Rename Makefile targets

Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alex@openfaas.com>
2025-06-23 07:13:23 +00:00 · 2023-10-23 11:29:19 +01:00
parent 479285caf6
commit 9ba4a73d5d
350 changed files with 22981 additions and 3972 deletions
--- a/gateway/vendor/github.com/nats-io/nkeys/.gitignore
+++ b/gateway/vendor/github.com/nats-io/nkeys/.gitignore
@ -13,3 +13,4 @@ build/

 # Project-local glide cache, RE: https://github.com/Masterminds/glide/issues/736
 .glide/
+.idea/
--- a/gateway/vendor/github.com/nats-io/nkeys/.goreleaser.yml
+++ b/gateway/vendor/github.com/nats-io/nkeys/.goreleaser.yml
@ -6,23 +6,45 @@ release:
  name_template: '{{.Tag}}'
  draft: true
 builds:
-  - main: ./nk/main.go
+  - id: nk
+    main: ./nk/main.go
    ldflags: "-X main.Version={{.Tag}}_{{.Commit}}"
    binary: nk
    goos:
-      - linux
      - darwin
+      - linux
+      - windows
+      - freebsd
    goarch:
      - amd64
-
+      - arm
+      - arm64
+      - 386
+      - mips64le
+      - s390x
+    goarm:
+      - 6
+      - 7
+    ignore:
+      - goos: darwin
+        goarch: 386
+      - goos: freebsd
+        goarch: arm
+      - goos: freebsd
+        goarch: arm64
+      - goos: freebsd
+        goarch: 386

 dist: build

-archive:
-  wrap_in_directory: true
-  name_template: '{{ .ProjectName }}-v{{ .Version }}-{{ .Os }}-{{ .Arch }}{{ if .Arm
+archives:
+  - name_template: '{{ .ProjectName }}-v{{ .Version }}-{{ .Os }}-{{ .Arch }}{{ if .Arm
    }}v{{ .Arm }}{{ end }}'
-  format: zip
+    wrap_in_directory: true
+    format: zip
+    files:
+      - README.md
+      - LICENSE

 checksum:
  name_template: '{{ .ProjectName }}-v{{ .Version }}-checksums.txt'
@ -30,9 +52,12 @@ checksum:
 snapshot:
  name_template: 'dev'

-nfpm:
-  formats:
-    - deb
-  bindir: /usr/local/bin
-  description: NKeys utility cli program
-  vendor: nats-io
+nfpms:
+  - file_name_template: '{{ .ProjectName }}-v{{ .Version }}-{{ .Arch }}{{ if .Arm
+    }}v{{ .Arm }}{{ end }}'
+    maintainer: nats.io
+    description: NKeys utility cli program
+    vendor: nats-io
+    bindir: /usr/local/bin
+    formats:
+      - deb
--- a/gateway/vendor/github.com/nats-io/nkeys/.travis.yml
+++ b/gateway/vendor/github.com/nats-io/nkeys/.travis.yml
@ -1,35 +0,0 @@
-language: go
-sudo: false
-
-arch:
- amd64
- ppc64le
-go:
- 1.16.x
- 1.15.x
-
-install:
- go get -t ./...
- go get github.com/mattn/goveralls
- go get -u honnef.co/go/tools/cmd/staticcheck
- go get -u github.com/client9/misspell/cmd/misspell
-
-before_script:
- $(exit $(go fmt ./... | wc -l))
- go vet ./...
- misspell -error -locale US .
- staticcheck ./...
-
-script:
- go test -v
- go test -v --race
- go test -v -covermode=count -coverprofile=coverage.out
- $HOME/gopath/bin/goveralls -coverprofile coverage.out -service travis-ci
-
-#deploy:
-#- provider: script
-#  skip_cleanup: true
-#  script: curl -sL http://git.io/goreleaser | bash
-#  on:
-#    tags: true
-#    condition: $TRAVIS_OS_NAME = linux
--- a/gateway/vendor/github.com/nats-io/nkeys/README.md
+++ b/gateway/vendor/github.com/nats-io/nkeys/README.md
@ -1,9 +1,9 @@
 # NKEYS

