Add support for ECDH key agreement in Transit Secret Engine

[DanGhita]

Resolves #655

Target Release

1.14.7

[cipherboy]

Some comments!

[cipherboy]

Little surprised you don't support Curve25519 EdDH derivation :-)

[DanGhita]

Strange, my previous comment seems to be lost :(
I was saying: OK, I will try to add KeyType_ED25519, since they are pretty used in the field.
However, if I'm not wrong, they are considered as less secure than the other curves; for example, ANSSI (French Security Agency) considers ED25519 just as an "acceptable" alternative.
Furthermore, digging into the subject, it seems that most of crypto/elliptic functions are deprecated (so, probably I should change the current ECDH implementation):
https://pkg.go.dev/crypto/elliptic#P521

[cipherboy]

NIST P-Curves are vulnerable to certain problems that Ed25519 isn't: https://safecurves.cr.yp.to/

NIST recently certified EdDSA at the same level as ECDSA in FIPS 186-5.

[fatima2003]

I think switching to crypto/ecdh would be a good move since it supports both NIST P-Curves and Ed25519.

[DanGhita]

Yes, that was my idea too, I will play a little bit with the crypto/ecdh API and if everything works fine, I will update my implementation accordingly. Thank you @fatima2003 !

[cipherboy]

Maybe there needs to be a kdf parameter, which accepts "" or "hkdf", and if using HKDF, can add HKDF-specific parameters (like salt or context)? (to answer your TODO below).

Then HKDF can also be a key type potentially, and we can do multiple HKDF invocations (without doing multiple ECDH invocations), if they don't want to use the shared secret directly.