Cleanup secret derivation API and make providers use only ByteArray and not ByteString

For now `ByteString` is used mostly as a wrapper. When kotlinx-io will be stable or `ByteString` will migrate to kotlin-stdlib `ByteArray` overloads will be deprecated

Author: whyoleg

cryptography-core/api/cryptography-core.api

@@ -760,7 +760,10 @@ public abstract interface class dev/whyoleg/cryptography/operations/SecretDeriva
 public abstract interface class dev/whyoleg/cryptography/operations/SharedSecretGenerator {
 	public fun generateSharedSecret (Ldev/whyoleg/cryptography/materials/key/Key;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
 	public static synthetic fun generateSharedSecret$suspendImpl (Ldev/whyoleg/cryptography/operations/SharedSecretGenerator;Ldev/whyoleg/cryptography/materials/key/Key;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
-	public abstract fun generateSharedSecretBlocking (Ldev/whyoleg/cryptography/materials/key/Key;)Lkotlinx/io/bytestring/ByteString;
+	public fun generateSharedSecretBlocking (Ldev/whyoleg/cryptography/materials/key/Key;)Lkotlinx/io/bytestring/ByteString;
+	public fun generateSharedSecretToByteArray (Ldev/whyoleg/cryptography/materials/key/Key;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
+	public static synthetic fun generateSharedSecretToByteArray$suspendImpl (Ldev/whyoleg/cryptography/operations/SharedSecretGenerator;Ldev/whyoleg/cryptography/materials/key/Key;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
+	public abstract fun generateSharedSecretToByteArrayBlocking (Ldev/whyoleg/cryptography/materials/key/Key;)[B
 }
 
 public abstract interface class dev/whyoleg/cryptography/operations/SignatureGenerator {

cryptography-core/api/cryptography-core.klib.api

@@ -420,8 +420,10 @@ abstract interface <#A: dev.whyoleg.cryptography.materials.key/Key> dev.whyoleg.
 }
 
 abstract interface <#A: dev.whyoleg.cryptography.materials.key/Key> dev.whyoleg.cryptography.operations/SharedSecretGenerator { // dev.whyoleg.cryptography.operations/SharedSecretGenerator|null[0]
-    abstract fun generateSharedSecretBlocking(#A): kotlinx.io.bytestring/ByteString // dev.whyoleg.cryptography.operations/SharedSecretGenerator.generateSharedSecretBlocking|generateSharedSecretBlocking(1:0){}[0]
+    abstract fun generateSharedSecretToByteArrayBlocking(#A): kotlin/ByteArray // dev.whyoleg.cryptography.operations/SharedSecretGenerator.generateSharedSecretToByteArrayBlocking|generateSharedSecretToByteArrayBlocking(1:0){}[0]
+    open fun generateSharedSecretBlocking(#A): kotlinx.io.bytestring/ByteString // dev.whyoleg.cryptography.operations/SharedSecretGenerator.generateSharedSecretBlocking|generateSharedSecretBlocking(1:0){}[0]
     open suspend fun generateSharedSecret(#A): kotlinx.io.bytestring/ByteString // dev.whyoleg.cryptography.operations/SharedSecretGenerator.generateSharedSecret|generateSharedSecret(1:0){}[0]
+    open suspend fun generateSharedSecretToByteArray(#A): kotlin/ByteArray // dev.whyoleg.cryptography.operations/SharedSecretGenerator.generateSharedSecretToByteArray|generateSharedSecretToByteArray(1:0){}[0]
 }
 
 abstract interface <#A: dev.whyoleg.cryptography.materials.key/KeyFormat, #B: dev.whyoleg.cryptography.materials.key/Key> dev.whyoleg.cryptography.materials.key/KeyDecoder { // dev.whyoleg.cryptography.materials.key/KeyDecoder|null[0]

