Create extensions for older iOS and tvOS versions

The methods and initializers for getting the compressed
representation of p256 operations are only available for
iOS 16 and tvOS 16. These extensions allows for iOS and
tvOS versions lower than 16 to still use p256 features.

Author: MasterJ93

Sources/ATCryptography/Extensions/P256Extensions.swift

@@ -0,0 +1,210 @@
+//
+//  P256Extensions.swift
+//  ATCryptography
+//
+//  Created by Christopher Jr Riley on 2025-05-13.
+//
+
+import Foundation
+import Crypto
+import BigInt
+
+extension P256.Signing.PublicKey {
+
+    /// Returns the compressed SEC1 representation of a P256 public key,
+    /// compatible with platforms where `.compressedRepresentation` is unavailable.
+    ///
+    /// The compressed form includes only the X coordinate and a prefix byte
+    /// (0x02 for even Y, 0x03 for odd Y), following the SEC1 standard.
+    ///
+    /// - Returns: A 33-byte compressed public key.
+    /// - Throws: An error if the raw representation is invalid or not uncompressed.
+    @available(iOS, introduced: 13, obsoleted: 16)
+    @available(tvOS, introduced: 13, obsoleted: 16)
+    @available(macOS, unavailable)
+    @available(visionOS, unavailable)
+    @available(watchOS, unavailable)
+    public func compressedRepresentationCompat() throws -> Data {
+        let rawKey = self.rawRepresentation
+
+        // Ensure it’s exactly 64 bytes: 32 bytes for X, 32 for Y.
+        guard rawKey.count == 64 else {
+            throw P256Error.invalidCompressedKey
+        }
+
+        let xCoordinate = rawKey.prefix(32)
+        let yCoordinate = rawKey.suffix(32)
+
+        guard let lastByteOfY = yCoordinate.last else {
+            throw P256Error.invalidCompressedKey
+        }
+
+        let prefixByte: UInt8 = (lastByteOfY % 2 == 0) ? 0x02 : 0x03
+        return Data([prefixByte]) + xCoordinate
+    }
+
+    /// Decompresses a compressed P256 public key into a full uncompressed SEC1 key,
+    /// and initializes a `P256.Signing.PublicKey` from it.
+    ///
+    /// This function is designed to support older Apple platforms (iOS/tvOS 13–15)
+    /// where `.init(compressedRepresentation:)` is unavailable.
+    ///
+    /// - Parameter compressedKey: The SEC1 compressed public key data.
+    /// - Returns: A valid `P256.Signing.PublicKey`.
+    /// - Throws: `P256Error.invalidCompressedKey` or `P256Error.pointNotOnCurve`
+    ///   if the data is malformed or does not represent a point on the P256 curve.
+    @available(iOS, introduced: 13, obsoleted: 16)
+    @available(tvOS, introduced: 13, obsoleted: 16)
+    @available(macOS, unavailable)
+    @available(visionOS, unavailable)
+    @available(watchOS, unavailable)
+    public static func decompressP256PublicKey(compressed compressedKey: Data) throws -> P256.Signing.PublicKey {
+        guard compressedKey.count == 33 else {
+            throw P256Error.invalidCompressedKey
+        }
+
+        let prefixByte = compressedKey[0]
+        guard prefixByte == 0x02 || prefixByte == 0x03 else {
+            throw P256Error.invalidCompressedKey
+        }
+
+        let xBytes = compressedKey.dropFirst()
+        let xCoordinate = BigUInt(xBytes)
+
+        guard
+            let prime = BigUInt("FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF", radix: 16),
+            let b = BigUInt("5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B", radix: 16)
+        else {
+            throw P256Error.invalidCompressedKey
+        }
+
+        let a = prime - 3
+        let ySquared = (xCoordinate.power(3, modulus: prime) + a * xCoordinate + b) % prime
+
+        guard let yCoordinate = try modularSquareRoot(ySquared, prime: prime) else {
+            throw P256Error.pointNotOnCurve
+        }
+
+        let isYOdd = yCoordinate % 2 == 1
+        let shouldBeOdd = (prefixByte == 0x03)
+        let finalYCoordinate = (isYOdd == shouldBeOdd) ? yCoordinate : (prime - yCoordinate)
+
+        let xData = xCoordinate.serialize().pad(to: 32)
+        let yData = finalYCoordinate.serialize().pad(to: 32)
+
+        let uncompressedKey = xData + yData
+        return try P256.Signing.PublicKey(rawRepresentation: uncompressedKey)
+    }
+
+    /// Computes the modular square root of a given number (`squareRoot`) modulo a prime (`prime`).
+    ///
+    /// This function is specifically optimized for the p256 curve, whose `prime` satisfies the condition
+    /// `prime ≡ 3 mod 4`. This allows the use of a simplified square root computation:
+    ///
