Coverage Report

Created: 2025-04-24 07:09

/src/botan/src/lib/pubkey/ed25519/ed25519_key.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* Ed25519
3
* (C) 2017 Ribose Inc
4
*     2025 Jack Lloyd
5
*
6
* Botan is released under the Simplified BSD License (see license.txt)
7
*/
8
9
#include <botan/ed25519.h>
10
11
#include <botan/ber_dec.h>
12
#include <botan/der_enc.h>
13
#include <botan/hash.h>
14
#include <botan/rng.h>
15
#include <botan/internal/ct_utils.h>
16
#include <botan/internal/ed25519_internal.h>
17
#include <botan/internal/pk_ops_impl.h>
18
19
namespace Botan {
20
21
0
AlgorithmIdentifier Ed25519_PublicKey::algorithm_identifier() const {
22
0
   return AlgorithmIdentifier(object_identifier(), AlgorithmIdentifier::USE_EMPTY_PARAM);
23
0
}
24
25
0
bool Ed25519_PublicKey::check_key(RandomNumberGenerator& /*rng*/, bool /*strong*/) const {
26
0
   if(m_public.size() != 32) {
27
0
      return false;
28
0
   }
29
30
   /*
31
   This function was derived from public domain code in Tor's blinding.c
32
   */
33
34
0
   const uint8_t identity_element[32] = {1};
35
0
   if(CT::is_equal(m_public.data(), identity_element, 32).as_bool()) {
36
0
      return false;
37
0
   }
38
39
   // The order of the Ed25519 group encoded
40
0
   const uint8_t modm_m[32] = {0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7,
41
0
                               0xa2, 0xde, 0xf9, 0xde, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
42
0
                               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10};
43
44
0
   const unsigned char zero[32] = {0};
45
46
0
   unsigned char pkcopy[32];
47
48
0
   copy_mem(pkcopy, m_public.data(), 32);
49
0
   pkcopy[31] ^= (1 << 7);  // flip sign
50
0
   ge_p3 point;
51
0
   if(ge_frombytes_negate_vartime(&point, pkcopy) != 0) {
52
0
      return false;
53
0
   }
54
55
0
   uint8_t result[32];
56
0
   ge_double_scalarmult_vartime(result, modm_m, &point, zero);
57
58
0
   if(!CT::is_equal(result, identity_element, 32).as_bool()) {
59
0
      return false;
60
0
   }
61
62
0
   return true;
63
0
}
64
65
0
Ed25519_PublicKey::Ed25519_PublicKey(const uint8_t pub_key[], size_t pub_len) {
66
0
   if(pub_len != 32) {
67
0
      throw Decoding_Error("Invalid length for Ed25519 key");
68
0
   }
69
0
   m_public.assign(pub_key, pub_key + pub_len);
70
0
}
Unexecuted instantiation: Botan::Ed25519_PublicKey::Ed25519_PublicKey(unsigned char const*, unsigned long)
Unexecuted instantiation: Botan::Ed25519_PublicKey::Ed25519_PublicKey(unsigned char const*, unsigned long)
71
72
0
Ed25519_PublicKey::Ed25519_PublicKey(const AlgorithmIdentifier& /*unused*/, std::span<const uint8_t> key_bits) {
73
0
   m_public.assign(key_bits.begin(), key_bits.end());
74
75
0
   if(m_public.size() != 32) {
76
0
      throw Decoding_Error("Invalid size for Ed25519 public key");
77
0
   }
78
0
}
Unexecuted instantiation: Botan::Ed25519_PublicKey::Ed25519_PublicKey(Botan::AlgorithmIdentifier const&, std::__1::span<unsigned char const, 18446744073709551615ul>)
Unexecuted instantiation: Botan::Ed25519_PublicKey::Ed25519_PublicKey(Botan::AlgorithmIdentifier const&, std::__1::span<unsigned char const, 18446744073709551615ul>)
79
80
0
std::vector<uint8_t> Ed25519_PublicKey::raw_public_key_bits() const {
81
0
   return m_public;
82
0
}
83
84
0
std::vector<uint8_t> Ed25519_PublicKey::public_key_bits() const {
85
0
   return raw_public_key_bits();
