Add support for NIST P-256 curve

[AlfioEmanueleFresta]

Changes

• Adds support for NIST P-256, aka secp256r1, using the p256 crate from RustCrypto. This is a pure-Rust implementation.
• As per feedback in previous abandoned PR try to add secp256k1_support #38 (comment), the code is feature gated, as this is a non-standard curve.
• Includes PR Update Cargo.toml #181 which updates curve25519-dalek, which unbreaks the build for me.

Motivation

This curve is used for the Noise handshake in CTAP2 Hybrid Transport. This is the protocol used for browsers to access FIDO2 credentials (aka Passkeys) on roaming authenticators connected over the internet, such as phones running Android and iOS.

I'm using snow in my implementation of CTAP2, aimed at bringing Passkeys to the Linux desktop, see xdg-credentials-portal.

Tests

All commands below succeed:

$ cargo build --all-targets
$ cargo build --all-targets --features p256
$ cargo test --all-targets
$ cargo test --all-targets --features p256

[AlfioEmanueleFresta]

Friendy ping on this @mcginty - I would need this change to be upstreamed so we can begin publishing linux-credentials/libwebauthn to crates.io. TIA!

[mcginty]

@AlfioEmanueleFresta Wow, I'm so sorry I dropped the ball on this! Reviewing now.

[mcginty]

Thanks for the PR! This is looking pretty good, I just have some small comments/questions.

[mcginty]

I think we should feature-gate this as well so we don't change any constants in the default state (although really our MAXDHLEN should be 32 by default here, since we don't support Curve448 as of yet, but that's another fix outside of this PR :)

Suggested change

	pub const MAXDHLEN: usize = 65;
	// P-256 uncompressed SEC-1 encodings are 65 bytes long, larger than the `MAXDHLEN` in the official Noise spec.
	#[cfg(feature = "p256")]
	pub const MAXDHLEN: usize = 65;
	// Curve448 keys are the largest in the official Noise spec.
	#[cfg(not(feature = "p256"))]
	pub const MAXDHLEN: usize = 56;

[mcginty]

Any reason not to store privkey as a p256::SecretKey here?

[AlfioEmanueleFresta]

I gave this a try again, as I couldn't remember why - it seems it's not trivial:

error[E0515]: cannot return reference to temporary value
   --> src/resolvers/default.rs:241:9
    |
241 |         &self.pubkey.to_sec1_bytes()
    |         ^---------------------------
    |         ||
    |         |temporary value created here
    |         returns a reference to data owned by the current function

The issue is that the Dh trait requires exporting slices:

pub trait Dh: Send + Sync {
    fn pubkey(&self) -> &[u8];
    fn privkey(&self) -> &[u8];

However, p256::SecretKey and p256::PublicKey only return owned types (eg. FieldBytes<...>, or GenericArray<u8, ...>).

Pre-serializing the keys to their byte representation allows keeping the trait unchanged.

[complexspaces]

I also took a quick look and agree this isn't a simple drop-in; the key types available only provide copied-array access to the inner bytes because they are stored as a "generic" field representation.

FWIW I have run into similar issues before with the use of slices for everything in the Dh implementations. It was when attempting to add support for ECDH directly in the ring provider because those also don't (at all) provide access to a slice representation of private keys.

[mcginty]

Got it -- that makes sense to keep it as-is then!

I can address this more holistically in a large rework of this trait later. It doesn't make sense to keep these slices if they're holding us back in the long run.

[mcginty]

Where did you get these test constants from? It would be good to have a citation to a known-good example to derive trust for this implementation.

[AlfioEmanueleFresta]

I honestly do not recall, so I've replaced these with the test vectors from RFC 5903, and added some comments to this effect.

[mcginty]

Thanks for the PR! This is looking pretty good, I just have some small comments/questions.

[complexspaces]

As a drive-by comment, which might be helpful context: I asked Trevor at RWC one year what his thoughts were on CTAP Hybrid being specified with a non-standard Noise curve, as the designer of Noise because I was curious, and the answer was that it wasn't a big deal these days and that maybe future versions of Noise would be more curve agnostic anyway.

Tl;dr I think this change is worthwhile for sure :)

[mcginty]

@complexspaces thanks for the context! Yeah, generally I'm open to snow supporting "unofficial" general-use Noise modes, as long as the default snow only exposes the officially supported modes and unofficial modifications are feature-gated, just as this PR does.

[AlfioEmanueleFresta]

Thanks for the review @mcginty! Addressed your comments.

@complexspaces that's interesting! FWIW, here are some reasons P-256 might have been chosen for the FIDO specs: fido-alliance/discussions#2 (comment)

[complexspaces]

@AlfioEmanueleFresta Yeah it makes a lot of sense why they picked P-256, including the reasons listed in your link. I don't think it was done harmfully to be clear, just out of necessity for what algorithms existing key APIs supported across OSes.

[mcginty]

Looks great, thank you very much for making the change and patience in needing to ping me to review it :).