Support raw ECDH key agreements

Author: vcsjones

src/libraries/Common/src/Interop/Windows/BCrypt/Cng.cs

@@ -45,6 +45,7 @@ internal static class KeyDerivationFunction
             public const string Hash = "HASH";                  // BCRYPT_KDF_HASH
             public const string Hmac = "HMAC";                  // BCRYPT_KDF_HMAC
             public const string Tls = "TLS_PRF";                // BCRYPT_KDF_TLS_PRF
+            public const string Raw = "TRUNCATE";               // BCRYPT_KDF_RAW_SECRET
         }
     }
 

src/libraries/Common/src/Interop/Windows/NCrypt/Interop.NCryptDeriveKeyMaterial.cs

@@ -241,5 +241,25 @@ internal static unsafe byte[] DeriveKeyMaterialTls(
                     flags);
             }
         }
+
+        internal static unsafe byte[] DeriveKeyMaterialTruncate(
+            SafeNCryptSecretHandle secretAgreement,
+            SecretAgreementFlags flags)
+        {
+            if (!OperatingSystem.IsWindowsVersionAtLeast(10))
+            {
+                throw new PlatformNotSupportedException();
+            }
+
+            byte[] result = DeriveKeyMaterial(
+                secretAgreement,
+                BCryptNative.KeyDerivationFunction.Raw,
+                ReadOnlySpan<NCryptBuffer>.Empty,
+                flags);
+
+            // Win32 returns the result as little endian. So we need to flip it to big endian.
+            Array.Reverse(result);
+            return result;
+        }
     }
 }

src/libraries/Common/src/System/Security/Cryptography/ECDiffieHellmanAndroid.Derive.cs

@@ -72,6 +72,16 @@ public override byte[] DeriveKeyTls(ECDiffieHellmanPublicKey otherPartyPublicKey
                     DeriveSecretAgreement);
             }
 
+            public override byte[] DeriveRawSecretAgreement(ECDiffieHellmanPublicKey otherPartyPublicKey)
+            {
+                ArgumentNullException.ThrowIfNull(otherPartyPublicKey);
+                ThrowIfDisposed();
+
+                byte[]? secretAgreement = DeriveSecretAgreement(otherPartyPublicKey, hasher: null);
+                Debug.Assert(secretAgreement is not null);
+                return secretAgreement;
+            }
+
             /// <summary>
             /// Get the secret agreement generated between two parties
             /// </summary>

src/libraries/Common/src/System/Security/Cryptography/ECDiffieHellmanCng.cs

@@ -130,5 +130,18 @@ public override byte[] DeriveKeyTls(ECDiffieHellmanPublicKey otherPartyPublicKey
                     Interop.NCrypt.SecretAgreementFlags.None);
             }
         }
+
+        /// <inheritdoc />
+        public override byte[] DeriveRawSecretAgreement(ECDiffieHellmanPublicKey otherPartyPublicKey)
+        {
+            ArgumentNullException.ThrowIfNull(otherPartyPublicKey);
+
+            using (SafeNCryptSecretHandle secretAgreement = DeriveSecretAgreementHandle(otherPartyPublicKey))
+            {
+                return Interop.NCrypt.DeriveKeyMaterialTruncate(
+                    secretAgreement,
+                    Interop.NCrypt.SecretAgreementFlags.None);
+            }
+        }
     }
 }

src/libraries/Common/src/System/Security/Cryptography/ECDiffieHellmanOpenSsl.Derive.cs

@@ -69,6 +69,17 @@ public override byte[] DeriveKeyTls(ECDiffieHellmanPublicKey otherPartyPublicKey
                 DeriveSecretAgreement);
         }
 
+        /// <inheritdoc />
+        public override byte[] DeriveRawSecretAgreement(ECDiffieHellmanPublicKey otherPartyPublicKey)
+        {
+            ArgumentNullException.ThrowIfNull(otherPartyPublicKey);
+            ThrowIfDisposed();
+
+            byte[]? secretAgreement = DeriveSecretAgreement(otherPartyPublicKey, hasher: null);
+            Debug.Assert(secretAgreement is not null);
+            return secretAgreement;
+        }
+
         /// <summary>
         /// Get the secret agreement generated between two parties
         /// </summary>

src/libraries/Common/src/System/Security/Cryptography/ECDiffieHellmanSecurityTransforms.cs