 [![License Apache 2](https://img.shields.io/badge/License-Apache2-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0)
-[![ReportCard](http://goreportcard.com/badge/nats-io/nkeys)](http://goreportcard.com/report/nats-io/nkeys)
-[![Build Status](https://travis-ci.com/nats-io/nkeys.svg?branch=master)](http://travis-ci.com/nats-io/nkeys)
-[![GoDoc](http://godoc.org/github.com/nats-io/nkeys?status.svg)](http://godoc.org/github.com/nats-io/nkeys)
+[![Go Report Card](https://goreportcard.com/badge/github.com/nats-io/nkeys)](https://goreportcard.com/report/github.com/nats-io/nkeys)
+[![Build Status](https://app.travis-ci.com/nats-io/nkeys.svg?branch=master)](https://app.travis-ci.com/nats-io/nkeys)
+[![GoDoc](https://godoc.org/github.com/nats-io/nkeys?status.svg)](https://godoc.org/github.com/nats-io/nkeys)
 [![Coverage Status](https://coveralls.io/repos/github/nats-io/nkeys/badge.svg?branch=master&service=github)](https://coveralls.io/github/nats-io/nkeys?branch=master)

 A public-key signature system based on [Ed25519](https://ed25519.cr.yp.to/) for the NATS ecosystem.
--- a/gateway/vendor/github.com/nats-io/nkeys/crc16.go
+++ b/gateway/vendor/github.com/nats-io/nkeys/crc16.go
@ -13,15 +13,8 @@

 package nkeys

-import (
-	"errors"
-)
-
 // An implementation of crc16 according to CCITT standards for XMODEM.

-// ErrInvalidChecksum indicates a failed verification.
-var ErrInvalidChecksum = errors.New("nkeys: invalid checksum")
-
 var crc16tab = [256]uint16{
 	0x0000, 0x1021, 0x2042, 0x3063, 0x4084, 0x50a5, 0x60c6, 0x70e7,
 	0x8108, 0x9129, 0xa14a, 0xb16b, 0xc18c, 0xd1ad, 0xe1ce, 0xf1ef,
--- a/gateway/vendor/github.com/nats-io/nkeys/creds_utils.go
+++ b/gateway/vendor/github.com/nats-io/nkeys/creds_utils.go
@ -2,8 +2,8 @@ package nkeys

 import (
 	"bytes"
-	"errors"
 	"regexp"
+	"strings"
 )

 var userConfigRE = regexp.MustCompile(`\s*(?:(?:[-]{3,}.*[-]{3,}\r?\n)([\w\-.=]+)(?:\r?\n[-]{3,}.*[-]{3,}\r?\n))`)
@ -19,7 +19,7 @@ func ParseDecoratedJWT(contents []byte) (string, error) {
 	raw := items[0][1]
 	tmp := make([]byte, len(raw))
 	copy(tmp, raw)
-	return string(tmp), nil
+	return strings.TrimSpace(string(tmp)), nil
 }

