12 files changed, 1920 insertions, 0 deletions
diff --git a/src/crypto/ecdsa/boring.go b/src/crypto/ecdsa/boring.go
new file mode 100644
index 0000000..275c60b
--- /dev/null
+++ b/src/crypto/ecdsa/boring.go
@@ -0,0 +1,106 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build boringcrypto
+
+package ecdsa
+
+import (
+	"crypto/internal/boring"
+	"crypto/internal/boring/bbig"
+	"crypto/internal/boring/bcache"
+	"math/big"
+)
+
+// Cached conversions from Go PublicKey/PrivateKey to BoringCrypto.
+//
+// The first operation on a PublicKey or PrivateKey makes a parallel
+// BoringCrypto key and saves it in pubCache or privCache.
+//
+// We could just assume that once used in a Sign or Verify operation,
+// a particular key is never again modified, but that has not been a
+// stated assumption before. Just in case there is any existing code that
+// does modify the key between operations, we save the original values
+// alongside the cached BoringCrypto key and check that the real key
+// still matches before using the cached key. The theory is that the real
+// operations are significantly more expensive than the comparison.
+
+var pubCache bcache.Cache[PublicKey, boringPub]
+var privCache bcache.Cache[PrivateKey, boringPriv]
+
+func init() {
+	pubCache.Register()
+	privCache.Register()
+}
+
+type boringPub struct {
+	key  *boring.PublicKeyECDSA
+	orig PublicKey
+}
+
+func boringPublicKey(pub *PublicKey) (*boring.PublicKeyECDSA, error) {
+	b := pubCache.Get(pub)
+	if b != nil && publicKeyEqual(&b.orig, pub) {
+		return b.key, nil
+	}
+
+	b = new(boringPub)
+	b.orig = copyPublicKey(pub)
+	key, err := boring.NewPublicKeyECDSA(b.orig.Curve.Params().Name, bbig.Enc(b.orig.X), bbig.Enc(b.orig.Y))
+	if err != nil {
+		return nil, err
+	}
+	b.key = key
+	pubCache.Put(pub, b)
+	return key, nil
+}
+
+type boringPriv struct {
+	key  *boring.PrivateKeyECDSA
+	orig PrivateKey
+}
+
+func boringPrivateKey(priv *PrivateKey) (*boring.PrivateKeyECDSA, error) {
+	b := privCache.Get(priv)
+	if b != nil && privateKeyEqual(&b.orig, priv) {
+		return b.key, nil
+	}
+
+	b = new(boringPriv)
+	b.orig = copyPrivateKey(priv)
+	key, err := boring.NewPrivateKeyECDSA(b.orig.Curve.Params().Name, bbig.Enc(b.orig.X), bbig.Enc(b.orig.Y), bbig.Enc(b.orig.D))
+	if err != nil {
+		return nil, err
+	}
+	b.key = key
+	privCache.Put(priv, b)
+	return key, nil
+}
+
+func publicKeyEqual(k1, k2 *PublicKey) bool {
+	return k1.X != nil &&
+		k1.Curve.Params() == k2.Curve.Params() &&
+		k1.X.Cmp(k2.X) == 0 &&
+		k1.Y.Cmp(k2.Y) == 0
+}
+
+func privateKeyEqual(k1, k2 *PrivateKey) bool {
+	return publicKeyEqual(&k1.PublicKey, &k2.PublicKey) &&
+		k1.D.Cmp(k2.D) == 0
+}
+
+func copyPublicKey(k *PublicKey) PublicKey {
+	return PublicKey{
+		Curve: k.Curve,
+		X:     new(big.Int).Set(k.X),
+		Y:     new(big.Int).Set(k.Y),
+	}
+}
+
+func copyPrivateKey(k *PrivateKey) PrivateKey {
+	return PrivateKey{
+		PublicKey: copyPublicKey(&k.PublicKey),
+		D:         new(big.Int).Set(k.D),
+	}
+}
diff --git a/src/crypto/ecdsa/ecdsa.go b/src/crypto/ecdsa/ecdsa.go
new file mode 100644
index 0000000..03a9a72
--- /dev/null
+++ b/src/crypto/ecdsa/ecdsa.go
@@ -0,0 +1,660 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package ecdsa implements the Elliptic Curve Digital Signature Algorithm, as
+// defined in FIPS 186-4 and SEC 1, Version 2.0.
+//
+// Signatures generated by this package are not deterministic, but entropy is
+// mixed with the private key and the message, achieving the same level of
+// security in case of randomness source failure.
+package ecdsa
+
+// [FIPS 186-4] references ANSI X9.62-2005 for the bulk of the ECDSA algorithm.
+// That standard is not freely available, which is a problem in an open source
+// implementation, because not only the implementer, but also any maintainer,
+// contributor, reviewer, auditor, and learner needs access to it. Instead, this
+// package references and follows the equivalent [SEC 1, Version 2.0].
+//
+// [FIPS 186-4]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
+// [SEC 1, Version 2.0]: https://www.secg.org/sec1-v2.pdf
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/ecdh"
+	"crypto/elliptic"
+	"crypto/internal/bigmod"
+	"crypto/internal/boring"
+	"crypto/internal/boring/bbig"
+	"crypto/internal/nistec"
+	"crypto/internal/randutil"
+	"crypto/sha512"
+	"crypto/subtle"
+	"errors"
+	"io"
+	"math/big"
+	"sync"
+
+	"golang.org/x/crypto/cryptobyte"
+	"golang.org/x/crypto/cryptobyte/asn1"
+)
+
+// PublicKey represents an ECDSA public key.
+type PublicKey struct {
+	elliptic.Curve
+	X, Y *big.Int
+}
+
+// Any methods implemented on PublicKey might need to also be implemented on
+// PrivateKey, as the latter embeds the former and will expose its methods.
+
+// ECDH returns k as a [ecdh.PublicKey]. It returns an error if the key is
+// invalid according to the definition of [ecdh.Curve.NewPublicKey], or if the
+// Curve is not supported by crypto/ecdh.
+func (k *PublicKey) ECDH() (*ecdh.PublicKey, error) {
+	c := curveToECDH(k.Curve)
+	if c == nil {
+		return nil, errors.New("ecdsa: unsupported curve by crypto/ecdh")
+	}
+	if !k.Curve.IsOnCurve(k.X, k.Y) {
+		return nil, errors.New("ecdsa: invalid public key")
+	}
+	return c.NewPublicKey(elliptic.Marshal(k.Curve, k.X, k.Y))
+}
+
+// Equal reports whether pub and x have the same value.
+//
+// Two keys are only considered to have the same value if they have the same Curve value.
+// Note that for example elliptic.P256() and elliptic.P256().Params() are different
+// values, as the latter is a generic not constant time implementation.
+func (pub *PublicKey) Equal(x crypto.PublicKey) bool {
+	xx, ok := x.(*PublicKey)
+	if !ok {
+		return false
+	}
+	return bigIntEqual(pub.X, xx.X) && bigIntEqual(pub.Y, xx.Y) &&
+		// Standard library Curve implementations are singletons, so this check
+		// will work for those. Other Curves might be equivalent even if not
+		// singletons, but there is no definitive way to check for that, and
+		// better to err on the side of safety.
+		pub.Curve == xx.Curve
+}
+
+// PrivateKey represents an ECDSA private key.
+type PrivateKey struct {
+	PublicKey
+	D *big.Int
+}
+
+// ECDH returns k as a [ecdh.PrivateKey]. It returns an error if the key is
+// invalid according to the definition of [ecdh.Curve.NewPrivateKey], or if the
+// Curve is not supported by crypto/ecdh.
+func (k *PrivateKey) ECDH() (*ecdh.PrivateKey, error) {
+	c := curveToECDH(k.Curve)
+	if c == nil {
+		return nil, errors.New("ecdsa: unsupported curve by crypto/ecdh")
+	}
+	size := (k.Curve.Params().N.BitLen() + 7) / 8
+	if k.D.BitLen() > size*8 {
+		return nil, errors.New("ecdsa: invalid private key")
+	}
+	return c.NewPrivateKey(k.D.FillBytes(make([]byte, size)))
+}
+
+func curveToECDH(c elliptic.Curve) ecdh.Curve {
+	switch c {
+	case elliptic.P256():
+		return ecdh.P256()
+	case elliptic.P384():
+		return ecdh.P384()
+	case elliptic.P521():
+		return ecdh.P521()
+	default:
+		return nil
+	}
+}
+
+// Public returns the public key corresponding to priv.
+func (priv *PrivateKey) Public() crypto.PublicKey {
+	return &priv.PublicKey
+}
+
+// Equal reports whether priv and x have the same value.