86
0
}
87
88
0
std::unique_ptr<Private_Key> Ed25519_PublicKey::generate_another(RandomNumberGenerator& rng) const {
89
0
   return std::make_unique<Ed25519_PrivateKey>(rng);
90
0
}
91
92
0
Ed25519_PrivateKey::Ed25519_PrivateKey(std::span<const uint8_t> secret_key) {
93
0
   if(secret_key.size() == 64) {
94
0
      m_private.assign(secret_key.begin(), secret_key.end());
95
0
      m_public.assign(m_private.begin() + 32, m_private.end());
96
0
   } else if(secret_key.size() == 32) {
97
0
      m_public.resize(32);
98
0
      m_private.resize(64);
99
0
      ed25519_gen_keypair(m_public.data(), m_private.data(), secret_key.data());
100
0
   } else {
101
0
      throw Decoding_Error("Invalid size for Ed25519 private key");
102
0
   }
103
0
}
Unexecuted instantiation: Botan::Ed25519_PrivateKey::Ed25519_PrivateKey(std::__1::span<unsigned char const, 18446744073709551615ul>)
Unexecuted instantiation: Botan::Ed25519_PrivateKey::Ed25519_PrivateKey(std::__1::span<unsigned char const, 18446744073709551615ul>)
104
105
//static
106
0
Ed25519_PrivateKey Ed25519_PrivateKey::from_seed(std::span<const uint8_t> seed) {
107
0
   BOTAN_ARG_CHECK(seed.size() == 32, "Ed25519 seed must be exactly 32 bytes long");
108
0
   return Ed25519_PrivateKey(seed);
109
0
}
110
111
//static
112
0
Ed25519_PrivateKey Ed25519_PrivateKey::from_bytes(std::span<const uint8_t> bytes) {
113
0
   BOTAN_ARG_CHECK(bytes.size() == 64, "Ed25519 private key must be exactly 64 bytes long");
114
0
   return Ed25519_PrivateKey(bytes);
115
0
}
116
117
0
Ed25519_PrivateKey::Ed25519_PrivateKey(RandomNumberGenerator& rng) {
118
0
   const secure_vector<uint8_t> seed = rng.random_vec(32);
119
0
   m_public.resize(32);
120
0
   m_private.resize(64);
121
0
   ed25519_gen_keypair(m_public.data(), m_private.data(), seed.data());
122
0
}
Unexecuted instantiation: Botan::Ed25519_PrivateKey::Ed25519_PrivateKey(Botan::RandomNumberGenerator&)
Unexecuted instantiation: Botan::Ed25519_PrivateKey::Ed25519_PrivateKey(Botan::RandomNumberGenerator&)
123
124
0
Ed25519_PrivateKey::Ed25519_PrivateKey(const AlgorithmIdentifier& /*unused*/, std::span<const uint8_t> key_bits) {
125
0
   secure_vector<uint8_t> bits;
126
0
   BER_Decoder(key_bits).decode(bits, ASN1_Type::OctetString).discard_remaining();
127
128
0
   if(bits.size() != 32) {
129
0
      throw Decoding_Error("Invalid size for Ed25519 private key");
130
0
   }
131
0
   m_public.resize(32);
132
0
   m_private.resize(64);
133
0
   ed25519_gen_keypair(m_public.data(), m_private.data(), bits.data());
134
0
}
Unexecuted instantiation: Botan::Ed25519_PrivateKey::Ed25519_PrivateKey(Botan::AlgorithmIdentifier const&, std::__1::span<unsigned char const, 18446744073709551615ul>)
Unexecuted instantiation: Botan::Ed25519_PrivateKey::Ed25519_PrivateKey(Botan::AlgorithmIdentifier const&, std::__1::span<unsigned char const, 18446744073709551615ul>)
135
136
0
std::unique_ptr<Public_Key> Ed25519_PrivateKey::public_key() const {
137
0
   return std::make_unique<Ed25519_PublicKey>(get_public_key());
138
0
}
139
140
0
secure_vector<uint8_t> Ed25519_PrivateKey::private_key_bits() const {
141
0
   secure_vector<uint8_t> bits(&m_private[0], &m_private[32]);
142
0
   return DER_Encoder().encode(bits, ASN1_Type::OctetString).get_contents();
143
0
}
144
145
0
bool Ed25519_PrivateKey::check_key(RandomNumberGenerator& /*rng*/, bool /*strong*/) const {
146
0
   return true;  // ???