+    ///     sqrt(squareRoot) ≡ squareRoot^((prime + 1) / 4) mod prime
+    ///
+    /// This equation is valid only when `squareRoot` is a quadratic residue modulo `prime`. If `squareRoot`
+    /// is not a square modulo `prime`, the function returns `nil`.
+    ///
+    /// - Parameters:
+    ///   - squareRoot: The value whose modular square root is to be computed.
+    ///   - prime: A prime modulus. For p256, this should be the curve's prime field.
+    /// - Returns: The modular square root of `squareRoot` modulo `prime`, if it exists.
+    ///
+    /// - Throws: `P256Error.pointNotOnCurve` if the prime does not satisfy `prime ≡ 3 mod 4`, which means
+    /// the simplified square root algorithm cannot be used.
+    @available(iOS, introduced: 13, obsoleted: 16)
+    @available(tvOS, introduced: 13, obsoleted: 16)
+    @available(macOS, unavailable)
+    @available(visionOS, unavailable)
+    @available(watchOS, unavailable)
+    private static func modularSquareRoot(_ squareRoot: BigUInt, prime prime: BigUInt) throws -> BigUInt? {
+        // Special case for p256 where prime ≡ 3 mod 4:
+        // sqrt(squareRoot) ≡ squareRoot^((prime + 1) / 4) mod prime
+        if prime % 4 == 3 {
+            let exponent = (prime + 1) / 4
+            let result = squareRoot.power(exponent, modulus: prime)
+            if (result.power(2, modulus: prime) == squareRoot % prime) {
+                return result
+            } else {
+                return nil
+            }
+        }
+
+        // Otherwise, a full Tonelli-Shanks is needed.
+        throw P256Error.pointNotOnCurve
+    }
+}
+
+extension Data {
+
+    /// Pads the current `Data` instance with leading zeroes to match the specified length.
+    ///
+    /// This is commonly used to ensure big-endian encoded integers or coordinates are a fixed size,
+    /// such as 32 bytes for P256 public key components.
+    ///
+    /// - Parameter length: The target length in bytes.
+    /// - Returns: A new `Data` instance of exactly `length` bytes, with leading zeroes added if necessary.
+    ///           If the current length is already `>= length`, the original data is returned unchanged.
+    @available(iOS, introduced: 13, obsoleted: 16)
+    @available(tvOS, introduced: 13, obsoleted: 16)
+    @available(macOS, unavailable)
+    @available(visionOS, unavailable)
+    @available(watchOS, unavailable)
+    public func pad(to length: Int) -> Data {
+        if count >= length { return self }
+        return Data(repeating: 0, count: length - count) + self
+    }
+}
+
+/// Utility for compressing and decompressing P256 public keys on platforms
+/// where native CryptoKit support for compressed keys is unavailable.
+///
+/// This wrapper supports SEC1 compressed key encoding (33 bytes) and
+/// decoding by reconstructing the full point on the curve using the
+/// Weierstrass equation.
+///
+/// Use this only on iOS/tvOS 13–15. Prefer native CryptoKit APIs
+/// on newer platforms.
+@available(iOS, introduced: 13, obsoleted: 16)
+@available(tvOS, introduced: 13, obsoleted: 16)
+@available(macOS, unavailable)
+@available(visionOS, unavailable)
+@available(watchOS, unavailable)
+public struct CompressedP256 {
+
+    /// Compresses a P256 public key using SEC1 encoding.
+    ///
+    /// - Parameter key: A valid uncompressed P256 public key.
+    /// - Returns: A 33-byte compressed SEC1 representation.
+    ///
+    /// - Throws: If compression fails (e.g., invalid raw data).
+    public static func compress(_ key: P256.Signing.PublicKey) throws -> Data {
+        return try key.compressedRepresentationCompat()
+    }
+
+    /// Decompresses a SEC1 compressed public key into a usable P256 public key.
+    ///
+    /// - Parameter data: A 33-byte compressed key.
+    /// - Returns: A full `P256.Signing.PublicKey`.
+    /// - Throws: `P256Error` if the key is malformed or cannot be decompressed.
+    public static func decompress(_ data: Data) throws -> P256.Signing.PublicKey {
+        return try P256.Signing.PublicKey.decompressP256PublicKey(compressed: data)
+    }
+}
+
+/// Errors that may occur while working with compressed P256 keys.
+@available(iOS, introduced: 13, obsoleted: 16)
+@available(tvOS, introduced: 13, obsoleted: 16)
+@available(macOS, unavailable)
+@available(visionOS, unavailable)
+@available(watchOS, unavailable)
+public enum P256Error: Error {
+
+    /// The input data is not a valid compressed P256 key.
+    case invalidCompressedKey
+
+    /// The calculated Y coordinate is not a valid point on the curve.
+    case pointNotOnCurve
+}
+