+//
+// See PublicKey.Equal for details on how Curve is compared.
+func (priv *PrivateKey) Equal(x crypto.PrivateKey) bool {
+	xx, ok := x.(*PrivateKey)
+	if !ok {
+		return false
+	}
+	return priv.PublicKey.Equal(&xx.PublicKey) && bigIntEqual(priv.D, xx.D)
+}
+
+// bigIntEqual reports whether a and b are equal leaking only their bit length
+// through timing side-channels.
+func bigIntEqual(a, b *big.Int) bool {
+	return subtle.ConstantTimeCompare(a.Bytes(), b.Bytes()) == 1
+}
+
+// Sign signs digest with priv, reading randomness from rand. The opts argument
+// is not currently used but, in keeping with the crypto.Signer interface,
+// should be the hash function used to digest the message.
+//
+// This method implements crypto.Signer, which is an interface to support keys
+// where the private part is kept in, for example, a hardware module. Common
+// uses can use the SignASN1 function in this package directly.
+func (priv *PrivateKey) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
+	return SignASN1(rand, priv, digest)
+}
+
+// GenerateKey generates a public and private key pair.
+func GenerateKey(c elliptic.Curve, rand io.Reader) (*PrivateKey, error) {
+	randutil.MaybeReadByte(rand)
+
+	if boring.Enabled && rand == boring.RandReader {
+		x, y, d, err := boring.GenerateKeyECDSA(c.Params().Name)
+		if err != nil {
+			return nil, err
+		}
+		return &PrivateKey{PublicKey: PublicKey{Curve: c, X: bbig.Dec(x), Y: bbig.Dec(y)}, D: bbig.Dec(d)}, nil
+	}
+	boring.UnreachableExceptTests()
+
+	switch c.Params() {
+	case elliptic.P224().Params():
+		return generateNISTEC(p224(), rand)
+	case elliptic.P256().Params():
+		return generateNISTEC(p256(), rand)
+	case elliptic.P384().Params():
+		return generateNISTEC(p384(), rand)
+	case elliptic.P521().Params():
+		return generateNISTEC(p521(), rand)
+	default:
+		return generateLegacy(c, rand)
+	}
+}
+
+func generateNISTEC[Point nistPoint[Point]](c *nistCurve[Point], rand io.Reader) (*PrivateKey, error) {
+	k, Q, err := randomPoint(c, rand)
+	if err != nil {
+		return nil, err
+	}
+
+	priv := new(PrivateKey)
+	priv.PublicKey.Curve = c.curve
+	priv.D = new(big.Int).SetBytes(k.Bytes(c.N))
+	priv.PublicKey.X, priv.PublicKey.Y, err = c.pointToAffine(Q)
+	if err != nil {
+		return nil, err
+	}
+	return priv, nil
+}
+
+// randomPoint returns a random scalar and the corresponding point using the
+// procedure given in FIPS 186-4, Appendix B.5.2 (rejection sampling).
+func randomPoint[Point nistPoint[Point]](c *nistCurve[Point], rand io.Reader) (k *bigmod.Nat, p Point, err error) {
+	k = bigmod.NewNat()
+	for {
+		b := make([]byte, c.N.Size())
+		if _, err = io.ReadFull(rand, b); err != nil {
+			return
+		}
+
+		// Mask off any excess bits to increase the chance of hitting a value in
+		// (0, N). These are the most dangerous lines in the package and maybe in
+		// the library: a single bit of bias in the selection of nonces would likely
+		// lead to key recovery, but no tests would fail. Look but DO NOT TOUCH.
+		if excess := len(b)*8 - c.N.BitLen(); excess > 0 {
+			// Just to be safe, assert that this only happens for the one curve that
+			// doesn't have a round number of bits.
+			if excess != 0 && c.curve.Params().Name != "P-521" {
+				panic("ecdsa: internal error: unexpectedly masking off bits")
+			}
+			b[0] >>= excess
+		}
+
+		// FIPS 186-4 makes us check k <= N - 2 and then add one.
+		// Checking 0 < k <= N - 1 is strictly equivalent.
+		// None of this matters anyway because the chance of selecting
+		// zero is cryptographically negligible.
+		if _, err = k.SetBytes(b, c.N); err == nil && k.IsZero() == 0 {
+			break
+		}
+
+		if testingOnlyRejectionSamplingLooped != nil {
+			testingOnlyRejectionSamplingLooped()
+		}
+	}
+
+	p, err = c.newPoint().ScalarBaseMult(k.Bytes(c.N))
+	return
+}
+
+// testingOnlyRejectionSamplingLooped is called when rejection sampling in
+// randomPoint rejects a candidate for being higher than the modulus.
+var testingOnlyRejectionSamplingLooped func()
+
+// errNoAsm is returned by signAsm and verifyAsm when the assembly
+// implementation is not available.
+var errNoAsm = errors.New("no assembly implementation available")
+
+// SignASN1 signs a hash (which should be the result of hashing a larger message)
+// using the private key, priv. If the hash is longer than the bit-length of the
+// private key's curve order, the hash will be truncated to that length. It
+// returns the ASN.1 encoded signature.
+func SignASN1(rand io.Reader, priv *PrivateKey, hash []byte) ([]byte, error) {
+	randutil.MaybeReadByte(rand)
+
+	if boring.Enabled && rand == boring.RandReader {
+		b, err := boringPrivateKey(priv)
+		if err != nil {
+			return nil, err
+		}
+		return boring.SignMarshalECDSA(b, hash)
+	}
+	boring.UnreachableExceptTests()
+
+	csprng, err := mixedCSPRNG(rand, priv, hash)
+	if err != nil {
+		return nil, err
+	}
+
+	if sig, err := signAsm(priv, csprng, hash); err != errNoAsm {
+		return sig, err
+	}
+
+	switch priv.Curve.Params() {
+	case elliptic.P224().Params():
+		return signNISTEC(p224(), priv, csprng, hash)
+	case elliptic.P256().Params():
+		return signNISTEC(p256(), priv, csprng, hash)
+	case elliptic.P384().Params():
+		return signNISTEC(p384(), priv, csprng, hash)
+	case elliptic.P521().Params():
+		return signNISTEC(p521(), priv, csprng, hash)
+	default:
+		return signLegacy(priv, csprng, hash)
+	}
+}
+
+func signNISTEC[Point nistPoint[Point]](c *nistCurve[Point], priv *PrivateKey, csprng io.Reader, hash []byte) (sig []byte, err error) {
+	// SEC 1, Version 2.0, Section 4.1.3
+
+	k, R, err := randomPoint(c, csprng)
+	if err != nil {
+		return nil, err
+	}
+
+	// kInv = k⁻¹
+	kInv := bigmod.NewNat()
+	inverse(c, kInv, k)
+
+	Rx, err := R.BytesX()
+	if err != nil {
+		return nil, err
+	}
+	r, err := bigmod.NewNat().SetOverflowingBytes(Rx, c.N)
+	if err != nil {
+		return nil, err
+	}
+
+	// The spec wants us to retry here, but the chance of hitting this condition
+	// on a large prime-order group like the NIST curves we support is
+	// cryptographically negligible. If we hit it, something is awfully wrong.
+	if r.IsZero() == 1 {
+		return nil, errors.New("ecdsa: internal error: r is zero")
+	}
+
+	e := bigmod.NewNat()
+	hashToNat(c, e, hash)
+
+	s, err := bigmod.NewNat().SetBytes(priv.D.Bytes(), c.N)
+	if err != nil {
+		return nil, err
+	}
+	s.Mul(r, c.N)
+	s.Add(e, c.N)
+	s.Mul(kInv, c.N)
+
+	// Again, the chance of this happening is cryptographically negligible.
+	if s.IsZero() == 1 {
+		return nil, errors.New("ecdsa: internal error: s is zero")
+	}
+
+	return encodeSignature(r.Bytes(c.N), s.Bytes(c.N))
+}
+
+func encodeSignature(r, s []byte) ([]byte, error) {
+	var b cryptobyte.Builder
+	b.AddASN1(asn1.SEQUENCE, func(b *cryptobyte.Builder) {
+		addASN1IntBytes(b, r)
+		addASN1IntBytes(b, s)
+	})
+	return b.Bytes()
+}
+
+// addASN1IntBytes encodes in ASN.1 a positive integer represented as
+// a big-endian byte slice with zero or more leading zeroes.