 // ParseDecoratedNKey takes a creds file, finds the NKey portion and creates a
@ -42,12 +42,12 @@ func ParseDecoratedNKey(contents []byte) (KeyPair, error) {
 		}
 	}
 	if seed == nil {
-		return nil, errors.New("no nkey seed found")
+		return nil, ErrNoSeedFound
 	}
 	if !bytes.HasPrefix(seed, []byte("SO")) &&
 		!bytes.HasPrefix(seed, []byte("SA")) &&
 		!bytes.HasPrefix(seed, []byte("SU")) {
-		return nil, errors.New("doesn't contain a seed nkey")
+		return nil, ErrInvalidNkeySeed
 	}
 	kp, err := FromSeed(seed)
 	if err != nil {
@ -68,7 +68,7 @@ func ParseDecoratedUserNKey(contents []byte) (KeyPair, error) {
 		return nil, err
 	}
 	if !bytes.HasPrefix(seed, []byte("SU")) {
-		return nil, errors.New("doesn't contain an user seed nkey")
+		return nil, ErrInvalidUserSeed
 	}
 	kp, err := FromSeed(seed)
 	if err != nil {
--- a/gateway/vendor/github.com/nats-io/nkeys/dependencies.md
+++ b/gateway/vendor/github.com/nats-io/nkeys/dependencies.md
@ -0,0 +1,12 @@
+# External Dependencies
+
+This file lists the dependencies used in this repository.
+
+| Dependency | License |
+|-|-|
+| Go | BSD 3-Clause "New" or "Revised" License |
+| golang.org/x/crypto v0.3.0 | BSD 3-Clause "New" or "Revised" License |
+| golang.org/x/net v0.2.0 | BSD 3-Clause "New" or "Revised" License |
+| golang.org/x/sys v0.2.0 | BSD 3-Clause "New" or "Revised" License |
+| golang.org/x/term v0.2.0 | BSD 3-Clause "New" or "Revised" License |
+| golang.org/x/text v0.4.0 | BSD 3-Clause "New" or "Revised" License |
--- a/gateway/vendor/github.com/nats-io/nkeys/errors.go
+++ b/gateway/vendor/github.com/nats-io/nkeys/errors.go
@ -0,0 +1,50 @@
+// Copyright 2022 The NATS Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package nkeys
+
+// Errors
+const (
+	ErrInvalidPrefixByte        = nkeysError("nkeys: invalid prefix byte")
+	ErrInvalidKey               = nkeysError("nkeys: invalid key")
+	ErrInvalidPublicKey         = nkeysError("nkeys: invalid public key")
+	ErrInvalidPrivateKey        = nkeysError("nkeys: invalid private key")
+	ErrInvalidSeedLen           = nkeysError("nkeys: invalid seed length")
+	ErrInvalidSeed              = nkeysError("nkeys: invalid seed")
+	ErrInvalidEncoding          = nkeysError("nkeys: invalid encoded key")
+	ErrInvalidSignature         = nkeysError("nkeys: signature verification failed")
+	ErrCannotSign               = nkeysError("nkeys: can not sign, no private key available")
+	ErrPublicKeyOnly            = nkeysError("nkeys: no seed or private key available")
+	ErrIncompatibleKey          = nkeysError("nkeys: incompatible key")
+	ErrInvalidChecksum          = nkeysError("nkeys: invalid checksum")
+	ErrNoSeedFound              = nkeysError("nkeys: no nkey seed found")
+	ErrInvalidNkeySeed          = nkeysError("nkeys: doesn't contain a seed nkey")
+	ErrInvalidUserSeed          = nkeysError("nkeys: doesn't contain an user seed nkey")
+	ErrInvalidRecipient         = nkeysError("nkeys: not a valid recipient public curve key")
+	ErrInvalidSender            = nkeysError("nkeys: not a valid sender public curve key")
+	ErrInvalidCurveKey          = nkeysError("nkeys: not a valid curve key")
+	ErrInvalidCurveSeed         = nkeysError("nkeys: not a valid curve seed")
+	ErrInvalidEncrypted         = nkeysError("nkeys: encrypted input is not valid")
+	ErrInvalidEncVersion        = nkeysError("nkeys: encrypted input wrong version")
+	ErrCouldNotDecrypt          = nkeysError("nkeys: could not decrypt input")
+	ErrInvalidCurveKeyOperation = nkeysError("nkeys: curve key is not valid for sign/verify")
+	ErrInvalidNKeyOperation     = nkeysError("nkeys: only curve key can seal/open")
+	ErrCannotOpen               = nkeysError("nkeys: cannot open no private curve key available")
+	ErrCannotSeal               = nkeysError("nkeys: cannot seal no private curve key available")
+)
+
+type nkeysError string
+
+func (e nkeysError) Error() string {
+	return string(e)
+}
--- a/gateway/vendor/github.com/nats-io/nkeys/keypair.go
+++ b/gateway/vendor/github.com/nats-io/nkeys/keypair.go
@ -1,4 +1,4 @@
-// Copyright 2018 The NATS Authors
+// Copyright 2018-2022 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@ -26,11 +26,25 @@ type kp struct {
 	seed []byte
 }

-// CreatePair will create a KeyPair based on the rand entropy and a type/prefix byte. rand can be nil.
-func CreatePair(prefix PrefixByte) (KeyPair, error) {
-	var rawSeed [32]byte
+// All seeds are 32 bytes long.
+const seedLen = 32