Sources/ATCryptography/p256/P256Encoding.swift

@@ -41,7 +41,11 @@ public struct P256Encoding {
 
         // Convert to a compressed public key.
         let key = try P256.Signing.PublicKey(rawRepresentation: Data(rawKey))
-        return Array(key.compressedRepresentation)
+        if #available(iOS 16, tvOS 16, *) {
+            return Array(key.compressedRepresentation)
+        } else {
+            return Array(try key.compressedRepresentationCompat())
+        }
     }
 
     /// Decompresses a compressed p256 public key.
@@ -59,38 +63,46 @@ public struct P256Encoding {
     /// - Throws: `EllipticalCurveEncodingError.invalidKeyLength` if the key length is incorrect.
     ///           `EllipticalCurveEncodingError.keyDecodingFailed` if the key decoding failed.
     public static func decompress(publicKey: [UInt8], shouldAddPrefix: Bool = false) throws -> [UInt8] {
-        let rawKey: Data
+        let compressedPublicKey: Data
 
         switch publicKey.count {
             case 33 where publicKey.first == 0x02 || publicKey.first == 0x03:
                 // Remove prefix before using CryptoKit.
-                rawKey = Data(publicKey)
+                compressedPublicKey = Data(publicKey)
 
             case 32:
                 // Already in raw format.
-                rawKey = Data(publicKey)
+                compressedPublicKey = Data(publicKey)
 
             default:
                 throw EllipticalCurveEncodingError.invalidKeyLength(expected: 33, actual: publicKey.count)
         }
 
         // Convert to an uncompressed public key.
-        let key = try P256.Signing.PublicKey(compressedRepresentation: rawKey)
-        var uncompressedKey = Array(key.rawRepresentation)
+        var uncompressedRawPublicKey: [Data.Element]
+        if #available(iOS 16.0, *) {
+            let key = try P256.Signing.PublicKey(compressedRepresentation: compressedPublicKey)
+            uncompressedRawPublicKey = Array(key.rawRepresentation)
+        } else {
+            // Fallback on earlier versions
+            let key = try CompressedP256.decompress(compressedPublicKey)
+            uncompressedRawPublicKey = Array(key.rawRepresentation)
+        }
+//        var uncompressedRawPublicKey = Array(key.rawRepresentation)
 
         // Prepend the uncompressed prefix (0x04)
         if shouldAddPrefix {
             // Prepend the uncompressed key prefix (0x04) if not already present.
-            if uncompressedKey.first != 0x04 {
-                uncompressedKey.insert(0x04, at: 0)
+            if uncompressedRawPublicKey.first != 0x04 {
+                uncompressedRawPublicKey.insert(0x04, at: 0)
             }
         } else {
             // Ensure the key is returned without the prefix.
-            if uncompressedKey.first == 0x04 && (uncompressedKey.count - 1) != 63 {
-                uncompressedKey.removeFirst()
+            if uncompressedRawPublicKey.first == 0x04 && (uncompressedRawPublicKey.count - 1) != 63 {
+                uncompressedRawPublicKey.removeFirst()
             }
         }
 
-        return uncompressedKey
+        return uncompressedRawPublicKey
     }
 }

Sources/ATCryptography/p256/P256Operations.swift

@@ -47,8 +47,20 @@ public struct P256Operations {
         let allowMalleable = options?.areMalleableSignaturesAllowed ?? false
         let hashedData = await SHA256Hasher.sha256(data)
 
-        guard let publicKey = try? P256.Signing.PublicKey(compressedRepresentation: publicKey) else {
-            throw EllipticalCurveOperationsError.invalidPublicKey
+        let uncompressedPublicKey: P256.Signing.PublicKey
+
+        if #available(iOS 16, tvOS 16, *) {
+            guard let key = try? P256.Signing.PublicKey(compressedRepresentation: publicKey) else {
+                throw EllipticalCurveOperationsError.invalidPublicKey
+            }
+
+            uncompressedPublicKey = key
+        } else {
+            guard let key = try? CompressedP256.decompress(Data(publicKey)) else {
+                throw EllipticalCurveOperationsError.invalidPublicKey
+            }
+
+            uncompressedPublicKey = key
         }
 
         let signatureData = Data(signature)
@@ -66,7 +78,7 @@ public struct P256Operations {
             return false
         }
 
-        return publicKey.isValidSignature(correctedSignature, for: Data(hashedData))
+        return uncompressedPublicKey.isValidSignature(correctedSignature, for: Data(hashedData))
     }
 
     /// Checks if a signature is in compact format.