Skip to content

Add brainpoolP224r1, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1 EC group support#3286

Open
sfarestam-iproov wants to merge 2 commits into
aws:mainfrom
sfarestam-iproov:add-brainpool-curves
Open

Add brainpoolP224r1, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1 EC group support#3286
sfarestam-iproov wants to merge 2 commits into
aws:mainfrom
sfarestam-iproov:add-brainpool-curves

Conversation

@sfarestam-iproov

@sfarestam-iproov sfarestam-iproov commented Jun 3, 2026

Copy link
Copy Markdown

Issues:

Resolves #2939

Description of changes:

AWS-LC currently does not support Brainpool elliptic curves. This PR adds EC group support for the five Brainpool r1 prime curves defined in RFC 5639: brainpoolP224r1, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, and brainpoolP512r1.

The implementation follows the same pattern as secp256k1 — generic Montgomery arithmetic via EC_GFp_mont_method(), with no hand-optimized assembly. The only structural addition is ec_group_set_a_mont() for setting an arbitrary Montgomery-form a coefficient, since Brainpool curves have a ≠ -3 (unlike NIST curves) and a ≠ 0 (unlike secp256k1). The existing ec_GFp_mont_dbl() already handles this case correctly via its a_is_minus3 == 0 code path.

NIDs (925, 927, 929, 931, 933) and OIDs were already registered in nid.h and obj_dat.h. All domain parameters are sourced from RFC 5639 Sections 3.3–3.7, with OIDs from Section 4.1.

This PR covers EC primitive support (key generation, ECDSA, ECDH). TLS negotiation support (RFC 7027 / RFC 8734) can follow in a separate PR.

Motivation: These curves are required by ICAO Doc 9303 (ePassport standard, 30+ countries), BSI TR-03116-4 (German federal regulation), and are blocking the pyca/cryptography project from accepting Brainpool improvements (pyca/cryptography#14905).

Call-outs:

  • FIPS boundary: The code is in crypto/fipsmodule/ec/. If adding curves inside the FIPS module is a concern for recertification, the implementation can be moved to crypto/ec_extra/. Please advise on the preferred placement.
  • Arbitrary a coefficient: Added a small helper ec_group_set_a_mont() (6 lines) to copy a Montgomery-form a value. This is the only new function beyond the existing curve template pattern.
  • make_tables.go changes: Added a curveWithA wrapper type and writeCurveDataWithA() function to emit MontA constants for curves where a is not -3 or 0. The standard elliptic.CurveParams in Go doesn't carry an A field (it assumes a = -3).

Testing:

  • BrainpoolKeygenSignVerify: generates a key, signs a digest with ECDSA, verifies the signature, and checks that a corrupted signature is rejected — for all 5 curves.
  • ECPKParmatersBio: round-trip i2d_ECPKParameters_bio / d2i_ECPKParameters_bio for all 5 curves.
  • GetNamedCurve: dispatches Brainpool curve names for file-based test vectors.
  • Scalar base multiplication test vectors are not included in this PR (generating them requires a Go Brainpool library); they can be added as a follow-up.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@sfarestam-iproov sfarestam-iproov requested a review from a team as a code owner June 3, 2026 14:58
@sfarestam-iproov sfarestam-iproov mentioned this pull request Jun 3, 2026
Open
github-actions[bot]
github-actions Bot reviewed Jun 3, 2026
View reviewed changes

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

clang-tidy made some suggestions

Comment thread crypto/fipsmodule/ec/ec_test.cc
// Sign a digest.
std::vector<uint8_t> sig(ECDSA_size(key.get()));
unsigned sig_len;
ASSERT_TRUE(

@github-actions github-actions Bot Jun 3, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

warning: variable 'sig_len' is not initialized [cppcoreguidelines-init-variables]

crypto/fipsmodule/ec/ec_test.cc:2829:

- len;
+ len = 0;

@sfarestam-iproov sfarestam-iproov Jun 3, 2026

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed — initialized to 0. Thanks.

@sfarestam-iproov
Add brainpoolP224r1, brainpoolP256r1, brainpoolP320r1, brainpoolP384r…
6f99c57 
…1, brainpoolP512r1 EC group support

Add all five Brainpool r1 prime curves from RFC 5639 using the generic
Montgomery arithmetic path (EC_GFp_mont_method), following the same
pattern as secp256k1. No hand-optimized assembly is needed.

The only structural addition beyond the secp256k1 template is
ec_group_set_a_mont() for setting an arbitrary Montgomery-form a
coefficient (Brainpool curves have a != -3 and a != 0). The existing
ec_GFp_mont_dbl() already handles this case correctly.

NIDs were already registered in nid.h. This change adds the EC_GROUP
definitions, the precomputed Montgomery constants (via make_tables.go),
the NID-to-group switch cases, and the public API functions.

Domain parameters sourced from:
 - brainpoolP224r1: RFC 5639, Section 3.3
 - brainpoolP256r1: RFC 5639, Section 3.4
 - brainpoolP320r1: RFC 5639, Section 3.5
 - brainpoolP384r1: RFC 5639, Section 3.6
 - brainpoolP512r1: RFC 5639, Section 3.7
OIDs from: RFC 5639, Section 4.1

These curves are needed for:
- ICAO 9303 ePassport certificate processing (30+ countries)
- BSI TR-03116-4 compliance (German federal regulation)
- pyca/cryptography Brainpool support (blocked on aws-lc, see aws#2939)

Resolves aws#2939 (EC primitive support; TLS negotiation can follow separately)
@justsmth justsmth requested review from dkostic and nebeid June 3, 2026 16:10
@sfarestam-iproov
Fix Brainpool curve ASN.1 serialization by adding to kAllGroups
0c88b2d 
The kAllGroups array in ec_asn1.c is used by EC_KEY_parse_curve_name
and EC_get_builtin_curves to look up curves by OID. Without the
Brainpool entries, i2d/d2i_ECPKParameters_bio round-trips fail with
EC_R_UNKNOWN_GROUP.
@codecov-commenter

codecov-commenter commented Jun 9, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 92.85714% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 78.15%. Comparing base (c0a3c85) to head (0c88b2d).
⚠️ Report is 3 commits behind head on main.

Files with missing lines Patch % Lines
crypto/fipsmodule/ec/ec_test.cc 52.38% 10 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3286      +/-   ##
==========================================
- Coverage   78.17%   78.15%   -0.02%     
==========================================
  Files         689      689              
  Lines      123733   123872     +139     
  Branches    17197    17204       +7     
==========================================
+ Hits        96724    96817      +93     
- Misses      26091    26136      +45     
- Partials      918      919       +1

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

@dkostic dkostic Awaiting requested review from dkostic

@nebeid nebeid Awaiting requested review from nebeid

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Feature Request: Support for Brainpool Curves (RFC 5639) in TLS 1.2 and TLS 1.3

2 participants

@sfarestam-iproov @codecov-commenter