+func addASN1IntBytes(b *cryptobyte.Builder, bytes []byte) {
+	for len(bytes) > 0 && bytes[0] == 0 {
+		bytes = bytes[1:]
+	}
+	if len(bytes) == 0 {
+		b.SetError(errors.New("invalid integer"))
+		return
+	}
+	b.AddASN1(asn1.INTEGER, func(c *cryptobyte.Builder) {
+		if bytes[0]&0x80 != 0 {
+			c.AddUint8(0)
+		}
+		c.AddBytes(bytes)
+	})
+}
+
+// inverse sets kInv to the inverse of k modulo the order of the curve.
+func inverse[Point nistPoint[Point]](c *nistCurve[Point], kInv, k *bigmod.Nat) {
+	if c.curve.Params().Name == "P-256" {
+		kBytes, err := nistec.P256OrdInverse(k.Bytes(c.N))
+		// Some platforms don't implement P256OrdInverse, and always return an error.
+		if err == nil {
+			_, err := kInv.SetBytes(kBytes, c.N)
+			if err != nil {
+				panic("ecdsa: internal error: P256OrdInverse produced an invalid value")
+			}
+			return
+		}
+	}
+
+	// Calculate the inverse of s in GF(N) using Fermat's method
+	// (exponentiation modulo P - 2, per Euler's theorem)
+	kInv.Exp(k, c.nMinus2, c.N)
+}
+
+// hashToNat sets e to the left-most bits of hash, according to
+// SEC 1, Section 4.1.3, point 5 and Section 4.1.4, point 3.
+func hashToNat[Point nistPoint[Point]](c *nistCurve[Point], e *bigmod.Nat, hash []byte) {
+	// ECDSA asks us to take the left-most log2(N) bits of hash, and use them as
+	// an integer modulo N. This is the absolute worst of all worlds: we still
+	// have to reduce, because the result might still overflow N, but to take
+	// the left-most bits for P-521 we have to do a right shift.
+	if size := c.N.Size(); len(hash) >= size {
+		hash = hash[:size]
+		if excess := len(hash)*8 - c.N.BitLen(); excess > 0 {
+			hash = bytes.Clone(hash)
+			for i := len(hash) - 1; i >= 0; i-- {
+				hash[i] >>= excess
+				if i > 0 {
+					hash[i] |= hash[i-1] << (8 - excess)
+				}
+			}
+		}
+	}
+	_, err := e.SetOverflowingBytes(hash, c.N)
+	if err != nil {
+		panic("ecdsa: internal error: truncated hash is too long")
+	}
+}
+
+// mixedCSPRNG returns a CSPRNG that mixes entropy from rand with the message
+// and the private key, to protect the key in case rand fails. This is
+// equivalent in security to RFC 6979 deterministic nonce generation, but still
+// produces randomized signatures.
+func mixedCSPRNG(rand io.Reader, priv *PrivateKey, hash []byte) (io.Reader, error) {
+	// This implementation derives the nonce from an AES-CTR CSPRNG keyed by:
+	//
+	//    SHA2-512(priv.D || entropy || hash)[:32]
+	//
+	// The CSPRNG key is indifferentiable from a random oracle as shown in
+	// [Coron], the AES-CTR stream is indifferentiable from a random oracle
+	// under standard cryptographic assumptions (see [Larsson] for examples).
+	//
+	// [Coron]: https://cs.nyu.edu/~dodis/ps/merkle.pdf
+	// [Larsson]: https://web.archive.org/web/20040719170906/https://www.nada.kth.se/kurser/kth/2D1441/semteo03/lecturenotes/assump.pdf
+
+	// Get 256 bits of entropy from rand.
+	entropy := make([]byte, 32)
+	if _, err := io.ReadFull(rand, entropy); err != nil {
+		return nil, err
+	}
+
+	// Initialize an SHA-512 hash context; digest...
+	md := sha512.New()
+	md.Write(priv.D.Bytes()) // the private key,
+	md.Write(entropy)        // the entropy,
+	md.Write(hash)           // and the input hash;
+	key := md.Sum(nil)[:32]  // and compute ChopMD-256(SHA-512),
+	// which is an indifferentiable MAC.
+
+	// Create an AES-CTR instance to use as a CSPRNG.
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	// Create a CSPRNG that xors a stream of zeros with
+	// the output of the AES-CTR instance.
+	const aesIV = "IV for ECDSA CTR"
+	return &cipher.StreamReader{
+		R: zeroReader,
+		S: cipher.NewCTR(block, []byte(aesIV)),
+	}, nil
+}
+
+type zr struct{}
+
+var zeroReader = zr{}
+
+// Read replaces the contents of dst with zeros. It is safe for concurrent use.
+func (zr) Read(dst []byte) (n int, err error) {
+	for i := range dst {
+		dst[i] = 0
+	}
+	return len(dst), nil
+}
+
+// VerifyASN1 verifies the ASN.1 encoded signature, sig, of hash using the
+// public key, pub. Its return value records whether the signature is valid.
+func VerifyASN1(pub *PublicKey, hash, sig []byte) bool {
+	if boring.Enabled {
+		key, err := boringPublicKey(pub)
+		if err != nil {
+			return false
+		}
+		return boring.VerifyECDSA(key, hash, sig)
+	}
+	boring.UnreachableExceptTests()
+
+	if err := verifyAsm(pub, hash, sig); err != errNoAsm {
+		return err == nil
+	}
+
+	switch pub.Curve.Params() {
+	case elliptic.P224().Params():
+		return verifyNISTEC(p224(), pub, hash, sig)
+	case elliptic.P256().Params():
+		return verifyNISTEC(p256(), pub, hash, sig)
+	case elliptic.P384().Params():
+		return verifyNISTEC(p384(), pub, hash, sig)
+	case elliptic.P521().Params():
+		return verifyNISTEC(p521(), pub, hash, sig)
+	default:
+		return verifyLegacy(pub, hash, sig)
+	}
+}
+
+func verifyNISTEC[Point nistPoint[Point]](c *nistCurve[Point], pub *PublicKey, hash, sig []byte) bool {
+	rBytes, sBytes, err := parseSignature(sig)
+	if err != nil {
+		return false
+	}
+
+	Q, err := c.pointFromAffine(pub.X, pub.Y)
+	if err != nil {
+		return false
+	}
+
+	// SEC 1, Version 2.0, Section 4.1.4
+
+	r, err := bigmod.NewNat().SetBytes(rBytes, c.N)
+	if err != nil || r.IsZero() == 1 {
+		return false
+	}
+	s, err := bigmod.NewNat().SetBytes(sBytes, c.N)
+	if err != nil || s.IsZero() == 1 {
+		return false
+	}
+
+	e := bigmod.NewNat()
+	hashToNat(c, e, hash)
+
+	// w = s⁻¹
+	w := bigmod.NewNat()
+	inverse(c, w, s)
+
+	// p₁ = [e * s⁻¹]G
+	p1, err := c.newPoint().ScalarBaseMult(e.Mul(w, c.N).Bytes(c.N))
+	if err != nil {
+		return false
+	}
+	// p₂ = [r * s⁻¹]Q
+	p2, err := Q.ScalarMult(Q, w.Mul(r, c.N).Bytes(c.N))
+	if err != nil {
+		return false
+	}
+	// BytesX returns an error for the point at infinity.
+	Rx, err := p1.Add(p1, p2).BytesX()
+	if err != nil {
+		return false
+	}
+
+	v, err := bigmod.NewNat().SetOverflowingBytes(Rx, c.N)
+	if err != nil {
+		return false
+	}
+
+	return v.Equal(r) == 1
+}
+
+func parseSignature(sig []byte) (r, s []byte, err error) {
+	var inner cryptobyte.String
+	input := cryptobyte.String(sig)
+	if !input.ReadASN1(&inner, asn1.SEQUENCE) ||
+		!input.Empty() ||
+		!inner.ReadASN1Integer(&r) ||
+		!inner.ReadASN1Integer(&s) ||
+		!inner.Empty() {
+		return nil, nil, errors.New("invalid ASN.1")
+	}
+	return r, s, nil
+}
+
+type nistCurve[Point nistPoint[Point]] struct {
+	newPoint func() Point
+	curve    elliptic.Curve
+	N        *bigmod.Modulus
+	nMinus2  []byte
+}
+
+// nistPoint is a generic constraint for the nistec Point types.
+type nistPoint[T any] interface {
+	Bytes() []byte
+	BytesX() ([]byte, error)
+	SetBytes([]byte) (T, error)
+	Add(T, T) T
+	ScalarMult(T, []byte) (T, error)
+	ScalarBaseMult([]byte) (T, error)
+}
+
+// pointFromAffine is used to convert the PublicKey to a nistec Point.
+func (curve *nistCurve[Point]) pointFromAffine(x, y *big.Int) (p Point, err error) {
+	bitSize := curve.curve.Params().BitSize
+	// Reject values that would not get correctly encoded.