-	_, err := io.ReadFull(rand.Reader, rawSeed[:])
+// CreatePair will create a KeyPair based on the rand entropy and a type/prefix byte.
+func CreatePair(prefix PrefixByte) (KeyPair, error) {
+	return CreatePairWithRand(prefix, rand.Reader)
+}
+
+// CreatePair will create a KeyPair based on the rand reader and a type/prefix byte. rand can be nil.
+func CreatePairWithRand(prefix PrefixByte, rr io.Reader) (KeyPair, error) {
+	if prefix == PrefixByteCurve {
+		return CreateCurveKeysWithRand(rr)
+	}
+	if rr == nil {
+		rr = rand.Reader
+	}
+	var rawSeed [seedLen]byte
+
+	_, err := io.ReadFull(rr, rawSeed[:])
 	if err != nil {
 		return nil, err
 	}
@ -115,3 +129,18 @@ func (pair *kp) Verify(input []byte, sig []byte) error {
 	}
 	return nil
 }
+
+// Seal is only supported on CurveKeyPair
+func (pair *kp) Seal(input []byte, recipient string) ([]byte, error) {
+	return nil, ErrInvalidNKeyOperation
+}
+
+// SealWithRand is only supported on CurveKeyPair
+func (pair *kp) SealWithRand(input []byte, recipient string, rr io.Reader) ([]byte, error) {
+	return nil, ErrInvalidNKeyOperation
+}
+
+// Open is only supported on CurveKey
+func (pair *kp) Open(input []byte, sender string) ([]byte, error) {
+	return nil, ErrInvalidNKeyOperation
+}
--- a/gateway/vendor/github.com/nats-io/nkeys/nkeys.go
+++ b/gateway/vendor/github.com/nats-io/nkeys/nkeys.go
@ -13,37 +13,30 @@

 // Package nkeys is an Ed25519 based public-key signature system that simplifies keys and seeds
 // and performs signing and verification.
+// It also supports encryption via x25519 keys and is compatible with https://pkg.go.dev/golang.org/x/crypto/nacl/box.
 package nkeys

-import (
-	"errors"
-)
+import "io"

 // Version is our current version
-const Version = "0.3.0"
-
-// Errors
-var (
-	ErrInvalidPrefixByte = errors.New("nkeys: invalid prefix byte")
-	ErrInvalidKey        = errors.New("nkeys: invalid key")
-	ErrInvalidPublicKey  = errors.New("nkeys: invalid public key")
-	ErrInvalidSeedLen    = errors.New("nkeys: invalid seed length")
-	ErrInvalidSeed       = errors.New("nkeys: invalid seed")
-	ErrInvalidEncoding   = errors.New("nkeys: invalid encoded key")
-	ErrInvalidSignature  = errors.New("nkeys: signature verification failed")
-	ErrCannotSign        = errors.New("nkeys: can not sign, no private key available")
-	ErrPublicKeyOnly     = errors.New("nkeys: no seed or private key available")
-	ErrIncompatibleKey   = errors.New("nkeys: incompatible key")
-)
+const Version = "0.4.5"

 // KeyPair provides the central interface to nkeys.
 type KeyPair interface {
 	Seed() ([]byte, error)
 	PublicKey() (string, error)
 	PrivateKey() ([]byte, error)
+	// Sign is only supported on Non CurveKeyPairs
 	Sign(input []byte) ([]byte, error)
+	// Verify is only supported on Non CurveKeyPairs
 	Verify(input []byte, sig []byte) error
 	Wipe()
+	// Seal is only supported on CurveKeyPair
+	Seal(input []byte, recipient string) ([]byte, error)
+	// SealWithRand is only supported on CurveKeyPair
+	SealWithRand(input []byte, recipient string, rr io.Reader) ([]byte, error)
+	// Open is only supported on CurveKey
+	Open(input []byte, sender string) ([]byte, error)
 }

 // CreateUser will create a User typed KeyPair.
@ -86,10 +79,13 @@ func FromPublicKey(public string) (KeyPair, error) {