cryptography-core/src/commonMain/kotlin/operations/SecretDerivation.kt

@@ -9,9 +9,17 @@ import kotlinx.io.bytestring.*
 
 @SubclassOptInRequired(CryptographyProviderApi::class)
 public interface SecretDerivation {
-    public suspend fun deriveSecret(input: ByteArray): ByteArray = deriveSecretBlocking(input)
+    public suspend fun deriveSecret(input: ByteArray): ByteArray {
+        return deriveSecretBlocking(input)
+    }
+
+    public suspend fun deriveSecret(input: ByteString): ByteString {
+        return deriveSecret(input.asByteArray()).asByteString()
+    }
+
     public fun deriveSecretBlocking(input: ByteArray): ByteArray
 
-    public suspend fun deriveSecret(input: ByteString): ByteString = deriveSecret(input.asByteArray()).asByteString()
-    public fun deriveSecretBlocking(input: ByteString): ByteString = deriveSecretBlocking(input.asByteArray()).asByteString()
+    public fun deriveSecretBlocking(input: ByteString): ByteString {
+        return deriveSecretBlocking(input.asByteArray()).asByteString()
+    }
 }

cryptography-core/src/commonMain/kotlin/operations/SharedSecretGenerator.kt

@@ -10,6 +10,17 @@ import kotlinx.io.bytestring.*
 
 @SubclassOptInRequired(CryptographyProviderApi::class)
 public interface SharedSecretGenerator<K : Key> {
-    public suspend fun generateSharedSecret(other: K): ByteString = generateSharedSecretBlocking(other)
-    public fun generateSharedSecretBlocking(other: K): ByteString
+    public suspend fun generateSharedSecretToByteArray(other: K): ByteArray {
+        return generateSharedSecretToByteArrayBlocking(other)
+    }
+
+    public fun generateSharedSecretToByteArrayBlocking(other: K): ByteArray
+
+    public suspend fun generateSharedSecret(other: K): ByteString {
+        return generateSharedSecretToByteArray(other).asByteString()
+    }
+
+    public fun generateSharedSecretBlocking(other: K): ByteString {
+        return generateSharedSecretToByteArrayBlocking(other).asByteString()
+    }
 }

cryptography-providers/jdk/src/jvmMain/kotlin/algorithms/JdkEcdh.kt

@@ -8,7 +8,6 @@ import dev.whyoleg.cryptography.algorithms.*
 import dev.whyoleg.cryptography.operations.*
 import dev.whyoleg.cryptography.providers.jdk.*
 import dev.whyoleg.cryptography.providers.jdk.operations.*
-import kotlinx.io.bytestring.*
 
 internal class JdkEcdh(state: JdkCryptographyState) : JdkEc<ECDH.PublicKey, ECDH.PrivateKey, ECDH.KeyPair>(state), ECDH {
     override fun JPublicKey.convert(): ECDH.PublicKey = EcdhPublicKey(state, this)
@@ -26,7 +25,7 @@ internal class JdkEcdh(state: JdkCryptographyState) : JdkEc<ECDH.PublicKey, ECDH
     ) : ECDH.PublicKey, BaseEcPublicKey(key), SharedSecretGenerator<ECDH.PrivateKey> {
         private val keyAgreement = state.keyAgreement("ECDH")
         override fun sharedSecretGenerator(): SharedSecretGenerator<ECDH.PrivateKey> = this
-        override fun generateSharedSecretBlocking(other: ECDH.PrivateKey): ByteString {
+        override fun generateSharedSecretToByteArrayBlocking(other: ECDH.PrivateKey): ByteArray {
             check(other is EcdhPrivateKey) { "Only key produced by JDK provider is supported" }
 