+	if x.Sign() < 0 || y.Sign() < 0 {
+		return p, errors.New("negative coordinate")
+	}
+	if x.BitLen() > bitSize || y.BitLen() > bitSize {
+		return p, errors.New("overflowing coordinate")
+	}
+	// Encode the coordinates and let SetBytes reject invalid points.
+	byteLen := (bitSize + 7) / 8
+	buf := make([]byte, 1+2*byteLen)
+	buf[0] = 4 // uncompressed point
+	x.FillBytes(buf[1 : 1+byteLen])
+	y.FillBytes(buf[1+byteLen : 1+2*byteLen])
+	return curve.newPoint().SetBytes(buf)
+}
+
+// pointToAffine is used to convert a nistec Point to a PublicKey.
+func (curve *nistCurve[Point]) pointToAffine(p Point) (x, y *big.Int, err error) {
+	out := p.Bytes()
+	if len(out) == 1 && out[0] == 0 {
+		// This is the encoding of the point at infinity.
+		return nil, nil, errors.New("ecdsa: public key point is the infinity")
+	}
+	byteLen := (curve.curve.Params().BitSize + 7) / 8
+	x = new(big.Int).SetBytes(out[1 : 1+byteLen])
+	y = new(big.Int).SetBytes(out[1+byteLen:])
+	return x, y, nil
+}
+
+var p224Once sync.Once
+var _p224 *nistCurve[*nistec.P224Point]
+
+func p224() *nistCurve[*nistec.P224Point] {
+	p224Once.Do(func() {
+		_p224 = &nistCurve[*nistec.P224Point]{
+			newPoint: func() *nistec.P224Point { return nistec.NewP224Point() },
+		}
+		precomputeParams(_p224, elliptic.P224())
+	})
+	return _p224
+}
+
+var p256Once sync.Once
+var _p256 *nistCurve[*nistec.P256Point]
+
+func p256() *nistCurve[*nistec.P256Point] {
+	p256Once.Do(func() {
+		_p256 = &nistCurve[*nistec.P256Point]{
+			newPoint: func() *nistec.P256Point { return nistec.NewP256Point() },
+		}
+		precomputeParams(_p256, elliptic.P256())
+	})
+	return _p256
+}
+
+var p384Once sync.Once
+var _p384 *nistCurve[*nistec.P384Point]
+
+func p384() *nistCurve[*nistec.P384Point] {
+	p384Once.Do(func() {
+		_p384 = &nistCurve[*nistec.P384Point]{
+			newPoint: func() *nistec.P384Point { return nistec.NewP384Point() },
+		}
+		precomputeParams(_p384, elliptic.P384())
+	})
+	return _p384
+}
+
+var p521Once sync.Once
+var _p521 *nistCurve[*nistec.P521Point]
+
+func p521() *nistCurve[*nistec.P521Point] {
+	p521Once.Do(func() {
+		_p521 = &nistCurve[*nistec.P521Point]{
+			newPoint: func() *nistec.P521Point { return nistec.NewP521Point() },
+		}
+		precomputeParams(_p521, elliptic.P521())
+	})
+	return _p521
+}
+
+func precomputeParams[Point nistPoint[Point]](c *nistCurve[Point], curve elliptic.Curve) {
+	params := curve.Params()
+	c.curve = curve
+	c.N = bigmod.NewModulusFromBig(params.N)
+	c.nMinus2 = new(big.Int).Sub(params.N, big.NewInt(2)).Bytes()
+}
diff --git a/src/crypto/ecdsa/ecdsa_legacy.go b/src/crypto/ecdsa/ecdsa_legacy.go
new file mode 100644
index 0000000..12a40e4
--- /dev/null
+++ b/src/crypto/ecdsa/ecdsa_legacy.go
@@ -0,0 +1,188 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package ecdsa
+
+import (
+	"crypto/elliptic"
+	"errors"
+	"io"
+	"math/big"
+
+	"golang.org/x/crypto/cryptobyte"
+	"golang.org/x/crypto/cryptobyte/asn1"
+)
+
+// This file contains a math/big implementation of ECDSA that is only used for
+// deprecated custom curves.
+
+func generateLegacy(c elliptic.Curve, rand io.Reader) (*PrivateKey, error) {
+	k, err := randFieldElement(c, rand)
+	if err != nil {
+		return nil, err
+	}
+
+	priv := new(PrivateKey)
+	priv.PublicKey.Curve = c
+	priv.D = k
+	priv.PublicKey.X, priv.PublicKey.Y = c.ScalarBaseMult(k.Bytes())
+	return priv, nil
+}
+
+// hashToInt converts a hash value to an integer. Per FIPS 186-4, Section 6.4,
+// we use the left-most bits of the hash to match the bit-length of the order of
+// the curve. This also performs Step 5 of SEC 1, Version 2.0, Section 4.1.3.
+func hashToInt(hash []byte, c elliptic.Curve) *big.Int {
+	orderBits := c.Params().N.BitLen()
+	orderBytes := (orderBits + 7) / 8
+	if len(hash) > orderBytes {
+		hash = hash[:orderBytes]
+	}
+
+	ret := new(big.Int).SetBytes(hash)
+	excess := len(hash)*8 - orderBits
+	if excess > 0 {
+		ret.Rsh(ret, uint(excess))
+	}
+	return ret
+}
+
+var errZeroParam = errors.New("zero parameter")
+
+// Sign signs a hash (which should be the result of hashing a larger message)
+// using the private key, priv. If the hash is longer than the bit-length of the
+// private key's curve order, the hash will be truncated to that length. It
+// returns the signature as a pair of integers. Most applications should use
+// SignASN1 instead of dealing directly with r, s.
+func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err error) {
+	sig, err := SignASN1(rand, priv, hash)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	r, s = new(big.Int), new(big.Int)
+	var inner cryptobyte.String
+	input := cryptobyte.String(sig)
+	if !input.ReadASN1(&inner, asn1.SEQUENCE) ||
+		!input.Empty() ||
+		!inner.ReadASN1Integer(r) ||
+		!inner.ReadASN1Integer(s) ||
+		!inner.Empty() {
+		return nil, nil, errors.New("invalid ASN.1 from SignASN1")
+	}
+	return r, s, nil
+}
+
+func signLegacy(priv *PrivateKey, csprng io.Reader, hash []byte) (sig []byte, err error) {
+	c := priv.Curve
+
+	// SEC 1, Version 2.0, Section 4.1.3
+	N := c.Params().N
+	if N.Sign() == 0 {
+		return nil, errZeroParam
+	}
+	var k, kInv, r, s *big.Int
+	for {
+		for {
+			k, err = randFieldElement(c, csprng)
+			if err != nil {
+				return nil, err
+			}
+
+			kInv = new(big.Int).ModInverse(k, N)
+
+			r, _ = c.ScalarBaseMult(k.Bytes())
+			r.Mod(r, N)
+			if r.Sign() != 0 {
+				break
+			}
+		}
+
+		e := hashToInt(hash, c)
+		s = new(big.Int).Mul(priv.D, r)
+		s.Add(s, e)
+		s.Mul(s, kInv)
+		s.Mod(s, N) // N != 0
+		if s.Sign() != 0 {
+			break
+		}
+	}
+
+	return encodeSignature(r.Bytes(), s.Bytes())
+}
+
+// Verify verifies the signature in r, s of hash using the public key, pub. Its
+// return value records whether the signature is valid. Most applications should
+// use VerifyASN1 instead of dealing directly with r, s.
+func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
+	if r.Sign() <= 0 || s.Sign() <= 0 {
+		return false
+	}
+	sig, err := encodeSignature(r.Bytes(), s.Bytes())
+	if err != nil {
+		return false
+	}
+	return VerifyASN1(pub, hash, sig)
+}
+
+func verifyLegacy(pub *PublicKey, hash []byte, sig []byte) bool {
+	rBytes, sBytes, err := parseSignature(sig)
+	if err != nil {
+		return false
+	}
+	r, s := new(big.Int).SetBytes(rBytes), new(big.Int).SetBytes(sBytes)
+
+	c := pub.Curve
+	N := c.Params().N
+
+	if r.Sign() <= 0 || s.Sign() <= 0 {
+		return false
+	}
+	if r.Cmp(N) >= 0 || s.Cmp(N) >= 0 {
+		return false
+	}
+
+	// SEC 1, Version 2.0, Section 4.1.4
+	e := hashToInt(hash, c)
+	w := new(big.Int).ModInverse(s, N)
+
+	u1 := e.Mul(e, w)
+	u1.Mod(u1, N)
+	u2 := w.Mul(r, w)
+	u2.Mod(u2, N)
+
+	x1, y1 := c.ScalarBaseMult(u1.Bytes())
+	x2, y2 := c.ScalarMult(pub.X, pub.Y, u2.Bytes())
+	x, y := c.Add(x1, y1, x2, y2)
+
+	if x.Sign() == 0 && y.Sign() == 0 {
+		return false
+	}
+	x.Mod(x, N)
+	return x.Cmp(r) == 0
+}
+
+var one = new(big.Int).SetInt64(1)
+
+// randFieldElement returns a random element of the order of the given
+// curve using the procedure given in FIPS 186-4, Appendix B.5.2.