147
0
}
148
149
namespace {
150
151
/**
152
* Ed25519 verifying operation
153
*/
154
class Ed25519_Pure_Verify_Operation final : public PK_Ops::Verification {
155
   public:
156
0
      explicit Ed25519_Pure_Verify_Operation(const Ed25519_PublicKey& key) : m_key(key.get_public_key()) {}
157
158
0
      void update(std::span<const uint8_t> msg) override { m_msg.insert(m_msg.end(), msg.begin(), msg.end()); }
159
160
0
      bool is_valid_signature(std::span<const uint8_t> sig) override {
161
0
         if(sig.size() != 64) {
162
0
            return false;
163
0
         }
164
165
0
         BOTAN_ASSERT_EQUAL(m_key.size(), 32, "Expected size");
166
0
         const bool ok = ed25519_verify(m_msg.data(), m_msg.size(), sig.data(), m_key.data(), nullptr, 0);
167
0
         m_msg.clear();
168
0
         return ok;
169
0
      }
170
171
0
      std::string hash_function() const override { return "SHA-512"; }
172
173
   private:
174
      std::vector<uint8_t> m_msg;
175
      std::vector<uint8_t> m_key;
176
};
177
178
/**
179
* Ed25519 verifying operation with pre-hash
180
*/
181
class Ed25519_Hashed_Verify_Operation final : public PK_Ops::Verification {
182
   public:
183
      Ed25519_Hashed_Verify_Operation(const Ed25519_PublicKey& key, std::string_view hash, bool rfc8032) :
184
0
            m_key(key.get_public_key()) {
185
0
         m_hash = HashFunction::create_or_throw(hash);
186
187
0
         if(rfc8032) {
188
0
            m_domain_sep = {0x53, 0x69, 0x67, 0x45, 0x64, 0x32, 0x35, 0x35, 0x31, 0x39, 0x20, 0x6E,
189
0
                            0x6F, 0x20, 0x45, 0x64, 0x32, 0x35, 0x35, 0x31, 0x39, 0x20, 0x63, 0x6F,
190
0
                            0x6C, 0x6C, 0x69, 0x73, 0x69, 0x6F, 0x6E, 0x73, 0x01, 0x00};
191
0
         }
192
0
      }
193
194
0
      void update(std::span<const uint8_t> msg) override { m_hash->update(msg); }
195
196
0
      bool is_valid_signature(std::span<const uint8_t> sig) override {
197
0
         if(sig.size() != 64) {
198
0
            return false;
199
0
         }
200
0
         std::vector<uint8_t> msg_hash(m_hash->output_length());
201
0
         m_hash->final(msg_hash.data());
202
203
0
         BOTAN_ASSERT_EQUAL(m_key.size(), 32, "Expected size");
204
0
         return ed25519_verify(
205
0
            msg_hash.data(), msg_hash.size(), sig.data(), m_key.data(), m_domain_sep.data(), m_domain_sep.size());
206
0
      }
207
208
0
      std::string hash_function() const override { return m_hash->name(); }
209
210
   private:
211
      std::unique_ptr<HashFunction> m_hash;
212
      std::vector<uint8_t> m_key;
213
      std::vector<uint8_t> m_domain_sep;
214
};
215
216
/**
217
* Ed25519 signing operation ('pure' - signs message directly)
218
*/
219
class Ed25519_Pure_Sign_Operation final : public PK_Ops::Signature {
220
   public:
221
0
      explicit Ed25519_Pure_Sign_Operation(const Ed25519_PrivateKey& key) : m_key(key.raw_private_key_bits()) {}
222
223
0
      void update(std::span<const uint8_t> msg) override { m_msg.insert(m_msg.end(), msg.begin(), msg.end()); }
224
225
0
      std::vector<uint8_t> sign(RandomNumberGenerator& /*rng*/) override {
226
0
         std::vector<uint8_t> sig(64);
227
0
         ed25519_sign(sig.data(), m_msg.data(), m_msg.size(), m_key.data(), nullptr, 0);
228
0
         m_msg.clear();
229
0
         return sig;
230
0
      }
231
232
0
      size_t signature_length() const override { return 64; }
233
234
      AlgorithmIdentifier algorithm_identifier() const override;
235
236
0
      std::string hash_function() const override { return "SHA-512"; }
237
238
   private:
239
      std::vector<uint8_t> m_msg;
240
      secure_vector<uint8_t> m_key;
241
};
242
243
0
AlgorithmIdentifier Ed25519_Pure_Sign_Operation::algorithm_identifier() const {
244
0
   return AlgorithmIdentifier(OID::from_string("Ed25519"), AlgorithmIdentifier::USE_EMPTY_PARAM);
245
0
}
246
247
/**
248
* Ed25519 signing operation with pre-hash
249
*/
250