             return keyAgreement.doAgreement(state, other.key, key)
@@ -39,7 +38,7 @@ internal class JdkEcdh(state: JdkCryptographyState) : JdkEc<ECDH.PublicKey, ECDH
     ) : ECDH.PrivateKey, BaseEcPrivateKey(key), SharedSecretGenerator<ECDH.PublicKey> {
         private val keyAgreement = state.keyAgreement("ECDH")
         override fun sharedSecretGenerator(): SharedSecretGenerator<ECDH.PublicKey> = this
-        override fun generateSharedSecretBlocking(other: ECDH.PublicKey): ByteString {
+        override fun generateSharedSecretToByteArrayBlocking(other: ECDH.PublicKey): ByteArray {
             check(other is EcdhPublicKey) { "Only key produced by JDK provider is supported" }
 
             return keyAgreement.doAgreement(state, key, other.key)

cryptography-providers/jdk/src/jvmMain/kotlin/operations/JdkKeyAgreement.kt

@@ -5,16 +5,13 @@
 package dev.whyoleg.cryptography.providers.jdk.operations
 
 import dev.whyoleg.cryptography.providers.jdk.*
-import kotlinx.io.bytestring.*
-import kotlinx.io.bytestring.unsafe.*
 
-@OptIn(UnsafeByteStringApi::class)
 internal fun Pooled<JKeyAgreement>.doAgreement(
     state: JdkCryptographyState,
     privateKey: JPrivateKey,
     publicKey: JPublicKey,
-): ByteString = use {
+): ByteArray = use {
     it.init(privateKey, state.secureRandom)
     it.doPhase(publicKey, true)
-    UnsafeByteStringOperations.wrapUnsafe(it.generateSecret())
+    it.generateSecret()
 }

cryptography-providers/openssl3/api/src/commonMain/kotlin/algorithms/Openssl3Ecdh.kt

@@ -11,8 +11,6 @@ import dev.whyoleg.cryptography.providers.openssl3.internal.*
 import dev.whyoleg.cryptography.providers.openssl3.internal.cinterop.*
 import dev.whyoleg.cryptography.providers.openssl3.materials.*
 import kotlinx.cinterop.*
-import kotlinx.io.bytestring.*
-import kotlinx.io.bytestring.unsafe.*
 import platform.posix.*
 
 internal object Openssl3Ecdh : ECDH {
@@ -111,7 +109,7 @@ internal object Openssl3Ecdh : ECDH {
 
         override fun sharedSecretGenerator(): SharedSecretGenerator<ECDH.PublicKey> = this
 
-        override fun generateSharedSecretBlocking(other: ECDH.PublicKey): ByteString {
+        override fun generateSharedSecretToByteArrayBlocking(other: ECDH.PublicKey): ByteArray {
             check(other is EcPublicKey)
 
             return deriveSharedSecret(publicKey = other.key, privateKey = key)
@@ -135,19 +133,19 @@ internal object Openssl3Ecdh : ECDH {
 
         override fun sharedSecretGenerator(): SharedSecretGenerator<ECDH.PrivateKey> = this
 
-        override fun generateSharedSecretBlocking(other: ECDH.PrivateKey): ByteString {
+        override fun generateSharedSecretToByteArrayBlocking(other: ECDH.PrivateKey): ByteArray {
             check(other is EcPrivateKey)
 
             return deriveSharedSecret(publicKey = key, privateKey = other.key)
         }
     }
 }
 
-@OptIn(UnsafeNumber::class, UnsafeByteStringApi::class)
+@OptIn(UnsafeNumber::class)
 private fun deriveSharedSecret(
     publicKey: CPointer<EVP_PKEY>,
     privateKey: CPointer<EVP_PKEY>,
-): ByteString = memScoped {
+): ByteArray = memScoped {
     val context = checkError(EVP_PKEY_CTX_new_from_pkey(null, privateKey, null))
     try {
         checkError(EVP_PKEY_derive_init(context))
@@ -156,7 +154,7 @@ private fun deriveSharedSecret(
         checkError(EVP_PKEY_derive(context, null, secretSize.ptr))
         val secret = ByteArray(secretSize.value.toInt())
         checkError(EVP_PKEY_derive(context, secret.refToU(0), secretSize.ptr))
-        UnsafeByteStringOperations.wrapUnsafe(secret)
+        secret
     } finally {
         EVP_PKEY_CTX_free(context)
     }

cryptography-providers/webcrypto/src/commonMain/kotlin/algorithms/WebCryptoEcdh.kt