 // FromSeed will create a KeyPair capable of signing and verifying signatures.
 func FromSeed(seed []byte) (KeyPair, error) {
-	_, _, err := DecodeSeed(seed)
+	prefix, _, err := DecodeSeed(seed)
 	if err != nil {
 		return nil, err
 	}
+	if prefix == PrefixByteCurve {
+		return FromCurveSeed(seed)
+	}
 	copy := append([]byte{}, seed...)
 	return &kp{copy}, nil
 }
--- a/gateway/vendor/github.com/nats-io/nkeys/public.go
+++ b/gateway/vendor/github.com/nats-io/nkeys/public.go
@ -64,3 +64,23 @@ func (p *pub) Wipe() {
 	p.pre = '0'
 	io.ReadFull(rand.Reader, p.pub)
 }
+
+func (p *pub) Seal(input []byte, recipient string) ([]byte, error) {
+	if p.pre == PrefixByteCurve {
+		return nil, ErrCannotSeal
+	}
+	return nil, ErrInvalidNKeyOperation
+}
+func (p *pub) SealWithRand(input []byte, _recipient string, rr io.Reader) ([]byte, error) {
+	if p.pre == PrefixByteCurve {
+		return nil, ErrCannotSeal
+	}
+	return nil, ErrInvalidNKeyOperation
+}
+
+func (p *pub) Open(input []byte, sender string) ([]byte, error) {
+	if p.pre == PrefixByteCurve {
+		return nil, ErrCannotOpen
+	}
+	return nil, ErrInvalidNKeyOperation
+}
--- a/gateway/vendor/github.com/nats-io/nkeys/strkey.go
+++ b/gateway/vendor/github.com/nats-io/nkeys/strkey.go
@ -1,4 +1,4 @@
-// Copyright 2018 The NATS Authors
+// Copyright 2018-2023 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@ -17,7 +17,6 @@ import (
 	"bytes"
 	"encoding/base32"
 	"encoding/binary"
-	"golang.org/x/crypto/ed25519"
 )

 // PrefixByte is a lead byte representing the type.
@ -45,8 +44,11 @@ const (
 	// PrefixByteUser is the version byte used for encoded NATS Users
 	PrefixByteUser PrefixByte = 20 << 3 // Base32-encodes to 'U...'

+	// PrefixByteCurve is the version byte used for encoded CurveKeys (X25519)
+	PrefixByteCurve PrefixByte = 23 << 3 // Base32-encodes to 'X...'
+
 	// PrefixByteUnknown is for unknown prefixes.
-	PrefixByteUnknown PrefixByte = 23 << 3 // Base32-encodes to 'X...'
+	PrefixByteUnknown PrefixByte = 25 << 3 // Base32-encodes to 'Z...'
 )

 // Set our encoding to not include padding '=='
@ -83,12 +85,13 @@ func Encode(prefix PrefixByte, src []byte) ([]byte, error) {
 }

 // EncodeSeed will encode a raw key with the prefix and then seed prefix and crc16 and then base32 encoded.
+// `src` must be 32 bytes long (ed25519.SeedSize).
 func EncodeSeed(public PrefixByte, src []byte) ([]byte, error) {
 	if err := checkValidPublicPrefixByte(public); err != nil {
 		return nil, err
 	}

-	if len(src) != ed25519.SeedSize {
+	if len(src) != seedLen {
 		return nil, ErrInvalidSeedLen
 	}

@ -134,22 +137,18 @@ func decode(src []byte) ([]byte, error) {
 	}
 	raw = raw[:n]

-	if len(raw) < 4 {
+	if n < 4 {
 		return nil, ErrInvalidEncoding
 	}

-	var crc uint16
-	checksum := bytes.NewReader(raw[len(raw)-2:])
-	if err := binary.Read(checksum, binary.LittleEndian, &crc); err != nil {
-		return nil, err
-	}
+	crc := binary.LittleEndian.Uint16(raw[n-2:])

 	// ensure checksum is valid
-	if err := validate(raw[0:len(raw)-2], crc); err != nil {
+	if err := validate(raw[0:n-2], crc); err != nil {
 		return nil, err
 	}