@@ -165,6 +165,16 @@ public override byte[] DeriveKeyTls(ECDiffieHellmanPublicKey otherPartyPublicKey
                     DeriveSecretAgreement);
             }
 
+            public override byte[] DeriveRawSecretAgreement(ECDiffieHellmanPublicKey otherPartyPublicKey)
+            {
+                ArgumentNullException.ThrowIfNull(otherPartyPublicKey);
+                ThrowIfDisposed();
+
+                byte[]? secretAgreement = DeriveSecretAgreement(otherPartyPublicKey, hasher: null);
+                Debug.Assert(secretAgreement is not null);
+                return secretAgreement;
+            }
+
             private byte[]? DeriveSecretAgreement(ECDiffieHellmanPublicKey otherPartyPublicKey, IncrementalHash? hasher)
             {
                 if (!(otherPartyPublicKey is ECDiffieHellmanSecurityTransformsPublicKey secTransPubKey))

src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/ECDiffieHellman/ECDiffieHellmanFactory.cs

@@ -13,6 +13,7 @@ public interface IECDiffieHellmanProvider
         bool IsCurveValid(Oid oid);
         bool ExplicitCurvesSupported { get; }
         bool CanDeriveNewPublicKey { get; }
+        bool SupportsRawDerivation { get; }
     }
 
     public static partial class ECDiffieHellmanFactory
@@ -42,5 +43,7 @@ public static bool IsCurveValid(Oid oid)
         public static bool ExplicitCurvesSupported => s_provider.ExplicitCurvesSupported;
 
         public static bool CanDeriveNewPublicKey => s_provider.CanDeriveNewPublicKey;
+
+        public static bool SupportsRawDerivation => s_provider.SupportsRawDerivation;
     }
 }

src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/ECDiffieHellman/ECDiffieHellmanTests.NistValidation.cs

@@ -223,9 +223,19 @@ private static void Verify(
             HashAlgorithmName zHashAlgorithm,
             byte[] iutZ)
         {
-            byte[] result = iut.DeriveKeyFromHash(cavsPublic, zHashAlgorithm);
+            byte[] deriveHash = iut.DeriveKeyFromHash(cavsPublic, zHashAlgorithm);
             byte[] hashedZ = zHasher.ComputeHash(iutZ);
-            Assert.Equal(hashedZ.ByteArrayToHex(), result.ByteArrayToHex());
+            Assert.Equal(hashedZ.ByteArrayToHex(), deriveHash.ByteArrayToHex());
+
+            if (ECDiffieHellmanFactory.SupportsRawDerivation)
+            {
+                byte[] rawDerived = iut.DeriveRawSecretAgreement(cavsPublic);
+                Assert.Equal(iutZ.ByteArrayToHex(), rawDerived.ByteArrayToHex());
+            }
+            else
+            {
+                Assert.Throws<PlatformNotSupportedException>(() => iut.DeriveRawSecretAgreement(cavsPublic));
+            }
         }
     }
 #endif

src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/ECDiffieHellman/ECDiffieHellmanTests.Raw.cs

