wbond / oscrypto

Compiler-free Python crypto library backed by the OS, supporting CPython and PyPy
MIT License

Add ability to calculate ECDH shared secret #19

Open Schamper opened 7 years ago

Schamper commented 7 years ago

I can see functions to generate EC keys, but not one to calculate the ECDH shared secret. Am I missing it or does it need to be added?

Thanks

wbond commented 7 years ago

This hasn’t been implemented yet, mostly because I haven’t run into a need for it in my projects.

I’m not opposed to it being added.

jnsptrsn commented 6 years ago

That would be a fine addition to this great project!

wiml commented 6 years ago

I need this and have started coding something up for my use. I'll see about putting it on a branch for review and/or pulling.

I can do the OpenSSL and MacOSX backends, but I have no access to (nor interest in) the Windows environment, so someone else would have to implement that part.

wiml commented 6 years ago

I have something reasonably tidy I could push to a branch now. However, the EVP-based key agreement support only showed up in OpenSSL 1.0.2. Is it worth coding a fallback for 0.9.8–1.0.1 that uses the lower-level ECDH_compute_key() function? @wbond what do you think?

wbond commented 6 years ago

I appreciate your interest in contributing @wiml. I don't have time to work on this now, and probably not for a while. That said, I wouldn't plan on merging until a Windows solution was present, since the idea of the package is to provide a consistent API across platforms.

I think it would be worth pushing your work up into a PR if you are interested. I personally would prefer code that works on OpenSSL versions before 1.0.2, just because I am almost certain they are still in the wild and supported on various long-term support Linux distros.

wiml commented 6 years ago

Even my oldish LTS install is at 1.0.2, but it turns out not to be too hard to support older OpenSSL versions as well. I set up a tox thing to test the crossproduct of python versions / OpenSSL versions / FFI.

I did have to add a pure-Python implementation of the X9.63 KDF, but that's pretty simple.

I'll push it to GitHub in a few days probably.
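
For readers unfamiliar with the X9.63 KDF mentioned in the comment above, here is an added example of the construction in pure Python. It is not wiml's code and not part of oscrypto; the function name `x963_kdf`, its parameters and the sample inputs are assumptions made for illustration.

```python
import hashlib
import struct


def x963_kdf(shared_secret: bytes, key_len: int, shared_info: bytes = b"",
             hash_name: str = "sha256") -> bytes:
    """ANSI X9.63 KDF: K = H(Z || ctr || SharedInfo), ctr = 1, 2, ...

    Z is the raw ECDH shared secret (the x-coordinate of the shared point).
    Note the field order: the NIST SP 800-56A concatenation KDF hashes
    ctr || Z || OtherInfo instead, so the two are not interchangeable.
    """
    if not shared_secret:
        raise ValueError("shared secret Z must not be empty")
    if key_len <= 0:
        raise ValueError("key_len must be positive")
    digest_size = hashlib.new(hash_name).digest_size
    if digest_size == 0:
        raise ValueError("variable-length hashes are not usable here")
    # The counter is a 32-bit big-endian integer, which bounds the output.
    if key_len > digest_size * 0xFFFFFFFF:
        raise ValueError("key_len too large for a 32-bit counter")

    blocks = []
    produced = 0
    counter = 1
    while produced < key_len:
        h = hashlib.new(hash_name)
        h.update(shared_secret)
        h.update(struct.pack(">I", counter))
        h.update(shared_info)
        blocks.append(h.digest())
        produced += digest_size
        counter += 1
    # Concatenate the blocks and truncate to the requested length.
    return b"".join(blocks)[:key_len]


if __name__ == "__main__":
    # Constructed sample inputs, not a real key agreement result.
    z = bytes(range(32))
    info = b"constructed example context"
    print(x963_kdf(z, 48, info).hex())
```

Feeding the raw shared secret through a KDF like this, with context bound in via `shared_info`, is what turns the ECDH output into usable symmetric key material.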

wiml commented 6 years ago

All right, I've pushed a few branches to my fork which should be of interest to anyone else who needs this feature:

So, if someone writes a Microsoft backend, it and these branches could be octopus-merged to produce a final feature branch.

In addition there are a few utility branches containing stuff that's likely in common across backends; pull them into a Microsoft backend branch if useful, ignore otherwise (they're already incorporated into the above branches):

Happy hacking and I hope someone finds this useful.