-	return raw[:len(raw)-2], nil
+	return raw[:n-2], nil
 }

 // Decode will decode the base32 string and check crc16 and enforce the prefix is what is expected.
@ -161,7 +160,8 @@ func Decode(expectedPrefix PrefixByte, src []byte) ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	if prefix := PrefixByte(raw[0]); prefix != expectedPrefix {
+	b1 := raw[0] & 248 // 248 = 11111000
+	if prefix := PrefixByte(b1); prefix != expectedPrefix {
 		return nil, ErrInvalidPrefixByte
 	}
 	return raw[1:], nil
@ -248,12 +248,18 @@ func IsValidPublicOperatorKey(src string) bool {
 	return err == nil
 }

+// IsValidPublicCurveKey will decode and verify the string is a valid encoded Public Curve Key.
+func IsValidPublicCurveKey(src string) bool {
+	_, err := Decode(PrefixByteCurve, []byte(src))
+	return err == nil
+}
+
 // checkValidPrefixByte returns an error if the provided value
 // is not one of the defined valid prefix byte constants.
 func checkValidPrefixByte(prefix PrefixByte) error {
 	switch prefix {
 	case PrefixByteOperator, PrefixByteServer, PrefixByteCluster,
-		PrefixByteAccount, PrefixByteUser, PrefixByteSeed, PrefixBytePrivate:
+		PrefixByteAccount, PrefixByteUser, PrefixByteSeed, PrefixBytePrivate, PrefixByteCurve:
 		return nil
 	}
 	return ErrInvalidPrefixByte
@ -263,7 +269,7 @@ func checkValidPrefixByte(prefix PrefixByte) error {
 // is not one of the public defined valid prefix byte constants.
 func checkValidPublicPrefixByte(prefix PrefixByte) error {
 	switch prefix {
-	case PrefixByteServer, PrefixByteCluster, PrefixByteOperator, PrefixByteAccount, PrefixByteUser:
+	case PrefixByteOperator, PrefixByteServer, PrefixByteCluster, PrefixByteAccount, PrefixByteUser, PrefixByteCurve:
 		return nil
 	}
 	return ErrInvalidPrefixByte
@ -285,6 +291,8 @@ func (p PrefixByte) String() string {
 		return "seed"
 	case PrefixBytePrivate:
 		return "private"
+	case PrefixByteCurve:
+		return "x25519"
 	}
 	return "unknown"
 }
--- a/gateway/vendor/github.com/nats-io/nkeys/xkeys.go
+++ b/gateway/vendor/github.com/nats-io/nkeys/xkeys.go
@ -0,0 +1,184 @@
+// Copyright 2022 The NATS Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package nkeys
+
+import (
+	"bytes"
+	"crypto/rand"
+	"encoding/binary"
+	"io"
+
+	"golang.org/x/crypto/curve25519"
+	"golang.org/x/crypto/nacl/box"
+)
+
+// This package will support safe use of X25519 keys for asymmetric encryption.
+// We will be compatible with nacl.Box, but generate random nonces automatically.
+// We may add more advanced options in the future for group recipients and better
+// end to end algorithms.
+
+const (
+	curveKeyLen    = 32
+	curveDecodeLen = 35
+	curveNonceLen  = 24
+)
+
+type ckp struct {
+	seed [curveKeyLen]byte // Private raw key.
+}
+
+// CreateUser will create a User typed KeyPair.
+func CreateCurveKeys() (KeyPair, error) {
+	return CreateCurveKeysWithRand(rand.Reader)
+}
+
+// CreateUser will create a User typed KeyPair with specified rand source.
+func CreateCurveKeysWithRand(rr io.Reader) (KeyPair, error) {
+	var kp ckp
+	_, err := io.ReadFull(rr, kp.seed[:])
+	if err != nil {
+		return nil, err
+	}
+	return &kp, nil
+}
+
+// Will create a curve key pair from seed.
+func FromCurveSeed(seed []byte) (KeyPair, error) {
+	pb, raw, err := DecodeSeed(seed)
+	if err != nil {
+		return nil, err
+	}
+	if pb != PrefixByteCurve || len(raw) != curveKeyLen {
