# Compliance annotations for RFC 8446 section 4.2.8.2. The section text is
# reproduced below as a comment for reference; the requirement entries are
# recorded in the [[spec]] tables that follow.
target = "https://tools.ietf.org/rfc/rfc8446#4.2.8.2"

# 4.2.8.2. ECDHE Parameters
#
# ECDHE parameters for both clients and servers are encoded in the
# opaque key_exchange field of a KeyShareEntry in a KeyShare structure.
#
# For secp256r1, secp384r1, and secp521r1, the contents are the
# serialized value of the following struct:
#
#    struct {
#        uint8 legacy_form = 4;
#        opaque X[coordinate_length];
#        opaque Y[coordinate_length];
#    } UncompressedPointRepresentation;
#
# X and Y, respectively, are the binary representations of the x and y
# values in network byte order. There are no internal length markers,
# so each number representation occupies as many octets as implied by
# the curve parameters. For P-256, this means that each of X and Y use
# 32 octets, padded on the left by zeros if necessary. For P-384, they
# take 48 octets each. For P-521, they take 66 octets each.
#
# For the curves secp256r1, secp384r1, and secp521r1, peers MUST
# validate each other's public value Q by ensuring that the point is a
# valid point on the elliptic curve. The appropriate validation
# procedures are defined in Section 4.3.7 of [ECDSA] and alternatively
# in Section 5.6.2.3 of [KEYAGREEMENT]. This process consists of three
# steps: (1) verify that Q is not the point at infinity (O), (2) verify
# that for Q = (x, y) both integers x and y are in the correct
# interval, and (3) ensure that (x, y) is a correct solution to the
# elliptic curve equation. For these curves, implementors do not need
# to verify membership in the correct subgroup.
#
# For X25519 and X448, the contents of the public value are the byte
# string inputs and outputs of the corresponding functions defined in
# [RFC7748]: 32 bytes for X25519 and 56 bytes for X448.
#
# Note: Versions of TLS prior to 1.3 permitted point format
# negotiation; TLS 1.3 removes this feature in favor of a single point
# format for each curve.
# Public-key point validation for the three NIST curves. Per the section
# text, "valid point on the elliptic curve" means the three-step check:
# Q is not the point at infinity, x and y lie in the correct interval, and
# (x, y) satisfies the curve equation; subgroup membership does not need
# to be checked for these curves. The X25519/X448 paragraph carries no
# requirement keyword, which is presumably why it has no entry here.
[[spec]]
level = "MUST"
quote = '''
For the curves secp256r1, secp384r1, and secp521r1, peers MUST
validate each other's public value Q by ensuring that the point is a
valid point on the elliptic curve.
'''