+func randFieldElement(c elliptic.Curve, rand io.Reader) (k *big.Int, err error) {
+	// See randomPoint for notes on the algorithm. This has to match, or s390x
+	// signatures will come out different from other architectures, which will
+	// break TLS recorded tests.
+	for {
+		N := c.Params().N
+		b := make([]byte, (N.BitLen()+7)/8)
+		if _, err = io.ReadFull(rand, b); err != nil {
+			return
+		}
+		if excess := len(b)*8 - N.BitLen(); excess > 0 {
+			b[0] >>= excess
+		}
+		k = new(big.Int).SetBytes(b)
+		if k.Sign() != 0 && k.Cmp(N) < 0 {
+			return
+		}
+	}
+}
diff --git a/src/crypto/ecdsa/ecdsa_noasm.go b/src/crypto/ecdsa/ecdsa_noasm.go
new file mode 100644
index 0000000..a72aa4b
--- /dev/null
+++ b/src/crypto/ecdsa/ecdsa_noasm.go
@@ -0,0 +1,17 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !s390x
+
+package ecdsa
+
+import "io"
+
+func verifyAsm(pub *PublicKey, hash []byte, sig []byte) error {
+	return errNoAsm
+}
+
+func signAsm(priv *PrivateKey, csprng io.Reader, hash []byte) (sig []byte, err error) {
+	return nil, errNoAsm
+}
diff --git a/src/crypto/ecdsa/ecdsa_s390x.go b/src/crypto/ecdsa/ecdsa_s390x.go
new file mode 100644
index 0000000..49f645a
--- /dev/null
+++ b/src/crypto/ecdsa/ecdsa_s390x.go
@@ -0,0 +1,177 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package ecdsa
+
+import (
+	"crypto/elliptic"
+	"errors"
+	"internal/cpu"
+	"io"
+	"math/big"
+)
+
+// kdsa invokes the "compute digital signature authentication"
+// instruction with the given function code and 4096 byte
+// parameter block.
+//
+// The return value corresponds to the condition code set by the
+// instruction. Interrupted invocations are handled by the
+// function.
+//
+//go:noescape
+func kdsa(fc uint64, params *[4096]byte) (errn uint64)
+
+// testingDisableKDSA forces the generic fallback path. It must only be set in tests.
+var testingDisableKDSA bool
+
+// canUseKDSA checks if KDSA instruction is available, and if it is, it checks
+// the name of the curve to see if it matches the curves supported(P-256, P-384, P-521).
+// Then, based on the curve name, a function code and a block size will be assigned.
+// If KDSA instruction is not available or if the curve is not supported, canUseKDSA
+// will set ok to false.
+func canUseKDSA(c elliptic.Curve) (functionCode uint64, blockSize int, ok bool) {
+	if testingDisableKDSA {
+		return 0, 0, false
+	}
+	if !cpu.S390X.HasECDSA {
+		return 0, 0, false
+	}
+	switch c.Params().Name {
+	case "P-256":
+		return 1, 32, true
+	case "P-384":
+		return 2, 48, true
+	case "P-521":
+		return 3, 80, true
+	}
+	return 0, 0, false // A mismatch
+}
+
+func hashToBytes(dst, hash []byte, c elliptic.Curve) {
+	l := len(dst)
+	if n := c.Params().N.BitLen(); n == l*8 {
+		// allocation free path for curves with a length that is a whole number of bytes
+		if len(hash) >= l {
+			// truncate hash
+			copy(dst, hash[:l])
+			return
+		}
+		// pad hash with leading zeros
+		p := l - len(hash)
+		for i := 0; i < p; i++ {
+			dst[i] = 0
+		}
+		copy(dst[p:], hash)
+		return
+	}
+	// TODO(mundaym): avoid hashToInt call here
+	hashToInt(hash, c).FillBytes(dst)
+}
+
+func signAsm(priv *PrivateKey, csprng io.Reader, hash []byte) (sig []byte, err error) {
+	c := priv.Curve
+	functionCode, blockSize, ok := canUseKDSA(c)
+	if !ok {
+		return nil, errNoAsm
+	}
+	for {
+		var k *big.Int
+		k, err = randFieldElement(c, csprng)
+		if err != nil {
+			return nil, err
+		}
+
+		// The parameter block looks like the following for sign.
+		// 	+---------------------+
+		// 	|   Signature(R)      |
+		//	+---------------------+
+		//	|   Signature(S)      |
+		//	+---------------------+
+		//	|   Hashed Message    |
+		//	+---------------------+
+		//	|   Private Key       |
+		//	+---------------------+
+		//	|   Random Number     |
+		//	+---------------------+
+		//	|                     |
+		//	|        ...          |
+		//	|                     |
+		//	+---------------------+
+		// The common components(signatureR, signatureS, hashedMessage, privateKey and
+		// random number) each takes block size of bytes. The block size is different for
+		// different curves and is set by canUseKDSA function.
+		var params [4096]byte
+
+		// Copy content into the parameter block. In the sign case,
+		// we copy hashed message, private key and random number into
+		// the parameter block.
+		hashToBytes(params[2*blockSize:3*blockSize], hash, c)
+		priv.D.FillBytes(params[3*blockSize : 4*blockSize])
+		k.FillBytes(params[4*blockSize : 5*blockSize])
+		// Convert verify function code into a sign function code by adding 8.
+		// We also need to set the 'deterministic' bit in the function code, by
+		// adding 128, in order to stop the instruction using its own random number
+		// generator in addition to the random number we supply.
+		switch kdsa(functionCode+136, &params) {
+		case 0: // success
+			return encodeSignature(params[:blockSize], params[blockSize:2*blockSize])
+		case 1: // error
+			return nil, errZeroParam
+		case 2: // retry
+			continue
+		}
+		panic("unreachable")
+	}
+}
+
+func verifyAsm(pub *PublicKey, hash []byte, sig []byte) error {
+	c := pub.Curve
+	functionCode, blockSize, ok := canUseKDSA(c)
+	if !ok {
+		return errNoAsm
+	}
+
+	r, s, err := parseSignature(sig)
+	if err != nil {
+		return err
+	}
+	if len(r) > blockSize || len(s) > blockSize {
+		return errors.New("invalid signature")
+	}
+
+	// The parameter block looks like the following for verify:
+	// 	+---------------------+
+	// 	|   Signature(R)      |
+	//	+---------------------+
+	//	|   Signature(S)      |
+	//	+---------------------+
+	//	|   Hashed Message    |
+	//	+---------------------+
+	//	|   Public Key X      |
+	//	+---------------------+
+	//	|   Public Key Y      |
+	//	+---------------------+
+	//	|                     |
+	//	|        ...          |
+	//	|                     |
+	//	+---------------------+
+	// The common components(signatureR, signatureS, hashed message, public key X,
+	// and public key Y) each takes block size of bytes. The block size is different for
+	// different curves and is set by canUseKDSA function.
+	var params [4096]byte
+
+	// Copy content into the parameter block. In the verify case,
+	// we copy signature (r), signature(s), hashed message, public key x component,
+	// and public key y component into the parameter block.
