main
1// Package ed25519 implements the ed25519 signature algorithm for OpenPGP
2// as defined in the Open PGP crypto refresh.
3package ed25519
4
5import (
6 "crypto/subtle"
7 "io"
8
9 "github.com/ProtonMail/go-crypto/openpgp/errors"
10 ed25519lib "github.com/cloudflare/circl/sign/ed25519"
11)
12
13const (
14 // PublicKeySize is the size, in bytes, of public keys in this package.
15 PublicKeySize = ed25519lib.PublicKeySize
16 // SeedSize is the size, in bytes, of private key seeds.
17 // The private key representation used by RFC 8032.
18 SeedSize = ed25519lib.SeedSize
19 // SignatureSize is the size, in bytes, of signatures generated and verified by this package.
20 SignatureSize = ed25519lib.SignatureSize
21)
22
23type PublicKey struct {
24 // Point represents the elliptic curve point of the public key.
25 Point []byte
26}
27
28type PrivateKey struct {
29 PublicKey
30 // Key the private key representation by RFC 8032,
31 // encoded as seed | pub key point.
32 Key []byte
33}
34
35// NewPublicKey creates a new empty ed25519 public key.
36func NewPublicKey() *PublicKey {
37 return &PublicKey{}
38}
39
40// NewPrivateKey creates a new empty private key referencing the public key.
41func NewPrivateKey(key PublicKey) *PrivateKey {
42 return &PrivateKey{
43 PublicKey: key,
44 }
45}
46
47// Seed returns the ed25519 private key secret seed.
48// The private key representation by RFC 8032.
49func (pk *PrivateKey) Seed() []byte {
50 return pk.Key[:SeedSize]
51}
52
53// MarshalByteSecret returns the underlying 32 byte seed of the private key.
54func (pk *PrivateKey) MarshalByteSecret() []byte {
55 return pk.Seed()
56}
57
58// UnmarshalByteSecret computes the private key from the secret seed
59// and stores it in the private key object.
60func (sk *PrivateKey) UnmarshalByteSecret(seed []byte) error {
61 sk.Key = ed25519lib.NewKeyFromSeed(seed)
62 return nil
63}
64
65// GenerateKey generates a fresh private key with the provided randomness source.
66func GenerateKey(rand io.Reader) (*PrivateKey, error) {
67 publicKey, privateKey, err := ed25519lib.GenerateKey(rand)
68 if err != nil {
69 return nil, err
70 }
71 privateKeyOut := new(PrivateKey)
72 privateKeyOut.PublicKey.Point = publicKey[:]
73 privateKeyOut.Key = privateKey[:]
74 return privateKeyOut, nil
75}
76
77// Sign signs a message with the ed25519 algorithm.
78// priv MUST be a valid key! Check this with Validate() before use.
79func Sign(priv *PrivateKey, message []byte) ([]byte, error) {
80 return ed25519lib.Sign(priv.Key, message), nil
81}
82
83// Verify verifies an ed25519 signature.
84func Verify(pub *PublicKey, message []byte, signature []byte) bool {
85 return ed25519lib.Verify(pub.Point, message, signature)
86}
87
88// Validate checks if the ed25519 private key is valid.
89func Validate(priv *PrivateKey) error {
90 expectedPrivateKey := ed25519lib.NewKeyFromSeed(priv.Seed())
91 if subtle.ConstantTimeCompare(priv.Key, expectedPrivateKey) == 0 {
92 return errors.KeyInvalidError("ed25519: invalid ed25519 secret")
93 }
94 if subtle.ConstantTimeCompare(priv.PublicKey.Point, expectedPrivateKey[SeedSize:]) == 0 {
95 return errors.KeyInvalidError("ed25519: invalid ed25519 public key")
96 }
97 return nil
98}
99
100// ENCODING/DECODING signature:
101
102// WriteSignature encodes and writes an ed25519 signature to writer.
103func WriteSignature(writer io.Writer, signature []byte) error {
104 _, err := writer.Write(signature)
105 return err
106}
107
108// ReadSignature decodes an ed25519 signature from a reader.
109func ReadSignature(reader io.Reader) ([]byte, error) {
110 signature := make([]byte, SignatureSize)
111 if _, err := io.ReadFull(reader, signature); err != nil {
112 return nil, err
113 }
114 return signature, nil
115}