@@ -8,8 +8,6 @@ import dev.whyoleg.cryptography.algorithms.*
 import dev.whyoleg.cryptography.operations.*
 import dev.whyoleg.cryptography.providers.webcrypto.internal.*
 import dev.whyoleg.cryptography.providers.webcrypto.materials.*
-import kotlinx.io.bytestring.*
-import kotlinx.io.bytestring.unsafe.*
 
 internal object WebCryptoEcdh : WebCryptoEc<ECDH.PublicKey, ECDH.PrivateKey, ECDH.KeyPair>(
     algorithmName = "ECDH",
@@ -27,38 +25,32 @@ internal object WebCryptoEcdh : WebCryptoEc<ECDH.PublicKey, ECDH.PrivateKey, ECD
     ) : EcPublicKey(publicKey), ECDH.PublicKey, SharedSecretGenerator<ECDH.PrivateKey> {
         override fun sharedSecretGenerator(): SharedSecretGenerator<ECDH.PrivateKey> = this
 
-        @OptIn(UnsafeByteStringApi::class)
-        override suspend fun generateSharedSecret(other: ECDH.PrivateKey): ByteString {
+        override suspend fun generateSharedSecretToByteArray(other: ECDH.PrivateKey): ByteArray {
             check(other is EcdhPrivateKey)
-            return UnsafeByteStringOperations.wrapUnsafe(
-                WebCrypto.deriveBits(
-                    algorithm = EcdhKeyDeriveAlgorithm(publicKey),
-                    baseKey = other.privateKey,
-                    length = curveOrderSize(publicKey.algorithm.ecKeyAlgorithmNamedCurve).inBits
-                )
+            return WebCrypto.deriveBits(
+                algorithm = EcdhKeyDeriveAlgorithm(publicKey),
+                baseKey = other.privateKey,
+                length = curveOrderSize(publicKey.algorithm.ecKeyAlgorithmNamedCurve).inBits
             )
         }
 
-        override fun generateSharedSecretBlocking(other: ECDH.PrivateKey): ByteString = nonBlocking()
+        override fun generateSharedSecretToByteArrayBlocking(other: ECDH.PrivateKey): ByteArray = nonBlocking()
     }
 
     private class EcdhPrivateKey(
         privateKey: CryptoKey,
     ) : EcPrivateKey(privateKey), ECDH.PrivateKey, SharedSecretGenerator<ECDH.PublicKey> {
         override fun sharedSecretGenerator(): SharedSecretGenerator<ECDH.PublicKey> = this
 
-        @OptIn(UnsafeByteStringApi::class)
-        override suspend fun generateSharedSecret(other: ECDH.PublicKey): ByteString {
+        override suspend fun generateSharedSecretToByteArray(other: ECDH.PublicKey): ByteArray {
             check(other is EcdhPublicKey)
-            return UnsafeByteStringOperations.wrapUnsafe(
-                WebCrypto.deriveBits(
-                    algorithm = EcdhKeyDeriveAlgorithm(other.publicKey),
-                    baseKey = privateKey,
-                    length = curveOrderSize(privateKey.algorithm.ecKeyAlgorithmNamedCurve).inBits
-                )
+            return WebCrypto.deriveBits(
+                algorithm = EcdhKeyDeriveAlgorithm(other.publicKey),
+                baseKey = privateKey,
+                length = curveOrderSize(privateKey.algorithm.ecKeyAlgorithmNamedCurve).inBits
             )
         }
 
-        override fun generateSharedSecretBlocking(other: ECDH.PublicKey): ByteString = nonBlocking()
+        override fun generateSharedSecretToByteArrayBlocking(other: ECDH.PublicKey): ByteArray = nonBlocking()
     }
 }