146
147							=head1 DESCRIPTION
148
149							I
150
151							=head1 METHODS
152
153							=head2 new
154
155							my $source = Crypt::PK::X25519->new();
156							$source->generate_key;
157
158							my $public_der = $source->export_key_der('public');
159							my $pub = Crypt::PK::X25519->new(\$public_der);
160
161							my $private_pem = $source->export_key_pem('private', 'secret', 'AES-256-CBC');
162							my $priv = Crypt::PK::X25519->new(\$private_pem, 'secret');
163
164							Passing C<$filename> or C<\$buffer> to C is equivalent: both forms
165							immediately import the key material into the new object.
166
167							=head2 generate_key
168
169							Uses the bundled C PRNG via C. The exact OS entropy
170							source is handled by the underlying LibTomCrypt RNG setup.
171							Returns the object itself (for chaining).
172
173							$pk->generate_key;
174
175							=head2 import_key
176
177							Loads private or public key in DER or PEM format.
178
179							my $source = Crypt::PK::X25519->new();
180							$source->generate_key;
181
182							my $public_der = $source->export_key_der('public');
183							my $pub = Crypt::PK::X25519->new();
184							$pub->import_key(\$public_der);
185
186							my $private_pem = $source->export_key_pem('private', 'secret', 'AES-256-CBC');
187							my $priv = Crypt::PK::X25519->new();
188							$priv->import_key(\$private_pem, 'secret');
189
190							The same method also accepts filenames instead of buffers.
191
192							Loading private or public keys from a Perl HASH:
193
194							$pk->import_key($hashref);
195
196							# the $hashref is either a key exported via key2hash
197							$pk->import_key({
198							curve => "x25519",
199							pub => "EA7806F721A8570512C8F6EFB4E8D620C49A529E4DF5EAA77DEC646FB1E87E41",
200							priv => "002F93D10BA5728D8DD8E9527721DABA3261C0BB1BEFDE7B4BBDAC631D454651",
201							});
202
203							# or a hash with items corresponding to JWK (JSON Web Key)
204							$pk->import_key({
205							kty => "OKP",
206							crv => "X25519",
207							d => "AC-T0Qulco2N2OlSdyHaujJhwLsb7957S72sYx1FRlE",
208							x => "6ngG9yGoVwUSyPbvtOjWIMSaUp5N9eqnfexkb7HofkE",
209							});
210
211							Supported key formats:
212
213							# all formats can be loaded from a file
214							my $pk = Crypt::PK::X25519->new($filename);
215
216							# or from a buffer containing the key
217							my $pk = Crypt::PK::X25519->new(\$buffer_with_key);