+		return nil, ErrInvalidCurveSeed
+	}
+	var kp ckp
+	copy(kp.seed[:], raw)
+	return &kp, nil
+}
+
+// Seed will return the encoded seed.
+func (pair *ckp) Seed() ([]byte, error) {
+	return EncodeSeed(PrefixByteCurve, pair.seed[:])
+}
+
+// PublicKey will return the encoded public key.
+func (pair *ckp) PublicKey() (string, error) {
+	var pub [curveKeyLen]byte
+	curve25519.ScalarBaseMult(&pub, &pair.seed)
+	key, err := Encode(PrefixByteCurve, pub[:])
+	return string(key), err
+}
+
+// PrivateKey will return the encoded private key.
+func (pair *ckp) PrivateKey() ([]byte, error) {
+	return Encode(PrefixBytePrivate, pair.seed[:])
+}
+
+func decodePubCurveKey(src string, dest [curveKeyLen]byte) error {
+	var raw [curveDecodeLen]byte // should always be 35
+	n, err := b32Enc.Decode(raw[:], []byte(src))
+	if err != nil {
+		return err
+	}
+	if n != curveDecodeLen {
+		return ErrInvalidCurveKey
+	}
+	// Make sure it is what we expected.
+	if prefix := PrefixByte(raw[0]); prefix != PrefixByteCurve {
+		return ErrInvalidPublicKey
+	}
+	var crc uint16
+	end := n - 2
+	sum := raw[end:n]
+	checksum := bytes.NewReader(sum)
+	if err := binary.Read(checksum, binary.LittleEndian, &crc); err != nil {
+		return err
+	}
+
+	// ensure checksum is valid
+	if err := validate(raw[:end], crc); err != nil {
+		return err
+	}
+
+	// Copy over, ignore prefix byte.
+	copy(dest[:], raw[1:end])
+	return nil
+}
+
+// Only version for now, but could add in X3DH in the future, etc.
+const XKeyVersionV1 = "xkv1"
+const vlen = len(XKeyVersionV1)
+
+// Seal is compatible with nacl.Box.Seal() and can be used in similar situations for small messages.
+// We generate the nonce from crypto rand by default.
+func (pair *ckp) Seal(input []byte, recipient string) ([]byte, error) {
+	return pair.SealWithRand(input, recipient, rand.Reader)
+}
+
+func (pair *ckp) SealWithRand(input []byte, recipient string, rr io.Reader) ([]byte, error) {
+	var (
+		rpub  [curveKeyLen]byte
+		nonce [curveNonceLen]byte
+		out   [vlen + curveNonceLen]byte
+		err   error
+	)
+
+	if err = decodePubCurveKey(recipient, rpub); err != nil {
+		return nil, ErrInvalidRecipient
+	}
+	if _, err := io.ReadFull(rr, nonce[:]); err != nil {
+		return nil, err
+	}
+	copy(out[:vlen], []byte(XKeyVersionV1))
+	copy(out[vlen:], nonce[:])
+	return box.Seal(out[:], input, &nonce, &rpub, &pair.seed), nil
+}
+
+func (pair *ckp) Open(input []byte, sender string) ([]byte, error) {
+	if len(input) <= vlen+curveNonceLen {
+		return nil, ErrInvalidEncrypted
+	}
+	var (
+		spub  [curveKeyLen]byte
+		nonce [curveNonceLen]byte
+		err   error
+	)
+	if !bytes.Equal(input[:vlen], []byte(XKeyVersionV1)) {
+		return nil, ErrInvalidEncVersion
+	}
+	copy(nonce[:], input[vlen:vlen+curveNonceLen])
+
+	if err = decodePubCurveKey(sender, spub); err != nil {
+		return nil, ErrInvalidSender
+	}
+
+	decrypted, ok := box.Open(nil, input[vlen+curveNonceLen:], &nonce, &spub, &pair.seed)
+	if !ok {
+		return nil, ErrCouldNotDecrypt
+	}
+	return decrypted, nil
+}
+
+// Wipe will randomize the contents of the secret key
+func (pair *ckp) Wipe() {
+	io.ReadFull(rand.Reader, pair.seed[:])
+}
+
+func (pair *ckp) Sign(_ []byte) ([]byte, error) {
+	return nil, ErrInvalidCurveKeyOperation
+}
+
+func (pair *ckp) Verify(_ []byte, _ []byte) error {
+	return ErrInvalidCurveKeyOperation
+}