+	copy(params[0*blockSize+blockSize-len(r):], r)
+	copy(params[1*blockSize+blockSize-len(s):], s)
+	hashToBytes(params[2*blockSize:3*blockSize], hash, c)
+	pub.X.FillBytes(params[3*blockSize : 4*blockSize])
+	pub.Y.FillBytes(params[4*blockSize : 5*blockSize])
+	if kdsa(functionCode, &params) != 0 {
+		return errors.New("invalid signature")
+	}
+	return nil
+}
diff --git a/src/crypto/ecdsa/ecdsa_s390x.s b/src/crypto/ecdsa/ecdsa_s390x.s
new file mode 100644
index 0000000..ba5b3bf
--- /dev/null
+++ b/src/crypto/ecdsa/ecdsa_s390x.s
@@ -0,0 +1,28 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+#include "textflag.h"
+
+// func kdsa(fc uint64, params *[4096]byte) (errn uint64)
+TEXT ·kdsa(SB), NOSPLIT|NOFRAME, $0-24
+	MOVD fc+0(FP), R0     // function code
+	MOVD params+8(FP), R1 // address parameter block
+
+loop:
+	WORD $0xB93A0008 // compute digital signature authentication
+	BVS  loop        // branch back if interrupted
+	BGT  retry       // signing unsuccessful, but retry with new CSPRN
+	BLT  error       // condition code of 1 indicates a failure
+
+success:
+	MOVD $0, errn+16(FP) // return 0 - sign/verify was successful
+	RET
+
+error:
+	MOVD $1, errn+16(FP) // return 1 - sign/verify failed
+	RET
+
+retry:
+	MOVD $2, errn+16(FP) // return 2 - sign/verify was unsuccessful -- if sign, retry with new RN
+	RET
diff --git a/src/crypto/ecdsa/ecdsa_s390x_test.go b/src/crypto/ecdsa/ecdsa_s390x_test.go
new file mode 100644
index 0000000..fd1dc7c
--- /dev/null
+++ b/src/crypto/ecdsa/ecdsa_s390x_test.go
@@ -0,0 +1,32 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build s390x
+
+package ecdsa
+
+import (
+	"crypto/elliptic"
+	"testing"
+)
+
+func TestNoAsm(t *testing.T) {
+	testingDisableKDSA = true
+	defer func() { testingDisableKDSA = false }()
+
+	curves := [...]elliptic.Curve{
+		elliptic.P256(),
+		elliptic.P384(),
+		elliptic.P521(),
+	}
+
+	for _, curve := range curves {
+		name := curve.Params().Name
+		t.Run(name, func(t *testing.T) { testKeyGeneration(t, curve) })
+		t.Run(name, func(t *testing.T) { testSignAndVerify(t, curve) })
+		t.Run(name, func(t *testing.T) { testNonceSafety(t, curve) })
+		t.Run(name, func(t *testing.T) { testINDCCA(t, curve) })
+		t.Run(name, func(t *testing.T) { testNegativeInputs(t, curve) })
+	}
+}
diff --git a/src/crypto/ecdsa/ecdsa_test.go b/src/crypto/ecdsa/ecdsa_test.go
new file mode 100644
index 0000000..08a0903
--- /dev/null
+++ b/src/crypto/ecdsa/ecdsa_test.go
@@ -0,0 +1,589 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package ecdsa
+
+import (
+	"bufio"
+	"bytes"
+	"compress/bzip2"
+	"crypto/elliptic"
+	"crypto/internal/bigmod"
+	"crypto/rand"
+	"crypto/sha1"
+	"crypto/sha256"
+	"crypto/sha512"
+	"encoding/hex"
+	"hash"
+	"io"
+	"math/big"
+	"os"
+	"strings"
+	"testing"
+)
+
+func testAllCurves(t *testing.T, f func(*testing.T, elliptic.Curve)) {
+	tests := []struct {
+		name  string
+		curve elliptic.Curve
+	}{
+		{"P256", elliptic.P256()},
+		{"P224", elliptic.P224()},
+		{"P384", elliptic.P384()},
+		{"P521", elliptic.P521()},
+		{"P256/Generic", genericParamsForCurve(elliptic.P256())},
+	}
+	if testing.Short() {
+		tests = tests[:1]
+	}
+	for _, test := range tests {
+		curve := test.curve
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+			f(t, curve)
+		})
+	}
+}
+
+// genericParamsForCurve returns the dereferenced CurveParams for
+// the specified curve. This is used to avoid the logic for
+// upgrading a curve to its specific implementation, forcing
+// usage of the generic implementation.
+func genericParamsForCurve(c elliptic.Curve) *elliptic.CurveParams {
+	d := *(c.Params())
+	return &d
+}
+
+func TestKeyGeneration(t *testing.T) {
+	testAllCurves(t, testKeyGeneration)
+}
+
+func testKeyGeneration(t *testing.T, c elliptic.Curve) {
+	priv, err := GenerateKey(c, rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !c.IsOnCurve(priv.PublicKey.X, priv.PublicKey.Y) {
+		t.Errorf("public key invalid: %s", err)
+	}
+}
+
+func TestSignAndVerify(t *testing.T) {
+	testAllCurves(t, testSignAndVerify)
+}
+
+func testSignAndVerify(t *testing.T, c elliptic.Curve) {
+	priv, _ := GenerateKey(c, rand.Reader)
+
+	hashed := []byte("testing")
+	r, s, err := Sign(rand.Reader, priv, hashed)
+	if err != nil {
+		t.Errorf("error signing: %s", err)
+		return
+	}
+
+	if !Verify(&priv.PublicKey, hashed, r, s) {
+		t.Errorf("Verify failed")
+	}
+
+	hashed[0] ^= 0xff
+	if Verify(&priv.PublicKey, hashed, r, s) {
+		t.Errorf("Verify always works!")
+	}
+}
+
+func TestSignAndVerifyASN1(t *testing.T) {
+	testAllCurves(t, testSignAndVerifyASN1)
+}
+
+func testSignAndVerifyASN1(t *testing.T, c elliptic.Curve) {
+	priv, _ := GenerateKey(c, rand.Reader)
+
+	hashed := []byte("testing")
+	sig, err := SignASN1(rand.Reader, priv, hashed)
+	if err != nil {
+		t.Errorf("error signing: %s", err)
+		return
+	}
+
+	if !VerifyASN1(&priv.PublicKey, hashed, sig) {
+		t.Errorf("VerifyASN1 failed")
+	}
+
+	hashed[0] ^= 0xff
+	if VerifyASN1(&priv.PublicKey, hashed, sig) {
+		t.Errorf("VerifyASN1 always works!")
+	}
+}
+
+func TestNonceSafety(t *testing.T) {
+	testAllCurves(t, testNonceSafety)
+}
+
+func testNonceSafety(t *testing.T, c elliptic.Curve) {
+	priv, _ := GenerateKey(c, rand.Reader)
+
+	hashed := []byte("testing")
+	r0, s0, err := Sign(zeroReader, priv, hashed)
+	if err != nil {
+		t.Errorf("error signing: %s", err)
+		return
+	}
+
+	hashed = []byte("testing...")
+	r1, s1, err := Sign(zeroReader, priv, hashed)
+	if err != nil {
+		t.Errorf("error signing: %s", err)
+		return
+	}
+
+	if s0.Cmp(s1) == 0 {
+		// This should never happen.
+		t.Errorf("the signatures on two different messages were the same")
+	}
+
+	if r0.Cmp(r1) == 0 {
+		t.Errorf("the nonce used for two different messages was the same")
+	}
+}
+
+func TestINDCCA(t *testing.T) {
+	testAllCurves(t, testINDCCA)
+}
+
+func testINDCCA(t *testing.T, c elliptic.Curve) {
+	priv, _ := GenerateKey(c, rand.Reader)
+
+	hashed := []byte("testing")
+	r0, s0, err := Sign(rand.Reader, priv, hashed)
+	if err != nil {
+		t.Errorf("error signing: %s", err)
+		return
+	}
+
+	r1, s1, err := Sign(rand.Reader, priv, hashed)
+	if err != nil {
+		t.Errorf("error signing: %s", err)
+		return
+	}
+
+	if s0.Cmp(s1) == 0 {
+		t.Errorf("two signatures of the same message produced the same result")
+	}
+
+	if r0.Cmp(r1) == 0 {
+		t.Errorf("two signatures of the same message produced the same nonce")
+	}
+}
+
+func fromHex(s string) *big.Int {
+	r, ok := new(big.Int).SetString(s, 16)
+	if !ok {
+		panic("bad hex")
+	}
+	return r
+}
+
+func TestVectors(t *testing.T) {
+	// This test runs the full set of NIST test vectors from
+	// https://csrc.nist.gov/groups/STM/cavp/documents/dss/186-3ecdsatestvectors.zip
+	//
+	// The SigVer.rsp file has been edited to remove test vectors for
+	// unsupported algorithms and has been compressed.
+
+	if testing.Short() {
+		return
+	}
+
+	f, err := os.Open("testdata/SigVer.rsp.bz2")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	buf := bufio.NewReader(bzip2.NewReader(f))
+
+	lineNo := 1
+	var h hash.Hash
+	var msg []byte
+	var hashed []byte
+	var r, s *big.Int
+	pub := new(PublicKey)
+
+	for {
+		line, err := buf.ReadString('\n')
+		if len(line) == 0 {
+			if err == io.EOF {
+				break
+			}
+			t.Fatalf("error reading from input: %s", err)
+		}
+		lineNo++
+		// Need to remove \r\n from the end of the line.
