diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md index 614c86c..76c6639 100644 --- a/.github/CONTRIBUTING.md +++ b/.github/CONTRIBUTING.md @@ -23,10 +23,14 @@ Please note that changes that are purely cosmetic and do not add anything substa This project tries to be as Go idiomatic as possible. Conventions from [Effective Go](https://golang.org/doc/effective_go) apply here. Tests use a very opinionated linting configuration that you can use before committing to your changes. +### Governance Model + +This project follows the [Benevolent Dictator Governance Model](http://oss-watch.ac.uk/resources/benevolentdictatorgovernancemodel) where the project owner and lead makes all final decisions. + ### Licence By contributing to this project, you agree that your contributions will be licensed under the project's [License](https://github.com/bytemare/crypto/blob/main/LICENSE). -All contributions (including pull requests) must agree to the [Developer Certificate of Origin (DCO) version 1.1](http://developercertificate.org). It states that the contributor has the right to submit the patch for inclusion into the project. Simply submitting a contribution implies this agreement, however, please include the "Signed-off-by" git tag in every commit (this tag is a conventional way to confirm that you agree to the DCO). +All contributions (including pull requests) must agree to the [Developer Certificate of Origin (DCO) version 1.1](https://developercertificate.org). It states that the contributor has the right to submit the patch for inclusion into the project. Simply submitting a contribution implies this agreement, however, please include the "Signed-off-by" git tag in every commit (this tag is a conventional way to confirm that you agree to the DCO). Thanks! :heart: \ No newline at end of file diff --git a/.github/ISSUE_TEMPLATE/enhancement.md b/.github/ISSUE_TEMPLATE/enhancement.md new file mode 100644 index 0000000..8300dba --- /dev/null 
+++ b/.github/ISSUE_TEMPLATE/enhancement.md @@ -0,0 +1,24 @@ +--- +name: "📈 Enhancement" +about: Request or discuss improvements +title: "[Enhancement]" +labels: enhancement +assignees: bytemare + +--- + + + +### Describe the feature + +A clear and concise description of what the enhancement is and what problem it solves. + +**Expected behaviour** + +A clear and concise description of what you expected to happen. + +**Additional context** + +Add any other context about the problem here. diff --git a/.github/Makefile b/.github/Makefile index 6498af2..7a019ba 100644 --- a/.github/Makefile +++ b/.github/Makefile @@ -1,7 +1,7 @@ .PHONY: update update: @echo "Updating dependencies..." - @cd ../ && go get -u + @cd ../ && go get -u ./... @go mod tidy @echo "Updating Github Actions pins..." @$(foreach file, $(wildcard workflows/*.yml), pin-github-action $(file);) @@ -9,10 +9,10 @@ update: .PHONY: update-linters update-linters: @echo "Updating linters..." - @go install golang.org/x/tools/cmd/goimports@latest @go install mvdan.cc/gofumpt@latest @go install github.com/daixiang0/gci@latest @go install github.com/segmentio/golines@latest + @go install golang.org/x/tools/cmd/goimports@latest @go install golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment@latest @curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin diff --git a/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md b/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md index 0c4ba8a..3898f62 100644 --- a/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md +++ b/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md @@ -8,6 +8,8 @@ + + ### Motivation and Context 
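Review bot: The `update-linters` recipe still installs every linter with `@latest` and installs golangci-lint by piping `install.sh` from the `master` branch into `sh`, so this target runs unpinned remote code while the workflows in the same commit are pinned by commit SHA. Consider pinning each tool to a tagged release, e.g. `@go install mvdan.cc/gofumpt@<PINNED_VERSION>`, and fetching the install script from a release tag rather than `master`. Separately, `$(go env GOPATH)` on the curl line is expanded by make rather than by the shell and most likely evaluates to an empty string, which would make the script install into `/bin`; `$$(go env GOPATH)` passes the substitution through to the shell.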
@@ -26,9 +28,9 @@ ### Checklist: +- [ ] I have read the **CONTRIBUTING** document. - [ ] My code follows the code style of this project. - [ ] My change requires a change to the documentation. - [ ] I have updated the documentation accordingly. -- [ ] I have read the **CONTRIBUTING** document. - [ ] I have added tests to cover my changes. - [ ] All new and existing tests passed. diff --git a/SECURITY.md b/.github/SECURITY.md similarity index 100% rename from SECURITY.md rename to .github/SECURITY.md diff --git a/.github/dependency-review.yml b/.github/dependency-review.yml new file mode 100644 index 0000000..d2488d0 --- /dev/null +++ b/.github/dependency-review.yml @@ -0,0 +1,27 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: block + + - name: 'Checkout Repository' + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - name: 'Dependency Review' + uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 61ff028..f40e352 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
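Review bot: This new file is a workflow definition (`on: [pull_request]`, `jobs:`) but it is added as `.github/dependency-review.yml`; GitHub Actions only loads workflows from `.github/workflows/`, so as placed the dependency review never runs. Moving it to `.github/workflows/dependency-review.yml` fixes that. Once it does run, the Harden Runner step sets `egress-policy: block` with no `allowed-endpoints`, unlike the other workflows in this commit, so checkout and the review action may be blocked. Add an allow-list (ci.yml already permits `api.github.com:443` and `github.com:443`) or start from `egress-policy: audit` to collect the endpoints first.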
@@ -12,6 +12,17 @@ jobs: name: Lint runs-on: ubuntu-latest steps: + - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + proxy.golang.org:443 + raw.githubusercontent.com:443 + - name: Checkout repo uses: actions/checkout@8459bc0c7e3759cdf591f513d9f141a95fef0a8f with: @@ -35,8 +46,18 @@ jobs: strategy: fail-fast: false matrix: - go: [ '1.21', '1.20' ] + go: [ '1.22', '1.21' ] steps: + - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + github.com:443 + proxy.golang.org:443 + storage.googleapis.com:443 + sum.golang.org:443 + - name: Checkout repo uses: actions/checkout@8459bc0c7e3759cdf591f513d9f141a95fef0a8f with: @@ -54,6 +75,22 @@ jobs: name: Analyze runs-on: ubuntu-latest steps: + - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.codecov.io:443 + api.github.com:443 + cli.codecov.io:443 + ea6ne4j2sb.execute-api.eu-central-1.amazonaws.com:443 + github.com:443 + objects.githubusercontent.com:443 + proxy.golang.org:443 + scanner.sonarcloud.io:443 + sonarcloud.io:443 + storage.googleapis.com:443 + - name: Checkout repo uses: actions/checkout@8459bc0c7e3759cdf591f513d9f141a95fef0a8f with: @@ -70,6 +107,8 @@ jobs: # Codecov - name: Codecov uses: codecov/codecov-action@1290bddc8851afa46a03b9a73dd9979a415d4c4f + env: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: file: .github/coverage.out @@ -86,5 +125,6 @@ jobs: -Dsonar.go.coverage.reportPaths=.github/coverage.out -Dsonar.sources=. -Dsonar.test.exclusions=tests/** + -Dsonar.coverage.exclusions=tests/** -Dsonar.tests=tests/ -Dsonar.verbose=true 
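Review bot: The `'1.21'` entry in the test matrix no longer exercises Go 1.21, because go.mod is raised to `go 1.22.2` in this same commit. With a 1.21 toolchain the go command either switches to a downloaded 1.22.2 toolchain or, if toolchain switching is disabled, refuses to build. This leg is therefore either a duplicate of `'1.22'` or a guaranteed failure. Either reduce the matrix to `go: [ '1.22' ]` or keep the `go` directive at the oldest version the matrix is meant to support.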
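Review bot: The Analyze allow-list contains `ea6ne4j2sb.execute-api.eu-central-1.amazonaws.com:443`, an opaque API Gateway hostname with nothing on the page saying which step needs it or who operates it. Put a comment above `allowed-endpoints:` (a `#` inside the folded scalar would become part of the value) naming the step that requires it, presumably one of the Codecov or Sonar steps, to be confirmed from a harden-runner audit run. Also, `storage.googleapis.com:443`, `objects.githubusercontent.com:443` and, in the Lint job, `raw.githubusercontent.com:443` are shared multi-tenant hosts, so the block policy does not restrict egress to this project's own content on them. That matters most in this job, which now receives `CODECOV_TOKEN`.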
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e1c6b96..6ebbc46 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,6 +1,9 @@ name: "CodeQL" on: + push: + branches: + - main pull_request: branches: - main @@ -23,17 +26,22 @@ jobs: fail-fast: false steps: + - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10 + with: + disable-sudo: true + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@8459bc0c7e3759cdf591f513d9f141a95fef0a8f + uses: actions/checkout@27135e314dd1818f797af1db9dae03a9f045786b # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@231aa2c8a89117b126725a0e11897209b7118144 # pin@master + uses: github/codeql-action/init@231aa2c8a89117b126725a0e11897209b7118144 with: languages: go - name: Autobuild - uses: github/codeql-action/autobuild@231aa2c8a89117b126725a0e11897209b7118144 # pin@master + uses: github/codeql-action/autobuild@231aa2c8a89117b126725a0e11897209b7118144 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@231aa2c8a89117b126725a0e11897209b7118144 # pin@master + uses: github/codeql-action/analyze@231aa2c8a89117b126725a0e11897209b7118144 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 61d96b9..b7c346f 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -1,9 +1,10 @@ -name: Scorecards supply-chain security +name: Scorecard analysis workflow on: # Only the default branch is supported. branch_protection_rule: schedule: - - cron: '44 9 * * 0' + # Weekly on Saturdays. + - cron: '30 1 * * 6' push: branches: [ main ] 
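Review bot: The `uses:` lines in the `steps:` hunk lose their `# pin@master` trailers and get nothing in return, so no record remains of which release each 40-character SHA corresponds to; dependency-review.yml in the same commit annotates its pins (`# v2.7.0`, `# v3.6.0`), and the same bare pins appear in scorecards.yml and snyk.yml. A trailing comment such as `# <TAG>` on each pin makes it reviewable, and the `pin-github-action` run in the Makefile's `update` target may rely on such a comment to know which ref to re-resolve (worth confirming). Checkout is also pinned here to `27135e314dd1818f797af1db9dae03a9f045786b` while every other workflow in the commit uses `8459bc0c7e3759cdf591f513d9f141a95fef0a8f`. Finally, this is the only job left on `egress-policy: audit`, which logs outbound calls without blocking them; once an audit run has produced the endpoint list, switch it to `block` like the other workflows.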
@@ -12,15 +13,30 @@ permissions: read-all jobs: analysis: - name: Scorecards analysis + name: Scorecard analysis runs-on: ubuntu-latest permissions: - # Needed to upload the results to code-scanning dashboard. + # Needed if using Code scanning alerts security-events: write - actions: read - contents: read + # Needed for GitHub OIDC token if publish_results is true + id-token: write steps: + - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + api.osv.dev:443 + api.securityscorecards.dev:443 + fulcio.sigstore.dev:443 + github.com:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 + - name: "Checkout code" uses: actions/checkout@8459bc0c7e3759cdf591f513d9f141a95fef0a8f with: 
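Review bot: The job-level `permissions` block now grants only `security-events: write` and `id-token: write`, and because a job-level block replaces the workflow-level `read-all`, `contents` and `actions` drop to none for this job. That is the least-privilege setup for a public repository, but checkout and the Scorecard checks would need `contents: read` and `actions: read` restored if the repository were ever private. A one-line comment such as `# contents/actions read intentionally omitted: public repository` would keep someone from re-adding broad scopes later.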
@@ -31,16 +47,19 @@ jobs: with: results_file: results.sarif results_format: sarif - # Read-only PAT token. To create it, - # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation. - repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} - # Publish the results to enable scorecard badges. For more details, see + # (Optional) fine-grained personal access token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-fine-grained-pat-optional. + repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Publish the results for public repositories to enable scorecard badges. For more details, see # https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories, `publish_results` will automatically be set to `false`, - # regardless of the value entered here. + # For private repositories, `publish_results` will automatically be set to `false`, regardless + # of the value entered here. publish_results: true - # Upload the results as artifacts (optional). + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. - name: "Upload artifact" uses: actions/upload-artifact@552bf3722c16e81001aea7db72d8cedf64eb5f68 with: @@ -48,8 +67,8 @@ jobs: path: results.sarif retention-days: 5 - # Upload the results to GitHub's code scanning dashboard. - - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # pin@master + # required for Code scanning alerts + - name: "Upload SARIF results to code scanning" + uses: github/codeql-action/upload-sarif@4ebadbc7468649cf79b138f45e20d999351f6ed0 with: sarif_file: results.sarif diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml index 01e9a1e..354fb91 100644 
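Review bot: The new comment above `repo_token` does not match the configuration: it tells the reader to "Uncomment the `repo_token` line below", but that line is active, and the condition list stops after its first bullet with a dangling "or". Either comment the line out, `# repo_token: ${{ secrets.SCORECARD_TOKEN }}`, if the token really is optional here, or reword the comment to say that the fine-grained PAT is in use and why. The secret name also changes from `SCORECARD_READ_TOKEN` to `SCORECARD_TOKEN`, so a read-only token has to exist under the new name; otherwise the action receives an empty value.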
--- a/.github/workflows/snyk.yml +++ b/.github/workflows/snyk.yml @@ -17,9 +17,18 @@ jobs: name: Snyk runs-on: ubuntu-latest steps: + - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.snyk.io:443 + github.com:443 + proxy.golang.org:443 + - uses: actions/checkout@8459bc0c7e3759cdf591f513d9f141a95fef0a8f - name: Run Snyk to check for vulnerabilities - uses: snyk/actions/golang@3e2680e8df93a24b52d119b1305fb7cedc60ceae # pin@master + uses: snyk/actions/golang@8349f9043a8b7f0f3ee8885bf28f0b388d2446e8 env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: diff --git a/.gitignore b/.gitignore index 66fd13c..bbfd2cb 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,5 @@ # Dependency directories (remove the comment below to include it) # vendor/ + +.idea \ No newline at end of file diff --git a/README.md b/README.md index 846d30a..dfe9c0d 100644 --- a/README.md +++ b/README.md @@ -29,8 +29,9 @@ The following table indexes supported groups with hash-to-curve capability and l ## Prime-order group interface -This package defines an interface to the group and its scalars and elements, but exposes a type that handles that for -you. You don't need to instantiate or implement anything. +This package exposes types that can handle different implementations under the hood, internally using an interface +to the group and its scalars and elements, but you don't need to instantiate or implement anything. Just use the type in +the top package. ### Group interface 
@@ -105,7 +106,7 @@ You can find the documentation and usage examples in [the package doc](https://p ## Versioning -[SemVer](http://semver.org) is used for versioning. For the versions available, see the [tags on the repository](https://github.com/bytemare/crypto/tags). +[SemVer](https://semver.org) is used for versioning. For the versions available, see the [tags on the repository](https://github.com/bytemare/crypto/tags). ## Contributing diff --git a/go.mod b/go.mod index f57fac7..c79dbf6 100644 --- a/go.mod +++ b/go.mod @@ -1,17 +1,17 @@ module github.com/bytemare/crypto -go 1.21 +go 1.22.2 require ( filippo.io/edwards25519 v1.1.0 filippo.io/nistec v0.0.3 - github.com/bytemare/hash2curve v0.2.4 - github.com/bytemare/secp256k1 v0.1.1 + github.com/bytemare/hash2curve v0.3.0 + github.com/bytemare/secp256k1 v0.1.2 github.com/gtank/ristretto255 v0.1.2 ) require ( - github.com/bytemare/hash v0.2.0 // indirect - golang.org/x/crypto v0.17.0 // indirect - golang.org/x/sys v0.15.0 // indirect + github.com/bytemare/hash v0.3.0 // indirect + golang.org/x/crypto v0.22.0 // indirect + golang.org/x/sys v0.19.0 // indirect ) diff --git a/go.sum b/go.sum index 1c9603c..8cf3e82 100644 --- a/go.sum +++ b/go.sum 
@@ -2,15 +2,15 @@ filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= filippo.io/nistec v0.0.3 h1:h336Je2jRDZdBCLy2fLDUd9E2unG32JLwcJi0JQE9Cw= filippo.io/nistec v0.0.3/go.mod h1:84fxC9mi+MhC2AERXI4LSa8cmSVOzrFikg6hZ4IfCyw= -github.com/bytemare/hash v0.2.0 h1:BVWJOz1IIaLmxSybx8WiMMAS6OlB23JLU9vkCLgrt+0= -github.com/bytemare/hash v0.2.0/go.mod h1:aAUXRjcoavq+IrTSZHPY9nEy8wHmWZk8y4Sbol4XkWU= -github.com/bytemare/hash2curve v0.2.4 h1:os6/FM43D7W/K0FkUbrGoGemp+nX4x/Sytv9N5tF+hU= -github.com/bytemare/hash2curve v0.2.4/go.mod h1:P9v9uVR5wOGlSwlPqvRYzbj28+pmw/Lxpn2FgRQ7hCE= -github.com/bytemare/secp256k1 v0.1.1 h1:gy594u/BhqXt77EA+c2nBuJbGl/XAFhsc+kXm+5O6oA= -github.com/bytemare/secp256k1 v0.1.1/go.mod h1:VGxliu7lu4ZKheaBvGwAATmbzdELTrQqiDusFkodOCM= +github.com/bytemare/hash v0.3.0 h1:RqFMt3mqpF7UxLdjBrsOZm/2cz0cQiAOnYc9gDLopWE= +github.com/bytemare/hash v0.3.0/go.mod h1:YKOBchL0l8hRLFinVCL8YUKokGNIMhrWEHPHo3EV7/M= +github.com/bytemare/hash2curve v0.3.0 h1:41Npcbc+u/E252A5aCMtxDcz7JPkkX1QzShneTFm4eg= +github.com/bytemare/hash2curve v0.3.0/go.mod h1:itj45U8uqvCtWC0eCswIHVHswXcEHkpFui7gfJdPSfQ= +github.com/bytemare/secp256k1 v0.1.2 h1:aM+p/+0y1h0SZWqS/yzjGPzffVFubJvwLjUgodFEWOo= +github.com/bytemare/secp256k1 v0.1.2/go.mod h1:Pxb9miDs8PTt5mOktvvXiRflvLxI1wdxbXrc6IYsaho= github.com/gtank/ristretto255 v0.1.2 h1:JEqUCPA1NvLq5DwYtuzigd7ss8fwbYay9fi4/5uMzcc= github.com/gtank/ristretto255 v0.1.2/go.mod h1:Ph5OpO6c7xKUGROZfWVLiJf9icMDwUeIvY4OmlYW69o= -golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= -golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= -golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= -golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= +golang.org/x/crypto v0.22.0/go.mod 
h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= +golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= +golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= diff --git a/internal/nist/curve.go b/internal/nist/curve.go index 6b9e0d2..ec77873 100644 --- a/internal/nist/curve.go +++ b/internal/nist/curve.go @@ -20,7 +20,7 @@ import ( type mapping struct { z big.Int hash crypto.Hash - secLength int + secLength uint } type curve[point nistECPoint[point]] struct { @@ -30,7 +30,7 @@ type curve[point nistECPoint[point]] struct { mapping } -func (c *curve[point]) setMapping(hash crypto.Hash, z string, secLength int) { +func (c *curve[point]) setMapping(hash crypto.Hash, z string, secLength uint) { c.mapping.hash = hash c.mapping.secLength = secLength c.mapping.z = field.String2Int(z)
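Review bot: `secLength` changes from `int` to `uint` in both the `mapping` struct and `setMapping`, but neither carries a comment saying what the value measures or which range is valid. I would add a field comment such as `// secLength is the security length used by the mapping; TODO state the unit` and a doc comment `// setMapping stores the hash function, the parsed z value and the security length on the curve.` With an unsigned type, any subtraction involving `secLength` wraps instead of going negative, and call sites not shown here must now pass or convert to `uint`, so those are worth checking alongside this change. `setMapping`'s closing brace lies outside the hunk.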