Support ECDH for ECDSA keys

[tv42]

Feedback on APIs would be most welcome.

Fixes #79

[ericchiang]

Thanks for sending a PR :)

Keys implement an optional interface because it's what the standard library wants. The only prior art I could find for Diffie-Hellman was:

https://github.com/golang/go/blob/01a9cf8487df2b108f0dfd7060ff5ffbda972c3a/src/crypto/tls/key_schedule.go#L104-L110

I think this package shouldn't establishing a key agreement interface. Maybe just export keyECDSA as concrete type that you can type switch on?

type ECPrivetKey struct {}

func (k *ECPrivateKey) Public() crypto.Public {}
func (k *ECPrivateKey) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error)
func (k *ECPrivateKey) KeyAgreement(peer *ecdsa.PublicKey) ([]byte, error)

Then using the API looks like:

priv, err := yk.PrivateKey(slot, pub, auth)
if err != nil {
    // ...
}
ecPriv, ok := priv.(*piv.ECPrivateKey)
if !ok {
    // ...
}
sharedKey, err := ecPriv.KeyAgreement(peer)

If there's ever an actual key agreement interface to satisfy in the future, then ECPrivateKey can implement that later.

[tv42]

Ooh I hadn't found the stdlib one. Of course it makes sense TLS would have one. I'll happily steal the SharedKey name for that.

The reason I exported an interface, not a concrete type, was that I was thinking there might be a non-ECDSA keytype that can do Diffie-Hellman on the yubikey. But yeah the interface is easy to add later, if and when. I can switch to a concrete type.

[tv42]

Naming question: You used ECPrivateKey. Since this is specifically a P-nnn key that is ECDSA, and will refuse to do DH with non-ECDSA keys, I think it should be ECDSAPrivateKey then. We're not speaking on behalf of all elliptic curve crypto. Callers can always use handle multiple concrete types with interfaces.

[ericchiang]

ECDSAPrivateKey works for me

[tv42]

Pushed fixups for all feedback above. If you're happy with the end result, I'll rebase them together and take the draft flag off this PR.

[ericchiang]

Couple comments, but other than that lgtm. Thanks for this!

[ericchiang]

nit: include user instructions to get a *ECDSAPrivateKey. Anyone reading the docs will probably appreciate that :)

// ECDSAPrivateKey is a crypto.PrivateKey implementation used to directly access ECDSA
// operations. Keys returned by PrivateKey() can be type casted to use these methods.
//
//     priv, err := yk.PrivateKey(slot, pub, auth)
//     if err != nil {
//         // ...
//     }
//     ecdsaPriv, ok := priv.(*piv. ECDSAPrivateKey)

[tv42]

I wrote proper examples for SharedKey, that should also demonstrate this, and the documentation for the type referring there.

[ericchiang]

Oh an please squash your commits :) I can merge after

[tv42]

Squashed, all ready to go. (Branch wip-ecdh has the commit-by-commit action, if you want to see the latest changes.)

[tv42]

Oops, sorry, I want to clean up one more nit in the example.

[tv42]

Nope, nevermind, what I needed to do was refresh my godoc window to see that I had already fixed the nit. All good!