+		if !strings.HasSuffix(line, "\r\n") {
+			t.Fatalf("bad line ending (expected \\r\\n) on line %d", lineNo)
+		}
+		line = line[:len(line)-2]
+
+		if len(line) == 0 || line[0] == '#' {
+			continue
+		}
+
+		if line[0] == '[' {
+			line = line[1 : len(line)-1]
+			curve, hash, _ := strings.Cut(line, ",")
+
+			switch curve {
+			case "P-224":
+				pub.Curve = elliptic.P224()
+			case "P-256":
+				pub.Curve = elliptic.P256()
+			case "P-384":
+				pub.Curve = elliptic.P384()
+			case "P-521":
+				pub.Curve = elliptic.P521()
+			default:
+				pub.Curve = nil
+			}
+
+			switch hash {
+			case "SHA-1":
+				h = sha1.New()
+			case "SHA-224":
+				h = sha256.New224()
+			case "SHA-256":
+				h = sha256.New()
+			case "SHA-384":
+				h = sha512.New384()
+			case "SHA-512":
+				h = sha512.New()
+			default:
+				h = nil
+			}
+
+			continue
+		}
+
+		if h == nil || pub.Curve == nil {
+			continue
+		}
+
+		switch {
+		case strings.HasPrefix(line, "Msg = "):
+			if msg, err = hex.DecodeString(line[6:]); err != nil {
+				t.Fatalf("failed to decode message on line %d: %s", lineNo, err)
+			}
+		case strings.HasPrefix(line, "Qx = "):
+			pub.X = fromHex(line[5:])
+		case strings.HasPrefix(line, "Qy = "):
+			pub.Y = fromHex(line[5:])
+		case strings.HasPrefix(line, "R = "):
+			r = fromHex(line[4:])
+		case strings.HasPrefix(line, "S = "):
+			s = fromHex(line[4:])
+		case strings.HasPrefix(line, "Result = "):
+			expected := line[9] == 'P'
+			h.Reset()
+			h.Write(msg)
+			hashed := h.Sum(hashed[:0])
+			if Verify(pub, hashed, r, s) != expected {
+				t.Fatalf("incorrect result on line %d", lineNo)
+			}
+		default:
+			t.Fatalf("unknown variable on line %d: %s", lineNo, line)
+		}
+	}
+}
+
+func TestNegativeInputs(t *testing.T) {
+	testAllCurves(t, testNegativeInputs)
+}
+
+func testNegativeInputs(t *testing.T, curve elliptic.Curve) {
+	key, err := GenerateKey(curve, rand.Reader)
+	if err != nil {
+		t.Errorf("failed to generate key")
+	}
+
+	var hash [32]byte
+	r := new(big.Int).SetInt64(1)
+	r.Lsh(r, 550 /* larger than any supported curve */)
+	r.Neg(r)
+
+	if Verify(&key.PublicKey, hash[:], r, r) {
+		t.Errorf("bogus signature accepted")
+	}
+}
+
+func TestZeroHashSignature(t *testing.T) {
+	testAllCurves(t, testZeroHashSignature)
+}
+
+func testZeroHashSignature(t *testing.T, curve elliptic.Curve) {
+	zeroHash := make([]byte, 64)
+
+	privKey, err := GenerateKey(curve, rand.Reader)
+	if err != nil {
+		panic(err)
+	}
+
+	// Sign a hash consisting of all zeros.
+	r, s, err := Sign(rand.Reader, privKey, zeroHash)
+	if err != nil {
+		panic(err)
+	}
+
+	// Confirm that it can be verified.
+	if !Verify(&privKey.PublicKey, zeroHash, r, s) {
+		t.Errorf("zero hash signature verify failed for %T", curve)
+	}
+}
+
+func TestRandomPoint(t *testing.T) {
+	t.Run("P-224", func(t *testing.T) { testRandomPoint(t, p224()) })
+	t.Run("P-256", func(t *testing.T) { testRandomPoint(t, p256()) })
+	t.Run("P-384", func(t *testing.T) { testRandomPoint(t, p384()) })
+	t.Run("P-521", func(t *testing.T) { testRandomPoint(t, p521()) })
+}
+
+func testRandomPoint[Point nistPoint[Point]](t *testing.T, c *nistCurve[Point]) {
+	t.Cleanup(func() { testingOnlyRejectionSamplingLooped = nil })
+	var loopCount int
+	testingOnlyRejectionSamplingLooped = func() { loopCount++ }
+
+	// A sequence of all ones will generate 2^N-1, which should be rejected.
+	// (Unless, for example, we are masking too many bits.)
+	r := io.MultiReader(bytes.NewReader(bytes.Repeat([]byte{0xff}, 100)), rand.Reader)
+	if k, p, err := randomPoint(c, r); err != nil {
+		t.Fatal(err)
+	} else if k.IsZero() == 1 {
+		t.Error("k is zero")
+	} else if p.Bytes()[0] != 4 {
+		t.Error("p is infinity")
+	}
+	if loopCount == 0 {
+		t.Error("overflow was not rejected")
+	}
+	loopCount = 0
+
+	// A sequence of all zeroes will generate zero, which should be rejected.
+	r = io.MultiReader(bytes.NewReader(bytes.Repeat([]byte{0}, 100)), rand.Reader)
+	if k, p, err := randomPoint(c, r); err != nil {
+		t.Fatal(err)
+	} else if k.IsZero() == 1 {
+		t.Error("k is zero")
+	} else if p.Bytes()[0] != 4 {
+		t.Error("p is infinity")
+	}
+	if loopCount == 0 {
+		t.Error("zero was not rejected")
+	}
+	loopCount = 0
+
+	// P-256 has a 2⁻³² chance or randomly hitting a rejection. For P-224 it's
+	// 2⁻¹¹², for P-384 it's 2⁻¹⁹⁴, and for P-521 it's 2⁻²⁶², so if we hit in
+	// tests, something is horribly wrong. (For example, we are masking the
+	// wrong bits.)
+	if c.curve == elliptic.P256() {
+		return
+	}
+	if k, p, err := randomPoint(c, rand.Reader); err != nil {
+		t.Fatal(err)
+	} else if k.IsZero() == 1 {
+		t.Error("k is zero")
+	} else if p.Bytes()[0] != 4 {
+		t.Error("p is infinity")
+	}
+	if loopCount > 0 {
+		t.Error("unexpected rejection")
+	}
+}
+
+func TestHashToNat(t *testing.T) {
+	t.Run("P-224", func(t *testing.T) { testHashToNat(t, p224()) })
+	t.Run("P-256", func(t *testing.T) { testHashToNat(t, p256()) })
+	t.Run("P-384", func(t *testing.T) { testHashToNat(t, p384()) })
+	t.Run("P-521", func(t *testing.T) { testHashToNat(t, p521()) })
+}
+
+func testHashToNat[Point nistPoint[Point]](t *testing.T, c *nistCurve[Point]) {
+	for l := 0; l < 600; l++ {
+		h := bytes.Repeat([]byte{0xff}, l)
+		hashToNat(c, bigmod.NewNat(), h)
+	}
+}
+
+func TestZeroSignature(t *testing.T) {
+	testAllCurves(t, testZeroSignature)
+}
+
+func testZeroSignature(t *testing.T, curve elliptic.Curve) {
+	privKey, err := GenerateKey(curve, rand.Reader)
+	if err != nil {
+		panic(err)
+	}
+
+	if Verify(&privKey.PublicKey, make([]byte, 64), big.NewInt(0), big.NewInt(0)) {
+		t.Errorf("Verify with r,s=0 succeeded: %T", curve)
+	}
+}
+
+func TestNegtativeSignature(t *testing.T) {
+	testAllCurves(t, testNegativeSignature)
+}
+
+func testNegativeSignature(t *testing.T, curve elliptic.Curve) {
+	zeroHash := make([]byte, 64)
+
+	privKey, err := GenerateKey(curve, rand.Reader)
+	if err != nil {
+		panic(err)
+	}
+	r, s, err := Sign(rand.Reader, privKey, zeroHash)
+	if err != nil {
+		panic(err)
+	}
+
+	r = r.Neg(r)
+	if Verify(&privKey.PublicKey, zeroHash, r, s) {
+		t.Errorf("Verify with r=-r succeeded: %T", curve)
+	}
+}
+
+func TestRPlusNSignature(t *testing.T) {
+	testAllCurves(t, testRPlusNSignature)
+}
+
+func testRPlusNSignature(t *testing.T, curve elliptic.Curve) {
+	zeroHash := make([]byte, 64)
+
+	privKey, err := GenerateKey(curve, rand.Reader)
+	if err != nil {
+		panic(err)
+	}
+	r, s, err := Sign(rand.Reader, privKey, zeroHash)
+	if err != nil {
+		panic(err)
+	}
+
+	r = r.Add(r, curve.Params().N)
+	if Verify(&privKey.PublicKey, zeroHash, r, s) {