class Ed25519_Hashed_Sign_Operation final : public PK_Ops::Signature {
251
   public:
252
      Ed25519_Hashed_Sign_Operation(const Ed25519_PrivateKey& key, std::string_view hash, bool rfc8032) :
253
0
            m_key(key.raw_private_key_bits()) {
254
0
         m_hash = HashFunction::create_or_throw(hash);
255
256
0
         if(rfc8032) {
257
0
            m_domain_sep = std::vector<uint8_t>{0x53, 0x69, 0x67, 0x45, 0x64, 0x32, 0x35, 0x35, 0x31, 0x39, 0x20, 0x6E,
258
0
                                                0x6F, 0x20, 0x45, 0x64, 0x32, 0x35, 0x35, 0x31, 0x39, 0x20, 0x63, 0x6F,
259
0
                                                0x6C, 0x6C, 0x69, 0x73, 0x69, 0x6F, 0x6E, 0x73, 0x01, 0x00};
260
0
         }
261
0
      }
262
263
0
      size_t signature_length() const override { return 64; }
264
265
0
      void update(std::span<const uint8_t> msg) override { m_hash->update(msg); }
266
267
0
      std::vector<uint8_t> sign(RandomNumberGenerator& /*rng*/) override {
268
0
         std::vector<uint8_t> sig(64);
269
0
         std::vector<uint8_t> msg_hash(m_hash->output_length());
270
0
         m_hash->final(msg_hash.data());
271
0
         ed25519_sign(
272
0
            sig.data(), msg_hash.data(), msg_hash.size(), m_key.data(), m_domain_sep.data(), m_domain_sep.size());
273
0
         return sig;
274
0
      }
275
276
0
      std::string hash_function() const override { return m_hash->name(); }
277
278
   private:
279
      std::unique_ptr<HashFunction> m_hash;
280
      secure_vector<uint8_t> m_key;
281
      std::vector<uint8_t> m_domain_sep;
282
};
283
284
}  // namespace
285
286
std::unique_ptr<PK_Ops::Verification> Ed25519_PublicKey::create_verification_op(std::string_view params,
287
0
                                                                                std::string_view provider) const {
288
0
   if(provider == "base" || provider.empty()) {
289
0
      if(params.empty() || params == "Identity" || params == "Pure") {
290
0
         return std::make_unique<Ed25519_Pure_Verify_Operation>(*this);
291
0
      } else if(params == "Ed25519ph") {
292
0
         return std::make_unique<Ed25519_Hashed_Verify_Operation>(*this, "SHA-512", true);
293
0
      } else {
294
0
         return std::make_unique<Ed25519_Hashed_Verify_Operation>(*this, params, false);
295
0
      }
296
0
   }
297
0
   throw Provider_Not_Found(algo_name(), provider);
298
0
}
299
300
std::unique_ptr<PK_Ops::Verification> Ed25519_PublicKey::create_x509_verification_op(const AlgorithmIdentifier& alg_id,
301
0
                                                                                     std::string_view provider) const {
302
0
   if(provider == "base" || provider.empty()) {
303
0
      if(alg_id != this->algorithm_identifier()) {
304
0
         throw Decoding_Error("Unexpected AlgorithmIdentifier for Ed25519 X509 signature");
305
0
      }
306
307
0
      return std::make_unique<Ed25519_Pure_Verify_Operation>(*this);
308
0
   }
309
0
   throw Provider_Not_Found(algo_name(), provider);
310
0
}
311
312
std::unique_ptr<PK_Ops::Signature> Ed25519_PrivateKey::create_signature_op(RandomNumberGenerator& /*rng*/,
313
                                                                           std::string_view params,
314
0
                                                                           std::string_view provider) const {
315
0
   if(provider == "base" || provider.empty()) {
316
0
      if(params.empty() || params == "Identity" || params == "Pure") {
317
0
         return std::make_unique<Ed25519_Pure_Sign_Operation>(*this);
318
0
      } else if(params == "Ed25519ph") {
319
0
         return std::make_unique<Ed25519_Hashed_Sign_Operation>(*this, "SHA-512", true);
320
0
      } else {
321
0
         return std::make_unique<Ed25519_Hashed_Sign_Operation>(*this, params, false);
322
0
      }
323
0
   }
324
0
   throw Provider_Not_Found(algo_name(), provider);
325
0
}
326
327
}  // namespace Botan