218
219							=over
220
221							=item * X25519 private keys in PEM format
222
223							-----BEGIN X25519 PRIVATE KEY-----
224							MC4CAQAwBQYDK2VuBCIEIAAvk9ELpXKNjdjpUnch2royYcC7G+/ee0u9rGMdRUZR
225							-----END X25519 PRIVATE KEY-----
226
227							=item * X25519 private keys in password protected PEM format
228
229							-----BEGIN X25519 PRIVATE KEY-----
230							Proc-Type: 4,ENCRYPTED
231							DEK-Info: DES-CBC,DEEFD3D6B714E75A
232
233							dfFWP5bKn49aZ993NVAhQQPdFWgsTb4j8CWhRjGBVTPl6ITstAL17deBIRBwZb7h
234							pAyIka81Kfs=
235							-----END X25519 PRIVATE KEY-----
236
237							=item * X25519 public keys in PEM format
238
239							-----BEGIN PUBLIC KEY-----
240							MCowBQYDK2VuAyEA6ngG9yGoVwUSyPbvtOjWIMSaUp5N9eqnfexkb7HofkE=
241							-----END PUBLIC KEY-----
242
243							=item * PKCS#8 private keys
244
245							-----BEGIN PRIVATE KEY-----
246							MC4CAQAwBQYDK2VuBCIEIAAvk9ELpXKNjdjpUnch2royYcC7G+/ee0u9rGMdRUZR
247							-----END PRIVATE KEY-----
248
249							=item * PKCS#8 encrypted private keys
250
251							-----BEGIN ENCRYPTED PRIVATE KEY-----
252							MIGHMEsGCSqGSIb3DQEFDTA+MCkGCSqGSIb3DQEFDDAcBAiS0NOFZmjJswICCAAw
253							DAYIKoZIhvcNAgkFADARBgUrDgMCBwQIGd40Hdso8Y4EONSRCTrqvftl9hl3zbH9
254							2QmHF1KJ4HDMdLDRxD7EynonCw2SV7BO+XNRHzw2yONqiTybfte7nk9t
255							-----END ENCRYPTED PRIVATE KEY-----
256
257							=item * X25519 private keys in JSON Web Key (JWK) format
258
259							See L
260
261							{
262							"kty":"OKP",
263							"crv":"X25519",
264							"x":"6ngG9yGoVwUSyPbvtOjWIMSaUp5N9eqnfexkb7HofkE",
265							"d":"AC-T0Qulco2N2OlSdyHaujJhwLsb7957S72sYx1FRlE",
266							}
267
268							B For JWK support you need to have L module installed.
269
270							=item * X25519 public keys in JSON Web Key (JWK) format
271
272							{
273							"kty":"OKP",
274							"crv":"X25519",
275							"x":"6ngG9yGoVwUSyPbvtOjWIMSaUp5N9eqnfexkb7HofkE",
276							}
277
278							B For JWK support you need to have L module installed.
279
280							=back
281
282							=head2 import_key_raw
283
284							Import raw public/private key - can load raw key data exported by L.
285
286							$pk->import_key_raw($key, 'public');
287							$pk->import_key_raw($key, 'private');
288
289							=head2 export_key_der
290
291							Returns the key as a binary DER-encoded string.
292
293							my $private_der = $pk->export_key_der('private');
294							#or
295							my $public_der = $pk->export_key_der('public');
296
297							=head2 export_key_pem
298
299							Returns the key as a PEM-encoded string (ASCII).
300
301							my $private_pem = $pk->export_key_pem('private');
302							#or
303							my $public_pem = $pk->export_key_pem('public');
304
305							Support for password protected PEM keys
306
307							my $private_pem = $pk->export_key_pem('private', $password);
308							#or
309							my $private_pem = $pk->export_key_pem('private', $password, $cipher);
310
311							# supported ciphers: 'DES-CBC'
312							# 'DES-EDE3-CBC'
313							# 'SEED-CBC'
314							# 'CAMELLIA-128-CBC'
315							# 'CAMELLIA-192-CBC'
316							# 'CAMELLIA-256-CBC'
317							# 'AES-128-CBC'
318							# 'AES-192-CBC'
319							# 'AES-256-CBC' (DEFAULT)
320
321							=head2 export_key_jwk
322
323							Returns a JSON string, or a hashref if the optional second argument is true.
324
325							Exports public/private keys as a JSON Web Key (JWK).
326
327							my $private_json_text = $pk->export_key_jwk('private');
328							#or
329							my $public_json_text = $pk->export_key_jwk('public');
330
331							Also exports public/private keys as a Perl HASH with JWK structure.
332
333							my $jwk_hash = $pk->export_key_jwk('private', 1);
334							#or
335							my $jwk_hash = $pk->export_key_jwk('public', 1);
336
337							B For JWK support you need to have L module installed.
338
339							=head2 export_key_raw
340
341							Returns the raw key as a binary string.
342
343							Export raw public/private key
344
345							my $private_bytes = $pk->export_key_raw('private');
346							#or
347							my $public_bytes = $pk->export_key_raw('public');
348
349							=head2 shared_secret
350
351							Returns the shared secret as a binary string (raw bytes).
352
353							# Alice having her priv key $pk and Bob's public key $pkb
354							my $pk = Crypt::PK::X25519->new($priv_key_filename);
355							my $pkb = Crypt::PK::X25519->new($pub_key_filename);
356							my $shared_secret = $pk->shared_secret($pkb);
357
358							# Bob having his priv key $pk and Alice's public key $pka
359							my $pk = Crypt::PK::X25519->new($priv_key_filename);
360							my $pka = Crypt::PK::X25519->new($pub_key_filename);
361							my $shared_secret = $pk->shared_secret($pka); # same value as computed by Alice
362
363							=head2 is_private
364
365							my $rv = $pk->is_private;
366							# 1 .. private key loaded
367							# 0 .. public key loaded
368							# undef .. no key loaded
369
370							=head2 key2hash
371
372							Returns a hashref with the key components, or C if no key is loaded.
373
374							my $hash = $pk->key2hash;
375
376							# returns hash like this (or undef if no key loaded):
377							{
378							curve => "x25519",
379							# raw public key as a hexadecimal string
380							pub => "EA7806F721A8570512C8F6EFB4E8D620C49A529E4DF5EAA77DEC646FB1E87E41",
381							# raw private key as a hexadecimal string. undef if key is public only
382							priv => "002F93D10BA5728D8DD8E9527721DABA3261C0BB1BEFDE7B4BBDAC631D454651",
383							}
384
385							=head1 OpenSSL interoperability
386
387							# Generate a key with OpenSSL
388							# openssl genpkey -algorithm x25519 -out x25519_priv.pem
389							# openssl pkey -in x25519_priv.pem -pubout -out x25519_pub.pem
390
391							# Load the OpenSSL-generated key in CryptX
392							use Crypt::PK::X25519;
393							my $alice = Crypt::PK::X25519->new("x25519_priv.pem");
394							my $bob_pub = Crypt::PK::X25519->new("bob_x25519_pub.pem");
395
396							# Derive shared secret
397							my $shared_secret = $alice->shared_secret($bob_pub);
398
399							# Export CryptX key for OpenSSL
400							my $pem = $alice->export_key_pem('private');
401							# then: openssl pkey -in priv.pem -text -noout
402
403							=head1 SEE ALSO
404
405							=over
406
407							=item * L
408
409							=item * L
410
411							=back
412
413							=cut