+		t.Errorf("Verify with r=r+n succeeded: %T", curve)
+	}
+}
+
+func TestRMinusNSignature(t *testing.T) {
+	testAllCurves(t, testRMinusNSignature)
+}
+
+func testRMinusNSignature(t *testing.T, curve elliptic.Curve) {
+	zeroHash := make([]byte, 64)
+
+	privKey, err := GenerateKey(curve, rand.Reader)
+	if err != nil {
+		panic(err)
+	}
+	r, s, err := Sign(rand.Reader, privKey, zeroHash)
+	if err != nil {
+		panic(err)
+	}
+
+	r = r.Sub(r, curve.Params().N)
+	if Verify(&privKey.PublicKey, zeroHash, r, s) {
+		t.Errorf("Verify with r=r-n succeeded: %T", curve)
+	}
+}
+
+func randomPointForCurve(curve elliptic.Curve, rand io.Reader) error {
+	switch curve.Params() {
+	case elliptic.P224().Params():
+		_, _, err := randomPoint(p224(), rand)
+		return err
+	case elliptic.P256().Params():
+		_, _, err := randomPoint(p256(), rand)
+		return err
+	case elliptic.P384().Params():
+		_, _, err := randomPoint(p384(), rand)
+		return err
+	case elliptic.P521().Params():
+		_, _, err := randomPoint(p521(), rand)
+		return err
+	default:
+		panic("unknown curve")
+	}
+}
+
+func benchmarkAllCurves(b *testing.B, f func(*testing.B, elliptic.Curve)) {
+	tests := []struct {
+		name  string
+		curve elliptic.Curve
+	}{
+		{"P256", elliptic.P256()},
+		{"P384", elliptic.P384()},
+		{"P521", elliptic.P521()},
+	}
+	for _, test := range tests {
+		curve := test.curve
+		b.Run(test.name, func(b *testing.B) {
+			f(b, curve)
+		})
+	}
+}
+
+func BenchmarkSign(b *testing.B) {
+	benchmarkAllCurves(b, func(b *testing.B, curve elliptic.Curve) {
+		r := bufio.NewReaderSize(rand.Reader, 1<<15)
+		priv, err := GenerateKey(curve, r)
+		if err != nil {
+			b.Fatal(err)
+		}
+		hashed := []byte("testing")
+
+		b.ReportAllocs()
+		b.ResetTimer()
+		for i := 0; i < b.N; i++ {
+			sig, err := SignASN1(r, priv, hashed)
+			if err != nil {
+				b.Fatal(err)
+			}
+			// Prevent the compiler from optimizing out the operation.
+			hashed[0] = sig[0]
+		}
+	})
+}
+
+func BenchmarkVerify(b *testing.B) {
+	benchmarkAllCurves(b, func(b *testing.B, curve elliptic.Curve) {
+		r := bufio.NewReaderSize(rand.Reader, 1<<15)
+		priv, err := GenerateKey(curve, r)
+		if err != nil {
+			b.Fatal(err)
+		}
+		hashed := []byte("testing")
+		sig, err := SignASN1(r, priv, hashed)
+		if err != nil {
+			b.Fatal(err)
+		}
+
+		b.ReportAllocs()
+		b.ResetTimer()
+		for i := 0; i < b.N; i++ {
+			if !VerifyASN1(&priv.PublicKey, hashed, sig) {
+				b.Fatal("verify failed")
+			}
+		}
+	})
+}
+
+func BenchmarkGenerateKey(b *testing.B) {
+	benchmarkAllCurves(b, func(b *testing.B, curve elliptic.Curve) {
+		r := bufio.NewReaderSize(rand.Reader, 1<<15)
+		b.ReportAllocs()
+		b.ResetTimer()
+		for i := 0; i < b.N; i++ {
+			if _, err := GenerateKey(curve, r); err != nil {
+				b.Fatal(err)
+			}
+		}
+	})
+}
diff --git a/src/crypto/ecdsa/equal_test.go b/src/crypto/ecdsa/equal_test.go
new file mode 100644
index 0000000..53ac850
--- /dev/null
+++ b/src/crypto/ecdsa/equal_test.go
@@ -0,0 +1,75 @@
+// Copyright 2020 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package ecdsa_test
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"testing"
+)
+
+func testEqual(t *testing.T, c elliptic.Curve) {
+	private, _ := ecdsa.GenerateKey(c, rand.Reader)
+	public := &private.PublicKey
+
+	if !public.Equal(public) {
+		t.Errorf("public key is not equal to itself: %v", public)
+	}
+	if !public.Equal(crypto.Signer(private).Public().(*ecdsa.PublicKey)) {
+		t.Errorf("private.Public() is not Equal to public: %q", public)
+	}
+	if !private.Equal(private) {
+		t.Errorf("private key is not equal to itself: %v", private)
+	}
+
+	enc, err := x509.MarshalPKCS8PrivateKey(private)
+	if err != nil {
+		t.Fatal(err)
+	}
+	decoded, err := x509.ParsePKCS8PrivateKey(enc)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !public.Equal(decoded.(crypto.Signer).Public()) {
+		t.Errorf("public key is not equal to itself after decoding: %v", public)
+	}
+	if !private.Equal(decoded) {
+		t.Errorf("private key is not equal to itself after decoding: %v", private)
+	}
+
+	other, _ := ecdsa.GenerateKey(c, rand.Reader)
+	if public.Equal(other.Public()) {
+		t.Errorf("different public keys are Equal")
+	}
+	if private.Equal(other) {
+		t.Errorf("different private keys are Equal")
+	}
+
+	// Ensure that keys with the same coordinates but on different curves
+	// aren't considered Equal.
+	differentCurve := &ecdsa.PublicKey{}
+	*differentCurve = *public // make a copy of the public key
+	if differentCurve.Curve == elliptic.P256() {
+		differentCurve.Curve = elliptic.P224()
+	} else {
+		differentCurve.Curve = elliptic.P256()
+	}
+	if public.Equal(differentCurve) {
+		t.Errorf("public keys with different curves are Equal")
+	}
+}
+
+func TestEqual(t *testing.T) {
+	t.Run("P224", func(t *testing.T) { testEqual(t, elliptic.P224()) })
+	if testing.Short() {
+		return
+	}
+	t.Run("P256", func(t *testing.T) { testEqual(t, elliptic.P256()) })
+	t.Run("P384", func(t *testing.T) { testEqual(t, elliptic.P384()) })
+	t.Run("P521", func(t *testing.T) { testEqual(t, elliptic.P521()) })
+}
diff --git a/src/crypto/ecdsa/example_test.go b/src/crypto/ecdsa/example_test.go
new file mode 100644
index 0000000..652c165
--- /dev/null
+++ b/src/crypto/ecdsa/example_test.go
@@ -0,0 +1,32 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package ecdsa_test
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/sha256"
+	"fmt"
+)
+
+func Example() {
+	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		panic(err)
+	}
+
+	msg := "hello, world"
+	hash := sha256.Sum256([]byte(msg))
+
+	sig, err := ecdsa.SignASN1(rand.Reader, privateKey, hash[:])
+	if err != nil {
+		panic(err)
+	}
+	fmt.Printf("signature: %x\n", sig)
+
+	valid := ecdsa.VerifyASN1(&privateKey.PublicKey, hash[:], sig)
+	fmt.Println("signature verified:", valid)
+}
diff --git a/src/crypto/ecdsa/notboring.go b/src/crypto/ecdsa/notboring.go
new file mode 100644
index 0000000..039bd82
--- /dev/null
+++ b/src/crypto/ecdsa/notboring.go
@@ -0,0 +1,16 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !boringcrypto
+
+package ecdsa
+
+import "crypto/internal/boring"
+
+func boringPublicKey(*PublicKey) (*boring.PublicKeyECDSA, error) {
+	panic("boringcrypto: not available")
+}
+func boringPrivateKey(*PrivateKey) (*boring.PrivateKeyECDSA, error) {
+	panic("boringcrypto: not available")
+}
diff --git a/src/crypto/ecdsa/testdata/SigVer.rsp.bz2 b/src/crypto/ecdsa/testdata/SigVer.rsp.bz2
new file mode 100644
index 0000000..09fe2b4
--- /dev/null
+++ b/src/crypto/ecdsa/testdata/SigVer.rsp.bz2