@@ -0,0 +1,94 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Security.Cryptography;
+using Xunit;
+
+namespace System.Security.Cryptography.EcDiffieHellman.Tests
+{
+    public partial class ECDiffieHellmanTests
+    {
+        public static bool DoesNotSupportRawDerivation => !ECDiffieHellmanFactory.SupportsRawDerivation;
+
+        [ConditionalFact(typeof(ECDiffieHellmanFactory), nameof(ECDiffieHellmanFactory.SupportsRawDerivation))]
+        public static void RawDerivation_OtherKeyRequired()
+        {
+            using (ECDiffieHellman ecdh = ECDiffieHellmanFactory.Create())
+            {
+                AssertExtensions.Throws<ArgumentNullException>(
+                    "otherPartyPublicKey",
+                    () => ecdh.DeriveRawSecretAgreement(null));
+            }
+        }
+
+        [ConditionalTheory(typeof(ECDiffieHellmanFactory), nameof(ECDiffieHellmanFactory.SupportsRawDerivation))]
+        [MemberData(nameof(MismatchedKeysizes))]
+        public static void RawDerivation_SameSizeOtherKeyRequired(int aliceSize, int bobSize)
+        {
+            using (ECDiffieHellman alice = ECDiffieHellmanFactory.Create(aliceSize))
+            using (ECDiffieHellman bob = ECDiffieHellmanFactory.Create(bobSize))
+            using (ECDiffieHellmanPublicKey bobPublic = bob.PublicKey)
+            {
+                AssertExtensions.Throws<ArgumentException>(
+                    "otherPartyPublicKey",
+                    () => alice.DeriveRawSecretAgreement(bobPublic));
+            }
+        }
+
+        [ConditionalTheory(typeof(ECDiffieHellmanFactory), nameof(ECDiffieHellmanFactory.SupportsRawDerivation))]
+        [MemberData(nameof(EveryKeysize))]
+        public static void RawDerivation_DeriveSharedSecret_Agree(int keySize)
+        {
+            using (ECDiffieHellman alice = ECDiffieHellmanFactory.Create(keySize))
+            using (ECDiffieHellman bob = ECDiffieHellmanFactory.Create(keySize))
+            using (ECDiffieHellmanPublicKey alicePublic = alice.PublicKey)
+            using (ECDiffieHellmanPublicKey bobPublic = bob.PublicKey)
+            {
+                byte[] aliceDerived = alice.DeriveRawSecretAgreement(bobPublic);
+                byte[] bobDerived = bob.DeriveRawSecretAgreement(alicePublic);
+                Assert.Equal(aliceDerived, bobDerived);
+            }
+        }
+
+        [ConditionalFact(typeof(ECDiffieHellmanFactory), nameof(ECDiffieHellmanFactory.SupportsRawDerivation))]
+        public static void RawDerivation_DeriveSharedSecret_Disagree()
+        {
+            using (ECDiffieHellman alice = ECDiffieHellmanFactory.Create(ECCurve.NamedCurves.nistP256))
+            using (ECDiffieHellman bob = ECDiffieHellmanFactory.Create(ECCurve.NamedCurves.nistP256))
+            using (ECDiffieHellman eve = ECDiffieHellmanFactory.Create(ECCurve.NamedCurves.nistP256))
+            using (ECDiffieHellmanPublicKey bobPublic = bob.PublicKey)
+            using (ECDiffieHellmanPublicKey evePublic = eve.PublicKey)
+            {
+                byte[] aliceDerived = alice.DeriveRawSecretAgreement(bobPublic);
+                byte[] eveDerived = alice.DeriveRawSecretAgreement(evePublic);
+
+                Assert.NotEqual(aliceDerived, eveDerived);
+            }
+        }
+
+        [ConditionalFact(typeof(ECDiffieHellmanFactory), nameof(ECDiffieHellmanFactory.SupportsRawDerivation))]
+        public static void RawDerivation_DeriveIsStable()
+        {
+            using (ECDiffieHellman alice = ECDiffieHellmanFactory.Create(ECCurve.NamedCurves.nistP256))
+            using (ECDiffieHellman bob = ECDiffieHellmanFactory.Create(ECCurve.NamedCurves.nistP256))
+            using (ECDiffieHellmanPublicKey bobPublic = bob.PublicKey)
+            {
+                byte[] aliceDerived1 = alice.DeriveRawSecretAgreement(bobPublic);
+                byte[] aliceDerived2 = alice.DeriveRawSecretAgreement(bobPublic);
+                Assert.Equal(aliceDerived1, aliceDerived2);
+            }
+        }
+
+        [ConditionalFact(nameof(DoesNotSupportRawDerivation))]
+        public static void RawDerivation_NotSupported()
+        {
+            using (ECDiffieHellman alice = ECDiffieHellmanFactory.Create(ECCurve.NamedCurves.nistP256))
+            using (ECDiffieHellman bob = ECDiffieHellmanFactory.Create(ECCurve.NamedCurves.nistP256))
+            using (ECDiffieHellmanPublicKey bobPublic = bob.PublicKey)
+            {
+                Assert.Throws<PlatformNotSupportedException>(() => alice.DeriveRawSecretAgreement(bobPublic));
+            }
+        }
+    }
+}

src/libraries/System.Security.Cryptography.Cng/tests/ECDiffieHellmanCngProvider.cs

@@ -35,6 +35,7 @@ public bool ExplicitCurvesSupported
         }
 
         public bool CanDeriveNewPublicKey => true;
+        public bool SupportsRawDerivation => PlatformDetection.IsWindows10OrLater;
 
         private static bool NativeOidFriendlyNameExists(string oidFriendlyName)
         {